Wso2 API to Windows Authenticated OData API - wso2

Evaluating WSO2 API Manager. I have dozens of various APIs that have been developed by several groups over the past few years; all authenticate with IIS Windows authentication.
How can I configure WSO2 API Manager to call a backend OData API that is expecting Windows Authentication in the request?
I don't actually need to pass through authentication from the calling user; I'd be okay specifying a dedicated service account that API Manager always uses to call the backend services.

API Manager supports NTLM authentication. You can follow the sample in APIM_HOME/samples/NTLMGrantClient. This documentation explains this. Also please follow this blog.

The Endpoint Auth Type "Windows Authentication" is not supported by API Manager. You might want to consider activating "Basic" or "Digest" authentication on your service in IIS (both of them are supported by API Manager).
See: https://docs.wso2.com/display/AM1100/Basic+Auth

Related

WSO2 API Manager vs Identity Server

Can someone please clarify when to use API Manager and when to use Identity Server? I see that API Manager comes with Key Manager. Isn't that sufficient? I am really confused. Any help would be helpful.
Many thanks....
I hope this explanation will help you out.
WSO2 Identity Server
WSO2 Identity Server is a fully fledged Identity Management Solution which supports Authentication, Authorization, Single Sign-On and Identity Federation, to name a few capabilities. WSO2 Identity Server supports almost all major identity protocols such as SAML, OAuth2, OpenID Connect etc. Take a look at this page to get an idea about the capabilities of WSO2 Identity Server.
WSO2 API Manager
WSO2 API Manager, on the other hand, focuses on managing your APIs. Managing life cycle of your APIs, Authorization, Throttling, applying policies on API consumers are some of the functionalities handled by API manager. API manager has several components such as publisher, store, gateway, key manager, traffic manager that clearly separates different aspects of API Management.
So the Key Manager component is responsible for managing OAuth applications and for generating, validating and revoking OAuth2 tokens. API has an inbuilt key manager component to handle these functionalities.
API Manager also offers the flexibility to use an external key manager instead of its inbuilt one should you require to do so. This external key manager needs to conform to an interface specified by API Manager. By default, API has an implementation of this interface that allows WSO2 Identity Server to be used as an external key manager.
So whether or not you want to use Identity Server or any other external key manager is totally dependent on your use case and the API traffic.
You can use WSO2 Identity Server for all the authentication/authorization stuff:
XACML Architecture solution.
SSO with other web apps or WSO2 tools.
Implement an OAuth2 authorization mechanism
Federate authentication
etc....
You can use WSO2 API Manager to expose unsecured RESTful APIs or web services as secure APIs using OAuth, with monitoring and billing functionalities.
The key manager functionality properly decouples the operations for creating OAuth applications and validating access tokens so that you can even plug in a third-party authorization server for key validations.
In a DEV environment you can work with WSO2 API Manager without the WSO2 Identity Server at all.
In a production environment it's recommended to use a separate WSO2 API Manager as a Key Manager or use the WSO2 Identity Server as the Key Manager.

Options for securing REST based service for iOS/Android app

I am working on a web application implementing online shopping functionality. I am using Struts2 + Spring + Hibernate. I am using Spring security to implement authorization and authentication.
Now my client wants to develop an iOS/Android App for the same where users of my web application can login and use some of the functionality using the app.
Mobile App will access the REST based web services on JSON which will be implemented using Jersey. Here are my questions:
Users are going to have one of three roles. Depending on the role they should be able to access the specific resources. I am thinking about using Spring Security 2.0 with Jersey and authenticating the users using OAuth 2.0. Is OAuth 2.0 the right applicable choice?
Also, Jersey doesn't support OAuth 2.0 on the server side. Still, I guess I should be able to use any other OAuth provider to secure Jersey services, right?
If OAuth is not the right choice, then what can I use to provide role-based authentication and authorization for Mobile App users to my REST web services?
Don't forget you can use simple HTTP BASIC auth (with SSL, of course).
For comparisons of OAuth versions, see this.
After having to deal with the same problem I did some research and currently I can see 3 solutions.
Pivotal actually have a piece of software which they use for their cloudfoundry services, called UAA (User Account and Authentication) Server. You can deploy this to your own server, and its role is basically to provide OAuth2 access tokens. You will need to create your own Resource Server which will serve different resources if the correct OAuth token is provided in the request. (They have a couple of sample apps in the UAA repo which you can use.) https://github.com/cloudfoundry/uaa
Google actually provide services like that. If you host your backend on appengine you can use cloud endpoints to expose your API and they take care of Authentication and Authorization.
https://cloud.google.com/appengine/docs/java/endpoints/
You can create your own architecture. Basic approach would be to have an Authorization Server (to generate tokens), a Resource Server (to serve your API) and some sort of storage for users and tokens.
Hope that helps a bit, I'm personally going to go with the UAA to try it out.

wso2 identification server authorization api

I am trying to use WSO2 identification server as an authorization center:
there are several systems, and they share the same user information
I want them to utilize identification server to perform authentication and authorization
In my current research, I have found the API which I can use to perform authentication, and also the SOAP API to perform user/group/permission management soap api
But I could not find the API which I can use to perform an authorization request. So far that code is written in AuthrozationMgrJDBCImpl, and there is no SOAP API exposing those APIs.
Does anybody know of such an API?
Yes. WSO2 Identity Server can be used for centralized authorization management. There are two approaches:
Use the XACML capabilities of WSO2IS. This is the standard way. WSO2IS can act as a XACML PDP. You can create policies for different applications. The PDP is exposed as a web service API; an application can call this web service API to receive an authorization decision based on the policies. You can see the WSDL by pointing to https://localhost:9443/services/EntitlementService?wsdl. You can find more details on XACML and WSO2IS from here.
Use the "AuthorizationAdminService" service. This is the custom way that you have referred to. WSO2IS stores permission data in its own database and manages it through JDBCAuthorizationManager. However, it only supports RBAC (in XACML you can use ABAC). You can see the WSDL by pointing to https://localhost:9443/services/AuthorizationAdminService?wsdl.
Note: You can see the WSDL of this service, but it is not exposed by default. Please go through this OS question. Also, the "AuthorizationAdminService" service is available only after WSO2IS 450 version.

rest apis for wso2 Identity server

In the link
http://blog.facilelogin.com/2008/10/wsas-hiddedn-services.html I saw WSO2 SOAP APIs; can I get their equivalent REST APIs? And an example which shows how to pass authentication details. I need this one for WSO2 Identity Server.
In Identity Server, you can find many management web service APIs that can be used for authentication, authorization, user management and so on. Could you let us know the API that you are looking for? Then we can say what the exact web service is that you could use. As an example, for XACML-based authorization there is the "EntitlementService" web service, where you can find more details here. But still a REST API is not available for this service.
Normally these web service APIs are referred to as admin services in WSO2 products.
Currently (with IS 450), it has a REST API for user management based on SCIM, which you can find here. However, you can expose all SOAP-based APIs as REST APIs using the WSO2 APIM product.

WSO2-API Manager and WSO2-IS : OAuth Overlap

I was using OAuth for a REST API Service on WSO2-ESB using WSO2-IS, and now I wanted to register this service on API Manager. But looks like API Gateway already has OAuth incorporated.
Does it make sense to have WSO2-IS for OAuth in above scenario because having WSO2-API Manager and WSO2-IS make it a two layer OAuth which is not required?
Thanks,
Wajid
Yes, API Gateway already has OAuth incorporated. WSO2 API Manager provides secure authorization for APIs using the OAuth 2.0 standard for key management. Every API created through WSO2 APIM will engage an authentication handler which does this. So if you are using WSO2 API Manager you can skip the engagement of OAuth on your REST API. If you want to keep your own authentication mechanism, that can also be done by defining your APIs in API Provider with the None Auth type. In that case the API gateway will just pass any authentication headers that came in the request to the backend service, without validating them. But here, since you are also using OAuth, you can go with WSO2 API Manager's default authentication mechanism.
http://docs.wso2.org/wiki/display/AM131/API+Manager+Components