I am using 4.8.1.
I wish to authenticate against of Carbon Users-tore with plain text password.
If we use Username-tokens Signature its easy to do but my client having some other Header like
<soapenv:Header>
<mw:authentication soapenv:soa="http://schemas.xmlsoap.org/soap/soa/next" soapenv:mustUnderstand="0" xmlns:mw="http://soa.dev.com/mwoxy">
<mw:user>admin</mw:user>
<mw:password>admin</mw:password>
</mw:authentication>
</soapenv:Header>
So I wish to authenticate this inside proxy so that i wrote a proxy like this
<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse" name="authent" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
<target>
<inSequence>
<property name="username" expression="//mw:authentication/mw:user/text()" scope="default" type="STRING"/>
<property name="password" expression="//mw:authentication/mw:password/text() type="STRING"/>
<dblookup>
<connection>
<pool>
<dsName>jdbc/WSO2CarbonDB</dsName>
</pool>
</connection>
<statement>
<sql>select UM_USER_NAME from UM_USER where UM_USER_NAME=? and UM_USER_PASSWORD= ?</sql>
<parameter expression="get-property('username')" type="VARCHAR"/>
<parameter expression="get-property('password')" type="VARCHAR"/>
<result name="IsUserExisted" column="UM_USER_NAME"/>
</statement>
</dblookup>
<log level="full">
<property name="IsUserExisted" expression="get-property('IsUserExisted')"/>
</log>
</inSequence>
<outSequence/>
</target>
<description/>
</proxy>
So i wish authenticate against of Primary UserStore for that I used this query
select UM_USER_NAME from UM_USER where UM_USER_NAME=? and UM_USER_PASSWORD= ?
and changes done in user-mgt.xml file but its not working how would i do beacuse there is just 3 user and password's is there.
the configuration is like this
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
<Property name="ReadOnly">false</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="IsEmailUserName">false</Property>
<Property name="DomainCalculation">default</Property>
<!-- <Property name="PasswordDigest">SHA-256</Property>-->
<Property name="StoreSaltedPassword">true</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="UserNameUniqueAcrossTenants">false</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SharedGroupEnabled">false</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
Its not working how would i achive this
Thnks in advance
you are using a wrong approach. I believe you are trying to secure your proxy service using username and password. So basically you can secure your proxy from applying a username and password secure policy as shown in [1].
[1]. https://docs.wso2.com/display/ESB481/Applying+Security+Policies
Related
I have a REST API on Enterprise Integrator that uses a db lookup mediator to search a microsoft sql server database and redirects based on the whether or not the data exists in the db. I need to make the redirect part of the code configurable/dynamic as it wouldn't make sense to constantly update the url and redeploy every time the url changes.
<api xmlns="http://ws.apache.org/ns/synapse" name="DBLookupAPI" context="/dblookup">
<resource methods="GET" uri-template="/{UserCode}">
<inSequence>
<log level="custom">
<property name="Value" expression="get-property('uri.var.UserCode')"/>
</log>
<dblookup>
<connection>
<pool>
<driver>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver>
<url>jdbc:sqlserver://10.1.1.111\test;databaseName=UserDB</url>
<user>admin</user>
<password>admin</password>
</pool>
</connection>
<statement>
<sql>select UserCode from UserDB.dbo.Users where UserCode =?;</sql>
<parameter expression="get-property('uri.var.UserCode ')" type="CHAR"/>
<result name="foundnr" column="UserCode "/>
</statement>
</dblookup>
<log level="custom">
<property name="Value" expression="get-property('foundnr')"/>
</log>
<filter source="boolean(get-property('foundnr'))" regex="true">
<then>
<log>
<property name="Message" value="Name Exists Lets redirect"/>
</log>
<property name="HTTP_SC" value="302"/>
<property name="Location" value="https://wso2.com/" scope="transport"/>
</then>
<else>
<log>
<property name="Message" value="Name Does Not Exist Lets redirect"/>
</log>
<property name="HTTP_SC" value="302"/>
<property name="Location" value="https://www.youtube.com/" scope="transport"/>
</else>
</filter>
<respond/>
</inSequence>
<outSequence/>
<faultSequence/>
</resource>
</api>
You can use the property mediator as below.
<property name="Location" expression="get-property('registry','REGISTRY_PATH')"/>
Below are the possible options for get-property method.
Read from registry
get-property('registry', String registryPath#propertyName)
get-property('registry', String registryPath)
Read from Java System property
get-property('system', String propertyName)
Read from the environment
get-property('env', String propertyName)
Read from a file
get-property('file', String propertyName)
Read from the context
You can use the class mediator or any other mediator and set the redirect url to the context and use the following property mediator to retrieve it from the context.
<property name="Location" expression="$ctx:ERROR_MESSAGE"/>
Please refer the documentation - https://ei.docs.wso2.com/en/latest/micro-integrator/references/mediators/property-reference/accessing-properties-with-xpath/#get-property-function
There are different ways to do this. One way is to read from environment variables. In the following example the Location property is set from the environment variable named REDIRECT_URL.
<property name="Location" expression="get-property('env','REDIRECT_URL')" scope="transport"/>
I have mediation settings for request and response:
for request(jms_in_flow):
<?xml version="1.0" encoding="UTF-8"?>
<sequence name="jms_in_flow" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
<property name="transactionId" expression="get-property('MessageID')"/>
<clone continueParent="true">
<target>
<sequence>
<property action="remove" name="OUT_ONLY" value="true"/>
<property expression="$ctx:api.ut.api_version" name="api_version" scope="transport" type="STRING"/>
<property expression="$ctx:api.ut.version" name="api_short_version" scope="transport" type="STRING"/>
<property expression="$ctx:api.ut.requestTime" name="api_request_time" scope="transport" type="STRING"/>
<property expression="$ctx:REST_API_CONTEXT" name="api_context" scope="transport" type="STRING"/>
<property expression="$ctx:API_NAME" name="api_name" scope="transport" type="STRING"/>
<property name="api_message_id" expression="get-property('transactionId')" scope="transport"/>
<property value="REQUEST" name="api_message_type" scope="transport" type="STRING"/>
<property expression="$ctx:REST_FULL_REQUEST_PATH" name="api_request_path" scope="transport" type="STRING"/>
<property expression="$ctx:api.ut.HTTP_METHOD" name="api_method" scope="transport" type="STRING"/>
<property expression="$ctx:api.ut.application.name" name="api_app_name" scope="transport" type="STRING"/>
<property expression="$ctx:api.ut.userName" name="api_username" scope="transport" type="STRING"/>
<call>
<endpoint>
<address uri="jms:"AAA"/>
</endpoint>
</call>
<drop/>
<send/>
</sequence>
</target>
</clone>
for response(jms_out_flow):
<sequence name="jms_out_flow" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
<clone continueParent="true">
<target>
<sequence>
<property name="RESPONSE" value="true"/>
<property name = "api_response_time" expression = "get-property('SYSTEM_TIME')" scope="transport"/>
<property name="api_message_id" expression="get-property('transactionId')" scope="transport"/>
<property value="RESPONSE" name="api_message_type" scope="transport" type="STRING"/>
<property expression="$axis2:HTTP_SC" name="http_status" scope="transport" type="STRING"/>
<call>
<endpoint>
<address uri="jms:/AAA"/>
</endpoint>
</call>
<drop/>
</sequence>
</target>
</clone>
When I execute GET request on WSO2 Manager it executes fast and successful, and PUT request is not execute and falls off after the time expires(~2min). When I remove the mediator settings for the request (jms_in_flow), PUT request starts working normally.
I think that the error is in jms_in_flow, but I can't find it.
I found in google: Enter link description here
The processing of get and put methods is different, but I don’t know how to apply it.
UPDATE.
LOGS
[2019-07-01 13:38:06,083] ERROR - Unexpected error during sending message out {org.apache.synapse.core.axis2.Axis2Sender}
org.apache.axis2.AxisFault: Did not receive a JMS response within 30000 ms to destination : temp-queue://ID:c115c33d0c81-45342-543:1:1 with JMS correlation ID : ID:c115c33d0c81-45342-543:1:1:1:1
at org.apache.axis2.transport.base.AbstractTransportSender.handleException(AbstractTransportSender.java:234)
at org.apache.axis2.transport.jms.JMSSender.waitForResponseAndProcess(JMSSender.java:435)
at org.apache.axis2.transport.jms.JMSSender.sendOverJMS(JMSSender.java:369)
at org.apache.axis2.transport.jms.JMSSender.sendMessage(JMSSender.java:192)
at org.apache.axis2.transport.base.AbstractTransportSender.invoke(AbstractTransportSender.java:112)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.send(DynamicAxisOperation.java:185)
at org.apache.synapse.core.axis2.DynamicAxisOperation$DynamicOperationClient.executeImpl(DynamicAxisOperation.java:167)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:603)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:511)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:384)
at org.apache.synapse.endpoints.AddressEndpoint.send(AddressEndpoint.java:65)
at org.apache.synapse.mediators.builtin.CallMediator.handleNonBlockingCall(CallMediator.java:276)
at org.apache.synapse.mediators.builtin.CallMediator.mediate(CallMediator.java:121)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:108)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:70)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.mediators.MediatorWorker.run(MediatorWorker.java:80)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
I'm not sure this is related. But I think you need <property action="remove" name="OUT_ONLY" value="true"/> in the out sequence too.
such as the title, where can i find the log of gateway which is only about the api`s request and response?
in the file of wso2-apigw-trace.log,I can find nothing.
You can write synapse wire logs to a separate file with an appender like this.
# WIRE_LOGFILE is set to be a DailyRollingFileAppender using a PatternLayout.
log4j.appender.WIRE_LOGFILE=org.wso2.carbon.utils.logging.appenders.CarbonDailyRollingFileAppender
log4j.appender.WIRE_LOGFILE.File=${carbon.home}/repository/logs/${instance.log}/wso2wire${instance.log}.log
log4j.appender.WIRE_LOGFILE.Append=true
log4j.appender.WIRE_LOGFILE.layout=org.wso2.carbon.utils.logging.TenantAwarePatternLayout
log4j.appender.WIRE_LOGFILE.layout.ConversionPattern=TID: [%T] [%S] [%d] %P%5p {%c} - %x %m {%c}%n
log4j.appender.WIRE_LOGFILE.layout.TenantPattern=%U%#%D [%T] [%S]
log4j.appender.WIRE_LOGFILE.threshold=DEBUG
log4j.logger.org.apache.synapse.transport.http.wire=DEBUG, WIRE_LOGFILE
log4j.additivity.org.apache.synapse.transport.http.wire=false
If you want to log request and response with a correlation id, you can write a custom sequence. Correlation id can be taken from message_id like this.
You can also get access to the log via Log Analyzer UI in Admin Portal.
Here are the instructions on how to do this in WSO2 API Cloud (hosted version of API Manager).
If you want to have details of the calls to the backend and responses in the logs, you need to also add mediation policies that would output the data. This can be done on the second step of API editing ("Implement"), as shown in the picture below:
API Cloud has these sequences pre-installed. For your own API Manager deployment, you would have to upload them manually. Here are the XML files:
In Flow:
<sequence name="debug_in_flow" xmlns="http://ws.apache.org/ns/synapse">
<log level="full" />
<log level="custom">
<property name="Host" expression="get-property('transport', 'Host')"/>
<property name="Context" expression="get-property('To')"/>
<property name="HTTP_METHOD" expression="get-property('axis2', 'HTTP_METHOD')"/>
<property name="Resource" expression="$axis2:REST_URL_POSTFIX"/>
<property name="Origin" expression="get-property('transport', 'Origin')"/>
<property name="Content-Type" expression="get-property('transport', 'Content-Type')"/>
</log>
</sequence>
Out Flow:
<sequence name="debug_out_flow" xmlns="http://ws.apache.org/ns/synapse">
<log level="full" />
<log level="custom">
<property name="EndPoint" expression="get-property('ENDPOINT_PREFIX')"/>
<property name="Content-Type" expression="get-property('transport', 'Content-Type')"/>
</log>
</sequence>
Fault Flow:
<sequence xmlns="http://ws.apache.org/ns/synapse" name="debug_json_fault">
<log level="custom">
<property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns3="http://org.apache.synapse/xsd"
name="ERROR_CODE"
expression="get-property('ERROR_CODE')"/>
<property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns3="http://org.apache.synapse/xsd"
name="ERROR_MESSAGE"
expression="get-property('ERROR_MESSAGE')"/>
<property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns3="http://org.apache.synapse/xsd"
name="ERROR_DETAIL"
expression="get-property('ERROR_DETAIL')"/>
<property xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"
xmlns:ns3="http://org.apache.synapse/xsd"
name="ERROR_EXCEPTION"
expression="get-property('ERROR_EXCEPTION')"/>
<property name="EndPoint" expression="get-property('ENDPOINT_PREFIX')"/>
<property name="Content-Type" expression="get-property('transport', 'Content-Type')"/>
</log>
<payloadFactory>
<format>
<am:fault xmlns:am="http://wso2.org/apimanager">
<am:code>$1</am:code>
<am:type>Status report</am:type>
<am:message>Runtime Error</am:message>
<am:description>$2</am:description>
</am:fault>
</format>
<args>
<arg expression="$ctx:ERROR_CODE"/>
<arg expression="$ctx:ERROR_MESSAGE"/>
</args>
</payloadFactory>
<filter xpath="$ctx:CUSTOM_HTTP_SC">
<then>
<property name="HTTP_SC" expression="$ctx:CUSTOM_HTTP_SC" scope="axis2"/>
</then>
<else>
<property name="HTTP_SC" value="500" scope="axis2"/>
</else>
</filter>
<class name="org.wso2.carbon.apimgt.usage.publisher.APIMgtFaultHandler"/>
<property name="RESPONSE" value="true"/>
<header name="To" action="remove"/>
<property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
<property name="ContentType" scope="axis2" action="remove"/>
<property name="Authorization" scope="transport" action="remove"/>
<property name="Host" scope="transport" action="remove"/>
<property name="Accept" scope="transport" action="remove"/>
<property name="X-JWT-Assertion" scope="transport" action="remove"/>
<property name="messageType" value="application/json" scope="axis2"/>
<send/>
<drop/>
I think you can find those log records from http_access_<Date>.log
File path: <APIM Home>/repositary/logs/http_access_<Date>.log
I am working with wso2esb 4.8.1. I wish to authenticate my client against wso2 esb Primary user store with Plain text password.So i have done below changes and its working fine.
I have commented the PasswordDigest element.
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
<Property name="ReadOnly">false</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="IsEmailUserName">false</Property>
<Property name="DomainCalculation">default</Property>
<!-- <Property name="PasswordDigest">SHA-256</Property> -->
<Property name="StoreSaltedPassword">true</Property>
<Property name="ReadGroups">true</Property>
<Property name="WriteGroups">true</Property>
<Property name="UserNameUniqueAcrossTenants">false</Property>
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
<Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\<>,\'\"]{3,30}$</Property>
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
<Property name="UserRolesCacheEnabled">true</Property>
<Property name="MaxRoleNameListLength">100</Property>
<Property name="MaxUserNameListLength">100</Property>
<Property name="SharedGroupEnabled">false</Property>
<Property name="SCIMEnabled">false</Property>
</UserStoreManager>
and wrote the proxy like this
<?xml version="1.0" encoding="UTF-8"?><proxy xmlns="http://ws.apache.org/ns/synapse" name="authent" transports="https,http" statistics="disable" trace="disable" startOnLoad="true">
<target>
<inSequence>
<property name="username" value="admin" scope="default" type="STRING"/>
<property name="password" value="admin" scope="default" type="STRING"/>
<dblookup>
<connection>
<pool>
<dsName>jdbc/WSO2CarbonDB</dsName>
</pool>
</connection>
<statement>
<sql>select UM_USER_NAME from UM_USER where UM_USER_NAME=? and UM_USER_PASSWORD= ?</sql>
<parameter value="faisal" type="CHAR"/>
<parameter value="faisal" type="CHAR"/>
<result name="IsUserExisted" column="UM_USER_NAME"/>
</statement>
</dblookup>
<log level="full">
<property name="IsUserExisted" expression="get-property('IsUserExisted')"/>
</log>
</inSequence>
<outSequence/>
</target>
<description/>
</proxy>
I created faisal user in my console. So its working fine.
whenever my offset is 0 that time its working fine.If i change the offset its not working.
Its returning null.
Basically i wish to use this query as my username and password validation.
So please let me know what is the issue.
Thanks in Advance.
I want to pass my query to database for retrieving the column. I am passing dynamic columns using ESB my configuration is like this
<proxy xmlns="http://ws.apache.org/ns/synapse" name="dbl3" transports="https,http" statistics="disable" trace="disable" startOnLoad="true"> <target>
<inSequence>
<property name="A" value="select e_name,e_address from emp where " scope="default" type="STRING"/>
<property name="B" expression="//fieldname/text()" scope="default" type="STRING"/>
<property name="C" expression="//fieldvalue/text()" scope="default" type="STRING"/>
<property name="D" value="=" scope="default" type="STRING"/>
<property name="E" expression="concat(get-property('A'),get-property('B'),get-property('D'),get-property('C'))" scope="default" type="STRING"/>
<dblookup>
<connection>
<pool>
<password>Youtility11</password>
<user>youtilitydba</user>
<url>jdbc:postgresql://localhost:5432/sample</url>
<driver>org.postgresql.Driver</driver>
</pool>
</connection>
<statement>
<sql>get-property('E')</sql>
<result name="ee" column="e_name"/>
</statement>
</dblookup>
<log level="custom">
<property name="AA" expression="get-property('A')"/>
<property name="BB" expression="get-property('B')"/>
<property name="CC" expression="get-property('C')"/>
<property name="DD" expression="get-property('ee')"/>
<property name="EE" expression="get-property('E')"/>
</log>
</inSequence>
<outSequence>
<send/>
</outSequence> </target> <description></description> </proxy>
My output like this:
EE = select e_name,e_address from emp where e_address=thane
EE = select e_name,e_address from emp where e_no=5
Based on input values query will generate, how can I pass the above query to the database?
My error is like this:
[2013-01-24 14:22:32,743] ERROR - DBLookupMediator Error executing statement : get-property('E') against DataSource : jdbc:postgresql://localhost:5432/sample
org.postgresql.util.PSQLException: ERROR: syntax error at or near "get"
Position: 1
at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2102)
at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:1835)
at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:257)
at org.postgresql.jdbc2.AbstractJdbc2Statement.execute(AbstractJdbc2Statement.java:500)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeWithFlags(AbstractJdbc2Statement.java:388)
at org.postgresql.jdbc2.AbstractJdbc2Statement.executeQuery(AbstractJdbc2Statement.java:273)
at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
at org.apache.commons.dbcp.DelegatingPreparedStatement.executeQuery(DelegatingPreparedStatement.java:96)
at org.apache.synapse.mediators.db.DBLookupMediator.processStatement(DBLookupMediator.java:46)
at org.apache.synapse.mediators.db.AbstractDBMediator.mediate(AbstractDBMediator.java:143)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:60)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:114)
at org.apache.synapse.core.axis2.ProxyServiceMessageReceiver.receive(ProxyServiceMessageReceiver.java:154)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:181)
at org.apache.axis2.transport.http.util.RESTUtil.invokeAxisEngine(RESTUtil.java:144)
at org.apache.axis2.transport.http.util.RESTUtil.processXMLRequest(RESTUtil.java:89)
at org.apache.synapse.transport.nhttp.util.RESTUtil.processPOSTRequest(RESTUtil.java:189)
at org.apache.synapse.transport.nhttp.ServerWorker.processEntityEnclosingMethod(ServerWorker.java:411)
at org.apache.synapse.transport.nhttp.ServerWorker.run(ServerWorker.java:268)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)
I'm afraid you can't pass a SQL statement to the "<sql/>" element of the DBLookup/DBReport mediators using "get-property" construct. Besides, I believe what you're trying to do is sort of a hack to pass variables to a SQL query. The proper way of doing this should be by using WSO2 Data Services Server. Please refer the documentation of WSO2 DSS [1] which provides you with a comprehensive guide on how to use it to achieve your data manipulative tasks with its rich set of features offered to the users.
[1] http://docs.wso2.org/wiki/display/DSS301/WSO2+Data+Services+Server+Documentation