I would like to share a web service which is deployed in the super tenant with other tenants. As far as I know everyone can access the super admin services if they are using the http://localhost:8280/services/echo?wsdl URL. But I do not want just to access the super tenant application, I would also like to see the request count on the correct tenant. Do I have to deploy the same application to every tenant and call the service with the proper URL (http://localhost.com:8280/services/t/tenantname/echo?wsdl) to collect the request counts?
Is there any other way to do this? For example, maybe I could put a header variable in my request which shows which tenant is calling the application etc., and with this kind of approach I would not have to deploy my service to other tenants.
You can use code something like:
int tenantId = MultitenantUtils.getTenantId(this.getConfigContext());
to get the tenant ID of the current tenant and send it either in the message itself or in the header. Then you can record the tenants accessed in the server side, by counting the tenant IDs.
This will help you to get the tenant ID.
One possibility is to deploy the application at each tenant. Then you get a separate URL for each.
Or else you can make your service multi-tenant aware. For this you need to make the service secured. When logging into the service, we can determine the tenant using the user name. For example, user foo should be a super tenant user, while foo#bar.com should belong to the bar.com tenant. In this case the Carbon framework does this authentication and sets the tenant details in the Carbon context. You can access that at the service level, e.g. CarbonContext.getCurrentContext().getTenantID(), or with the method Maninda has mentioned.
The org.wso2.carbon.tomcat.ext.internal.Utils class has a function named getTenantDomain.
I have changed this method to find the tenant domain from headers, so it is working like a charm :)
I think WSO2 also plans to customize this method.
We have a multi-tenant application and some tenants need data pre-processing to modify incoming data from third-party modules.
Therefore we use tenant-specific BPMs like in the image below (tenant-specific BPMN).
There we need a callActivity to call an internal dataPreProcess which has no tenant defined.
The problem is, how can I set the tenant id to 'no tenant' so that the multi-tenant specific workflow is called?
Information:
We don't have a chance to deploy the internal data pre-process as a tenant-specific BPM, because the tenants are dynamic.
After I posted the question it was so easy....
In the Groovy script 'LF011' set a variable like
execution.setVariable('tenant', null)
So in the callActivity you can use '${tenant}' as the Tenant id, that's it....
I have a web app where the front-end layer has an Angular-based UI. It has both public pages and other private pages which are accessible to logged-in users, and it depends on the roles of the logged-in users as well.
My server-based application is a Java-based REST service API.
How can I use WSO2 to handle user authentication and role-based authorisation? I would like to have an additional layer of API security depending on the role of the user as well.
Can someone explain the best architecture for this in WSO2?
If I use WSO2 API Manager, how can I handle logins of the user and how do I relate API access to the role of the logged-in user?
thanks in advance
You can use WSO2 App Manager to control the access of any web apps [1]. App Manager supports role-based access control as well as XACML policy-based access control. In order to provide API-level role-based security you can use scopes [2] in WSO2 API Manager.
[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization
Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.
Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only endpoint URLs are different in APIM like this.
Token: https://localhost:8243/token
Revoke: https://localhost:8243/revoke
Authorize: https://localhost:8243/authorize
There, when a user logs in, you get an ID token which contains user claims. You can allow/deny page views depending on that data.
In the above step, you create an SP and generate a client key-secret pair. You can set the same keys in APIM's application. Read this.
Then, as I mentioned here, you can use scopes to secure your APIs by roles.
I recently updated my environment from WSO2 IS 5.0.0 to WSO2 IS 5.2.0. My environment consists of 2 machines that are creating a cluster (using the WKA membership scheme and Load Balancer(AWS ELB) with sticky session enabled). I am using MySQL(not the default H2 database). The machines on which the IS is deployed are Windows Server 2012 R2 (EC2 AWS machines). I am also using the so called WSO2 IS Admin services.
As mentioned in the heading I am consuming the UserProfileMgtService
(https://url:port/services/UserProfileMgtService?wsdl).
In combination with it I am using OAuth2TokenValidationService
(https://url:port/services/OAuth2TokenValidationService?wsdl).
If I pass a valid access token to the OAuth2TokenValidationService I am able to fill an OAuth2TokenValidationResponseDTO object with data by using the Validate method of the OAuth2TokenValidationService. As a result I am able to extract the authorizedUser and pass it to the getUserProfile method of the UserProfileMgtService. I am using the standard carbon.super domain and I am using the email as username. For example I am passing the following two parameters to getUserProfile:
"admin#admin.com#carbon.super" as username
"default" as profileName
And as a result I receive the following message:
UserNotFound: User admin#admin.com#carbon.super does not exist in: PRIMARY
If I remove the "#carbon.super" from the authorizedUser, everything is fine and I am able to get the user profile information. This is quite important for me since I am using the multitenancy of the IS and there is a case that I might have the following users:
admin#admin.com#test.net
admin#admin.com#test2.net
I noticed that this service was not working this way in WSO2 IS 5.0.0. I started experiencing this issue after the upgrade.
Is this the desired behavior, introduced because of the change in the API in IS 5.2.0? If so, is there another way to get the user profile using the "username"+"tenant-domain" (that is retrieved by the OAuth2TokenValidationService as the authorized user when passing a valid access token)?
Is it possible that this is caused by misconfiguration? If so, which is the file that needs to be updated and what exactly should be modified in it?
Is there a place where more information could be retrieved for the WSO2 IS 5.2.0 Admin Services?
Thanks in advance.
UserProfileMgtService in Identity Server is an Admin Service. In WSO2 Admin Services, the tenant domain is identified from the authenticated user and it should not be passed with the username.
The username should be a tenant-free username.
So, you can remove the carbon.super portion from the username and then it will work.
In a tenant setup, you need to authenticate with a tenant user (e.g. admin#admin.com#test.net) in order to access these APIs. So, like in the super tenant, you can use the tenant-free username and then it will work.
For example, if you want to get the user profile of user testuser#admin.com in tenant domain test.net, your request should be like the image below.
Thanks
Isura.
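Added example, not code from the page or from WSO2, covering two answers above: the answers to the first question, which count requests by the tenant of the caller (Maninda's tenant-ID method and the "foo" vs "foo#bar.com" rule), and Isura's answer, which says Admin Services want a tenant-free username. It assumes WSO2's '@' separator in user@tenantdomain, which this page's scraped text renders as '#'; the class and method names are the example's own. The counter is keyed on the identity the framework authenticated rather than on a caller-supplied header, since a header value is whatever the caller chooses to send.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;

/**
 * Tenant-qualified username handling (added example; not page or WSO2 code).
 * WSO2 writes such usernames as user@tenantdomain. Because a username may itself
 * be an e-mail address, the tenant domain is whatever follows the LAST '@'.
 */
public final class TenantUsername {

    /** Domain WSO2 uses for the super tenant. */
    public static final String SUPER_TENANT_DOMAIN = "carbon.super";

    private TenantUsername() {
    }

    /** "foo" -> carbon.super, "foo@bar.com" -> bar.com, "admin@admin.com@test.net" -> test.net. */
    public static String tenantDomainOf(String username) {
        int at = username.lastIndexOf('@');
        if (at < 0) {
            return SUPER_TENANT_DOMAIN;
        }
        return username.substring(at + 1).toLowerCase();
    }

    /** The tenant-free username the Admin Services expect: everything before the last '@'. */
    public static String tenantFreeUsernameOf(String username) {
        int at = username.lastIndexOf('@');
        return at < 0 ? username : username.substring(0, at);
    }

    /** Request counts per tenant, keyed by the tenant domain of the authenticated user. */
    public static final class TenantRequestCounter {
        private final Map<String, LongAdder> counts = new ConcurrentHashMap<>();

        /** Call once per request with the username the framework authenticated, not a request header. */
        public void record(String authenticatedUsername) {
            counts.computeIfAbsent(tenantDomainOf(authenticatedUsername), k -> new LongAdder()).increment();
        }

        public long countFor(String tenantDomain) {
            LongAdder adder = counts.get(tenantDomain.toLowerCase());
            return adder == null ? 0L : adder.sum();
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one authenticated username per request.
        String[] requests = {
            "foo",                          // super tenant user
            "foo@bar.com",                  // user foo of tenant bar.com
            "admin@admin.com@test.net",     // e-mail username in tenant test.net
            "admin@admin.com@test2.net",
            "admin@admin.com@carbon.super"  // e-mail username in the super tenant, fully qualified
        };
        TenantRequestCounter counter = new TenantRequestCounter();
        for (String user : requests) {
            counter.record(user);
            System.out.printf("%-30s tenant=%-14s tenant-free=%s%n",
                    user, tenantDomainOf(user), tenantFreeUsernameOf(user));
        }
        for (String tenant : new String[] {"carbon.super", "bar.com", "test.net", "test2.net"}) {
            System.out.printf("%-14s requests=%d%n", tenant, counter.countFor(tenant));
        }

        // Edge case behind the UserNotFound question above: with e-mail usernames, an
        // unqualified "admin@admin.com" splits as user "admin" in tenant "admin.com",
        // which is why the super tenant user comes back qualified with "@carbon.super".
        System.out.println("admin@admin.com splits to tenant " + tenantDomainOf("admin@admin.com"));
    }
}
```

The split on the last '@' is what makes the "admin@admin.com@carbon.super" form necessary when e-mail usernames are enabled: the validation service returns the qualified form, and the Admin Service wants the part before the last separator.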
Brand new, checking out wso2 API manager 1.8.0. I work for a corp with multiple organizations/teams, so setting up multi-tenancy seems like the logical choice.
Following the quick start guide, I first created a new tenant, gave it a domain of "dev.api.myorg.company.net", added some users to it, and I can log in. I added one API.
I am able to hit the endpoint using the URL listed in the store:
http://wso2server.company.net:8280/t/dev.api.myorg.company.net/apiname/v1/endpoint
But my expectation was that configuring this tenant with a domain would allow me to hit:
http://dev.api.myorg.company.net:8280/apiname/v1/endpoint
I have pointed the dev domain to the wso2server IP, but when I try to access using the dev api I get:
http://pastebin.com/VNXjEv3y
Am I just missing something completely obvious? Is there extra work to make wso2 allow tenants to point their domains at it?
I have spent the last hour and a half googling and searching through tagged wso2 here, but google mostly points to the wso2 multi-tenant docs page, which is like a single page without any details.
Any pointers to better docs or suggestions for better search terms? I've tried combinations of:
wso2 multi tenant tenancy domains hosts how to access
When you create an API in a tenant it will get the following URL pattern:
http://<IP-where-apimanager-is-hosted>:8280/t/<tenantdomain>/<apiname>/<version>/
where 't' denotes that this API URL is specific to a tenant and tenantdomain denotes which tenant.
But for the super tenant the URL will be as follows:
http://<IP-where-apimanager-is-hosted>:8280/<apiname>/<version>/
For tenants, the domain is just a name (it has no mapping to an IP). So APIM will not work as you expect, because you need to specify the IP (or domain) where APIM is hosted in the URL.
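Added example, not the gateway's own code, implementing the two URL patterns this answer gives: the tenant is taken from the /t/<tenantdomain>/ prefix of the path, and a path without that prefix belongs to the super tenant. It also makes the answer's point concrete: the host name or IP in the request is never consulted, so pointing dev.api.myorg.company.net at the server changes nothing. Treating "t" as a reserved first segment and the hostname-like tenant pattern are this example's assumptions.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Resolves which tenant an API Manager gateway request path belongs to
 * (added example; not the gateway's code). Patterns from the answer above:
 *   /t/<tenantdomain>/<apiname>/<version>/...   tenant API
 *   /<apiname>/<version>/...                    super tenant API
 */
public final class TenantApiPath {

    public static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /** Result of resolving a path. */
    public static final class ApiRef {
        public final String tenantDomain;
        public final String apiName;
        public final String version;

        ApiRef(String tenantDomain, String apiName, String version) {
            this.tenantDomain = tenantDomain;
            this.apiName = apiName;
            this.version = version;
        }

        @Override
        public String toString() {
            return "tenant=" + tenantDomain + " api=" + apiName + " version=" + version;
        }
    }

    // A tenant domain looks like a host name: letters, digits, dots and hyphens only.
    private static final Pattern TENANT_PATH =
            Pattern.compile("^/t/([A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)/([^/]+)/([^/]+)(?:/.*)?$");
    private static final Pattern SUPER_PATH =
            Pattern.compile("^/([^/]+)/([^/]+)(?:/.*)?$");
    // API name and version segments may not be dot-segments, so "/t/x/../admin" style paths are rejected.
    private static final Pattern SEGMENT = Pattern.compile("^[A-Za-z0-9_-]+(?:\\.[A-Za-z0-9_-]+)*$");

    private TenantApiPath() {
    }

    /** Returns the tenant, API and version a path addresses, or empty if it matches neither pattern. */
    public static Optional<ApiRef> resolve(String rawPath) {
        if (rawPath == null || rawPath.contains("//") || rawPath.contains("\\")) {
            return Optional.empty();
        }
        int q = rawPath.indexOf('?');
        String path = q < 0 ? rawPath : rawPath.substring(0, q); // the query string plays no part

        Matcher m = TENANT_PATH.matcher(path);
        if (m.matches()) {
            return build(m.group(1).toLowerCase(Locale.ROOT), m.group(2), m.group(3));
        }
        m = SUPER_PATH.matcher(path);
        if (m.matches()) {
            // "t" is the tenant prefix; a "/t/..." path that failed above is not a super tenant API.
            if (m.group(1).equals("t")) {
                return Optional.empty();
            }
            return build(SUPER_TENANT_DOMAIN, m.group(1), m.group(2));
        }
        return Optional.empty();
    }

    private static Optional<ApiRef> build(String tenant, String api, String version) {
        if (!SEGMENT.matcher(api).matches() || !SEGMENT.matcher(version).matches()) {
            return Optional.empty();
        }
        return Optional.of(new ApiRef(tenant, api, version));
    }

    public static void main(String[] args) {
        // Constructed sample paths; the first two are the ones from the question above.
        String[] paths = {
            "/t/dev.api.myorg.company.net/apiname/v1/endpoint",
            "/apiname/v1/endpoint",
            "/t/dev.api.myorg.company.net/apiname",
            "/t/bar.com/../admin/v1",
            "/t//apiname/v1"
        };
        for (String p : paths) {
            System.out.printf("%-50s -> %s%n", p, resolve(p).map(ApiRef::toString).orElse("no API"));
        }
    }
}
```

Only the path decides the tenant here, which is exactly why the tenant's DNS name alone does not route to its APIs: the gateway would still need the /t/<tenantdomain>/ prefix (or a separate host-based mapping that this example does not implement).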
I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since they have no related API key, so everyone can access them.
For that reason I have tried to add an access token from the ESB, but that will not authenticate the API Manager's users (like Apisubscriber), only the users inside the ESB (even if I have configured an external JDBC DB for both the API Manager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or how do I control the access to the published WSDLs in the API Store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios; in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB ("admin/everyone...") and only accepts users defined in the ESB's user store ("admin/admin" and others you might have created).
I have the ESB and AM configured to share the same MySQL DB for the user store, but that does not work in my security scenario described before: if I create a user "apicreator" inside AM and I create "usertest" inside the ESB, they store the users inside the same MySQL DB, but under a different "tenant", i.e. "apicreator" is not a valid user to authenticate in my security scenario (UsernameToken). I hope this description helps to clarify the problem. Thanks
With WSO2 API Manager, you can't control the access to a published WSDL in the API Store. Currently there's no way of creating an API key for WSDLs from the API Manager. That control has to be done through your back-end service. However, when creating an API from WSO2 API Manager, giving the WSDL URL as an input is not a required field, but an optional one.
Apart from that, I'm not clear about your following phrase: "For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB". Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji