I wish to update the proxy generated default Url. I have followed How to change WSO2 ESB URL but the solution provided there was not working and even i wish to block generating two urls for soap bindings depending on version.
Any help please
You have to redirect to the default URL from the main sequence of the ESB. Following article explains the configurations
http://achala11.blogspot.com/2012/08/access-wsdl-for-customuri-wso2-esb.html
Related
I am trying to set up WSO2 Identity Server behind a reverse proxy for SSL offloading. For example, let's say if WSO2 IS is available at say https://<some-ip>:9443/, I am trying to put it behind reverse proxy with address such as https://<domain name>/is/. Note the context path /is and SSL port 443. I thought that this will be trivial enough but sadly I am unable to find any conclusive documentation for achieving the same.
My applications are using OIDC to connect to WSO2 IS and using Azure Application Gateway as reverse proxy - typically all API calls works well but neither of UI (or flows involving redirections) works due to context. I can also fix redirects by URL rewriting at reverse proxy but that still doesn't solve problems. For example, login page will appear but XHR call from the same will go to /logincontext instead of /is/logincontext. Where can I set up the proxy context path in WSO2 IS? I already tried setting the same in .toml file (equivalent of setting it in carbon.xml) but it seems to be affecting only Management Portal.
WSo2 IS documentation talks about setting it up behind ngnix but that documentation is not using any path context. I could find reverse proxy documentation for other WSO2 product such as WSO2 API Manager but it only involves updating carbon.xml and that doesn't work for WSO2 IS. I am not a java person and hence, finding it difficult to figure out web app organization of WSO2.
Any help/link to documentation/guide to set up with proxy context will be useful.
I know that this answer comes a little bit late but recently I had a similar issue and here it is how I made it work, maybe it could be helpful for someone. I was using WSO2 IS 5.11.0.
Note:
I checked similar questions on stackoverflow and found a few but none was enough by itself for my case.
Maybe the solution I came up with is not the best or the most correct but it is the only one I could make work.
Here's how I did, assuming the context path is is:
Open Carbon Management Console and go to Identity Providers -> Resident. Then, go to Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Here, change the hostname under Identity Provider Entity ID to https://domain_name:443/is/<remaining path>.
Make sure that the port number is present or absent both here and in the client application. If there is a mismatch between the two, for some reason, it won't work (or at least it didn't for me).
Open the file deployment.toml and modify it as follows:
under the [server] section, add your proxy context at the end of the base_path url, e.g. base_path = "https://$ref{server.hostname}:${carbon.management.port}/is";
of course, also add proxy_context_path = "is" (actually, this last line should be enough but for some reason in my case it wasn't, so I had to modify the base path too);
under [transport.https.properties] add proxyPort="443".
For the record, I also turned off compression, by adding:
[transport.http.properties]
compression="off"
[transport.https.properties]
...
compression="off"
and set the token issuer URL equal to the entity id set up in Carbon, with:
[oauth]
use_entityid_as_issuer_in_oidc_discovery = true
but found out that these last two steps (turning off compression and setting the entity id as issuer) weren't needed.
Disable the csrf guard by setting org.owasp.csrfguard.Enabled = false
in the file /repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2.
This step was necessary for me to avoid the 403 Error after logging in on the Carbon Console (turning off compression didn't work).
Lastly, if you use nginx as reverse proxy (as I did), add these two lines in the location used for wso2:
proxy_redirect https://domain_name/oauth2/ https://domain_name/is/oauth2/;
proxy_redirect https://domain_name/carbon/ https://domain_name/is/carbon/;
These are needed (or at least were for me) because some URLs are not under the context path. In particular, the last one allows you to open the Carbon Console at https://domain_name/is/carbon/.
References:
wso2 api manger carbon page gives 403 Forbidden
WSO2 Identity Server login returns a 403
WSO2 Identity Server port configuration
To understand the template-based configuration model adopted from version 5.9.0 onwards, see:
https://apim.docs.wso2.com/en/latest/reference/understanding-the-new-configuration-model/
https://mcvidanagama.medium.com/understand-wso2-api-managers-new-configuration-model-6425a2710faa
Here are some useful configuration mappings from the old xml to the new toml based model:
https://github.com/ayshsandu/samples/tree/master/config-mapping
I need to add a WebRootContext to all the calls in the WSO2 Identity Server's Implicit Flow so that I can make calls through an API Gateway. I have managed to do this for all the calls I need by changing the
<WebContextRoot>/wso2-is<WebContextRoot>
property as well as changing the name of my webapp folders: wso2-is#authenticationendpoint and wso2-is#oauth2 endpoints. I can now successfully call http://localhost:9443/wso2-is/oauth2/authorize.
I also changed the endpoints in repository/conf/identity/identity.xml to include the wso2-is root context, specifically the OAuth2AuthzEPUrl, so that in the management console this shows up under identity:
However, after I login, the application calls http://localhost:9443/wso2-is/commonauth which has a return location of http://localhost:9443/oauth2/authorize?sessionDataKey=... and I can't figure out how to add my context root to the returning call. Where does the commonauth endpoint get the location it returns to? I'm assuming there is some property I need to set to make that happen, but I can't find it.
I also tried re-seeding the database with all my changes and this did not solve my issue either.
I looked in the source code here in github and couldn't find any references to commonauth or oauth2/authorize that stood out as to where this call is being formed. Any additional details would be greatly appreciated.
As per the official documentation, using a reverse proxy is the recommended way to add a custom context path to wso2 products.
However, as I wrote in another question, I could complete the implicit flow with local auth successfully with the mentioned configs in my answer.
I guess, what you are missing here is ProxyContextPath.
I'm running WSO2 5.7.0, using OIDC with the Implicit Flow. I have set the context root to wso2-is, so the authorize endpoint is located at http://MY_DOMAIN/wso2-is/oauth2/authorize. When I begin the flow with a GET call to the oauth2/authorizeendpoint, I am redirected to http://MY_DOMAIN/authenticationendpoint/login.do?client_id=MY_CLIENT_ID&commonAuthCallerPath=%2Foauth2%2Fauthorize....
The problem is that it drops the context root and so later in the Implicit Flow I am (incorrectly) redirected to http://MY_DOMAIN/oauth2/authorize, which fails because that URL lacks the context root of wso2-is. How/where in the code is the commonAuthCallerPath parameter set?
As per the official documentation, using a reverse proxy is the recommended way to add a custom context path to wso2 products.
If you are not going to use a reverse proxy, I would suggest the following steps to add a custom context path. But, note that I have tested basic authentication with oauth2/oidc only.
Set WebContextRoot in repository/conf/carbon.xml to /wso2-is to change the context path of the carbon management console
Set ProxyContextPath in repository/conf/carbon.xml to /wso2-is
Rename oauth2.war and authenticationendpoint.war in repository/deployment/server/webapps/ by adding a prefix wso2-is#
Update repository/conf/indeitiy/identity.xml all the relevent instances of the following pattern by adding the context path /wso2-is after the port
${carbon.protocol}://${carbon.host}:${carbon.management.port}/xxxxx
to
${carbon.protocol}://${carbon.host}:${carbon.management.port}/wso2-is/xxxxx
Update AuthenticationEndpointURL, AuthenticationEndpointRetryURL and AuthenticationEndpointMissingClaimsURL values in repository/conf/identity/application-authentication.xml by adding /wso2-is prefix
Restart the Identity Server
Do not forget that, this is not the recommended way in the documentation.
This problem is somewhat involved. The short version is that my custom error.html is obeyed sometimes, but not others when using Embedded Jetty/RESTeasy. A small example can be found at https://github.com/pepperdog/sensus (the initial commit).
I have configured the web.xml with a custom error page:
<error-page>
<error-code>404</error-code>
<location>/util/error.html</location>
</error-page>
And this works if you hit a random URL: http://localhost:8080/XYZ
If you hit a RESTeasy URL configured in the web.xml: http://localhost:8080/ListMessages/books this works fine
If you hit a non-existent URL within the RESTeasy domain: http://localhost:8080/ListMessages/books_nonexistent
you only get the standard blank page 404, and not the custom 404. This has not been my past experience using RESTeasy inside a tomcat container, so my assumption is that it is Jetty related. Is this just the way it is, or am I missing something?
Thanks for any answers.
This is a very old question, but I came across while trying to solve the issue for myself.
If anybody is still looking, the solution is to implement RESTeasy as a Filter instead of a servlet. Per the docs: "The downside of running Resteasy as a Servlet is that you cannot have static resources like .html and .jpeg files in the same path as your JAX-RS services. Resteasy allows you to run as a Filter instead. If a JAX-RS resource is not found under the URL requested, Resteasy will delegate back to the base servlet container to resolve URLs."
I am looking to change the structure of the URL generated by the WSO2 API Manager for a defined service by switching the position of the version number. For example, the default for a service is
http://localhost:8020/some_service/1.0.0
however, I would prefer to have it as
http://localhost:8020/1.0.0/some_service/
My 2cts; you could put Apache with mod-proxy and mod-rewrite module or HAProxy in front of WSO2 AM and user rewrite rules on the URL's.
That URL format is fixed one and generally that is the URL format is followed. If you like to change the format, there is no way, but you can define the version with context and make a preferred url pattern. But again version must be filled.