Securing REST APIs
In most real-world uses of REST, when a consumer attempts to access a privileged resource, access is denied unless the consumer's credentials are supplied in an Authorization header. By default, the Micro Integrator validates the credentials provided in the Authorization header against the credentials of the users registered in the user store connected to the server.
Info: The Micro Integrator uses a Basic Auth handler for this purpose. If required, you can use a custom basic auth handler or other security implementations. Find out more about applying security to REST APIs.
Synapse configuration
Following is a sample REST API configuration that can be used to implement this scenario. See the instructions on how to build and run this example.
Note: The basic auth handler is engaged in the API as follows:

```xml
<handlers>
    <handler class="org.wso2.micro.integrator.security.handler.RESTBasicAuthHandler"/>
</handlers>
```

See the REST API given below for an example of how the default basic auth handler is used.
```xml
<api xmlns="http://ws.apache.org/ns/synapse" name="StockQuoteAPI" context="/stockquote">
    <resource methods="GET" uri-template="/view/{symbol}">
        <inSequence>
            <payloadFactory media-type="xml">
                <format>
                    <m0:getQuote xmlns:m0="http://services.samples">
                        <m0:request>
                            <m0:symbol>$1</m0:symbol>
                        </m0:request>
                    </m0:getQuote>
                </format>
                <args>
                    <arg evaluator="xml" expression="get-property('uri.var.symbol')"/>
                </args>
            </payloadFactory>
            <header name="Action" scope="default" value="urn:getQuote"/>
            <send>
                <endpoint>
                    <address uri="http://localhost:9000/services/SimpleStockQuoteService" format="soap11"/>
                </endpoint>
            </send>
        </inSequence>
        <outSequence>
            <send/>
        </outSequence>
        <faultSequence/>
    </resource>
    <handlers>
        <handler class="org.wso2.micro.integrator.security.handler.RESTBasicAuthHandler"/>
    </handlers>
</api>
```
Build and run
Create the artifacts:
- Set up WSO2 Integration Studio.
- Create an ESB Solution project.
- Create the REST API with the configuration given above.
- Deploy the artifacts in your Micro Integrator.
Configure a read-only LDAP user store.
Set up the back-end service:
- Download the stockquote_service.jar.
- Open a terminal, navigate to the location of the downloaded service, and run it using the following command:

  ```bash
  java -jar stockquote_service.jar
  ```
Test the API:
- First, invoke the service using the following service URL without providing any user credentials:

  ```
  http://127.0.0.1:8290/stockquote/view/IBM
  ```

  Info: You can invoke the service using Postman or curl.

  ```bash
  curl -v http://127.0.0.1:8290/stockquote/view/IBM
  ```

  Note that you will receive the following error because no username and password were passed, so the request cannot be authenticated:

  ```
  401 Unauthorized
  ```

- Now, invoke the service again, providing the credentials of a user that is registered in the user store connected to the server:

  ```bash
  curl -v http://127.0.0.1:8290/stockquote/view/IBM -H "Authorization: Basic YWRtaW46YWRtaW4="
  ```

  Info: The credentials (YWRtaW46YWRtaW4=) in the authorization header (Authorization: Basic YWRtaW46YWRtaW4=) are the Base64-encoded username and password in the format username:password.

  The request is passed to the back-end service and you will receive a response similar to what is shown below:
```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns:getQuoteResponse xmlns:ns="http://services.samples">
            <ns:return xmlns:ax21="http://services.samples/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ax21:GetQuoteResponse">
                <ax21:change>-2.6989539095024164</ax21:change>
                <ax21:earnings>12.851852793420885</ax21:earnings>
                <ax21:high>-166.81703170012037</ax21:high>
                <ax21:last>170.03627716039932</ax21:last>
                <ax21:lastTradeTimestamp>Mon Jul 30 15:10:56 IST 2018</ax21:lastTradeTimestamp>
                <ax21:low>178.02122263133768</ax21:low>
                <ax21:marketCap>-7306984.135450081</ax21:marketCap>
                <ax21:name>IBM Company</ax21:name>
                <ax21:open>-165.86249647643422</ax21:open>
                <ax21:peRatio>23.443106773044992</ax21:peRatio>
                <ax21:percentageChange>1.5959734616866617</ax21:percentageChange>
                <ax21:prevClose>-169.11019978052138</ax21:prevClose>
                <ax21:symbol>IBM</ax21:symbol>
                <ax21:volume>9897</ax21:volume>
            </ns:return>
        </ns:getQuoteResponse>
    </soapenv:Body>
</soapenv:Envelope>
```
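The decision the basic auth handler makes for each request, in outline: parse the Authorization header, Base64-decode it, split username:password, check the pair against the user store, and answer 401 Unauthorized when anything is missing or wrong. The Python below is an added illustration of that flow, not WSO2's handler code; the in-memory USER_STORE is a constructed stand-in for the user store connected to the server, and the example also covers edge cases the page does not walk through (a non-Basic scheme, malformed Base64, a password containing a colon).

```python
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for the user store (username -> password). A real
# deployment validates against the configured user store, e.g. LDAP.
USER_STORE: Dict[str, str] = {"admin": "admin"}


def basic_auth_header(username: str, password: str) -> str:
    """Build the value a client sends, e.g. 'Basic YWRtaW46YWRtaW4='."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an Authorization header value, or
    None if the header is absent, not Basic, or not valid Base64 'user:pass'."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields: a password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def handle_request(headers: Dict[str, str]) -> int:
    """Mimic the handler's outcome: 200 to pass the request on, 401 otherwise."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401
    username, password = creds
    expected = USER_STORE.get(username)
    # Constant-time comparison so a wrong password does not leak how much matched.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401
    return 200
```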