Securing the Management API¶
The Management API of WSO2 Micro Integrator is an internal REST API, which was introduced to substitute the admin services that were available in WSO2 EI 6.x.x.
The Micro Integrator CLI and the Micro Integrator dashboard communicates with this service to obtain administrative information of the server instance and to perform various administration tasks. If required, you can directly access the management API without using the dashboard or CLI.
See the topics given below information on securing the management API.
JWT-based user authentication is enabled for the management API by default. This ensures that users that log in to the management API or log out will be authenticated.
The following resources of the API handles login and logout:
/login: This resource is used to obtain a JWT token for the provided user name and password and it is protected by basic auth.
/logout: This resource is used to revoke the JWT token.
When you access the management API directly, you must first acquire a JWT token with your valid username and password. To log out of the management API, this token must be revoked. See securely invoking the management API for more information.
Disable user authentication¶
If security is not required, you can simply disable the handler for the Micro Integrator. Open the
deployment.toml file (stored in the
MI_HOME/conf/ directory) and add the following configuration:
[management_api.jwt_token_security_handler] enable = false
Update token store configurations¶
Add the following configuration section to the
deployment.toml file and change the default values.
[management_api.jwt_token_security_handler] token_store_config.max_size= "200" token_store_config.clean_up_interval= "600" token_store_config.remove_oldest_token_on_overflow= "true" token_config.expiry= "3600" token_config.size= "2048"
||Number of tokens stored in the in memory token store. User can increase or decrease this value accordingly.|
||Token cleanup will be handled through a seperate thread and the frequency of the token clean up can be configured from this setting. This will clean all the expired and revoked security tokens. The thread will run only when there are tokens in the store. If it is empty, the cleanup thread will automatically stop. Interval is specified in seconds.|
If set to
||This configures the expiry time of the token (specified in seconds).|
||Specifies the key size of the token.|
Authorization can be set for resources that only need to be invoked by admin users. The
/management/users resource is by default secured with authorization, meaning that only users with admin privileges can access this resource.
Add the following to the
[management_api.authorization_handler] enable = false
Enable authorization for other resources¶
If you want to enable authorization for any resources other than
/users, open the
deployment.toml file (stored in
MI_HOME/conf/ directory) and add the following:
Note that the
/users resource is secured by default. However, you need to redefine the
/users resource (as shown below) in cases where you need to customize the resources that need authorization. Failing to do so will remove authorization from the
[[management_api.authorization_handler.resources]] path = "/users" [[management_api.authorization_handler.resources]] path = "/apis"
CORS is enabled for the management API by default. The default configuration allows all origins (denoted by the
* symbol). The
Authorization header is also enabled by default to cater to the functionalities of the the Micro Integrator dashboard.
Add the following to the
deployment.toml file and update the values.
[management_api.cors] enabled = true allowed_origins = "https://127.0.0.1:9743,https://wso2.com:9743" allowed_headers = "Authorization"