Reputation: 73
Using WSO2ESB I am trying to add security and expose unsecured REST APIs running in WSO2DSS. Basically I want to store the username/password in the user store in ESB with roles and give access to APIs based on the roles. I understand the client should send the authorization token in the 'Authorization' HTTP header. So how can I configure ESB to compare this token with the user store and allow access to particular services only? I am using ESB because there are some transformations to be done on the response before sending it to the client. Any broad ideas would help.
Thank you
Upvotes: 3
Views: 200
Reputation: 73
I am able to use HTTP Basic authentication with the help of http://suhan-opensource.blogspot.co.uk/2016/08/wso2-dss-secure-data-service-using.html.
Please note that the latest version of WSO2ESB or DSS doesn't let you add security directly from the Management Console. Either use the Developer Studio or edit the XML source directly.
Upvotes: 1
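The check that the Basic-auth setup above has to perform, written out as a stand-alone model so the moving parts are visible. This is an added example, not code from the linked blog post or from WSO2: it parses the `Authorization: Basic` header per RFC 7617, verifies the credentials against a user store, and lets the call through only if one of the user's roles is allowed for the requested backend service. The in-memory user store, the users `alice`/`bob`, the `/services/...` paths and the role table are all constructed for the example; in the ESB the equivalent lookups would go to the Carbon user store.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed in-memory user store standing in for the ESB user store.
# Passwords are kept as salted PBKDF2 hashes, never in clear text.
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, roles: List[str]) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


USER_STORE: Dict[str, Dict] = {
    "alice": make_user("correct horse", ["admin", "reporting"]),
    "bob": make_user("battery staple", ["reporting"]),
}

# Which roles may reach which backend (DSS) service, keyed by path prefix.
# Anything not listed here is unreachable through the gateway (deny by default).
SERVICE_ROLES: Dict[str, Set[str]] = {
    "/services/orders": {"admin"},
    "/services/reports": {"admin", "reporting"},
}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from 'Basic <base64>', or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain ':', so split on the first one;
    # the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(user: str, password: str) -> Optional[Set[str]]:
    """Check credentials against the store; return the user's roles or None."""
    entry = USER_STORE.get(user)
    # Always run the hash, with a dummy salt for unknown users, so the response
    # time does not reveal whether the username exists.
    salt = entry["salt"] if entry else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if entry is None or not hmac.compare_digest(candidate, entry["hash"]):
        return None
    return entry["roles"]


def authorize(path: str, roles: Set[str]) -> bool:
    """Allow only if the path is a listed service and the user holds an allowed role."""
    for prefix, allowed in SERVICE_ROLES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return bool(roles & allowed)
    return False


def check_request(path: str, headers: Dict[str, str]) -> int:
    """Return the status the gateway answers with: 200 = forward to DSS, 401/403 = stop."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401
    roles = authenticate(*creds)
    if roles is None:
        return 401
    return 200 if authorize(path, roles) else 403


def basic_header(user: str, password: str) -> str:
    """Build the header a client would send (used for the sample calls)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Two things the ESB configuration must also get right: Basic credentials travel on every request, so the API has to be exposed over HTTPS only, and the role table should be the only way a path becomes reachable, so a newly deployed DSS service is closed until someone explicitly maps roles to it.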
Reputation: 12075
There are several approaches.
Direct authorization: The simplest way is you enable the service security (on the management console), select the "username token" and then select the allowed roles. This way the client must send either:
Keep it simple. For most of the use cases this approach is good enough.
Delegated authorization: Having a 3rd party PDP (a service which says the user may access your service).
For fine-grained authorization (e.g. only a specific role at specific hours of the day, etc.) you can use the XACML EntitlementService (from the WSO2IS or AM) to authorize the call.
For authenticated users from other systems, the simplest approach is to use a Bearer token you can validate (e.g. using the API Manager, as already mentioned in other answers).
Upvotes: 0
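The delegated model from the answer above, as an added example that is not WSO2's EntitlementService, the entitlement mediator, or any real XACML engine: a small in-process policy decision point (PDP) evaluating XACML-style rules over subject roles, resource, action and hour of day with deny-overrides combining, plus the gateway-side policy enforcement point (PEP) that lets a call through only on an explicit Permit and fails closed when the PDP cannot be reached. The policy, the `/services/...` resources and the users are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Iterable, List, Optional, Set


@dataclass
class Request:
    """What the PEP sends to the PDP about one call (XACML-style attributes)."""
    subject: str
    roles: Set[str]
    resource: str
    action: str
    time: datetime


@dataclass
class Rule:
    """One policy rule: matches on roles, resource prefix, actions and hour of day."""
    effect: str                                       # "Permit" or "Deny"
    roles: Set[str] = field(default_factory=set)      # any of these; empty = any subject
    resource_prefix: str = "/"
    actions: Set[str] = field(default_factory=set)    # empty = any action
    hours: Optional[range] = None                     # e.g. range(8, 18) = 08:00-17:59

    def applies(self, r: Request) -> bool:
        if self.roles and not (self.roles & r.roles):
            return False
        prefix = self.resource_prefix.rstrip("/")
        if not (r.resource == self.resource_prefix or r.resource.startswith(prefix + "/")):
            return False
        if self.actions and r.action not in self.actions:
            return False
        if self.hours is not None and r.time.hour not in self.hours:
            return False
        return True


class PDP:
    """Deny-overrides combining: any applicable Deny wins, then Permit, else NotApplicable."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)

    def decide(self, r: Request) -> str:
        effects = {rule.effect for rule in self.rules if rule.applies(r)}
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


class PEP:
    """Gateway side: only an explicit Permit lets the call through; errors fail closed."""

    def __init__(self, ask: Callable[[Request], str]):
        self.ask = ask

    def allow(self, r: Request) -> bool:
        try:
            return self.ask(r) == "Permit"
        except Exception:
            # Entitlement service down or answering garbage: refuse, never fall open.
            return False


# Constructed policy: reporting users read reports in office hours, admins reach
# everything under /services/, nobody deletes orders through the gateway.
POLICY = PDP([
    Rule("Permit", roles={"reporting"}, resource_prefix="/services/reports",
         actions={"GET"}, hours=range(8, 18)),
    Rule("Permit", roles={"admin"}, resource_prefix="/services/"),
    Rule("Deny", resource_prefix="/services/orders", actions={"DELETE"}),
])


def unavailable_pdp(r: Request) -> str:
    """Stand-in for an entitlement service that cannot be reached."""
    raise ConnectionError("entitlement service unreachable")


def decide(subject: str, roles: Iterable[str], resource: str, action: str,
           when: str, ask: Callable[[Request], str] = POLICY.decide) -> bool:
    """PEP entry point: `when` is an ISO-8601 timestamp for the request time."""
    req = Request(subject, set(roles), resource, action, datetime.fromisoformat(when))
    return PEP(ask).allow(req)
```

The point of separating PEP from PDP is that the ESB only needs to describe the call; it never interprets the policy, so a rule such as the office-hours window can change in one place without touching mediation logic. The subject and its roles must already be authenticated by the ESB (or carried in a validated token) before the PDP is asked, and the PEP treats NotApplicable and Indeterminate exactly like Deny.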
Reputation: 12502
You can create an API in ESB to proxy your backend REST API. Then you can write a handler to authorize API calls. See this blog post.
By the way, didn't you have a look at WSO2 API Manager? To manage your APIs, that's more suitable than ESB. If you have complex transformations, you can use ESB (fronted by APIM). If your mediation logic is not complex, you can do it inside APIM itself. See this doc for more information.
If you need more fine-grained authorization capability, you can use entitlement mediator with XACML policies. See this article for more information.
Upvotes: 1