Reputation: 33
I want to secure some wso2 endpoints using basic auth security so that whoever invokes needs a username and policy. How do I configure this policy in wso2 esb? Can I create the username/password in a vault and validate the auth against it?
This doesn't give an option to give username/password. I don't need any roles validation; but just need a username/password. I know how to enable the security policy in the esb dataservice/endpoint; but please help me in configuring the policy.
Upvotes: 0
Views: 559
Reputation: 1294
You can refer to the answer in [1] regarding the basic authentication. If you want to use a security policy to achieve your requirements, you can modify the security policy and avoid using the following in the policy file:
<sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
    <sec:Authorization>
        <sec:property name="org.wso2.carbon.security.allowedroles">admin,role1</sec:property>
    </sec:Authorization>
</sec:CarbonSecConfig>
[1]-https://stackoverflow.com/a/57811507/9990440
Modified Based on the comment
This document [1] and blog post [2] contain the steps that need to be followed to develop a security policy. The blog post explains how to add the WS-Policy type Integrity. But for the basic OAuth, you can select UserNameToken as the basic scenario. After adding the policy as a registry resource, you can point to the policy file as follows at the end of the data service:
<data>
    ...
    <policy key="conf:security/ESE-DevOps_policy.xml"/>
    <enableSec>true</enableSec>
</data>
In addition to using the security policy to secure the data service, you can expose the data service through an API. The data service can be configured to be invoked only through local transport to avoid any security issues. Then the API can be secured with a Basic Auth handler. The document [3] contains sample code and the steps in developing a handler.
[1]-https://docs.wso2.com/display/EI650/Applying+Security+to+a+Proxy+Service
[2]-https://medium.com/@prabushi/use-ws-policy-to-secure-a-wso2-proxy-service-33a1bfa19f5b
[3]-https://docs.wso2.com/display/ESB481/Securing+APIs#SecuringAPIs-BasicAuthUsingaBasicAuthhandler
Upvotes: 1