synapse-dev mailing list archives

From "Ruwan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SYNAPSE-953) Introducing transport level (HTTPs etc.) access restriction to Rest APIs
Date Thu, 25 Jul 2013 10:51:48 GMT

    [ https://issues.apache.org/jira/browse/SYNAPSE-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13719486#comment-13719486 ]

Ruwan commented on SYNAPSE-953:
-------------------------------

Please find attached a patch containing the necessary changes to address the above issue.

The fix description is as follows.

1) Introduced a new transports property to the API configuration XML (if a transport is not listed in the API, it will be assumed that the API is accessible via both HTTP and HTTPS).
2) Introduced a validation in the canProcess method to see if the transport with which the API is accessed is listed in the transports section of said API.
3) If it's a restricted transport and canProcess returns false, a warning will be listed on the console and a property will be set in the Synapse context to indicate the transport was rejected.
4) The message will be directed to the main sequence as usual; the user may include a filter mediator in the main sequence to display a custom error message using the variables added to the synapse/axis2 context. Please refer to the example below.

E.g. 

        <!-- Filter for handling Rest-API access via unauthorized transports -->
        <filter source="$ctx:TRANSPORT_DENIED" regex="true">
            <payloadFactory>
                <format>
                    <fault>
                        <code>403</code>
                        <type>Status report</type>
                        <message>Forbidden</message>
                        <description>Unsupported Transport $2. The requested resource (/$1) is not available.</description>
                    </fault>
                </format>
                <args>
                    <arg expression="$axis2:REST_URL_POSTFIX"/>
                    <arg expression="$ctx:IN_TRANSPORT"/>
                </args>
            </payloadFactory>
            <property name="HTTP_SC" value="403" scope="axis2"/>
            <property name="RESPONSE" value="true"/>
            <header name="To" action="remove"/>
            <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
            <property name="ContentType" scope="axis2" action="remove"/>
            <property name="Authorization" scope="transport" action="remove"/>
            <property name="Host" scope="transport" action="remove"/>
            <property name="Accept" scope="transport" action="remove"/>
            <send/>
        </filter>
                
> Introducing transport level (HTTPs etc.) access restriction to Rest APIs
> ------------------------------------------------------------------------
>
>                 Key: SYNAPSE-953
>                 URL: https://issues.apache.org/jira/browse/SYNAPSE-953
>             Project: Synapse
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 1.1
>            Reporter: Ruwan
>            Assignee: Hiranya Jayathilaka
>              Labels: features, patch
>             Fix For: 1.1.1
>
>         Attachments: rest_api_transport_access_restriction.patch
>
>
> There is no way to enforce transport level access restrictions to APIs, like on proxy services.
> This can be addressed by adding a property called "transports" to the API configuration XML, based on which, access to said API can be granted or deflected.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
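
The transport check described in steps 1 to 3 of the comment above, as an added example that is not part of the original message or of the attached patch. The class and method names, the comma-or-whitespace separated form of the transports value, and the string value "true" for TRANSPORT_DENIED are assumptions; only the property names TRANSPORT_DENIED and IN_TRANSPORT come from the filter shown in the message.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration, not code from the SYNAPSE-953 patch; names are hypothetical.
public class ApiTransportCheck {

    // Step 1: read the API's transports value. A missing or empty value means no
    // restriction, i.e. the API is reachable over both HTTP and HTTPS.
    static Set<String> allowedTransports(String attr) {
        Set<String> allowed = new HashSet<>();
        if (attr != null) {
            for (String t : attr.split("[,\\s]+")) {   // assumed separator
                if (!t.isEmpty()) allowed.add(t.toLowerCase(Locale.ROOT));
            }
        }
        if (allowed.isEmpty()) {
            allowed.add("http");
            allowed.add("https");
        }
        return allowed;
    }

    // Steps 2 and 3: compare the incoming transport with the allowed set and, on a
    // mismatch, mark the message context so a later mediator can react to it.
    static boolean canProcess(String transportsAttr, String incoming, Map<String, Object> ctx) {
        String in = incoming == null ? "" : incoming.toLowerCase(Locale.ROOT);
        if (allowedTransports(transportsAttr).contains(in)) {
            return true;
        }
        ctx.put("TRANSPORT_DENIED", "true");   // matched by the filter's regex="true"
        ctx.put("IN_TRANSPORT", in);           // echoed in the fault description
        return false;
    }

    public static void main(String[] args) {
        // Constructed cases: {transports value, incoming transport}
        String[][] cases = {{null, "http"}, {"https", "https"}, {"https", "http"}, {"HTTPS, http", "HTTP"}};
        for (String[] c : cases) {
            Map<String, Object> ctx = new HashMap<>();
            boolean ok = canProcess(c[0], c[1], ctx);
            System.out.println(c[0] + " / " + c[1] + " -> canProcess=" + ok + " ctx=" + ctx);
        }
    }
}
```

As step 4 of the comment states, a false result only marks the message, which still reaches the main sequence; the 403 is produced only when that sequence contains a filter on TRANSPORT_DENIED such as the one shown in the message.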