synapse-dev mailing list archives

From "Ruwan (JIRA)" <>
Subject [jira] [Commented] (SYNAPSE-953) Introducing transport level (HTTPs etc.) access restriction to Rest APIs
Date Thu, 25 Jul 2013 10:51:48 GMT


Ruwan commented on SYNAPSE-953:

Please find attached a patch containing the necessary changes to address the above issue.

The fix description is as follows.

1) Introduced a new transports property to the API configuration XML (if a transport is not listed in the API, it will be assumed that the API is accessible via both HTTP and HTTPS).
2) Introduced a validation in the canProcess method to see if the transport with which the API is accessed is listed in the transports section of said API.
3) If it's a restricted transport and canProcess returns false, a warning will be listed on the console and a property will be set in the Synapse context to indicate that the transport was rejected.
4) The message will be directed to the main sequence as usual; the user may include a filter mediator in the main sequence to display a custom error message using the variables added to the synapse/axis2 context. Please refer to the example below.


<!-- Filter for handling Rest-API access via unauthorized transports  -->
        <filter source="$ctx:TRANSPORT_DENIED" regex="true">
                        <type>Status report</type>
                        <description>Unsupported Transport $2. The requested resource (/$1) is not available.</description>
                    <arg expression="$axis2:REST_URL_POSTFIX"/>
                    <arg expression="$ctx:IN_TRANSPORT"/>
            <property name="HTTP_SC" value="403" scope="axis2"/>
            <property name="RESPONSE" value="true"/>
            <header name="To" action="remove"/>
            <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
            <property name="ContentType" scope="axis2" action="remove"/>
            <property name="Authorization" scope="transport" action="remove"/>
            <property name="Host" scope="transport" action="remove"/>
            <property name="Accept" scope="transport" action="remove"/>
> Introducing transport level (HTTPs etc.) access restriction to Rest APIs
> ------------------------------------------------------------------------
>                 Key: SYNAPSE-953
>                 URL:
>             Project: Synapse
>          Issue Type: New Feature
>          Components: Core
>    Affects Versions: 1.1
>            Reporter: Ruwan
>            Assignee: Hiranya Jayathilaka
>              Labels: features, patch
>             Fix For: 1.1.1
>         Attachments: rest_api_transport_access_restriction.patch
> There is no way to enforce transport level access restrictions to APIs, like on proxy
> This can be addressed by adding a property called "transports" to the API configuration XML, based on which, access to said API can be granted or deflected.

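Steps 1 to 3 of the fix description, as an added Java example that is not taken from the attached patch or from Synapse itself. The class `TransportGate`, the plain `Map` standing in for the message context, and the comma- or space-separated format of the `transports` value are assumptions; only `canProcess`, `TRANSPORT_DENIED` and `IN_TRANSPORT` come from the message above.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

// Illustrative only: class name, constructor and the Map-based context are hypothetical.
public class TransportGate {
    private static final Set<String> KNOWN = Set.of("http", "https");
    private final Set<String> allowed = new TreeSet<>();

    // 'transports' is the raw value from the API configuration (format assumed).
    public TransportGate(String transports) {
        if (transports == null || transports.trim().isEmpty()) {
            allowed.addAll(KNOWN);           // step 1: nothing listed, both are accepted
            return;
        }
        for (String t : transports.trim().split("[,\\s]+")) {
            String name = t.toLowerCase(Locale.ROOT);
            if (!KNOWN.contains(name)) {     // a typo must not silently change the policy
                throw new IllegalArgumentException("Unknown transport: " + t);
            }
            allowed.add(name);
        }
    }

    // Steps 2 and 3: check the incoming transport; on rejection, warn and flag the context
    // so a filter in the main sequence can match on TRANSPORT_DENIED.
    public boolean canProcess(String inTransport, Map<String, Object> ctx) {
        String name = inTransport == null ? "" : inTransport.toLowerCase(Locale.ROOT);
        if (allowed.contains(name)) {
            return true;
        }
        ctx.put("TRANSPORT_DENIED", "true");
        ctx.put("IN_TRANSPORT", name);
        System.err.println("WARN: API is not accessible over transport '" + name + "'");
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs: an HTTPS-only API hit over HTTP, then an unrestricted API.
        Map<String, Object> ctx = new HashMap<>();
        System.out.println(new TransportGate("https").canProcess("http", ctx) + " " + ctx);
        System.out.println(new TransportGate(null).canProcess("http", new HashMap<>()));
    }
}
```

Because an empty `transports` value allows both transports, an API meant to be HTTPS-only has to list `https` explicitly, and the 403 response depends on the filter being present in the main sequence.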