WSO2 APIM Denial Policies

WSO2 API Manager (APIM) provides several mechanisms to block or restrict API access based on specific conditions. These blocking conditions can be used to control access to APIs, protect resources, and enforce security policies. The main blocking conditions available in WSO2 APIM are listed below; they are enforced by creating denial policies in the Admin Portal (https://localhost:9443/admin).

1. IP Address Blocking

  • Description: Blocks or allows API access based on the client's IP address or range of IP addresses.
  • Use Cases:
    • Preventing access from known malicious IP addresses.
    • Restricting access to specific APIs from certain regions or networks.
    • Allowing access only from trusted IP addresses or networks.
    • The condition can also be inverted, so that only the listed IPs are allowed (a whitelist of trusted addresses).

Example:

  • Block access from a specific IP: 192.168.1.1
  • Block access from an IP range: 192.168.1.0/24

2. Application Blocking

  • Description: Blocks access to APIs from specific applications. This can be useful for controlling which applications can invoke certain APIs.
  • Use Cases:
    • Disabling API access for deprecated or unauthorized applications.
    • Controlling access based on the application's subscription tier.
    • Temporarily blocking access for troubleshooting or maintenance purposes.

Example:

  • Block an application with a specific application key or name.

3. User Blocking

  • Description: Blocks API access for specific users or user roles. This is useful for enforcing user-level access control.
  • Use Cases:
    • Revoking API access for users who no longer need it.
    • Preventing certain roles from accessing sensitive APIs.
    • Blocking access for users who have violated terms of service.

Example:

  • Block a user with a specific username or role.

4. Blocking by API Context or Resource

  • Description: Blocks access based on the API context or specific resources (e.g., paths or endpoints) within an API.
  • Use Cases:
    • Restricting access to sensitive resources within an API.
    • Blocking access to specific API paths or operations for certain users or applications.
    • Implementing granular access control at the resource level.

Example:

  • Block access to the /admin path within an API.
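The following is an added example, not part of the original post or of WSO2's code: a small Python model of how the four denial-policy categories above are evaluated against a request, including the inverted IP condition used as a whitelist. The request fields, condition type names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

@dataclass(frozen=True)
class Request:
    """Constructed request attributes a denial policy is evaluated against."""
    client_ip: str
    application: str
    user: str
    api_context: str   # e.g. "/orders/1.0"
    resource: str      # e.g. "/admin"

@dataclass(frozen=True)
class DenyPolicy:
    condition_type: str        # "IP", "APPLICATION", "USER", "API" or "RESOURCE" (model names)
    value: str
    invert: bool = False       # IP only: deny everything OUTSIDE the range (whitelist semantics)
    enabled: bool = True

    def denies(self, req: Request) -> bool:
        """True when this single condition says the request must be blocked."""
        if not self.enabled:
            return False
        if self.condition_type == "IP":
            # A bare address parses as a /32 network, so one rule covers both IP examples
            in_range = ip_address(req.client_ip) in ip_network(self.value, strict=False)
            return in_range != self.invert
        if self.condition_type == "APPLICATION":
            return req.application == self.value
        if self.condition_type == "USER":
            return req.user == self.value
        if self.condition_type == "API":
            return req.api_context == self.value
        if self.condition_type == "RESOURCE":
            # Value is "<context>:<resource>" so /admin of one API does not block another API's /admin
            ctx, _, res = self.value.partition(":")
            return req.api_context == ctx and req.resource == res
        raise ValueError(f"unknown condition type: {self.condition_type}")

def blocking_reasons(policies: List[DenyPolicy], req: Request) -> List[str]:
    """Return 'TYPE=value' for every policy that blocks the request; an empty list means allowed."""
    return [f"{p.condition_type}={p.value}" for p in policies if p.denies(req)]

# Constructed sample policies mirroring the four categories in the post
POLICIES = [
    DenyPolicy("IP", "192.168.1.1"),
    DenyPolicy("IP", "192.168.1.0/24"),
    DenyPolicy("APPLICATION", "LegacyApp"),
    DenyPolicy("USER", "mallory"),
    DenyPolicy("RESOURCE", "/orders/1.0:/admin"),
]
TRUSTED_ONLY = [DenyPolicy("IP", "10.0.0.0/8", invert=True)]  # inverted condition: whitelist

if __name__ == "__main__":
    req = Request("192.168.1.77", "MobileApp", "alice", "/orders/1.0", "/list")
    print(blocking_reasons(POLICIES, req))  # ['IP=192.168.1.0/24']
```

Returning every matching policy rather than a bare deny/allow makes the decision auditable: the list is what you would log when investigating why a client was blocked.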

Summary

These blocking conditions in WSO2 API Manager allow for fine-grained control over who can access APIs and under what conditions. They help ensure that APIs are used securely and appropriately, protecting both the API provider and the consumers from unauthorized access or misuse.
