[ https://issues.apache.org/jira/browse/SYNAPSE-953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13719486#comment-13719486 ]
Ruwan commented on SYNAPSE-953:
-------------------------------
Please find attached a patch containing the necessary changes to address the
above issue.
The fix description is as follows.
1) Introduced a new "transports" property to the API configuration XML (if a
transport is not listed in the API, it will be assumed that the API is accessible
via both HTTP and HTTPS).
2) Introduced a validation in the canProcess method to see if the transport
with which the API is accessed is listed in the transports section of said API.
3) If it's a restricted transport and canProcess returns false, a warning will
be logged on the console and a property will be set in the Synapse context to
indicate that the transport was rejected.
4) The message will be directed to the main sequence as usual; the user may include a
filter mediator in the main sequence to display a custom error message using
the variables added to the Synapse/Axis2 context. Please refer to the example below.
E.g.:

<!-- Filter for handling REST API access via unauthorized transports.
     TRANSPORT_DENIED is set in the Synapse context by the canProcess validation
     when the request arrived over a transport the API does not list. -->
<filter source="$ctx:TRANSPORT_DENIED" regex="true">
    <!-- Build the 403 fault; $1 = REST_URL_POSTFIX and $2 = IN_TRANSPORT, from <args> below -->
    <payloadFactory>
        <format>
            <fault>
                <code>403</code>
                <type>Status report</type>
                <message>Forbidden</message>
                <description>Unsupported Transport $2. The requested resource (/$1) is not available.</description>
            </fault>
        </format>
        <args>
            <arg expression="$axis2:REST_URL_POSTFIX"/>
            <arg expression="$ctx:IN_TRANSPORT"/>
        </args>
    </payloadFactory>
    <!-- Mark the message as a 403 response and send it back to the client -->
    <property name="HTTP_SC" value="403" scope="axis2"/>
    <property name="RESPONSE" value="true"/>
    <header name="To" action="remove"/>
    <!-- Drop request-side properties and headers that should not be carried into the response -->
    <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
    <property name="ContentType" scope="axis2" action="remove"/>
    <property name="Authorization" scope="transport" action="remove"/>
    <property name="Host" scope="transport" action="remove"/>
    <property name="Accept" scope="transport" action="remove"/>
    <send/>
</filter>
> Introducing transport level (HTTPs etc.) access restriction to Rest APIs
> ------------------------------------------------------------------------
>
> Key: SYNAPSE-953
> URL: https://issues.apache.org/jira/browse/SYNAPSE-953
> Project: Synapse
> Issue Type: New Feature
> Components: Core
> Affects Versions: 1.1
> Reporter: Ruwan
> Assignee: Hiranya Jayathilaka
> Labels: features, patch
> Fix For: 1.1.1
>
> Attachments: rest_api_transport_access_restriction.patch
>
>
> There is no way to enforce transport-level access restrictions on APIs, as
> there is for proxy services.
> This can be addressed by adding a property called "transports" to the API
> configuration XML, based on which access to said API can be granted or
> deflected.
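Added example (editor's note, not part of the JIRA comment or the Synapse patch): a small Python model of the check the comment describes, so the allow-list semantics can be exercised without a Synapse runtime. It assumes the "transports" property is an attribute on the <api> element, that its values are separated by whitespace or commas, and that transport names match case-insensitively; these are illustration choices, not facts about the patch. It sets the same context property names the comment's filter mediator reads ($ctx:TRANSPORT_DENIED, $ctx:IN_TRANSPORT) and renders the same 403 fault the payloadFactory produces.

```python
# Hypothetical model of the SYNAPSE-953 transport restriction (not Synapse code).
# Assumptions: <api transports="..."> attribute, whitespace/comma separators,
# case-insensitive transport names. The property names TRANSPORT_DENIED and
# IN_TRANSPORT come from the filter example in the JIRA comment.
import re
import xml.etree.ElementTree as ET

# Per the comment: an API that lists no transports is reachable over both.
DEFAULT_TRANSPORTS = frozenset({"http", "https"})


def allowed_transports(api_xml: str) -> frozenset:
    """Return the set of transports an API definition admits."""
    root = ET.fromstring(api_xml)
    raw = root.get("transports")
    if raw is None or not raw.strip():
        return DEFAULT_TRANSPORTS  # absent or empty list -> open to HTTP and HTTPS
    names = {n.lower() for n in re.split(r"[\s,]+", raw.strip()) if n}
    return frozenset(names)


def can_process(api_xml: str, in_transport: str, ctx: dict) -> bool:
    """Model of the canProcess validation: accept only when the transport the
    request arrived on is listed; otherwise flag the Synapse context so a
    filter mediator in the main sequence can answer with a custom fault."""
    transport = in_transport.lower()
    ctx["IN_TRANSPORT"] = transport
    if transport in allowed_transports(api_xml):
        return True
    ctx["TRANSPORT_DENIED"] = "true"  # what <filter ... regex="true"> matches
    return False


def deny_response(ctx: dict, rest_url_postfix: str) -> tuple:
    """Render the fault the comment's payloadFactory builds:
    $1 = REST_URL_POSTFIX, $2 = IN_TRANSPORT. The template prefixes "/" to $1,
    so a leading slash on the postfix is normalised away here to avoid "//"."""
    path = "/" + rest_url_postfix.lstrip("/")
    body = (
        "<fault><code>403</code><type>Status report</type>"
        "<message>Forbidden</message>"
        "<description>Unsupported Transport {t}. The requested resource ({p}) "
        "is not available.</description></fault>"
    ).format(t=ctx["IN_TRANSPORT"], p=path)
    return 403, body


def handle(api_xml: str, in_transport: str, rest_url_postfix: str):
    """Drive one request through the check. Returns None when the API may
    process it, or (status, body) when the transport was rejected."""
    ctx = {}
    if can_process(api_xml, in_transport, ctx):
        return None
    return deny_response(ctx, rest_url_postfix)


# Constructed sample API definitions (not from the patch).
HTTPS_ONLY_API = ('<api name="Payments" context="/payments" transports="https">'
                  '<resource methods="GET"/></api>')
OPEN_API = '<api name="Catalog" context="/catalog"><resource methods="GET"/></api>'

if __name__ == "__main__":
    print(handle(HTTPS_ONLY_API, "http", "/balance"))   # rejected: 403 fault
    print(handle(HTTPS_ONLY_API, "https", "/balance"))  # None: allowed
    print(handle(OPEN_API, "http", "/items"))           # None: no list, so open
```

The useful property to keep in mind when reviewing the real patch is the default in allowed_transports: a missing or empty list opens the API to every listed transport, so an operator who wants HTTPS only must state it explicitly on each API.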
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]