Hi Thomas,

You need to subscribe to that particular API from the application for which you have
generated the access token. If there is no valid subscription, then this error
can happen.
Also, if you have assigned specific scopes to the API resource, then the
access token should also have those scopes when it was generated.
This resource forbidden issue can occur due to the above mentioned errors.

Thanks!
Rajith

On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <
[email protected]> wrote:

> Hello !
>
> Sure. Here is my api-manager.xml AM configuration file:
>
> <APIManager>
>     <!-- JNDI name of the data source to be used by the API publisher, API
> store and API
>          key manager. This data source should be defined in the
> master-datasources.xml file
>          in conf/datasources directory. -->
>     <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
>
>     <!-- This parameter is used when adding api management capability to
> other products like GReg, AS, DSS etc.-->
>     <!--GatewayType>Synapse</GatewayType-->
> <GatewayType>None</GatewayType>
>
>     <!-- This parameter is used to enable the securevault support when try
> to publish endpoint secured APIs. Values should be "true" or "false".
>     By default secure vault is disabled.-->
>     <EnableSecureVault>false</EnableSecureVault>
>
>     <!-- Authentication manager configuration for API publisher and API
> store. This is
>          a required configuration for both web applications as their user
> authentication
>          logic relies on this. -->
>     <AuthManager>
>         <!-- Server URL of the Authentication service -->
>         <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
> <ServerURL>https://localhost:9448/services/</ServerURL>
>         <!-- Admin username for the Authentication manager. -->
>         <Username>${admin.username}</Username>
>         <!-- Admin password for the Authentication manager. -->
>         <Password>${admin.password}</Password>
>         <!-- Indicates whether the permissions checking of the user (on
> the Publisher and Store) should be done
>            via a remote service. The check will be done on the local
> server when false. -->
>         <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
>     </AuthManager>
>
>     <JWTConfiguration>
>         <!-- Enable/Disable JWT generation. Default is false. -->
>         <!-- EnableJWTGeneration>false</EnableJWTGeneration-->
>
>         <!-- Name of the security context header to be added to the
> validated requests. -->
>         <JWTHeader>X-JWT-Assertion</JWTHeader>
>
>         <!-- Fully qualified name of the class that will retrieve
> additional user claims
>              to be appended to the JWT. If not specified no claims will be
> appended.If user wants to add all user claims in the
>              jwt token, he needs to enable this parameter.
>              The DefaultClaimsRetriever class adds user claims from the
> default carbon user store. -->
>         <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->
>
>         <!-- The dialectURI under which the claimURIs that need to be
> appended to the
>              JWT are defined. Not used with custom ClaimsRetriever
> implementations. The
>              same value is used in the keys for appending the default
> properties to the
>              JWT. -->
>         <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->
>
>         <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To
> disable signing explicitly specify "NONE". -->
>         <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->
>
>         <!-- This parameter specifies which implementation should be used
> for generating the Token. JWTGenerator is the
>     default implementation provided. -->
>         <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
>
>         <!-- This parameter specifies which implementation should be used
> for generating the Token. For URL safe JWT
>              Token generation the implementation is provided in
> URLSafeJWTGenerator -->
>         <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->
>
>         <!-- Remove UserName from JWT Token -->
>         <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
>     </JWTConfiguration>
>
>     <!-- Primary/secondary login configuration for APIstore. If user likes
> to keep two login attributes in a distributed setup, to login the APIstore,
> he should configure this section. Primary login doesn't have a claimUri
> associated with it. But secondary login, which is a claim attribute,
> is associated with a claimuri.-->
>     <!--LoginConfig>
>             <UserIdLogin  primary="true">
>         <ClaimUri></ClaimUri>
>         </UserIdLogin>
>         <EmailLogin  primary="false">
>             <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
>         </EmailLogin>
>     </LoginConfig-->
>
>     <!-- Credentials for the API gateway admin server. This configuration
>          is mainly used by the API publisher and store to connect to the
> API gateway and
>          create/update published API configurations. -->
>     <APIGateway>
>         <!-- The environments to which an API will be published -->
>         <Environments>
>             <!-- Environments can be of different types. Allowed values
> are 'hybrid', 'production' and 'sandbox'.
>                  An API deployed on a 'production' type gateway will only
> support production keys
>                  An API deployed on a 'sandbox' type gateway will only
> support sandbox keys
>                  An API deployed on a 'hybrid' type gateway will support
> both production and sandbox keys. -->
>             <!-- api-console element specifies whether the environment
> should be listed in API Console or not -->
>             <Environment type="hybrid" api-console="true">
>                 <Name>Production and Sandbox</Name>
>                 <Description>This is a hybrid gateway that handles both
> production and sandbox token traffic.</Description>
>                 <!-- Server URL of the API gateway -->
>                 <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>        <!-- Admin username for the API gateway. -->
>                 <Username>${admin.username}</Username>
>                 <!-- Admin password for the API gateway.-->
>                 <Password>${admin.password}</Password>
>                 <!-- Endpoint URLs for the APIs hosted in this API
> gateway.-->
>                 <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
>             </Environment>
>         </Environments>
>     </APIGateway>
>
>     <CacheConfigurations>
>    <!-- Enable/Disable token caching at the Gateway-->
>         <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
>    <!-- Enable/Disable API resource caching at the Gateway-->
>         <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
>         <!-- Enable/Disable API key validation information caching at
> key-management server -->
>         <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
>         <!-- This parameter specifies whether Recently Added APIs will be
> loaded from the cache or not.
>              If there are multiple API modification during a short time
> period, better to disable cache. -->
>         <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
>    <!-- JWT claims Cache expiry in seconds -->
>         <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
>         <!-- Expiry time for the apim key mgt validation info cache -->
>         <!--TokenCacheExpiry>900</TokenCacheExpiry-->
>         <!-- This parameter specifies the expiration time of the TagCache.
> TagCache will
>              only be created when this element is uncommented. When the
> specified
>              time duration gets elapsed ,tag cache will get re-generated.
> -->
>         <!--TagCacheDuration>120000</TagCacheDuration-->
>     </CacheConfigurations>
>
>     <!--
>         API usage tracker configuration used by the DAS data publisher and
>         Google Analytics publisher in API gateway.
>     -->
>     <Analytics>
>         <!-- Enable Analytics for API Manager -->
>         <Enabled>false</Enabled>
>
>         <!-- Server URL of the remote DAS/CEP server used to collect
> statistics. Must
>              be specified in protocol://hostname:port/ format.
>
>              An event can also be published to multiple Receiver Groups
> each having 1 or more receivers. Receiver
>              Groups are delimited by curly braces whereas receivers are
> delimited by commas.
>              Ex - Multiple Receivers within a single group
>              tcp://localhost:7612/,tcp://localhost:7613/,tcp://
> localhost:7614/
>
>              Ex - Multiple Receiver Groups with two receivers each
>              {tcp://localhost:7612/,tcp://localhost:7613},{tcp://
> localhost:7712/,tcp://localhost:7713/} -->
>         <DASServerURL>{tcp://localhost:7612}</DASServerURL>
>         <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
>         <!-- Administrator username to login to the remote DAS server. -->
>         <DASUsername>${admin.username}</DASUsername>
>         <!-- Administrator password to login to the remote DAS server. -->
>         <DASPassword>${admin.password}</DASPassword>
>
>         <!-- For APIM implemented Statistic client for RDBMS -->
>         <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>
>
>         <!-- DAS REST API configuration -->
>         <DASRestApiURL>https://localhost:9444</DASRestApiURL>
>         <DASRestApiUsername>${admin.username}</DASRestApiUsername>
>         <DASRestApiPassword>${admin.password}</DASRestApiPassword>
>
>         <!-- Below property is used to skip trying to connect to event
> receiver nodes when publishing events even if
>             the stats enabled flag is set to true. -->
>         <SkipEventReceiverConnection>false</SkipEventReceiverConnection>
>
>         <!-- API Usage Data Publisher. -->
>         <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>
>
>         <!-- If below property set to true,then the response message size
> will be calculated and publish
>              with each successful API invocation event. -->
>         <PublishResponseMessageSize>false</PublishResponseMessageSize>
>         <!-- Data publishing stream names and versions of API requests,
> responses and faults. If the default values
>             are changed, the toolbox also needs to be changed accordingly.
> -->
>         <Streams>
>             <Request>
>                 <Name>org.wso2.apimgt.statistics.request</Name>
>                 <Version>1.1.0</Version>
>             </Request>
>             <Response>
>                 <Name>org.wso2.apimgt.statistics.response</Name>
>                 <Version>1.1.0</Version>
>             </Response>
>             <Fault>
>                 <Name>org.wso2.apimgt.statistics.fault</Name>
>                 <Version>1.0.0</Version>
>             </Fault>
>             <Throttle>
>                 <Name>org.wso2.apimgt.statistics.throttle</Name>
>                 <Version>1.0.0</Version>
>             </Throttle>
>             <Workflow>
>                 <Name>org.wso2.apimgt.statistics.workflow</Name>
>                 <Version>1.0.0</Version>
>             </Workflow>
>             <ExecutionTime>
>                 <Name>org.wso2.apimgt.statistics.execution.time</Name>
>                 <Version>1.0.0</Version>
>             </ExecutionTime>
>    <AlertTypes>
>                 <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
>                 <Version>1.0.0</Version>
>             </AlertTypes>
>         </Streams>
>
>     </Analytics>
>
>     <!--
>         API key validator configuration used by API key manager (IS), API
> store and API gateway.
>         API gateway uses it to validate and authenticate users against the
> provided API keys.
>     -->
>     <APIKeyValidator>
>         <!-- Server URL of the API key manager -->
>         <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
> <ServerURL>https://localhost:9448/services/</ServerURL>
>
>         <!-- Admin username for API key manager. -->
>         <Username>${admin.username}</Username>
>         <!-- Admin password for API key manager. -->
>         <Password>${admin.password}</Password>
> <!--Username>admin</Username>
> <Password>admin</Password-->
>
>         <!-- Configurations related to enable thrift support for
> key-management related communication.
>              If you want to switch back to Web Service Client, change the
> value of "KeyValidatorClientType" to "WSClient".
>              In a distributed environment;
>              -If you are at the Gateway node, you need to point
> "ThriftClientPort" value to the "ThriftServerPort" value given at
> KeyManager node.
>              -If you need to start two API Manager instances in the same
> machine, you need to give different ports to "ThriftServerPort" value in
> two nodes.
>              -ThriftServerHost - Allows to configure a hostname for the
> thrift server. It uses the carbon hostname by default.
>         -The Gateway uses this parameter to connect to the key validation
> thrift service. -->
>         <KeyValidatorClientType>WSClient</KeyValidatorClientType>
>         <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
>         <!--ThriftClientPort>10397</ThriftClientPort-->
>
>         <EnableThriftServer>false</EnableThriftServer>
>         <ThriftServerHost>localhost</ThriftServerHost>
>         <!--ThriftServerPort>10397</ThriftServerPort-->
>
>         <!--ConnectionPool>
>             <MaxIdle>100</MaxIdle>
>             <InitIdleCapacity>50</InitIdleCapacity>
>         </ConnectionPool-->
>         <!-- Specifies the implementation to be used for
> KeyValidationHandler. Steps for validating a token can be controlled by
> plugging in a
>              custom KeyValidation Handler -->
>         <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
>     </APIKeyValidator>
>
>     <!-- Uncomment this section only if you are going to have an instance
> other than KeyValidator as your KeyManager.
>          Unless a ThirdParty KeyManager is used, you don't need to
> configure this section. -->
>     <!--APIKeyManager>
>         <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
>         <Configuration>
>             <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>             <Username>${admin.username}</Username>
>             <Password>${admin.password}</Password>
>             <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
>             <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
>         </Configuration>
>     </APIKeyManager-->
>
>     <OAuthConfigurations>
>         <!-- Remove OAuth headers from outgoing message. -->
>         <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
>         <!-- Scope used for marking Application Tokens. If a token is
> generated with this scope, they will be treated as Application Access
> Tokens -->
>         <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
>         <!-- All  scopes under the ScopeWhitelist element are not
> validating against roles that has assigned to it.
>              By default ^device_.* and openid scopes have been white
> listed internally. -->
>         <!--ScopeWhitelist>
>             <Scope>^device_.*</Scope>
>             <Scope>openid</Scope>
>         </ScopeWhitelist-->
>         <!-- Name of the token API -->
>         <TokenEndPointName>/oauth2/token</TokenEndPointName>
>         <!-- This the API URL for revoke API. When we revoke tokens revoke
> requests should go through this
>              API deployed in API gateway. Then it will do cache
> invalidations related to revoked tokens.
>              In distributed deployment we should configure this property
> in key manager node by pointing
>              gateway https( /http, we recommend users to use 'https'
> endpoints for security purpose) url.
>              Also please note that we should point gateway revoke service
> to key manager -->
>         <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
>         <!-- Whether to encrypt tokens when storing in the Database
>         Note: If changing this value to true, change the value of
> <TokenPersistenceProcessor> to
>         org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
>         <EncryptPersistedTokens>false</EncryptPersistedTokens>
>     </OAuthConfigurations>
>
>     <!-- Settings related to managing API access tiers. -->
>     <TierManagement>
>         <!-- Enable the providers to expose their APIs over the special
> 'Unlimited' tier which
>              basically disables tier based throttling for the specified
> APIs. -->
>         <EnableUnlimitedTier>true</EnableUnlimitedTier>
>     </TierManagement>
>
>     <!-- API Store Related Configurations -->
>     <APIStore>
>         <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
>         <!--This property is used to indicate how we do user name
> comparison for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
>         <CompareCaseInsensitively>true</CompareCaseInsensitively>
>         <DisplayURL>false</DisplayURL>
>         <URL>https://localhost:${mgt.transport.https.port}/store</URL>
>
>         <!-- Server URL of the API Store. -->
>         <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>         <!-- Admin username for API Store. -->
>         <Username>${admin.username}</Username>
>
>         <!-- Admin password for API Store. -->
>         <Password>${admin.password}</Password>
>         <!-- This parameter specifies whether to display multiple versions
> of same
>              API or only showing the latest version of an API. -->
>         <DisplayMultipleVersions>false</DisplayMultipleVersions>
>         <!-- This parameter specifies whether to display all the APIs
>              [which are having DEPRECATED/PUBLISHED status] or only
> display the APIs
>              with having their status is as 'PUBLISHED' -->
>         <DisplayAllAPIs>false</DisplayAllAPIs>
>         <!-- Uncomment this to limit the number of APIs in api the API
> Store -->
>         <!--APIsPerPage>5</APIsPerPage-->
>
>         <!-- This parameter specifies whether to display the comment
> editing facility or not.
>              Default is "true". If user wants to disable, he must set this
> param as "false" -->
>         <DisplayComments>true</DisplayComments>
>
>         <!-- This parameter specifies whether to display the ratings  or
> not.
>              Default is "true". If user wants to disable, he must set this
> param as "false" -->
>         <DisplayRatings>true</DisplayRatings>
>
>         <!--set isStoreForumEnabled to false for disable forum in store-->
>         <!--isStoreForumEnabled>false</isStoreForumEnabled-->
>     </APIStore>
>
>     <APIPublisher>
>         <DisplayURL>false</DisplayURL>
>         <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
>         <!-- This parameter specifies enabling the capability of setting
> API documentation level granular visibility levels.
>              By default any document associate with an API will have the
> same permissions set as the API.With enabling below
>              property,it will show two additional permission levels as
> visible only to all registered users in a particular
>              domain or only visible to API doc creator -->
>         <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
>         <!-- Uncomment this to limit the number of APIs in api the API
> Publisher -->
>         <!--APIsPerPage>30</APIsPerPage-->
>     </APIPublisher>
>
>     <!-- Status observers can be registered against the API Publisher to
> listen for
>          API status update events. Each observer must implement the
> APIStatusObserver
>          interface. Multiple observers can be engaged if necessary and in
> such situations
>          they will be notified in the order they are defined here.
>          This configuration is unused from API Manager version 1.10.0 -->
>     <!--StatusObservers>
>         <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
>     </StatusObservers-->
>
>     <!-- Use this configuration Create APIs at the Server startup -->
>     <StartupAPIPublisher>
>         <!-- Enable/Disable the API Startup Publisher -->
>         <Enabled>false</Enabled>
>
>         <!-- Configuration to create APIs for local endpoints.
>              Endpoint will be computed as http://${carbon.local.ip}:${
> mgt.transport.http.port}/Context.
>              Define many LocalAPI elements as below to create many APIs
>              for local Endpoints.
>              IconPath should be relative to CARBON_HOME. -->
>         <LocalAPIs>
>             <LocalAPI>
>                 <Context>/resource</Context>
>                 <Provider>admin</Provider>
>                 <Version>1.0.0</Version>
>                 <IconPath>none</IconPath>
>                 <DocumentURL>none</DocumentURL>
>                 <AuthType>Any</AuthType>
>             </LocalAPI>
>         </LocalAPIs>
>
>         <!-- Configuration to create APIs for remote endpoints.
>              When Endpoint need to be defined use this configuration.
>              Define many API elements as below to create many APIs
>              for external Endpoints.
>              If you do not need to add Icon or Documentation set
>              'none' as the value for IconPath & DocumentURL. -->
>         <!--APIs>
>             <API>
>                 <Context>/resource</Context>
>                 <Endpoint>http://localhost:9764/resource</Endpoint>
>                 <Provider>admin</Provider>
>                 <Version>1.0.0</Version>
>                 <IconPath>none</IconPath>
>                 <DocumentURL>none</DocumentURL>
>                 <AuthType>Any</AuthType>
>             </API>
>         </APIs-->
>     </StartupAPIPublisher>
>
>     <!-- Configuration to enable/disable sending CORS headers in the
> Gateway response
>          and define the Access-Control-Allow-Origin header value.-->
>     <CORSConfiguration>
>         <!-- Configuration to enable/disable sending CORS headers from the
> Gateway-->
>         <Enabled>true</Enabled>
>
>         <!-- The value of the Access-Control-Allow-Origin header. Default
> values are
>              API Store addresses, which is needed for swagger to function.
> -->
>         <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
>
>         <!-- Configure Access-Control-Allow-Methods -->
>         <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>
>
>         <!-- Configure Access-Control-Allow-Headers -->
>         <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>
>
>         <!-- Configure Access-Control-Allow-Credentials -->
>         <!-- Specifying this header to true means that the server allows
> cookies (or other user credentials) to be included on cross-origin requests.
>              It is false by default and if you set it to true then make
> sure that the Access-Control-Allow-Origin header does not contain the
> wildcard (*) -->
>         <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
>     </CORSConfiguration>
>
>     <!-- This property is there to configure velocity log output into
> existing Log4j carbon Logger.
>          You can enable this and set preferable Logger name. -->
>     <!-- VelocityLogger>VELOCITY</VelocityLogger -->
>
>     <RESTAPI>
>         <!--Configure white-listed URIs of REST API. Accessing
> white-listed URIs does not require credentials (does not require
> Authorization header). -->
>         <WhiteListedURIs>
>             <WhiteListedURI>
>                 <URI>/api/am/publisher/{version}/swagger.json</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/swagger.json</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/admin/{version}/swagger.json</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/tags</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>             <WhiteListedURI>
>                 <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>             </WhiteListedURI>
>         </WhiteListedURIs>
>         <ETagSkipList>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/apis</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/apis/generate-sdk</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/applications</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/applications/generate-keys</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/subscriptions</URI>
>                 <HTTPMethods>GET,POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/tags</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis</URI>
>                 <HTTPMethods>GET,POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
>                 <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
>                 <HTTPMethods>GET,PUT</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
>                 <HTTPMethods>GET,POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
>                 <HTTPMethods>GET,POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
>                 <HTTPMethods>GET,POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
>                 <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/environments</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/subscriptions</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
>                 <HTTPMethods>GET</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
>                 <HTTPMethods>GET,POST</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
>                 <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
>             </ETagSkipURI>
>             <ETagSkipURI>
>                 <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
>                 <HTTPMethods>POST</HTTPMethods>
>             </ETagSkipURI>
>         </ETagSkipList>
>     </RESTAPI>
>     <ThrottlingConfigurations>
>         <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
>         <DataPublisher>
>             <Enabled>true</Enabled>
>             <Type>Binary</Type>
>             <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
>             <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
>             <Username>${admin.username}</Username>
>             <Password>${admin.password}</Password>
>             <DataPublisherPool>
>                 <MaxIdle>1000</MaxIdle>
>                 <InitIdleCapacity>200</InitIdleCapacity>
>             </DataPublisherPool>
>             <DataPublisherThreadPool>
>                 <CorePoolSize>200</CorePoolSize>
>                 <MaxmimumPoolSize>1000</MaxmimumPoolSize>
>                 <KeepAliveTime>200</KeepAliveTime>
>             </DataPublisherThreadPool>
>         </DataPublisher>
>         <PolicyDeployer>
>             <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
>             <Username>${admin.username}</Username>
>             <Password>${admin.password}</Password>
>         </PolicyDeployer>
>         <BlockCondition>
>             <Enabled>true</Enabled>
>             <!--InitDelay>300000</InitDelay>
>             <Period>3600000</Period-->
>         </BlockCondition>
>         <JMSConnectionDetails>
>             <Enabled>true</Enabled>
>             <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
>             <Username>${admin.username}</Username>
>             <Password>${admin.password}</Password>
>             <Destination>throttleData</Destination>
>             <!--InitDelay>300000</InitDelay-->
>             <JMSConnectionParameters>
>                 <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>                 <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>                 <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>                 <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
>             </JMSConnectionParameters>
>             <JMSTaskManager>
>                 <MinThreadPoolSize>20</MinThreadPoolSize>
>                 <MaxThreadPoolSize>100</MaxThreadPoolSize>
>                 <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
>                 <JobQueueSize>10</JobQueueSize>
>             </JMSTaskManager>
>         </JMSConnectionDetails>
>         <JMSEventPublisherParameters>
>                 <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>                 <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
>                 <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>                 <transport.jms.Destination>throttleData</transport.jms.Destination>
>                 <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
>                 <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>         </JMSEventPublisherParameters>
>         <!--DefaultLimits>
>             <SubscriptionTierLimits>
>                 <Gold>5000</Gold>
>                 <Silver>2000</Silver>
>                 <Bronze>1000</Bronze>
>                 <Unauthenticated>60</Unauthenticated>
>             </SubscriptionTierLimits>
>             <ApplicationTierLimits>
>                 <50PerMin>50</50PerMin>
>                 <20PerMin>20</20PerMin>
>                 <10PerMin>10</10PerMin>
>             </ApplicationTierLimits>
>             <ResourceLevelTierLimits>
>                 <50KPerMin>50000</50KPerMin>
>                 <20KPerMin>20000</20KPerMin>
>                 <10KPerMin>10000</10KPerMin>
>             </ResourceLevelTierLimits>
>         </DefaultLimits-->
>         <EnableUnlimitedTier>true</EnableUnlimitedTier>
>         <EnableHeaderConditions>false</EnableHeaderConditions>
>         <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
>         <EnableQueryParamConditions>false</EnableQueryParamConditions>
>     </ThrottlingConfigurations>
>
>     <WorkflowConfigurations>
>         <Enabled>false</Enabled>
>         <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
>         <ServerUser>${admin.username}</ServerUser>
>         <ServerPassword>${admin.password}</ServerPassword>
>         <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
>         <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
>         <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
>         <DCREndPointUser>${admin.username}</DCREndPointUser>
>         <DCREndPointPassword>${admin.password}</DCREndPointPassword>
>     </WorkflowConfigurations>
>
>     <SwaggerCodegen>
>         <ClientGeneration>
>             <GroupId>org.wso2</GroupId>
>             <ArtifactId>org.wso2.client.</ArtifactId>
>             <ModelPackage>org.wso2.client.model.</ModelPackage>
>             <ApiPackage>org.wso2.client.api.</ApiPackage>
>             <!-- Configure supported languages/Frameworks as comma separated values,
>              Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
>              nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
>             <SupportedLanguages>java,android</SupportedLanguages>
>         </ClientGeneration>
>     </SwaggerCodegen>
>
> </APIManager>
>
> Do you need my IS one, too?
>
> Regards,
>
> Thomas
>
> 2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[email protected]>:
>
>> Would be better if you could share the api-manager.xml configuration file
>> to see if there are any errors in configs.
>>
>>
>>
>>
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>>
>>
>> On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <
>> [email protected]> wrote:
>>
>>> Hello again,
>>>
>>> I followed the tutorial in [1] to configure my Identity Server (IS) as a
>>> key manager for my API Manager (AM). When I create my Production & Sandbox
>>> applications in the AM, I can see service providers created in the IS. I
>>> configured them to use SAML to retrieve information like the roles if the
>>> authentication is successful. And I can "exchange" my SAML assertion for an
>>> OAuth token. So, everything is cool, here.
>>>
>>> But, when I try to reuse this OAuth token to access a resource via
>>> the AM, it rejects me with this sweet message:
>>>
>>>     <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
>>>       <ams:code>900900</ams:code>
>>>       <ams:message>Unclassified Authentication Failure</ams:message>
>>>       <ams:description>Resource forbidden</ams:description>
>>>     </ams:fault>
>>>
>>> But there are no errors in the logs, just a WARN. So, I activated the DEBUG
>>> mode and then I can see some interesting things:
>>>
>>> [2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
>>> [2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
>>> org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
>>>         at org.apache.synapse.rest.API.process(API.java:325)
>>>         at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
>>>         at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
>>>         at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
>>>         at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
>>>         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>>>         at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
>>>         at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
>>>         at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>         at java.lang.Thread.run(Thread.java:745)
>>> Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
>>>         ... 16 more
>>> Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
>>>
>>> From here, I don't know what to do since I tried some fancy URLs for the
>>> ServerURL value in the elements AuthManager and APIKeyValidator.
>>> My IS has an offset of 5 so the port is 9448. Here is the URL I used to
>>> point to the IS server: https://localhost:9448/services/
>>>
>>> Is there a way to know at which URL the IS deploys its Key Manager
>>> feature web services (WS)?
>>> Should I reinstall the Key Manager feature in the IS?
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>> [1] https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>
>
>


-- 
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214
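The DEBUG trace quoted in the thread is the useful part of it: the client only ever sees the generic 900900 "Resource forbidden", while the innermost "Caused by" shows that the gateway's call to the key manager failed outright rather than the key manager saying no. The script below is an added example, not code from the thread or from WSO2. It parses a Java exception chain out of such a gateway log excerpt and separates a broken key-manager call (wrong ServerURL, credentials, serialization) from a genuine subscription or scope denial of the kind described in the reply at the top of the thread. The first sample log is constructed from the lines Thomas posted, with the mail-wrapped frames rejoined; the second is a constructed excerpt for the denial case. The verdict labels and helper names are this example's own.

```python
"""Triage a WSO2 API Gateway authentication-failure log excerpt.

Added example (not from the thread or WSO2). Walks the Java exception chain
in a DEBUG log so the innermost "Caused by:" is reported instead of the
generic 900900 "Resource forbidden" that the gateway returns to the client.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the gateway log posted in the thread, frames rejoined
# and the long middle of the stack trimmed to a few frames.
SAMPLE_LOG = """\
[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
"""

# Constructed sample for the other branch: the gateway itself refuses the
# token and no backend exception sits underneath.
SAMPLE_DENIAL_LOG = """\
[2017-06-15 17:01:10,000] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
"""

# A Java exception line: optional "Caused by:" prefix, a dotted class name,
# then the message. Log lines start with "[" and frames with whitespace, so
# neither can match.
EXC_RE = re.compile(r"^(?:Caused by:\s*)?([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+):\s*(.*)$")
FRAME_RE = re.compile(r"^\s+at\s+(\S+)\((\S+)\)")
CODE_RE = re.compile(r"authentication failed with error (\d+)")

# The gateway's own security exception class, as seen in the posted trace.
GATEWAY_SECURITY_EXC = "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException"


@dataclass
class ExceptionEntry:
    cls: str
    message: str
    frames: list = field(default_factory=list)


def parse_exception_chain(log_text):
    """Return the exception chain, outermost first, with frames attached."""
    chain = []
    for line in log_text.splitlines():
        m = EXC_RE.match(line)
        if m:
            chain.append(ExceptionEntry(m.group(1), m.group(2).strip()))
            continue
        f = FRAME_RE.match(line)
        if f and chain:
            chain[-1].frames.append(f.group(1))
    return chain


def error_code(log_text):
    """Gateway error code from the DEBUG line, e.g. '900900', or None."""
    m = CODE_RE.search(log_text)
    return m.group(1) if m else None


def classify(chain):
    """'backend_failure' when the root cause is not the gateway's own
    security exception (the key-manager call itself broke), 'authz_denial'
    when the gateway refused the token, 'unknown' with no parsable chain."""
    if not chain:
        return "unknown"
    return "authz_denial" if chain[-1].cls == GATEWAY_SECURITY_EXC else "backend_failure"


def triage(log_text):
    """Summarise one failure: code, chain depth, root cause and verdict."""
    chain = parse_exception_chain(log_text)
    root = chain[-1] if chain else None
    return {
        "error_code": error_code(log_text),
        "chain_depth": len(chain),
        "root_class": root.cls if root else None,
        "root_message": root.message if root else None,
        "verdict": classify(chain),
    }


if __name__ == "__main__":
    for name, log in (("posted trace", SAMPLE_LOG), ("denial", SAMPLE_DENIAL_LOG)):
        print(f"== {name}")
        for key, value in triage(log).items():
            print(f"{key}: {value}")
```

On the posted trace the verdict is `backend_failure` with an `org.apache.axis2.AxisFault` root cause, which is why tuning subscriptions or scopes cannot help until the AuthManager/APIKeyValidator ServerURL actually reaches a working key manager; only a chain that bottoms out in the gateway's own APISecurityException points at a policy decision.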