On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <[email protected]> wrote:

> Hi Thomas,
>
> You need to subscribe to that particular API from the application you have
> generated the access token for. If there is no valid subscription then this error
> can happen.
> And also, if you have assigned specific scopes to the API resource, then the
> access token should also have those scopes when it was generated.
> This resource forbidden issue can occur due to the above mentioned errors.
>

In those cases, shouldn't the error codes be different according to [1]?


    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

Error code 900900, according to [1], means:
"Backend service for key validation is not accessible when trying to invoke
an API"




[1] https://docs.wso2.com/display/AM210/Error+Handling


>
> Thanks!
> Rajith
>
> On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <[email protected]> wrote:
>
>> Hello !
>>
>> Sure. Here is my api-manager.xml AM configuration file:
>>
>> <APIManager>
>>     <!-- JNDI name of the data source to be used by the API publisher,
>> API store and API
>>          key manager. This data source should be defined in the
>> master-datasources.xml file
>>          in conf/datasources directory. -->
>>     <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
>>
>>     <!-- This parameter is used when adding api management capability to
>> other products like GReg, AS, DSS etc.-->
>>     <!--GatewayType>Synapse</GatewayType-->
>> <GatewayType>None</GatewayType>
>>
>>     <!-- This parameter is used to enable the securevault support when
>> try to publish endpoint secured APIs. Values should be "true" or "false".
>>     By default secure vault is disabled.-->
>>     <EnableSecureVault>false</EnableSecureVault>
>>
>>     <!-- Authentication manager configuration for API publisher and API
>> store. This is
>>          a required configuration for both web applications as their user
>> authentication
>>          logic relies on this. -->
>>     <AuthManager>
>>         <!-- Server URL of the Authentication service -->
>>         <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>> <ServerURL>https://localhost:9448/services/</ServerURL>
>>         <!-- Admin username for the Authentication manager. -->
>>         <Username>${admin.username}</Username>
>>         <!-- Admin password for the Authentication manager. -->
>>         <Password>${admin.password}</Password>
>>         <!-- Indicates whether the permissions checking of the user (on
>> the Publisher and Store) should be done
>>            via a remote service. The check will be done on the local
>> server when false. -->
>>         <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
>>     </AuthManager>
>>
>>     <JWTConfiguration>
>>         <!-- Enable/Disable JWT generation. Default is false. -->
>>         <!-- EnableJWTGeneration>false</EnableJWTGeneration-->
>>
>>         <!-- Name of the security context header to be added to the
>> validated requests. -->
>>         <JWTHeader>X-JWT-Assertion</JWTHeader>
>>
>>         <!-- Fully qualified name of the class that will retrieve
>> additional user claims
>>              to be appended to the JWT. If not specified no claims will
>> be appended.If user wants to add all user claims in the
>>              jwt token, he needs to enable this parameter.
>>              The DefaultClaimsRetriever class adds user claims from the
>> default carbon user store. -->
>>         <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->
>>
>>         <!-- The dialectURI under which the claimURIs that need to be
>> appended to the
>>              JWT are defined. Not used with custom ClaimsRetriever
>> implementations. The
>>              same value is used in the keys for appending the default
>> properties to the
>>              JWT. -->
>>         <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->
>>
>>         <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To
>> disable signing explicitly specify "NONE". -->
>>         <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->
>>
>>         <!-- This parameter specifies which implementation should be used
>> for generating the Token. JWTGenerator is the
>>     default implementation provided. -->
>>         <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
>>
>>         <!-- This parameter specifies which implementation should be used
>> for generating the Token. For URL safe JWT
>>              Token generation the implementation is provided in
>> URLSafeJWTGenerator -->
>>         <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->
>>
>>         <!-- Remove UserName from JWT Token -->
>>         <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
>>     </JWTConfiguration>
>>
>>     <!-- Primary/secondary login configuration for APIstore. If user
>> likes to keep two login attributes in a distributed setup, to login the
>> APIstore,
>> he should configure this section. Primary login doesn't have a claimUri
>> associated with it. But secondary login, which is a claim attribute,
>> is associated with a claimuri.-->
>>     <!--LoginConfig>
>>             <UserIdLogin  primary="true">
>>         <ClaimUri></ClaimUri>
>>         </UserIdLogin>
>>         <EmailLogin  primary="false">
>>             <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
>>         </EmailLogin>
>>     </LoginConfig-->
>>
>>     <!-- Credentials for the API gateway admin server. This configuration
>>          is mainly used by the API publisher and store to connect to the
>> API gateway and
>>          create/update published API configurations. -->
>>     <APIGateway>
>>         <!-- The environments to which an API will be published -->
>>         <Environments>
>>             <!-- Environments can be of different types. Allowed values
>> are 'hybrid', 'production' and 'sandbox'.
>>                  An API deployed on a 'production' type gateway will only
>> support production keys
>>                  An API deployed on a 'sandbox' type gateway will only
>> support sandbox keys
>>                  An API deployed on a 'hybrid' type gateway will support
>> both production and sandbox keys. -->
>>             <!-- api-console element specifies whether the environment
>> should be listed in API Console or not -->
>>             <Environment type="hybrid" api-console="true">
>>                 <Name>Production and Sandbox</Name>
>>                 <Description>This is a hybrid gateway that handles both
>> production and sandbox token traffic.</Description>
>>                 <!-- Server URL of the API gateway -->
>>                 <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>>        <!-- Admin username for the API gateway. -->
>>                 <Username>${admin.username}</Username>
>>                 <!-- Admin password for the API gateway.-->
>>                 <Password>${admin.password}</Password>
>>                 <!-- Endpoint URLs for the APIs hosted in this API
>> gateway.-->
>>                 <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
>>             </Environment>
>>         </Environments>
>>     </APIGateway>
>>
>>     <CacheConfigurations>
>>    <!-- Enable/Disable token caching at the Gateway-->
>>         <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
>>    <!-- Enable/Disable API resource caching at the Gateway-->
>>         <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
>>         <!-- Enable/Disable API key validation information caching at
>> key-management server -->
>>         <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
>>         <!-- This parameter specifies whether Recently Added APIs will be
>> loaded from the cache or not.
>>              If there are multiple API modification during a short time
>> period, better to disable cache. -->
>>         <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
>>    <!-- JWT claims Cache expiry in seconds -->
>>         <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
>>         <!-- Expiry time for the apim key mgt validation info cache -->
>>         <!--TokenCacheExpiry>900</TokenCacheExpiry-->
>>         <!-- This parameter specifies the expiration time of the
>> TagCache. TagCache will
>>              only be created when this element is uncommented. When the
>> specified
>>              time duration gets elapsed ,tag cache will get re-generated.
>> -->
>>         <!--TagCacheDuration>120000</TagCacheDuration-->
>>     </CacheConfigurations>
>>
>>     <!--
>>         API usage tracker configuration used by the DAS data publisher and
>>         Google Analytics publisher in API gateway.
>>     -->
>>     <Analytics>
>>         <!-- Enable Analytics for API Manager -->
>>         <Enabled>false</Enabled>
>>
>>         <!-- Server URL of the remote DAS/CEP server used to collect
>> statistics. Must
>>              be specified in protocol://hostname:port/ format.
>>
>>              An event can also be published to multiple Receiver Groups
>> each having 1 or more receivers. Receiver
>>              Groups are delimited by curly braces whereas receivers are
>> delimited by commas.
>>              Ex - Multiple Receivers within a single group
>>              tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/
>>
>>              Ex - Multiple Receiver Groups with two receivers each
>>              {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
>>         <DASServerURL>{tcp://localhost:7612}</DASServerURL>
>>         <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
>>         <!-- Administrator username to login to the remote DAS server. -->
>>         <DASUsername>${admin.username}</DASUsername>
>>         <!-- Administrator password to login to the remote DAS server. -->
>>         <DASPassword>${admin.password}</DASPassword>
>>
>>         <!-- For APIM implemented Statistic client for RDBMS -->
>>         <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>
>>
>>         <!-- DAS REST API configuration -->
>>         <DASRestApiURL>https://localhost:9444</DASRestApiURL>
>>         <DASRestApiUsername>${admin.username}</DASRestApiUsername>
>>         <DASRestApiPassword>${admin.password}</DASRestApiPassword>
>>
>>         <!-- Below property is used to skip trying to connect to event
>> receiver nodes when publishing events even if
>>             the stats enabled flag is set to true. -->
>>         <SkipEventReceiverConnection>false</SkipEventReceiverConnection>
>>
>>         <!-- API Usage Data Publisher. -->
>>         <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>
>>
>>         <!-- If below property set to true,then the response message size
>> will be calculated and publish
>>              with each successful API invocation event. -->
>>         <PublishResponseMessageSize>false</PublishResponseMessageSize>
>>         <!-- Data publishing stream names and versions of API requests,
>> responses and faults. If the default values
>>             are changed, the toolbox also needs to be changed
>> accordingly. -->
>>         <Streams>
>>             <Request>
>>                 <Name>org.wso2.apimgt.statistics.request</Name>
>>                 <Version>1.1.0</Version>
>>             </Request>
>>             <Response>
>>                 <Name>org.wso2.apimgt.statistics.response</Name>
>>                 <Version>1.1.0</Version>
>>             </Response>
>>             <Fault>
>>                 <Name>org.wso2.apimgt.statistics.fault</Name>
>>                 <Version>1.0.0</Version>
>>             </Fault>
>>             <Throttle>
>>                 <Name>org.wso2.apimgt.statistics.throttle</Name>
>>                 <Version>1.0.0</Version>
>>             </Throttle>
>>             <Workflow>
>>                 <Name>org.wso2.apimgt.statistics.workflow</Name>
>>                 <Version>1.0.0</Version>
>>             </Workflow>
>>             <ExecutionTime>
>>                 <Name>org.wso2.apimgt.statistics.execution.time</Name>
>>                 <Version>1.0.0</Version>
>>             </ExecutionTime>
>>    <AlertTypes>
>>                 <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
>>                 <Version>1.0.0</Version>
>>             </AlertTypes>
>>         </Streams>
>>
>>     </Analytics>
>>
>>     <!--
>>         API key validator configuration used by API key manager (IS), API
>> store and API gateway.
>>         API gateway uses it to validate and authenticate users against
>> the provided API keys.
>>     -->
>>     <APIKeyValidator>
>>         <!-- Server URL of the API key manager -->
>>         <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>> <ServerURL>https://localhost:9448/services/</ServerURL>
>>
>>         <!-- Admin username for API key manager. -->
>>         <Username>${admin.username}</Username>
>>         <!-- Admin password for API key manager. -->
>>         <Password>${admin.password}</Password>
>> <!--Username>admin</Username>
>> <Password>admin</Password-->
>>
>>         <!-- Configurations related to enable thrift support for
>> key-management related communication.
>>              If you want to switch back to Web Service Client, change the
>> value of "KeyValidatorClientType" to "WSClient".
>>              In a distributed environment;
>>              -If you are at the Gateway node, you need to point
>> "ThriftClientPort" value to the "ThriftServerPort" value given at
>> KeyManager node.
>>              -If you need to start two API Manager instances in the same
>> machine, you need to give different ports to "ThriftServerPort" value in
>> two nodes.
>>              -ThriftServerHost - Allows to configure a hostname for the
>> thrift server. It uses the carbon hostname by default.
>>         -The Gateway uses this parameter to connect to the key validation
>> thrift service. -->
>>         <KeyValidatorClientType>WSClient</KeyValidatorClientType>
>>         <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
>>         <!--ThriftClientPort>10397</ThriftClientPort-->
>>
>>         <EnableThriftServer>false</EnableThriftServer>
>>         <ThriftServerHost>localhost</ThriftServerHost>
>>         <!--ThriftServerPort>10397</ThriftServerPort-->
>>
>>         <!--ConnectionPool>
>>             <MaxIdle>100</MaxIdle>
>>             <InitIdleCapacity>50</InitIdleCapacity>
>>         </ConnectionPool-->
>>         <!-- Specifies the implementation to be used for
>> KeyValidationHandler. Steps for validating a token can be controlled by
>> plugging in a
>>              custom KeyValidation Handler -->
>>         <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
>>     </APIKeyValidator>
>>
>>     <!-- Uncomment this section only if you are going to have an instance
>> other than KeyValidator as your KeyManager.
>>          Unless a ThirdParty KeyManager is used, you don't need to
>> configure this section. -->
>>     <!--APIKeyManager>
>>         <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
>>         <Configuration>
>>             <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>>             <Username>${admin.username}</Username>
>>             <Password>${admin.password}</Password>
>>             <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
>>             <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
>>         </Configuration>
>>     </APIKeyManager-->
>>
>>     <OAuthConfigurations>
>>         <!-- Remove OAuth headers from outgoing message. -->
>>         <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
>>         <!-- Scope used for marking Application Tokens. If a token is
>> generated with this scope, they will be treated as Application Access
>> Tokens -->
>>         <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
>>         <!-- All  scopes under the ScopeWhitelist element are not
>> validating against roles that has assigned to it.
>>              By default ^device_.* and openid scopes have been white
>> listed internally. -->
>>         <!--ScopeWhitelist>
>>             <Scope>^device_.*</Scope>
>>             <Scope>openid</Scope>
>>         </ScopeWhitelist-->
>>         <!-- Name of the token API -->
>>         <TokenEndPointName>/oauth2/token</TokenEndPointName>
>>         <!-- This the API URL for revoke API. When we revoke tokens
>> revoke requests should go through this
>>              API deployed in API gateway. Then it will do cache
>> invalidations related to revoked tokens.
>>              In distributed deployment we should configure this property
>> in key manager node by pointing
>>              gateway https( /http, we recommend users to use 'https'
>> endpoints for security purpose) url.
>>              Also please note that we should point gateway revoke service
>> to key manager -->
>>         <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
>>         <!-- Whether to encrypt tokens when storing in the Database
>>         Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
>>         org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor
>>         in the identity.xml -->
>>         <EncryptPersistedTokens>false</EncryptPersistedTokens>
>>     </OAuthConfigurations>
>>
>>     <!-- Settings related to managing API access tiers. -->
>>     <TierManagement>
>>         <!-- Enable the providers to expose their APIs over the special
>> 'Unlimited' tier which
>>              basically disables tier based throttling for the specified
>> APIs. -->
>>         <EnableUnlimitedTier>true</EnableUnlimitedTier>
>>     </TierManagement>
>>
>>     <!-- API Store Related Configurations -->
>>     <APIStore>
>>         <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
>>         <!--This property is used to indicate how we do user name
>> comparison for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
>>         <CompareCaseInsensitively>true</CompareCaseInsensitively>
>>         <DisplayURL>false</DisplayURL>
>>         <URL>https://localhost:${mgt.transport.https.port}/store</URL>
>>
>>         <!-- Server URL of the API Store. -->
>>         <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>>         <!-- Admin username for API Store. -->
>>         <Username>${admin.username}</Username>
>>
>>         <!-- Admin password for API Store. -->
>>         <Password>${admin.password}</Password>
>>         <!-- This parameter specifies whether to display multiple
>> versions of same
>>              API or only showing the latest version of an API. -->
>>         <DisplayMultipleVersions>false</DisplayMultipleVersions>
>>         <!-- This parameter specifies whether to display all the APIs
>>              [which are having DEPRECATED/PUBLISHED status] or only
>> display the APIs
>>              with having their status is as 'PUBLISHED' -->
>>         <DisplayAllAPIs>false</DisplayAllAPIs>
>>         <!-- Uncomment this to limit the number of APIs in api the API
>> Store -->
>>         <!--APIsPerPage>5</APIsPerPage-->
>>
>>         <!-- This parameter specifies whether to display the comment
>> editing facility or not.
>>              Default is "true". If user wants to disable, he must set
>> this param as "false" -->
>>         <DisplayComments>true</DisplayComments>
>>
>>         <!-- This parameter specifies whether to display the ratings  or
>> not.
>>              Default is "true". If user wants to disable, he must set
>> this param as "false" -->
>>         <DisplayRatings>true</DisplayRatings>
>>
>>         <!--set isStoreForumEnabled to false for disable forum in store-->
>>         <!--isStoreForumEnabled>false</isStoreForumEnabled-->
>>     </APIStore>
>>
>>     <APIPublisher>
>>         <DisplayURL>false</DisplayURL>
>>         <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
>>         <!-- This parameter specifies enabling the capability of setting
>> API documentation level granular visibility levels.
>>              By default any document associate with an API will have the
>> same permissions set as the API.With enabling below
>>              property,it will show two additional permission levels as
>> visible only to all registered users in a particular
>>              domain or only visible to API doc creator -->
>>         <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
>>         <!-- Uncomment this to limit the number of APIs in api the API
>> Publisher -->
>>         <!--APIsPerPage>30</APIsPerPage-->
>>     </APIPublisher>
>>
>>     <!-- Status observers can be registered against the API Publisher to
>> listen for
>>          API status update events. Each observer must implement the
>> APIStatusObserver
>>          interface. Multiple observers can be engaged if necessary and in
>> such situations
>>          they will be notified in the order they are defined here.
>>          This configuration is unused from API Manager version 1.10.0 -->
>>     <!--StatusObservers>
>>         <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
>>     </StatusObservers-->
>>
>>     <!-- Use this configuration Create APIs at the Server startup -->
>>     <StartupAPIPublisher>
>>         <!-- Enable/Disable the API Startup Publisher -->
>>         <Enabled>false</Enabled>
>>
>>         <!-- Configuration to create APIs for local endpoints.
>>              Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
>>              Define many LocalAPI elements as below to create many APIs
>>              for local Endpoints.
>>              IconPath should be relative to CARBON_HOME. -->
>>         <LocalAPIs>
>>             <LocalAPI>
>>                 <Context>/resource</Context>
>>                 <Provider>admin</Provider>
>>                 <Version>1.0.0</Version>
>>                 <IconPath>none</IconPath>
>>                 <DocumentURL>none</DocumentURL>
>>                 <AuthType>Any</AuthType>
>>             </LocalAPI>
>>         </LocalAPIs>
>>
>>         <!-- Configuration to create APIs for remote endpoints.
>>              When Endpoint need to be defined use this configuration.
>>              Define many API elements as below to create many APIs
>>              for external Endpoints.
>>              If you do not need to add Icon or Documentation set
>>              'none' as the value for IconPath & DocumentURL. -->
>>         <!--APIs>
>>             <API>
>>                 <Context>/resource</Context>
>>                 <Endpoint>http://localhost:9764/resource</Endpoint>
>>                 <Provider>admin</Provider>
>>                 <Version>1.0.0</Version>
>>                 <IconPath>none</IconPath>
>>                 <DocumentURL>none</DocumentURL>
>>                 <AuthType>Any</AuthType>
>>             </API>
>>         </APIs-->
>>     </StartupAPIPublisher>
>>
>>     <!-- Configuration to enable/disable sending CORS headers in the
>> Gateway response
>>          and define the Access-Control-Allow-Origin header value.-->
>>     <CORSConfiguration>
>>         <!-- Configuration to enable/disable sending CORS headers from
>> the Gateway-->
>>         <Enabled>true</Enabled>
>>
>>         <!-- The value of the Access-Control-Allow-Origin header. Default
>> values are
>>              API Store addresses, which is needed for swagger to
>> function. -->
>>         <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
>>
>>         <!-- Configure Access-Control-Allow-Methods -->
>>         <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>
>>
>>         <!-- Configure Access-Control-Allow-Headers -->
>>         <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>
>>
>>         <!-- Configure Access-Control-Allow-Credentials -->
>>         <!-- Specifying this header to true means that the server allows
>> cookies (or other user credentials) to be included on cross-origin requests.
>>              It is false by default and if you set it to true then make
>> sure that the Access-Control-Allow-Origin header does not contain the
>> wildcard (*) -->
>>         <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
>>     </CORSConfiguration>
>>
>>     <!-- This property is there to configure velocity log output into
>> existing Log4j carbon Logger.
>>          You can enable this and set preferable Logger name. -->
>>     <!-- VelocityLogger>VELOCITY</VelocityLogger -->
>>
>>     <RESTAPI>
>>         <!--Configure white-listed URIs of REST API. Accessing
>> white-listed URIs does not require credentials (does not require
>> Authorization header). -->
>>         <WhiteListedURIs>
>>             <WhiteListedURI>
>>                 <URI>/api/am/publisher/{version}/swagger.json</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/swagger.json</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/admin/{version}/swagger.json</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/tags</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>             <WhiteListedURI>
>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>             </WhiteListedURI>
>>         </WhiteListedURIs>
>>         <ETagSkipList>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/apis</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/apis/generate-sdk</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/applications</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/applications/generate-keys</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/subscriptions</URI>
>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/tags</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis</URI>
>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
>>                 <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
>>                 <HTTPMethods>GET,PUT</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
>>                 <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/environments</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/subscriptions</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
>>                 <HTTPMethods>GET</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
>>                 <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
>>             </ETagSkipURI>
>>             <ETagSkipURI>
>>                 <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
>>                 <HTTPMethods>POST</HTTPMethods>
>>             </ETagSkipURI>
>>         </ETagSkipList>
>>     </RESTAPI>
>>     <ThrottlingConfigurations>
>>         <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
>>         <DataPublisher>
>>             <Enabled>true</Enabled>
>>             <Type>Binary</Type>
>>             <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
>>             <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
>>             <Username>${admin.username}</Username>
>>             <Password>${admin.password}</Password>
>>             <DataPublisherPool>
>>                 <MaxIdle>1000</MaxIdle>
>>                 <InitIdleCapacity>200</InitIdleCapacity>
>>             </DataPublisherPool>
>>             <DataPublisherThreadPool>
>>                 <CorePoolSize>200</CorePoolSize>
>>                 <MaxmimumPoolSize>1000</MaxmimumPoolSize>
>>                 <KeepAliveTime>200</KeepAliveTime>
>>             </DataPublisherThreadPool>
>>         </DataPublisher>
>>         <PolicyDeployer>
>>             <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
>>             <Username>${admin.username}</Username>
>>             <Password>${admin.password}</Password>
>>         </PolicyDeployer>
>>         <BlockCondition>
>>             <Enabled>true</Enabled>
>>             <!--InitDelay>300000</InitDelay>
>>             <Period>3600000</Period-->
>>         </BlockCondition>
>>         <JMSConnectionDetails>
>>             <Enabled>true</Enabled>
>>             <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
>>             <Username>${admin.username}</Username>
>>             <Password>${admin.password}</Password>
>>             <Destination>throttleData</Destination>
>>             <!--InitDelay>300000</InitDelay-->
>>             <JMSConnectionParameters>
>>                 <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>>                 <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>>                 <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>>                 <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
>>             </JMSConnectionParameters>
>>             <JMSTaskManager>
>>                 <MinThreadPoolSize>20</MinThreadPoolSize>
>>                 <MaxThreadPoolSize>100</MaxThreadPoolSize>
>>                 <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
>>                 <JobQueueSize>10</JobQueueSize>
>>             </JMSTaskManager>
>>         </JMSConnectionDetails>
>>         <JMSEventPublisherParameters>
>>                 <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>>                 <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
>>                 <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>>                 <transport.jms.Destination>throttleData</transport.jms.Destination>
>>                 <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
>>                 <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>>         </JMSEventPublisherParameters>
>>         <!--DefaultLimits>
>>             <SubscriptionTierLimits>
>>                 <Gold>5000</Gold>
>>                 <Silver>2000</Silver>
>>                 <Bronze>1000</Bronze>
>>                 <Unauthenticated>60</Unauthenticated>
>>             </SubscriptionTierLimits>
>>             <ApplicationTierLimits>
>>                 <50PerMin>50</50PerMin>
>>                 <20PerMin>20</20PerMin>
>>                 <10PerMin>10</10PerMin>
>>             </ApplicationTierLimits>
>>             <ResourceLevelTierLimits>
>>                 <50KPerMin>50000</50KPerMin>
>>                 <20KPerMin>20000</20KPerMin>
>>                 <10KPerMin>10000</10KPerMin>
>>             </ResourceLevelTierLimits>
>>         </DefaultLimits-->
>>         <EnableUnlimitedTier>true</EnableUnlimitedTier>
>>         <EnableHeaderConditions>false</EnableHeaderConditions>
>>         <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
>>         <EnableQueryParamConditions>false</EnableQueryParamConditions>
>>     </ThrottlingConfigurations>
>>
>>     <WorkflowConfigurations>
>>         <Enabled>false</Enabled>
>>         <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
>>         <ServerUser>${admin.username}</ServerUser>
>>         <ServerPassword>${admin.password}</ServerPassword>
>>         <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
>>         <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
>>         <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
>>         <DCREndPointUser>${admin.username}</DCREndPointUser>
>>         <DCREndPointPassword>${admin.password}</DCREndPointPassword>
>>     </WorkflowConfigurations>
>>
>>     <SwaggerCodegen>
>>         <ClientGeneration>
>>             <GroupId>org.wso2</GroupId>
>>             <ArtifactId>org.wso2.client.</ArtifactId>
>>             <ModelPackage>org.wso2.client.model.</ModelPackage>
>>             <ApiPackage>org.wso2.client.api.</ApiPackage>
>>             <!-- Configure supported languages/Frameworks as comma separated values,
>>                  Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
>>                  nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
>>             <SupportedLanguages>java,android</SupportedLanguages>
>>         </ClientGeneration>
>>     </SwaggerCodegen>
>>
>> </APIManager>
>>
>> Do you need my IS one, too?
>>
>> Regards,
>>
>> Thomas
>>
>> 2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[email protected]>:
>>
>>> Would be better if you could share the api-manager.xml configuration
>>> file to see if there are any errors in configs.
>>>
>>>
>>>
>>>
>>> Farasath Ahamed
>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>
>>>
>>>
>>> On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <
>>> [email protected]> wrote:
>>>
>>>> Hello again,
>>>>
>>>> I followed the tutorial in [1] to configure my Identity Server (IS) as
>>>> a key manager for my API Manager (AM). When I create my Production &
>>>> Sandbox applications in the AM, I can see service providers created in the
>>>> IS. I configured them to use SAML to retrieve information like the roles,
>>>> if the authentication is successful. And I can "exchange" my SAML
>>>> assertion for an OAuth token. So, everything is cool, here.
>>>>
>>>> But, when I try to reuse this OAuth token to access a resource via
>>>> the AM, it rejects me with this sweet message:
>>>>
>>>>     <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
>>>>       <ams:code>900900</ams:code>
>>>>       <ams:message>Unclassified Authentication Failure</ams:message>
>>>>       <ams:description>Resource forbidden</ams:description>
>>>>     </ams:fault>
>>>>
>>>> But there are no errors in the logs, just a WARN. So, I activated the DEBUG
>>>> mode and then I can see some interesting things:
>>>>
>>>> [2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
>>>> [2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
>>>> org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
>>>>         at org.apache.synapse.rest.API.process(API.java:325)
>>>>         at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
>>>>         at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
>>>>         at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
>>>>         at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
>>>>         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>>>>         at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
>>>>         at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
>>>>         at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>         at java.lang.Thread.run(Thread.java:745)
>>>> Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
>>>>         ... 16 more
>>>> Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
>>>>
>>>> From here, I don't know what to do since I tried some fancy URLs for
>>>> the ServerURL value in the elements AuthManager and APIKeyValidator.
>>>> My IS has an offset of 5, so the port is 9448. Here is the URL I used to
>>>> point to the IS server: https://localhost:9448/services/
>>>>
>>>> Is there a way to know at which URL the IS deploys its Key Manager
>>>> feature web services (WS)?
>>>> Should I reinstall the Key Manager feature in the IS?
>>>>
>>>> Regards,
>>>>
>>>> Thomas
>>>>
>>>> [1] https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>
>>
>>
>
>
> --
> Rajith Roshan
> Software Engineer, WSO2 Inc.
> Mobile: +94-717-064-214
>
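The thread turns on two things a practitioner has to pin down by hand: what the gateway's ams:fault actually says (code 900900 versus the free-text "Resource forbidden"), and which host:port the gateway really dials once the ${...} placeholders in api-manager.xml are expanded against a Carbon port offset (the IS here runs with offset 5, hence 9448). The following is an added example, not code from this thread or from WSO2; it parses the fault body quoted above and resolves placeholder URLs of the form used in the posted config. The base ports in CARBON_BASE_PORTS (9443 for the HTTPS management transport, 8243 for the NIO HTTPS transport), the "base + offset" rule, and the default values for carbon.local.ip and carbon.context are assumptions, as are the helper names.

```python
"""Added example (not from the thread, not WSO2 code): helpers for debugging an
APIM gateway -> Key Manager 'Resource forbidden' failure.

parse_ams_fault()    : code/message/description out of the gateway's ams:fault
resolve_carbon_url() : expand ${...} placeholders from api-manager.xml with a
                       Carbon port offset to see the URL the gateway will call
points_at()          : does that URL target the Key Manager you intended?
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

AMS_NS = "http://wso2.org/apimanager/security"

# Constructed sample: the fault body quoted in the thread.
SAMPLE_FAULT = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900900</ams:code>
  <ams:message>Unclassified Authentication Failure</ams:message>
  <ams:description>Resource forbidden</ams:description>
</ams:fault>"""

# Assumed Carbon defaults (stock HTTPS management and NIO HTTPS ports);
# override per deployment. Offset handling assumed to be base + offset.
CARBON_BASE_PORTS = {
    "mgt.transport.https.port": 9443,
    "https.nio.port": 8243,
}
# Assumed defaults for the non-port placeholders seen in api-manager.xml.
CARBON_STRINGS = {
    "carbon.local.ip": "localhost",
    "carbon.context": "/",
}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_ams_fault(body: str) -> dict:
    """Return {'code', 'message', 'description'} from an ams:fault document.

    Mail archives sometimes append ';' after a quoted URL (the thread's copy of
    the fault had one after the xmlns value); strip that so the XML parses.
    """
    cleaned = body.replace('";', '"')
    root = ET.fromstring(cleaned)
    ns = {"ams": AMS_NS}
    out = {}
    for field in ("code", "message", "description"):
        node = root.find(f"ams:{field}", ns)
        out[field] = node.text.strip() if node is not None and node.text else ""
    return out


def resolve_carbon_url(template: str, offset: int = 0, overrides=None) -> str:
    """Expand ${...} placeholders in a Carbon config value.

    Ports come from CARBON_BASE_PORTS plus `offset`, strings from
    CARBON_STRINGS, and `overrides` wins over both. An unknown placeholder
    raises, so a typo in the config is not silently passed to the gateway.
    """
    values = dict(CARBON_STRINGS)
    values.update(overrides or {})

    def _sub(match: re.Match) -> str:
        key = match.group(1)
        if key in values:
            return str(values[key])
        if key in CARBON_BASE_PORTS:
            return str(CARBON_BASE_PORTS[key] + offset)
        raise KeyError(f"unresolved placeholder ${{{key}}} in {template!r}")

    return PLACEHOLDER.sub(_sub, template)


def points_at(url: str, host: str, port: int) -> bool:
    """True if `url` targets host:port, i.e. the gateway would reach that server."""
    parts = urlsplit(url)
    return parts.hostname == host and parts.port == port


if __name__ == "__main__":
    fault = parse_ams_fault(SAMPLE_FAULT)
    print(f"gateway fault code={fault['code']} description={fault['description']!r}")

    # Same ServerURL template, resolved on the AM node (offset 0) and for an
    # IS Key Manager started with offset 5: only the latter reaches port 9448.
    template = "https://localhost:${mgt.transport.https.port}${carbon.context}services/"
    for off in (0, 5):
        url = resolve_carbon_url(template, offset=off)
        print(f"offset {off}: {url} -> IS Key Manager? {points_at(url, 'localhost', 9448)}")
```

Run it against your own api-manager.xml values by passing the raw `<ServerURL>` text to `resolve_carbon_url` with the offset of the server that owns that setting; a URL that resolves to the AM's own 9443 when the Key Manager lives on 9448 is the kind of mismatch worth ruling out before looking at the Axis2 stubs.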
