• Uncategorized

    How to store additional attributes as key value pairs in WSO2 API Manager store application

    Problem: In the WSO2 API Manager store UI, users are allowed to create applications to consume APIs. It is a very common requirement to store some additional attributes along with an application, in addition to the default attributes collected from the user. API Manager store allows users to store predefined attributes by adding additional information. Sometimes those attributes are not sufficient, as we do not know all attributes when we configure servers. Also, in some scenarios we need to store attributes as key-value pairs and we might not know what the keys are. In this post we will discuss how to implement a solution for that requirement. With this customization you will be able…

  • Uncategorized

    Configure Log Rotating for http access logs in WSO2 API Manager and EI

    It is possible to rotate logs based on time intervals by changing the configuration in catalina-server.xml (in <Product_Home>/repository/conf/tomcat) and adding the fileDateFormat attribute to the AccessLogValve. This is explained in the following documents [1,2] as well. If you add any additional parameters defined in document [2], they will take effect at runtime, as the underlying runtime picks them up. This works as expected in Linux environments. However, due to file naming limitations, the above pattern may need changes in some other environments. If you need further assistance please let us know. Please find a sample configuration below.

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="${carbon.home}/repository/logs" prefix="http_access_" suffix=".log" pattern="combined" fileDateFormat="yyyy-MM-dd.HH"/>

    [1] https://docs.wso2.com/display/ADMIN44x/HTTP+Access+Logging
    [2] https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Access_Log_Valve

  • Uncategorized

    Fix WSO2 API Manager Publisher endpoint testing and WSDL failures due to SSL issues.

    In this post we will discuss SSL issues related to importing WSDLs and testing endpoints in the WSO2 API Publisher UI. Sometimes you will not be able to publish a SOAP API when the WSDL requires mutual SSL. In such cases we need additional configuration to support that. Some users confuse this with the mutual SSL profile support we have for gateways. Supported Transports: WSO2 API Manager supports various types of transport, which makes it capable of receiving and sending messages over a multitude of transport and application level protocols. In this scenario, two types of transports are involved: PassThrough Transport and Servlet Transport. PassThrough Transport is a non-blocking HTTP transport implementation based on…

  • Uncategorized

    Validate JWT issued from WSO2 API Manager at web service

    What is JWT? JSON Web Token (JWT) represents claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plain text of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed. A JWT is self-contained, so when we create one, it will have all the necessary pieces inside it. To authenticate end users, the API Manager passes attributes of the API invoker to the back-end API implementation. JWT is used to represent claims that are transferred between the end…

  • Uncategorized

    WSO2 API Manager Fixing Alert page blocking from XSS Valve

    Problem: In WSO2 API Manager we have added a filter to detect XSS attacks. This filter will detect vulnerabilities and block them. Sometimes this can block legitimate URLs too, as they can meet the filter criteria. In such cases we need to configure the filter to skip them. As an example, we can consider the alert page being blocked by this filter. You will see the stack trace below when you go through the admin console to the analytics section to set up alerts.

    Sample error log:

        TID: [-1234] [] [2019-07-16 15:46:45,737] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} - Could not handle request: /publisher/site/blocks/manage-alerts/ajax/manage-alerts.jag {org.wso2.carbon.tomcat.ext.valves.CompositeValve}
        javax.servlet.ServletException: Possible XSS Attack. Suspicious code : Alert
            at org.wso2.carbon.ui.valve.XSSValve.validateParameters(XSSValve.java:111)

    Solution: The patterns that are checked in order to mitigate XSS vulnerabilities…

  • Uncategorized

    How to deploy WSO2 API Microgateway in Google Kubernetes Engine

    WSO2 API Microgateway is a lightweight message processor for APIs. It is used for message security, transport security, routing, and other common API management related quality of service (QoS) functions. It can process incoming and outgoing messages while collecting information required for usage metering and throttling. In this article we will see how we can deploy the microgateway in the gcloud Kubernetes runtime using auto-generated containers. You can have your API Manager node deployed on your local machine or in a cloud deployment. First, deploy the sample pizzashack API by clicking deploy sample API in the publisher UI. Then go to the API implement page and provide a globally accessible URL as we are going to deploy…

  • Uncategorized

    How to run your MSF4J Application in the Cloud Foundry runtime.

    Pivotal Cloud Foundry (PCF) is a Platform as a Service (PaaS) solution originally developed by VMware and later moved to Pivotal Software Inc, a joint venture by EMC, VMware and General Electric. PCF is the commercial version of the open source Cloud Foundry solution, which includes additional commercial features such as the operations manager, enterprise services, extensions, support, docs, etc. In this article we will see how we can deploy a microservice developed using MSF4J in the PCF runtime. WSO2 Microservices Framework for Java (MSF4J) is a lightweight, high performance framework for developing and running microservices. WSO2 MSF4J is one of the highest performing lightweight Java microservices frameworks. The following graphs show the…

  • Uncategorized

    How to use OAuth 2.0 secured back end in WSO2 API Manager

    WSO2 API Manager supports basic auth and digest auth secured back ends. That means that when users need to create an API for a basic auth secured back end, they can provide basic auth credentials in the API. Users are allowed to update the properties required to communicate with secured back end servers. The WSO2 OAuth mediator can be used for generating OAuth2 tokens for talking to service endpoints secured with the OAuth2 protocol in WSO2 ESB/Integrator and API Manager. You can go to this link (https://github.com/npamudika/wso2-oauth-mediator), clone the repo and follow the instructions listed in the readme file. This mediator can be used for generating OAuth2 tokens for talking to service endpoints secured with the OAuth2 protocol. It supports both…

  • Uncategorized

    How to use JavaScript mediator to modify outgoing message body during mediation flow – WSO2 ESB/ API Manager

    Here in this post we will see how we can use the JavaScript mediator to modify the outgoing message body during the mediation flow. Below is the sample API configuration I used for this sample. As you can see here, I extract the password field from the incoming message and send it as symbol to the back end service. Since I need to check what is actually passed to the back end server, I added TCPMon between the gateway and the back end server. That is why port 8888 appears there.

        <api name="TestAPI" context="/test">
          <resource methods="POST" url-mapping="/status" faultSequence="fault">
            <inSequence>
              <script language="js">var symbol = mc.getPayloadXML()..*::password.toString();
                mc.setPayloadXML(
                  &lt;m:getQuote xmlns:m="http://services.samples/xsd"&gt;
                    &lt;m:request&gt;
                      &lt;m:symbol&gt;{symbol}&lt;/m:symbol&gt;
                    &lt;/m:request&gt;
                  &lt;/m:getQuote&gt;);</script>
              <send>
                <endpoint name="test-I_APIproductionEndpoint_0">
                  <http uri-template="http://127.0.0.1:8888/"/>
                </endpoint>…

  • Uncategorized

    Batch API – API chaining scenario

    In this example, we have two back-end services and one proxy service. WSDLs for the examples can be found in the zip file attached. This service is in the WSO2 API Manager and it is exposed to customers. This service accepts an ID and a credit amount for its credit operation. A request coming to this service is served by two back-end services. PersonInfoService: The PersonInfoService provides the name and address information about a requestor when the ID is given. So, this is the first service being called by the CreditProxy service deployed in the API The CreditService is the actual service that does the crediting. It is called by…