The API Manager allows us to do some simple ESB-style mediation on inbound requests. We can use this to make some simple security checks, such as checking the client's source IP against a known list.
This check runs after the normal OAuth checks, so it is an additional restriction on top of OAuth, not a replacement for it. If you don't want to require users to do normal OAuth authentication, then on the "Manage" tab of the publisher interface, in the "Resources" section, select "None" as the authentication requirement (instead of the default "Application & Application User"). Be aware that with "None" selected, the IP check becomes the only access control applied to that resource.
To enable custom mediation on inbound requests: on the "Implement" tab of the publisher interface, enable "Enable Message Mediation" and then upload a file for the "In Flow".
To make IP Verification easier, UCSD provides a custom mediator (already installed) which can be invoked like this:
<?xml version="1.0" encoding="UTF-8"?>
<sequence xmlns="http://ws.apache.org/ns/synapse" name="VerifyLouisIP_2">
  <class name="edu.ucsd.its.soa.wso2.esb.ucsd_custom_mediators.VerifyIP">
    <property name="rules">
      <rules>
        <allow>132.239.181.86</allow>
        <allow>132.239.181.86-132.239.181.87</allow>
        <allow>132.239.181.86/24</allow>
        <deny>127.0.0.1</deny>
      </rules>
    </property>
  </class>
</sequence>
The VerifyIP mediator processes the rules in order, stopping at the first matching rule, so the order you list them in matters: a deny that appears after a broader allow will never fire. If no rule matches, or the first matching rule is a deny, the request is rejected with a 403 response (the default is to deny). Note that the mediator can only judge the address it is handed; if the gateway sits behind a load balancer or reverse proxy, confirm with the APIM administrators whether that is the TCP peer address or a forwarded header such as X-Forwarded-For, since a forwarded header is only trustworthy when the proxy overwrites it rather than passing through whatever the client sent.
Rules may be defined as:
- String Matches ex: 216.58.193.206
- Regex Matches ex: 216.58.193.*
- Range Matches ex: 216.58.193.206-216.58.193.207
- CIDR Matches ex: 216.58.193.0/24
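To sanity-check a rule set before uploading it, here is an added Python model of the rule semantics described above (first match wins, default deny, the four rule forms). It is example code written for this page, not the UCSD mediator's own implementation: it assumes the form of each rule is inferred from its value in the order exact address, range, CIDR, regex, and that a regex has to match the whole dotted address. The sample rule set, the sample sequence (with the hypothetical name VerifyExampleIP_1) and the test addresses are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample rule set for this example (not a production list).
# A deny is placed ahead of the /24 allow to show that order matters.
SAMPLE_RULES = """<rules>
  <deny>132.239.181.90</deny>
  <allow>132.239.181.86</allow>
  <allow>132.239.181.86-132.239.181.87</allow>
  <allow>132.239.181.0/24</allow>
  <deny>127.0.0.1</deny>
</rules>"""

# Same shape as the sequence shown on the page (hypothetical name): the default
# Synapse namespace is inherited by <rules>, so the parser must strip it.
SAMPLE_SEQUENCE = """<sequence xmlns="http://ws.apache.org/ns/synapse" name="VerifyExampleIP_1">
  <class name="edu.ucsd.its.soa.wso2.esb.ucsd_custom_mediators.VerifyIP">
    <property name="rules">
      <rules>
        <allow>132.239.181.86</allow>
        <allow>132.239.181.86-132.239.181.87</allow>
        <allow>132.239.181.86/24</allow>
        <deny>127.0.0.1</deny>
      </rules>
    </property>
  </class>
</sequence>"""


def _local(tag):
    """Strip an XML namespace prefix like '{http://...}rules' down to 'rules'."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def parse_rules(xml_text):
    """Return [(action, pattern), ...] in document order from a <rules> element,
    whether it is given bare or embedded in a full <sequence>."""
    root = ET.fromstring(xml_text)
    rules_el = next((e for e in root.iter() if _local(e.tag) == "rules"), None)
    if rules_el is None:
        raise ValueError("no <rules> element found")
    rules = []
    for el in rules_el:
        action = _local(el.tag)
        if action not in ("allow", "deny"):
            raise ValueError(f"unexpected rule element <{action}>")
        rules.append((action, (el.text or "").strip()))
    return rules


def rule_matches(pattern, ip):
    """Test one rule value against a client address. The rule form is inferred
    from the value, trying the strict forms first (assumption: the real mediator
    may classify differently, but these are the four forms the page lists)."""
    addr = ipaddress.ip_address(ip)
    # 1. exact string match, e.g. 216.58.193.206
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        pass
    # 2. inclusive range, e.g. 216.58.193.206-216.58.193.207
    if pattern.count("-") == 1:
        try:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in pattern.split("-"))
            return lo <= addr <= hi
        except (ValueError, TypeError):
            pass
    # 3. CIDR, e.g. 216.58.193.0/24 (strict=False tolerates host bits being set,
    #    as in the page's 132.239.181.86/24)
    if "/" in pattern:
        try:
            return addr in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            pass
    # 4. anything else is treated as a regex over the dotted string, e.g.
    #    216.58.193.* (assumption: the whole address must match)
    return re.fullmatch(pattern, ip) is not None


def verify_ip(rules, ip):
    """First matching rule wins. Returns (allowed, reason); no match at all is a
    deny, mirroring the mediator's 403 on 'no rule matches or a deny matches'."""
    for action, pattern in rules:
        if rule_matches(pattern, ip):
            return (action == "allow", f"{action} {pattern}")
    return (False, "no rule matched")


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ["132.239.181.86", "132.239.181.87", "132.239.181.90",
               "132.239.181.200", "127.0.0.1", "10.0.0.1"]:
        allowed, reason = verify_ip(rules, ip)
        print(f"{ip:16} {'200' if allowed else '403'}  ({reason})")
```

Feed it the rules you intend to upload (bare or inside the full sequence) and the addresses you expect to be admitted or refused; a deny that should fire but reports an earlier allow as its reason is listed too late in the rule set.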
There have been problems when uploading a sequence whose "name" attribute has been used before. We recommend adding a version number to the end of the name and incrementing it every time you upload a new version. Old versions do not appear to be removed automatically, but an administrator can remove them if needed. Sequences are not shared across APIs: if you wish to use the same one on multiple APIs, either upload it to each API or, if it is a generic solution, consider submitting it to the APIM administrators for addition to the general pool (which is shared by all APIs).