Wednesday, March 26, 2014

How to secure your services with OAuth2 using WSO2 API Manager

If you host a service, you may need some access control on it; otherwise anyone can access it. In that case you can use WSO2 API Manager to achieve this easily: API Manager can secure your service with OAuth2.

I have a backend service hosted on an Apache Tomcat server. It can be invoked with both the HTTP GET and POST methods.

If I send the request below, I receive a response:
http://localhost:8080/stockquote/getQuote?symbol=wso2

Response:
<getQuoteResponse>
       <symbol>wso2</symbol>
       <lastPrice>67.73111720684315</lastPrice>
       <company>wso2 Company</company>
       <timeStamp>Wed Mar 26 17:49:25 IST 2014</timeStamp>
</getQuoteResponse>

Then I am going to create an API on WSO2 API Manager (wso2am-1.6.0) and keep my actual backend service behind the API Manager.

Steps to create an API
1) First I start wso2am-1.6.0
2) Log in to the Publisher using the admin user credentials
       https://localhost:9443/publisher/
3) Add an API with the parameters below.

       Name    : stockQuoteApi
       Context : stockquote
       Version : 1.0.0
       Tier Availability : Gold
       Production Endpoint : http://localhost:8080/stockquote/getQuote

With the above parameters, we can create an API successfully.

4) Publish the created API
      Select the created API and change its LifeCycle state to Publish

Then we have to subscribe to the created API.

5) Log in to the Store using the admin user credentials; you can then see the API created
       https://10.100.1.107:9443/store/
6) Then select the API. You can see the access URL of the created API, "http://10.100.1.107:8280/stockQuote/1.0.0".
Then choose DefaultApplication in the Applications drop-down box in the right corner.

7) Then click on the Subscribe button.

8) Then click on the Generate button under Keys - Production. You can then see the Access Token.

Now the API creation is complete.

Then try to access the API. You can use any HTTP client to access the service; in this case I am going to use curl.

First I invoke the API without any credentials, using the command below.

curl http://localhost:8280/stockQuote/1.0.0?symbol=wso2

Then I receive the response below.

<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
     <ams:code>900902</ams:code>
     <ams:message>Missing Credentials</ams:message>
     <ams:description>Required OAuth credentials not provided</ams:description>
</ams:fault>

That means your API is secured: the gateway rejects the request with fault code 900902 (Missing Credentials), so you need to provide the access token to invoke the service. You can find the access token on the subscription page.

Then invoke the service with the command below, passing the token as an OAuth2 bearer token in the Authorization header (the header name is "Authorization" followed immediately by the colon, then "Bearer", a space, and the token).

curl -H "Authorization: Bearer gQsoJqhYv15f_JiEVg46y44olcUa" http://localhost:8280/stockQuote/1.0.0?symbol=wso2

Now I get the correct response, which is provided by my actual backend service running on the Tomcat server.

<getQuoteResponse>
      <symbol>wso2</symbol>
      <lastPrice>147.95183566530514</lastPrice>
      <company>wso2 Company</company>
      <timeStamp>Wed Mar 26 18:32:30 IST 2014</timeStamp>
</getQuoteResponse>
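The two curl calls above are the whole client side of the flow: a request without a token gets the gateway's ams:fault, and a request with a correctly formed bearer header reaches the backend. The following is an added example (not code from the original post and not part of WSO2 API Manager) of a small Python client that does the same thing and tells the two outcomes apart programmatically. It assumes the gateway URL from the post (http://localhost:8280/stockQuote/1.0.0); the fault and quote bodies embedded in it are constructed copies of the responses shown above, used so the parsing can be exercised offline. It goes slightly beyond the post in one respect: the header builder checks the token against the bearer-token character set from RFC 6750 before sending it, so a token pasted with stray whitespace is rejected locally instead of producing a confusing gateway fault.

```python
"""Minimal client for an OAuth2-protected API behind WSO2 API Manager.

Added example; the gateway URL is taken from the post, and the sample
response bodies below are constructed from the post's own output.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

GATEWAY_URL = "http://localhost:8280/stockQuote/1.0.0"  # assumed, from the post
AMS_NS = "http://wso2.org/apimanager/security"            # namespace of ams:fault

# Constructed sample bodies, copied from the shape of the post's responses.
FAULT_BODY = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
     <ams:code>900902</ams:code>
     <ams:message>Missing Credentials</ams:message>
     <ams:description>Required OAuth credentials not provided</ams:description>
</ams:fault>"""

QUOTE_BODY = """<getQuoteResponse>
      <symbol>wso2</symbol>
      <lastPrice>147.95183566530514</lastPrice>
      <company>wso2 Company</company>
      <timeStamp>Wed Mar 26 18:32:30 IST 2014</timeStamp>
</getQuoteResponse>"""

# token68 alphabet from RFC 6750 section 2.1: ALPHA / DIGIT / - . _ ~ + / then optional '='
_TOKEN_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def bearer_header(token: str) -> dict:
    """Build the Authorization header the gateway expects.

    The header name is 'Authorization' (no space before the colon) and the
    value is 'Bearer', one space, then the token. A token with whitespace or
    other characters outside the token68 alphabet is rejected here rather
    than sent.
    """
    if not _TOKEN_RE.match(token):
        raise ValueError("access token contains characters not allowed in a bearer token")
    return {"Authorization": f"Bearer {token}"}


def parse_gateway_fault(body: str):
    """Return (code, message, description) if body is an ams:fault, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{AMS_NS}}}fault":
        return None

    def text(name: str) -> str:
        el = root.find(f"{{{AMS_NS}}}{name}")
        return el.text.strip() if el is not None and el.text else ""

    return (text("code"), text("message"), text("description"))


def parse_quote(body: str) -> dict:
    """Parse the backend's getQuoteResponse into a dict of child tag -> text."""
    root = ET.fromstring(body)
    if root.tag != "getQuoteResponse":
        raise ValueError(f"unexpected element {root.tag}")
    return {child.tag: (child.text or "").strip() for child in root}


def classify_response(status: int, body: str) -> dict:
    """Decide whether a gateway reply is a security fault or a backend answer.

    The fault document is checked first, because the post does not show which
    HTTP status the gateway uses for it; the body is the reliable signal.
    """
    fault = parse_gateway_fault(body)
    if fault is not None:
        return {"ok": False, "status": status, "fault": fault}
    if status == 200:
        return {"ok": True, "status": status, "quote": parse_quote(body)}
    return {"ok": False, "status": status, "fault": None}


def get_quote(symbol: str, token: str, url: str = GATEWAY_URL) -> dict:
    """Call the API through the gateway with a bearer token (network access)."""
    query = urllib.parse.urlencode({"symbol": symbol})
    req = urllib.request.Request(f"{url}?{query}", headers=bearer_header(token))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, e.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline walk-through of both outcomes shown in the post.
    print(classify_response(401, FAULT_BODY))   # status 401 is a constructed value
    print(classify_response(200, QUOTE_BODY))
    # get_quote("wso2", "<token from the Store subscription page>")  # live call
```

The live call in get_quote is the equivalent of the second curl command; the offline part shows what a client should check, namely whether the body is an ams:fault (code 900902 here) rather than trusting the HTTP status alone.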

As in the example above, you can create any number of APIs to secure your services. It is very easy and useful.
