[Apiman-dev] Apiman - WS Security policy

Benjamin Kastelic kastelic.benjamin at gmail.com
Sat Mar 26 07:06:20 EDT 2016


Hi,

I temporarily solved the problem by storing the request body, which is
contained in ApiRequest.rawRequest object, in a temporary buffer. I then
process the data (authentication) and based on the results proceed with the
policy chain or report a failure. Then in the end() method of the
requestDataHandler method I write the contents of my temporary buffer using
super.write(IApimanBuffer). That way I can forward the request to the next
policy in the chain. But this is still a hacky way of doing this.

I would be glad to help with extending SOAP support. But I would need a few
pointers where to start. The way of storing SOAP headers in the ApiRequest
object seems like a good idea.

2016-03-24 18:40 GMT+01:00 Eric Wittmann <eric.wittmann at redhat.com>:

> Hi Benjamin - thanks for the excellent question.  I will do my best to
> answer and note that I am CC'ing the apiman-dev mailing list so others can
> chime in.
>
> First let me say that a WS-Security policy sounds great - we haven't
> focused much on the WS-* protocols because we get much more demand for
> managing REST APIs than SOAP APIs.  That said, better SOAP support is
> certainly on the radar.  When that happens, my hope is that processing the
> envelope might be a core part of the gateway and so implementing policies
> that use information in there will be easier.  Perhaps your implementation
> can be the genesis of some of that work!
>
> To your question - without core changes to apiman, the approach you *need*
> to take is to have your policy implement IDataPolicy.  I believe you may
> have already tried that, and observed that you cannot send proper policy
> failures from that method.  You are right - that's something we will need
> to fix!  I think you should be able to throw a runtime exception from the
> write(IApimanBuffer chunk) method if you detect an error.  However, this is
> a little bit hacky!
>
> Instead, I suggest (if you're up for it) that we perhaps work together to
> bake SOAP support directly into the core of apiman, such that the SOAP
> envelope is read/parsed *before* the policy chain is executed.  We could
> expose, for example, the SOAP headers as a proper Map<> stored either in
> the context or on the ApiRequest.  This would allow you to properly
> implement most (all?) WS-* protocols as proper apiman policies in the
> apply(ApiRequest request) method.
>
> Thoughts?
>
> -Eric
>
>
> On 3/24/2016 7:58 AM, Benjamin Kastelic wrote:
>
>> Greetings,
>>
>> I first thought to write this question as an issue on Github, but it
>> seemed better to write you a direct email.
>>
>> I am making a custom WS Security policy that reads the body and checks
>> the UsernameToken security header. This works OK, but now I've hit a wall.
>>
>> In the doApply method I get the rawRequest object and read the body from
>> the ServletInputStream of the request. The problem I'm facing now is
>> that the input stream was read and it can't be reset back to its
>> initial state.
>>
>> I was also trying to implement the same logic in the requestDataHandler
>> method, but I don't know if it is even possible to send a failure
>> message to the request chain from there.
>>
>> Any suggestions?
>>
>> Best regards,
>> Benjamin
>>
>


-- 
Lp, Benjamin
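Added example, not part of this thread and not apiman's own code: the UsernameToken check Benjamin describes, written in Python so the token rule can be shown independently of apiman's Java IDataPolicy API. It goes a little beyond the thread by also checking the wsu:Created timestamp and rejecting reused nonces, which a WS-Security policy sitting in front of an API should do. The envelope builder, the credential store and the user names are constructed for the example and are assumptions, not anything from apiman.

```python
# Added example (not apiman code): verify a WS-Security UsernameToken carried in
# a SOAP header. Digest rule from the WSS UsernameToken Profile 1.0:
#   PasswordDigest = Base64(SHA-1(nonce_bytes + created_utf8 + password_utf8))
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET  # untrusted XML: prefer defusedxml in production
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed credential store (assumption); a gateway would ask a real backend.
USERS = {"alice": "correct horse battery staple"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_envelope(user: str, password: str, nonce: bytes = None, created: str = None) -> bytes:
    """Constructed client side: a SOAP request carrying a UsernameToken header."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getQuote>ACME</getQuote></soapenv:Body>
</soapenv:Envelope>""".encode("utf-8")


class UsernameTokenVerifier:
    """Checks digest, Created freshness and nonce uniqueness; returns the user."""

    def __init__(self, users: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.users, self.max_skew = users, max_skew
        self.seen_nonces = set()  # per-process; a clustered gateway needs a shared TTL store

    def verify(self, envelope: bytes) -> str:
        root = ET.fromstring(envelope)
        token = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            raise ValueError("no UsernameToken")
        fields = {}
        for ns, tag in ((WSSE, "Username"), (WSSE, "Password"), (WSSE, "Nonce"), (WSU, "Created")):
            el = token.find(f"{{{ns}}}{tag}")
            if el is None or not (el.text or "").strip():
                raise ValueError(f"missing {tag}")
            fields[tag] = el
        if fields["Password"].get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted")  # refuse PasswordText
        user, created = fields["Username"].text.strip(), fields["Created"].text.strip()
        nonce = base64.b64decode(fields["Nonce"].text.strip(), validate=True)
        supplied = fields["Password"].text.strip()

        # Freshness first: a stale Created is refused before any secret is touched.
        created_dt = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(datetime.now(timezone.utc) - created_dt) > self.max_skew:
            raise ValueError("Created outside allowed window")
        # Replay: the same nonce inside the window means a captured request.
        if nonce in self.seen_nonces:
            raise ValueError("nonce replayed")
        # Unknown users get a dummy password so the failure path has uniform timing.
        expected = password_digest(nonce, created, self.users.get(user, ""))
        if user not in self.users or not hmac.compare_digest(expected.encode(), supplied.encode()):
            raise ValueError("bad credentials")
        self.seen_nonces.add(nonce)
        return user


def outcome(verifier: UsernameTokenVerifier, envelope: bytes) -> str:
    """Authenticated user, or 'rejected: <reason>' (convenient for logging and tests)."""
    try:
        return verifier.verify(envelope)
    except ValueError as exc:
        return f"rejected: {exc}"
```

Two points worth noting for a gateway policy. The decision can only be made once the whole envelope has been read, so buffering the body before forwarding it, as discussed in the thread, is unavoidable for this token type. And PasswordDigest is a hash over the password itself, so the verifying side must hold the password in recoverable form; the scheme authenticates but is not a substitute for a proper credential store or for transport protection.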