[Apiman-user] applications without plans?
Tim Dudgeon
tdudgeon.ml at gmail.com
Wed Oct 14 11:17:46 EDT 2015
On 14/10/2015 14:57, Eric Wittmann wrote:
> That's an imaginative use of apiman and it should work precisely as
> you have described it. You are right that if you use applications,
> then you must also have at least one plan. The API key is necessary
> in this situation because the gateway will need to know which
> application is calling the service (so that it can pick the right set
> of policies to apply).
Yes, I understand why that is necessary.
This is because the service is being called directly through the service
owner's "path", e.g.
/apiman-gateway/ServiceOwnerOrg/service/1.0
Might it (in principle) be possible to access the service through the
application owner's "path", e.g.
/apiman-gateway/AppOwnerOrg/AppName/ServiceOwnerOrg/service/1.0
>
> Your only other solution would be a custom authentication policy,
> which would obviously allow you to do whatever you wanted. In that
> scenario, you will presumably still need to identify the
> application/organization in some way. For example, each application
> would need to identify itself via a custom http header, or a query
> param, etc.
Yes, that might work. A sort of delegating authenticator that delegates
to the appropriate realm based on a header param.
But it would not allow each organisation to provide custom policies.
e.g. I have in mind that an individual organisation might want to add
user based rate limiting to prevent one of its users using all the
organisation's quota.
Tim
>
> -Eric
>
> On 10/14/2015 9:46 AM, Tim Dudgeon wrote:
>> I'm wanting to do something that may not be possible :-)
>>
>> I have a service that I want to offer to multiple organisations.
>> I want the users of each organisation to authenticate according to the
>> needs of that organisation (e.g. against their own LDAP server).
>> I do not want to have to handle API keys as I have lots of organisations
>> and lots of services and lots of versions of those services, so think
>> managing those keys will fast become a nightmare. I am happy to use the
>> service as a public service, as long as the user is authenticated and
>> authorized.
>>
>> e.g. I think what I want to do is create an application in each
>> organisation with a policy that does the authentication, and use a
>> public service that does the authorization based on expected role
>> granted to the user.
>> But the only way I can see to do this is to use plans, which involve the
>> need for API keys.
>>
>> Any ways to do this?
>>
>> Tim
>>
>> _______________________________________________
>> Apiman-user mailing list
>> Apiman-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/apiman-user
>>
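The design Tim sketches above, a delegating authenticator that picks the organisation's realm from a request header, followed by a per-organisation policy that caps each user's share of the organisation's quota, written out as an added example. This is not apiman code and uses none of apiman's policy API: the `X-Organization` header name, the in-memory `StaticRealm` standing in for an organisation's LDAP server, and the organisation and user names are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

class StaticRealm:
    """Per-organisation user store (constructed stand-in for the org's LDAP server)."""
    _DUMMY = (b"\0" * 16, b"\0" * 32, frozenset())  # keeps unknown-user timing similar
    def __init__(self, users):
        # users: {username: (password, roles)} -- constructed sample data
        self._users = {}
        for name, (password, roles) in users.items():
            salt = os.urandom(16)
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
            self._users[name] = (salt, digest, frozenset(roles))
    def authenticate(self, username, password):
        """Return the user's roles on success, None on failure."""
        salt, digest, roles = self._users.get(username, self._DUMMY)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if not hmac.compare_digest(candidate, digest):  # constant-time compare
            return None
        return roles

@dataclass
class OrgPolicy:
    realm: StaticRealm
    required_role: str
    org_quota: int        # requests per window for the whole organisation
    per_user_cap: int     # most a single user may take out of that quota
    window_seconds: int = 60

def _parse_basic(value):
    """Parse an HTTP Basic Authorization header into (user, password), or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

class DelegatingGateway:
    ORG_HEADER = "X-Organization"  # assumed header name, not an apiman convention
    def __init__(self, policies):
        self._policies = policies  # {org name: OrgPolicy}
        self._counters = {}        # (org, window, user) -> count; user None = org total
    def handle(self, headers, now):
        """Authenticate against the org's realm, authorise by role, then rate limit."""
        org = headers.get(self.ORG_HEADER)
        policy = self._policies.get(org)
        if policy is None:
            return 401, "unknown organisation"
        creds = _parse_basic(headers.get("Authorization", ""))
        if creds is None:
            return 401, "missing or malformed credentials"
        user, password = creds
        roles = policy.realm.authenticate(user, password)
        if roles is None:
            return 401, "bad credentials"
        if policy.required_role not in roles:
            return 403, "missing role"
        window = int(now // policy.window_seconds)
        user_key, org_key = (org, window, user), (org, window, None)
        # per-user cap is checked first so one user cannot starve the rest of the org
        if self._counters.get(user_key, 0) >= policy.per_user_cap:
            return 429, "user share of organisation quota exhausted"
        if self._counters.get(org_key, 0) >= policy.org_quota:
            return 429, "organisation quota exhausted"
        self._counters[user_key] = self._counters.get(user_key, 0) + 1
        self._counters[org_key] = self._counters.get(org_key, 0) + 1
        return 200, "ok"

def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def build_demo_gateway():
    # constructed organisations and users
    acme = StaticRealm({"alice": ("alice-pw", {"svc-user"}), "bob": ("bob-pw", {"svc-user"})})
    globex = StaticRealm({"carol": ("carol-pw", {"viewer"})})
    return DelegatingGateway({"AcmeOrg": OrgPolicy(acme, "svc-user", org_quota=5, per_user_cap=3),
                              "GlobexOrg": OrgPolicy(globex, "svc-user", org_quota=5, per_user_cap=3)})

def run_demo():
    """Replay a constructed sequence of calls and return the status codes."""
    gw = build_demo_gateway()
    alice = {"X-Organization": "AcmeOrg", "Authorization": basic_auth("alice", "alice-pw")}
    bob = {"X-Organization": "AcmeOrg", "Authorization": basic_auth("bob", "bob-pw")}
    carol = {"X-Organization": "GlobexOrg", "Authorization": basic_auth("carol", "carol-pw")}
    codes = [gw.handle(alice, now=0)[0] for _ in range(4)]   # cap 3: 200 200 200 429
    codes += [gw.handle(bob, now=0)[0] for _ in range(3)]    # org quota 5: 200 200 429
    codes.append(gw.handle(carol, now=0)[0])                 # authenticated, wrong role: 403
    codes.append(gw.handle({"X-Organization": "NoSuchOrg"}, now=0)[0])                        # 401
    codes.append(gw.handle({**alice, "Authorization": basic_auth("alice", "wrong")}, now=0)[0])  # 401
    codes.append(gw.handle(alice, now=60)[0])                # next window: counters reset, 200
    return codes
```

Each organisation owns its `OrgPolicy`, so the realm, the required role and the quota split are configured per organisation rather than per API key; the service itself stays public behind the gateway, which is the shape Tim describes. The per-user cap is checked before the organisation total so that exhausting one user's share returns a 429 to that user only.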