Re: [Apiman-dev] Apiman - WS Security policy
by Eric Wittmann
Hi Benjamin - thanks for the excellent question. I will do my best to
answer and note that I am CC'ing the apiman-dev mailing list so others
can chime in.
First let me say that a WS-Security policy sounds great - we haven't
focused much on the WS-* protocols because we get much more demand for
managing REST APIs than SOAP APIs. That said, better SOAP support is
certainly on the radar. When that happens, my hope is that processing
the envelope might be a core part of the gateway and so implementing
policies that use information in there will be easier. Perhaps your
implementation can be the genesis of some of that work!
To your question - without core changes to apiman, the approach you
*need* to take is to have your policy implement IDataPolicy. I believe
you may have already tried that, and observed that you cannot send
proper policy failures from that method. You are right - that's
something we will need to fix! I think you should be able to throw a
runtime exception from the write(IApimanBuffer chunk) method if you
detect an error. However, this is a little bit hacky!
Instead, I suggest (if you're up for it) that we perhaps work together
to bake SOAP support directly into the core of apiman, such that the
SOAP envelope is read/parsed *before* the policy chain is executed. We
could expose, for example, the SOAP headers as a proper Map<> stored
either in the context or on the ApiRequest. This would allow you to
properly implement most (all?) WS-* protocols as proper apiman policies
in the apply(ApiRequest request) method.
Thoughts?
-Eric
On 3/24/2016 7:58 AM, Benjamin Kastelic wrote:
> Greetings,
>
> I first thought to write this question as an issue on Github, but it
> seemed better to write you a direct email.
>
> I am making a custom WS Security policy, that reads the body and check
> the UsernameToken security header. This works OK, but now I've hit a wall.
>
> In the doApply method I get the rawRequest object and read the body from
> the ServletInputStream of the request. The problem I'm facing now is
> that the input stream was read and it can't be reset back to it's
> initial state.
>
> I was also trying to implement the same logic in the requestDataHandler
> method, but I don't know if it is even possible to send a failure
> message to the request chain from there.
>
> Any suggesstions ?
>
> Best regards,
> Benjamin
8 years, 4 months
Merge Karaf branch to Master
by Charles Moulliard
Hi,
Can we consider to merge Karaf branch with Master - trunk ? What are the
steps that we have to take care in order to prepare the merge ?
Regards,
Charles
8 years, 4 months
Apiman CLI + Community Release
by Eric Wittmann
Hi Pete.
I was just doing a community release of 1.2.2.Final today and was
thinking about the CLI. Do you have any thoughts on how to
version/release the CLI whenever we do a community release?
Also, any thoughts on whether/how we should include the CLI in the
community distributions (zip files)?
-Eric
PS: @apiman-dev subscribers - feel free to offer thoughts/opinions! :)
8 years, 4 months
