Generic JWT plugin policy
by Marc Savy
Hi,
I just pushed a (very simple) generic JWT plugin policy to master.
To try it out right now you will need to build it. Just check out the
apiman/apiman-plugins repo and execute `mvn clean install`. The plugin
coordinates will be G: io.apiman.plugins A: apiman-plugins-jwt-policy V:
1.2.9-SNAPSHOT.
It isn't yet as feature-rich as the Keycloak plugin, but you can:
- Require JWT.
- Require claims (e.g. sub = foo).
- Require transport security (TLS, SSL).
- Require JWT be cryptographically signed (aka. JWS).
- Validate JWT against a provided public key.
- Remove auth tokens (prevent them reaching the backend).
- Set maximum clock skew.
I'll expand on this shortly to add something that will hopefully add some
commonly-used features from the Keycloak plugin:
- Allow extraction of roles for authorization
- Forward token fields as headers (e.g. X-Sub = sub)
Regards,
Marc
7 years, 4 months
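The checks listed in the announcement above (token must be signed, signature must match a provided public key, expiry with a maximum clock skew, required claims), sketched as an added example; this is not code from apiman or the plugin. It uses Ed25519 (JWS alg "EdDSA") to stay within the Go standard library, checks exp only when the claim is present, and the names Check, Sign, demoPub and demoPriv are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
var demoPub, demoPriv, _ = ed25519.GenerateKey(nil) // constructed throwaway key pair

// Check enforces: signed (alg=none refused), signature matches key, exp within skew seconds, required claims.
func Check(tok string, key ed25519.PublicKey, need map[string]string, skew, now int64) error {
	var hdr struct{ Alg string }
	var claims map[string]interface{}
	dec := func(s string, v interface{}) bool {
		b, err := b64.DecodeString(s)
		return err == nil && json.Unmarshal(b, v) == nil
	}
	p := strings.Split(tok, ".")
	if len(p) != 3 || !dec(p[0], &hdr) || !dec(p[1], &claims) {
		return fmt.Errorf("malformed token")
	}
	if hdr.Alg != "EdDSA" {
		return fmt.Errorf("unsigned or unexpected alg %q", hdr.Alg)
	}
	if sig, _ := b64.DecodeString(p[2]); !ed25519.Verify(key, []byte(p[0]+"."+p[1]), sig) {
		return fmt.Errorf("signature does not verify")
	}
	if exp, ok := claims["exp"].(float64); ok && now > int64(exp)+skew {
		return fmt.Errorf("token expired")
	}
	for k, want := range need {
		if got, _ := claims[k].(string); got != want {
			return fmt.Errorf("required claim %q mismatch", k)
		}
	}
	return nil
}
// Sign builds a constructed sample token with the throwaway key.
func Sign(header, payload string) string {
	in := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(payload))
	return in + "." + b64.EncodeToString(ed25519.Sign(demoPriv, []byte(in)))
}
func main() {
	tok := Sign(`{"alg":"EdDSA"}`, `{"sub":"foo","exp":1000}`)
	fmt.Println(Check(tok, demoPub, map[string]string{"sub": "foo"}, 30, 1020)) // <nil>
}
```

The header's alg is compared against the one algorithm the gateway is configured for, so a token declaring alg "none" is refused no matter what its signature part contains.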
Stream closed / Broken Pipe issues with custom plugin
by David Rush
Good afternoon,
I'm having issues with a production API which has started to receive high volumes of traffic. At peak volume times I see many exceptions being thrown in the logs. The stack is indicating that an error occurred in the policy chain, but when it tries to write the error to the response the connection has been closed. There seem to be a couple of flavors of IOException (broken pipe or stream closed from undertow). My plugin is calling chain.doApply(request) when it succeeds but the stack trace is indicating there is then an exception being caught in doApply(Chain.java:153). I am on version 1.2.2-Final.
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) java.io.IOException: UT010029: Stream is closed
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.undertow.servlet.spec.ServletOutputStreamImpl.write(ServletOutputStreamImpl.java:136)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.undertow.servlet.spec.ServletOutputStreamImpl.write(ServletOutputStreamImpl.java:128)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.platforms.servlet.GatewayServlet$4.write(GatewayServlet.java:406)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.platforms.servlet.GatewayServlet$4.write(GatewayServlet.java:395)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.engine.impl.DefaultPolicyErrorWriter.write(DefaultPolicyErrorWriter.java:87)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.platforms.servlet.GatewayServlet.writeError(GatewayServlet.java:392)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.platforms.servlet.GatewayServlet$1.handle(GatewayServlet.java:210)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.platforms.servlet.GatewayServlet$1.handle(GatewayServlet.java:157)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$wrapResultHandler$0(ApiRequestExecutorImpl.java:159)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.engine.impl.ApiRequestExecutorImpl.lambda$createPolicyErrorHandler$17(ApiRequestExecutorImpl.java:614)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.engine.policy.Chain.throwError(Chain.java:249)
2017-01-05 18:28:49,095 ERROR [stderr] (default task-17) at io.apiman.gateway.engine.policy.Chain.doApply(Chain.java:153)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy.doSuccess(PingFedOauthPolicy.java:114)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy.access$100(PingFedOauthPolicy.java:38)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy$2.handle(PingFedOauthPolicy.java:193)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy$2.handle(PingFedOauthPolicy.java:174)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at io.apiman.gateway.platforms.servlet.components.HttpClientRequestImpl.end(HttpClientRequestImpl.java:140)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy.retrieveAccessTokenFromPing(PingFedOauthPolicy.java:232)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy.retrieveAccessTokenFromPing(PingFedOauthPolicy.java:174)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy.doApply(PingFedOauthPolicy.java:83)
2017-01-05 18:28:49,096 ERROR [stderr] (default task-17) at com.markit.ondemand.auth.apiman.plugins.pingfed_oauth_policy.PingFedOauthPolicy.doApply(PingFedOauthPolicy.java:38)
My plugin is making either an external request to ElasticSearch or an HTTP request using IHttpClientComponent and then calling chain.doApply or chain.doFailure from within the IAsyncResultHandler handle method. Is there a problem with that pattern?
Any help you can provide would be great.
Thanks,
David Rush
Director, API Development | Markit Digital
5775 Flatiron Parkway | Boulder, CO 80301
P: +1 303 583 4244 Main: +1 303 417 9999
david.rush(a)ihsmarkit.com
7 years, 4 months
How to configure CORS in APIMan? Problems with Headers in ajax
by Celso Agra
Hi all,
It's me again!
So, I was looking for some solutions about my issue, and I found this:
https://issues.jboss.org/browse/APIMAN-516
It seems this issue still occurs for me. I tried to send some headers via
ajax, and got this response:
> XMLHttpRequest cannot load https://apiman.url. Response to preflight
> request doesn't pass access control check: No 'Access-Control-Allow-Origin'
> header is present on the requested resource. Origin '
> http://192.168.56.22:8080' is therefore not allowed access. The response
> had HTTP status code 500.
Here are the response headers:
> Connection:close
> Content-Type:application/json
> Date:Wed, 28 Dec 2016 13:54:08 GMT
> Server:Apache/2.4.18 (Ubuntu)
> Transfer-Encoding:chunked
> X-Gateway-Error:API not public.
> X-Powered-By:Undertow/1
And here are the request headers:
> Accept:*/*
> Accept-Encoding:gzip, deflate, sdch, br
> Accept-Language:pt-BR,pt;q=0.8,en-US;q=0.6,en;q=0.4
> Access-Control-Request-Headers:authorization, x-api-key
> Access-Control-Request-Method:GET
> Connection:keep-alive
> Host: apiman.url
> Origin:http://192.168.56.22:8080
> Referer:http://192.168.56.22:8080/app
> User-Agent:Mozilla/5.0 ...
Does anyone have the same problem?
Best regards,
--
---
*Celso Agra*
7 years, 4 months