Yes, I understand why that is necessary.
This is because the service is being called directly through the service
owner's "path". e.g.
/apiman-gateway/ServiceOwnerOrg/service/1.0
Might it (in principle) be possible to access the service through the
application owner's "path", e.g.
/apiman-gateway/AppOwnerOrg/AppName/ServiceOwnerOrg/service/1.0
Not at present. It's technically possible, but would require some core
changes to how the gateway processes the inbound request.
Yes, that might work. A sort of delegating authenticator that delegates
to the appropriate realm based on a header param.
But it would not allow each organisation to provide custom policies.
e.g. I have in mind that an individual organisation might want to add
user based rate limiting to prevent one of its users using all the
organisation's quota.
One possibility is that each Organization that wants to 'consume' the
service could create their own version of it. This would allow each Org
to configure the service with whatever policies are necessary. Each
org's service would simply point to the managed endpoint of the canonical
service in apiman.
For example:
* Organization "Foo" publishes a public service named "bar"
-> the Implementation endpoint is set to
http://real-api.com/bar
-> service is configured with some policies, optionally
* Organization "A" publishes a public service named "bar"
-> the Implementation endpoint is set to
http://apiman:8080/apiman-gateway/Foo/bar/1.0
-> org-specific policies can be configured here
* Organization "B" does the *same* thing that A did, but with different
policies
* Organization "C" does the *same* thing that A did, but with different
policies
* Etc
Note: apiman 1.1.8.Final has a bug in the CachingESRegistry which will
actually cause the above to fail, but it will work fine in 1.1.9.Final.
-Eric
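
The chained layout described in the message above, as an added model that is not apiman code and not part of the original thread. It assumes an `X-User` header identifies the end user, that org A puts both a per-user limit and an org-wide quota on its own "bar" service, and that A publishes it as version 1.0; the limits and traffic are constructed.

```python
from collections import Counter

GATEWAY = "http://apiman:8080/apiman-gateway"

def per_user_limit(limit, header="X-User"):  # header name is an assumption
    """Policy: allow at most `limit` requests per value of `header`."""
    seen = Counter()
    def policy(headers):
        seen[headers.get(header, "anonymous")] += 1
        return seen[headers.get(header, "anonymous")] <= limit
    return policy

def total_limit(limit):
    """Policy: allow at most `limit` requests in total (stands in for an org quota)."""
    seen = Counter()
    def policy(headers):
        seen["all"] += 1
        return seen["all"] <= limit
    return policy

def build_registry(with_user_limit):
    """Service path -> (policy chain, implementation endpoint)."""
    a_policies = ([per_user_limit(3)] if with_user_limit else []) + [total_limit(6)]
    return {
        "/Foo/bar/1.0": ([], "http://real-api.com/bar"),        # canonical service
        "/A/bar/1.0": (a_policies, GATEWAY + "/Foo/bar/1.0"),   # org A's facade
    }

def call(registry, path, headers):
    """Apply each service's policies in order, then follow its endpoint."""
    hops = []
    while True:
        policies, endpoint = registry[path]
        hops.append(path)
        if not all(p(headers) for p in policies):  # stops at first failing policy
            return 429, hops
        if not endpoint.startswith(GATEWAY):       # left the gateway: real backend
            return 200, hops + [endpoint]
        path = endpoint[len(GATEWAY):]

def served_per_user(with_user_limit):
    registry = build_registry(with_user_limit)
    served = Counter()
    for user in ["alice"] * 8 + ["bob"] * 2:       # constructed traffic
        status, _ = call(registry, "/A/bar/1.0", {"X-User": user})
        served[user] += status == 200
    return {u: n for u, n in served.items() if n}

if __name__ == "__main__":
    print(served_per_user(False), served_per_user(True))
```

In this model a request sent straight to `/Foo/bar/1.0` never passes through A's policy chain, so the per-org policies only bind callers who use the org's own service path.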