From lists at comiti.name Fri Apr 1 09:45:04 2016
From: lists at comiti.name (enrico)
Date: Fri, 1 Apr 2016 15:45:04 +0200
Subject: [Apiman-user] apiman 1.2.3 and eap 6.4
Message-ID:

Hi all,

looks like support for eap 64 was dropped in favour of eap 7.

Is it possible to run the latest Apiman in 6.4 in a NON-hackish mode,
or simply this is something you advise against?

BTW documentation
http://www.apiman.io/latest/installation-guide.html#_installing_in_jboss_eap_6_4
still refers to EAP64 with a broken link for downloads.

Thanks in advance for any pointers.

Best regards,
Enrico

From eric.wittmann at redhat.com Sat Apr 2 10:14:34 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Sat, 2 Apr 2016 10:14:34 -0400
Subject: [Apiman-user] apiman 1.2.3 and eap 6.4
In-Reply-To:
References:
Message-ID: <56FFD3CA.1070708@redhat.com>

Hi Enrico.

It is possible to run apiman on EAP 6.4. My recommendation would be to
start with the EAP7 distribution and strip out Keycloak. All of apiman's
deployments *should* work fine in EAP 6.4. If you provide your own (e.g.
external) Keycloak server, then everything else should be relatively
trivial to get working.

If you have trouble, we're happy to help you work through it.

Also - thanks for the note about the production guide. I'll get that
updated asap.

-Eric

On 4/1/2016 9:45 AM, enrico wrote:
> Hi all,
>
> looks like support for eap 64 was dropped in favour of eap 7.
>
> Is it possible to run the latest Apiman in 6.4 in a NON-hackish mode,
> or simply this is something you advise against?
>
> BTW documentation
> http://www.apiman.io/latest/installation-guide.html#_installing_in_jboss_eap_6_4
> still refers to EAP64 with a broken link for downloads.
>
> Thanks in advance for any pointers.
>
> Best regards,
> Enrico
> _______________________________________________
> Apiman-user mailing list
> Apiman-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/apiman-user
>

From eric.wittmann at redhat.com Thu Apr 14 08:06:22 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Thu, 14 Apr 2016 08:06:22 -0400
Subject: [Apiman-user] APIMAN Question - regarding soap endpoint
In-Reply-To:
References:
Message-ID: <570F87BE.1050501@redhat.com>

Hi Gareth.

Sorry you didn't get a response in IRC. I'm pretty good about answering
stuff like that when I'm around - but we're probably in rather different
timezones.

In any case, apiman doesn't automatically modify the URLs found in the
response body. However there is a policy that can do that - it's called
the URL Rewriting Policy. It requires a bit of configuration (a regular
expression to match the specific URLs you want it to rewrite, as well as
the replacement value).

Give it a try, and let us know if you need a bit of help with the
configuration.

-Eric

On 4/14/2016 6:43 AM, Gareth Healy wrote:
> Hi guys,
>
> Hope you dont mind me asking you directly, tried via the IRC room but
> the internet is currently not the best with the customer i am with at
> the moment. Asked the following on irc:
>
> gahealy : hey guys, am using upstream APIMan, on OSE
> 3.1. Am proxying a WS and have the following Q from a customer:
> [11:04am] gahealy : One thing I noticed the SOAP
> endpoint url has not been repointed to the proxy is that a gap in the
> Apiman service?
> [11:04am] gahealy :
> [11:04am] gahealy : name="SOAPService_Binding" binding="tns:SOAPService_Binding">
> [11:04am] gahealy :
>
> [11:04am] gahealy :
>
> --
> Gareth Healy
> UKI Middleware Consultant
> Red Hat UK Ltd
> 200 Fowler Avenue
> Farnborough, Hants
> GU14 7JP, UK
>
> Mobile: +44(0)7818511214
> E-Mail: gahealy at redhat.com
>
> Registered in England and Wales under Company Registration No.
> 03798903

From eric.wittmann at redhat.com Thu Apr 14 09:01:30 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Thu, 14 Apr 2016 09:01:30 -0400
Subject: [Apiman-user] APIMAN Question - regarding soap endpoint
In-Reply-To:
References: <570F87BE.1050501@redhat.com>
Message-ID: <570F94AA.6020600@redhat.com>

http://www.apiman.io/blog/configuration/production/offline/2016/04/05/locked-down-network.html

:)

On 4/14/2016 8:48 AM, Gareth Healy wrote:
> Hi Eric,
>
> Thanks for the reply, will have a look at that.
>
> As a side note, noticed that when i click on the "Manage Plugins" page,
> i get the following error:
>
> 12:36:09,819 INFO [stdout] (default task-60) WARN: plugin registry failed to load - http://cdn.rawgit.com/apiman/apiman-plugin-registry/1.2.1.Final/registry.json
> 12:36:09,821 ERROR [io.undertow.request] (default task-60) UT005023: Exception handling request to /apiman/plugins/availablePlugins: org.jboss.resteasy.spi.UnhandledException: Response is committed, can't handle exception
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:148) [resteasy-jaxrs-3.0.10.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:432) [resteasy-jaxrs-3.0.10.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:376) [resteasy-jaxrs-3.0.10.Final.jar:]
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
>
> Which will because i am in a restricted internet zone. Is this a known
> issue? as i'd presume this will cause issues for customers with
> no-internet requirements.
>
> On Thu, Apr 14, 2016 at 1:06 PM, Eric Wittmann wrote:
>
> Hi Gareth.
>
> Sorry you didn't get a response in IRC. I'm pretty good about
> answering stuff like that when I'm around - but we're probably in
> rather different timezones.
>
> In any case, apiman doesn't automatically modify the URLs found in
> the response body. However there is a policy that can do that -
> it's called the URL Rewriting Policy. It requires a bit of
> configuration (a regular expression to match the specific URLs you
> want it to rewrite, as well as the replacement value).
>
> Give it a try, and let us know if you need a bit of help with the
> configuration.
>
> -Eric
>
> On 4/14/2016 6:43 AM, Gareth Healy wrote:
>
> Hi guys,
>
> Hope you dont mind me asking you directly, tried via the IRC room but
> the internet is currently not the best with the customer i am with at
> the moment. Asked the following on irc:
>
> gahealy : hey guys, am using upstream APIMan, on OSE
> 3.1. Am proxying a WS and have the following Q from a customer:
> [11:04am] gahealy : One thing I noticed the SOAP
> endpoint url has not been repointed to the proxy is that a gap in the
> Apiman service?
> [11:04am] gahealy :
> [11:04am] gahealy : name="SOAPService_Binding" binding="tns:SOAPService_Binding">
> [11:04am] gahealy :
> location="http://dev-host1.devtest-istesb.bp.com:25201/mappingProvider/"/>
> [11:04am] gahealy :
>
> --
> Gareth Healy
> UKI Middleware Consultant
> Red Hat UK Ltd
> 200 Fowler Avenue
> Farnborough, Hants
> GU14 7JP, UK
>
> Mobile: +44(0)7818511214
> E-Mail: gahealy at redhat.com
>
> Registered in England and Wales under Company Registration No.
> 03798903
>
> --
> Gareth Healy
> UKI Middleware Consultant
> Red Hat UK Ltd
> 200 Fowler Avenue
> Farnborough, Hants
> GU14 7JP, UK
>
> Mobile: +44(0)7818511214
> E-Mail: gahealy at redhat.com
>
> Registered in England and Wales under Company Registration No.
> 03798903

From gahealy at redhat.com Thu Apr 14 08:48:12 2016
From: gahealy at redhat.com (Gareth Healy)
Date: Thu, 14 Apr 2016 13:48:12 +0100
Subject: [Apiman-user] APIMAN Question - regarding soap endpoint
In-Reply-To: <570F87BE.1050501@redhat.com>
References: <570F87BE.1050501@redhat.com>
Message-ID:

Hi Eric,

Thanks for the reply, will have a look at that.

As a side note, noticed that when i click on the "Manage Plugins" page,
i get the following error:

12:36:09,819 INFO [stdout] (default task-60) WARN: plugin registry failed to load - http://cdn.rawgit.com/apiman/apiman-plugin-registry/1.2.1.Final/registry.json
12:36:09,821 ERROR [io.undertow.request] (default task-60) UT005023: Exception handling request to /apiman/plugins/availablePlugins: org.jboss.resteasy.spi.UnhandledException: Response is committed, can't handle exception
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:148) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:432) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:376) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]

Which will because i am in a restricted internet zone. Is this a known
issue? as i'd presume this will cause issues for customers with
no-internet requirements.

On Thu, Apr 14, 2016 at 1:06 PM, Eric Wittmann wrote:

> Hi Gareth.
>
> Sorry you didn't get a response in IRC. I'm pretty good about answering
> stuff like that when I'm around - but we're probably in rather different
> timezones.
>
> In any case, apiman doesn't automatically modify the URLs found in the
> response body.
> However there is a policy that can do that - it's called
> the URL Rewriting Policy. It requires a bit of configuration (a regular
> expression to match the specific URLs you want it to rewrite, as well as
> the replacement value).
>
> Give it a try, and let us know if you need a bit of help with the
> configuration.
>
> -Eric
>
> On 4/14/2016 6:43 AM, Gareth Healy wrote:
>
>> Hi guys,
>>
>> Hope you dont mind me asking you directly, tried via the IRC room but
>> the internet is currently not the best with the customer i am with at
>> the moment. Asked the following on irc:
>>
>> gahealy : hey guys, am using upstream APIMan, on OSE
>> 3.1. Am proxying a WS and have the following Q from a customer:
>> [11:04am] gahealy : One thing I noticed the SOAP
>> endpoint url has not been repointed to the proxy is that a gap in the
>> Apiman service?
>> [11:04am] gahealy :
>> [11:04am] gahealy :
>> name="SOAPService_Binding" binding="tns:SOAPService_Binding">
>> [11:04am] gahealy :
>>
>> [11:04am] gahealy :
>>
>> --
>> Gareth Healy
>> UKI Middleware Consultant
>> Red Hat UK Ltd
>> 200 Fowler Avenue
>> Farnborough, Hants
>> GU14 7JP, UK
>>
>> Mobile: +44(0)7818511214
>> E-Mail: gahealy at redhat.com
>>
>> Registered in England and Wales under Company Registration No. 03798903
>>
>

--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK

Mobile: +44(0)7818511214
E-Mail: gahealy at redhat.com

Registered in England and Wales under Company Registration No. 03798903

From gahealy at redhat.com Thu Apr 14 09:09:21 2016
From: gahealy at redhat.com (Gareth Healy)
Date: Thu, 14 Apr 2016 14:09:21 +0100
Subject: [Apiman-user] APIMAN Question - regarding soap endpoint
In-Reply-To: <570F94AA.6020600@redhat.com>
References: <570F87BE.1050501@redhat.com> <570F94AA.6020600@redhat.com>
Message-ID:

Thanks :)

On Thu, Apr 14, 2016 at 2:01 PM, Eric Wittmann wrote:

>
> http://www.apiman.io/blog/configuration/production/offline/2016/04/05/locked-down-network.html
>
> :)
>
> On 4/14/2016 8:48 AM, Gareth Healy wrote:
>
>> Hi Eric,
>>
>> Thanks for the reply, will have a look at that.
>>
>> As a side note, noticed that when i click on the "Manage Plugins" page,
>> i get the following error:
>>
>> 12:36:09,819 INFO [stdout] (default task-60) WARN: plugin registry failed to load - http://cdn.rawgit.com/apiman/apiman-plugin-registry/1.2.1.Final/registry.json
>> 12:36:09,821 ERROR [io.undertow.request] (default task-60) UT005023: Exception handling request to /apiman/plugins/availablePlugins: org.jboss.resteasy.spi.UnhandledException: Response is committed, can't handle exception
>>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:148) [resteasy-jaxrs-3.0.10.Final.jar:]
>>     at org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:432) [resteasy-jaxrs-3.0.10.Final.jar:]
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:376) [resteasy-jaxrs-3.0.10.Final.jar:]
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.10.Final.jar:]
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.10.Final.jar:]
>>
>> Which will because i am in a restricted
>> internet zone. Is this a known
>> issue? as i'd presume this will cause issues for customers with
>> no-internet requirements.
>>
>> On Thu, Apr 14, 2016 at 1:06 PM, Eric Wittmann wrote:
>>
>> Hi Gareth.
>>
>> Sorry you didn't get a response in IRC. I'm pretty good about
>> answering stuff like that when I'm around - but we're probably in
>> rather different timezones.
>>
>> In any case, apiman doesn't automatically modify the URLs found in
>> the response body. However there is a policy that can do that -
>> it's called the URL Rewriting Policy. It requires a bit of
>> configuration (a regular expression to match the specific URLs you
>> want it to rewrite, as well as the replacement value).
>>
>> Give it a try, and let us know if you need a bit of help with the
>> configuration.
>>
>> -Eric
>>
>> On 4/14/2016 6:43 AM, Gareth Healy wrote:
>>
>> Hi guys,
>>
>> Hope you dont mind me asking you directly, tried via the IRC room but
>> the internet is currently not the best with the customer i am with at
>> the moment. Asked the following on irc:
>>
>> gahealy : hey guys, am using upstream APIMan, on OSE
>> 3.1. Am proxying a WS and have the following Q from a customer:
>> [11:04am] gahealy : One thing I noticed the SOAP
>> endpoint url has not been repointed to the proxy is that a gap in the
>> Apiman service?
>> [11:04am] gahealy :
>> [11:04am] gahealy :
>> name="SOAPService_Binding" binding="tns:SOAPService_Binding">
>> [11:04am] gahealy :
>> location="http://dev-host1.devtest-istesb.bp.com:25201/mappingProvider/"/>
>> [11:04am] gahealy :
>>
>> --
>> Gareth Healy
>> UKI Middleware Consultant
>> Red Hat UK Ltd
>> 200 Fowler Avenue
>> Farnborough, Hants
>> GU14 7JP, UK
>>
>> Mobile: +44(0)7818511214
>> E-Mail: gahealy at redhat.com
>>
>> Registered in England and Wales under Company Registration No.
>> 03798903
>>
>> --
>> Gareth Healy
>> UKI Middleware Consultant
>> Red Hat UK Ltd
>> 200 Fowler Avenue
>> Farnborough, Hants
>> GU14 7JP, UK
>>
>> Mobile: +44(0)7818511214
>> E-Mail: gahealy at redhat.com
>>
>> Registered in England and Wales under Company Registration No. 03798903
>>
>

--
Gareth Healy
UKI Middleware Consultant
Red Hat UK Ltd
200 Fowler Avenue
Farnborough, Hants
GU14 7JP, UK

Mobile: +44(0)7818511214
E-Mail: gahealy at redhat.com

Registered in England and Wales under Company Registration No. 03798903

From cstolte at ebsco.com Mon Apr 18 15:33:25 2016
From: cstolte at ebsco.com (Christopher Stolte)
Date: Mon, 18 Apr 2016 19:33:25 +0000
Subject: [Apiman-user] Changing gateway endpoints
Message-ID:

Hi All,

I am trying to change the gateway endpoint so that managed endpoints for
my services have a public URL under my control (for example maybe
http://my.domain.com/apis). I found this discussion:

http://lists.jboss.org/pipermail/apiman-user/2015-October/000324.html

Is changing the gateway WAR the only way to achieve this? Maybe I'm
missing a more obvious way to affect the managed endpoint? If that is
the way to go about it, can someone give me an idea of where in the code
to do that?

Thanks for any help!

From eric.wittmann at redhat.com Tue Apr 19 10:32:26 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 19 Apr 2016 10:32:26 -0400
Subject: [Apiman-user] Changing gateway endpoints
In-Reply-To:
References:
Message-ID: <5716417A.9060304@redhat.com>

Assuming you are running apiman in WildFly or EAP (typical use) here is
what you need to do to change the apiman endpoint:

1) Modify the "jboss-web.xml" file inside the apiman-gateway.war file
   (you can find it in WEB-INF).
2) Change the to whatever you want it to be
3) Deploy the changed WAR to EAP/WildFly
4) Profit!

Here is the file in question within the apiman source code:

https://github.com/apiman/apiman/blob/master/gateway/platforms/war/wildfly8/gateway/src/main/webapp/WEB-INF/jboss-web.xml#L3

If you are running apiman on tomcat or jetty, you'll need to do
something different - so let me know. :)

-Eric

On 4/18/2016 3:33 PM, Christopher Stolte wrote:
> Hi All,
>
> I am trying to change the gateway endpoint so that managed endpoints for
> my services have a public URL under my control (for example maybe
> http://my.domain.com/apis). I found this discussion:
>
> http://lists.jboss.org/pipermail/apiman-user/2015-October/000324.html
>
> Is changing the gateway WAR the only way to achieve this? Maybe I'm
> missing a more obvious way to affect the managed endpoint? If that is
> the way to go about it, can someone give me an idea of where in the code
> to do that?
>
> Thanks for any help!

From cstolte at ebsco.com Tue Apr 19 14:46:21 2016
From: cstolte at ebsco.com (Christopher Stolte)
Date: Tue, 19 Apr 2016 18:46:21 +0000
Subject: [Apiman-user] Changing gateway endpoints
In-Reply-To: <5716417A.9060304@redhat.com>
References: , <5716417A.9060304@redhat.com>
Message-ID:

Thanks Eric. I am using Wildfly 10, and I followed your instructions
accordingly. It works great for an API that I created after the change,
but a pre-existing published API doesn't get proxied correctly anymore.
Instead, I get a 500 "API not found." In that case the managed endpoint
is shown correctly through the manager UI - it just doesn't serve up
properly. Generally this is the sort of config that would be done before
anybody starts publishing APIs, and it's not likely to change, but just
for my understanding, do you know why the pre-existing one would be
broken?

In any event thank you for your help - I'm enjoying exploring this cool
product!

________________________________________
From: Eric Wittmann
Sent: Tuesday, April 19, 2016 10:32:26 AM
To: Christopher Stolte; apiman-user at lists.jboss.org
Subject: Re: [Apiman-user] Changing gateway endpoints

Assuming you are running apiman in WildFly or EAP (typical use) here is
what you need to do to change the apiman endpoint:

1) Modify the "jboss-web.xml" file inside the apiman-gateway.war file
   (you can find it in WEB-INF).
2) Change the to whatever you want it to be
3) Deploy the changed WAR to EAP/WildFly
4) Profit!

Here is the file in question within the apiman source code:

https://github.com/apiman/apiman/blob/master/gateway/platforms/war/wildfly8/gateway/src/main/webapp/WEB-INF/jboss-web.xml#L3

If you are running apiman on tomcat or jetty, you'll need to do
something different - so let me know.
:)

-Eric

On 4/18/2016 3:33 PM, Christopher Stolte wrote:
> Hi All,
>
> I am trying to change the gateway endpoint so that managed endpoints for
> my services have a public URL under my control (for example maybe
> http://my.domain.com/apis). I found this discussion:
>
> http://lists.jboss.org/pipermail/apiman-user/2015-October/000324.html
>
> Is changing the gateway WAR the only way to achieve this? Maybe I'm
> missing a more obvious way to affect the managed endpoint? If that is
> the way to go about it, can someone give me an idea of where in the code
> to do that?
>
> Thanks for any help!

From obilalamiae at gmail.com Thu Apr 21 04:46:23 2016
From: obilalamiae at gmail.com (lamiae obila)
Date: Thu, 21 Apr 2016 10:46:23 +0200
Subject: [Apiman-user] Questions about Plugins
Message-ID:

I want to add a new identity source to the basic authentication plugin,
do I create a new component or just a plugin of my identity source
overriding the basic authentication policy?

--
*OBILA Lamiae*
Engineering student
INSA Centre Val de Loire
Tel: 0634172110

From eric.wittmann at redhat.com Thu Apr 21 07:40:40 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Thu, 21 Apr 2016 07:40:40 -0400
Subject: [Apiman-user] Questions about Plugins
In-Reply-To:
References:
Message-ID: <5718BC38.7010200@redhat.com>

There's currently no way to extend the basic auth policy with a new
source of identity. Your best choice is probably to just create your own
custom basic authentication policy. You can certainly copy/paste any
code from the apiman basic auth policy implementation as a starting
point.

-Eric

On 4/21/2016 4:46 AM, lamiae obila wrote:
> I want to add a new identity source to the basic authentication plugin,
> do I create a new component or just a plugin of my identity source
> overriding the basic authentication policy?
>
> --
> *OBILA Lamiae*
> Engineering student
> INSA Centre Val de Loire
> Tel: 0634172110

From scott at xigole.com Mon Apr 25 17:31:25 2016
From: scott at xigole.com (Scott Dunbar)
Date: Mon, 25 Apr 2016 15:31:25 -0600
Subject: [Apiman-user] Client secret key and/or APIMAN-282
Message-ID:

Hello,
I'm evaluating apiman for a use case and am trying to get my head around
a requirement that I have and how that fits in with apiman.

I have normal username/password users that I can use the Keycloak OAuth
token system for and that works fine. I'm interested in using some sort
of api key for server to server communication. Ultimately a customer
wants to encode a single key and not get an OAuth token that expires.
If I understand the way that the client API's work I believe that I can
implement this through there but I want to make sure I'm understanding
correctly.

I think that I would implement two plans. The "public" plan would
include the policies that I want (Oauth and role based authorization)
and use Oauth. Then I would create a client API for the
server-to-server communication and that would use a different plan that,
assuming that the api key was correct, would not have any other
policies. Obviously that means that the key is very private.

Am I thinking of this the right way? The advantage of the client API
path is that I could shut down a "server" (i.e. the server of a customer
interacting with our server) in one shot by unregistering the client.
The APIMAN-282 method would work too in that I could create a single
user for the customer and lock that account if I wanted to block
access. Of course, the APIMAN-282 enhancement is still in progress and
I'm not sure it will see the light of day.

So the short question is is the two pronged approach the way to go
without an APIMAN-282 type of policy?

Thanks for your help.

--
Scott Dunbar
Cell: 303 667 6343

From eric.wittmann at redhat.com Tue Apr 26 08:00:51 2016
From: eric.wittmann at redhat.com (Eric Wittmann)
Date: Tue, 26 Apr 2016 08:00:51 -0400
Subject: [Apiman-user] Client secret key and/or APIMAN-282
In-Reply-To:
References:
Message-ID: <571F5873.6080604@redhat.com>

Hi Scott.

Let me make sure I understand the requirement. You have two paths to
your API:

1) "public" endpoint that anyone can use, but requires authentication
   via OAuth (and has other policies enforced)
2) "b2b" endpoint only usable by specific clients via an API Key and no
   OAuth required

If this is correct, then you might consider another option, which is to
have two APIs pointed to the same back-end API. So if you are managing
an "Inventory" API (for example) you could manage it twice in apiman:

* Public Inventory API
* B2B Inventory API

And then you can configure the Public one with a bunch of policies,
including OAuth. It would have a public apiman endpoint *without* any
sort of API key.

Conversely, the B2B API could be configured with one or more plans, and
would require Client Apps (and thus API Keys) to be created for each
server connecting to it.

The major downside to this approach is that it would split your metrics
data across the two APIs.

---

One thing to mention about API Keys in apiman - they aren't really
*secure* out of the box.
Whenever a Client App is created, an API key is generated - but by
default it's just a java UUID. For additional security, you could
generate your own keys in a couple of ways. Just something to keep in
mind (perhaps a future discussion if necessary).

-Eric

On 4/25/2016 5:31 PM, Scott Dunbar wrote:
> Hello,
> I'm evaluating apiman for a use case and am trying to get my head around
> a requirement that I have and how that fits in with apiman.
>
> I have normal username/password users that I can use the Keycloak OAuth
> token system for and that works fine. I'm interested in using some sort
> of api key for server to server communication. Ultimately a customer
> wants to encode a single key and not get an OAuth token that expires.
> If I understand the way that the client API's work I believe that I can
> implement this through there but I want to make sure I'm understanding
> correctly.
>
> I think that I would implement two plans. The "public" plan would
> include the policies that I want (Oauth and role based authorization)
> and use Oauth. Then I would create a client API for the
> server-to-server communication and that would use a different plan that,
> assuming that the api key was correct, would not have any other
> policies. Obviously that means that the key is very private.
>
> Am I thinking of this the right way? The advantage of the client API
> path is that I could shut down a "server" (i.e. the server of a customer
> interacting with our server) in one shot by unregistering the client.
> The APIMAN-282 method would work too in that I could create a single
> user for the customer and lock that account if I wanted to block
> access. Of course, the APIMAN-282 enhancement is still in progress and
> I'm not sure it will see the light of day.
>
> So the short question is is the two pronged approach the way to go
> without an APIMAN-282 type of policy?
>
> Thanks for your help.
>
> --
> Scott Dunbar
> Cell: 303 667 6343
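
Added example, not code from apiman or from anyone in this thread: one way to act on the last message's suggestion to generate your own API keys, combined with the earlier point about cutting off one customer's server in a single step. The class and method names (`ApiKeyRegistry`, `register`, `verify`, `revoke`) and the client ids are hypothetical, and how a key is handed to apiman is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustration only: per-client API keys for server-to-server callers.
 * Hypothetical names throughout; this is not apiman's API.
 */
public class ApiKeyRegistry {
    private static final int KEY_BYTES = 32;   // 256 bits taken from the CSPRNG
    private static final int KEY_CHARS = 43;   // 32 bytes as unpadded base64url
    private static final SecureRandom RNG = new SecureRandom();

    // clientId -> SHA-256 digest of the key; the key itself is never stored.
    private final Map<String, byte[]> digests = new ConcurrentHashMap<>();

    /** Creates a key for one client and returns it once, for hand-over to the customer. */
    public String register(String clientId) {
        byte[] raw = new byte[KEY_BYTES];
        RNG.nextBytes(raw);
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        digests.put(clientId, sha256(key));
        return key;
    }

    /** Returns the owning client id if the presented key belongs to a registered client. */
    public Optional<String> verify(String presentedKey) {
        if (presentedKey == null || presentedKey.length() != KEY_CHARS) {
            return Optional.empty();           // malformed input never reaches the comparison
        }
        byte[] candidate = sha256(presentedKey);
        String owner = null;
        // Compare against every stored digest with a time-constant comparison,
        // without stopping at the first match.
        for (Map.Entry<String, byte[]> entry : digests.entrySet()) {
            if (MessageDigest.isEqual(entry.getValue(), candidate)) {
                owner = entry.getKey();
            }
        }
        return Optional.ofNullable(owner);
    }

    /** Blocks one customer server; other clients' keys keep working. */
    public boolean revoke(String clientId) {
        return digests.remove(clientId) != null;
    }

    private static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        ApiKeyRegistry registry = new ApiKeyRegistry();
        // Constructed client ids for the demonstration.
        String keyA = registry.register("customer-a-server");
        String keyB = registry.register("customer-b-server");

        System.out.println("A before revoke: " + registry.verify(keyA));
        registry.revoke("customer-a-server");
        System.out.println("A after revoke:  " + registry.verify(keyA));
        System.out.println("B still valid:   " + registry.verify(keyB));
        System.out.println("malformed key:   " + registry.verify("not-a-key"));
    }
}
```

Because only digests are kept, a leaked copy of the registry does not reveal usable keys, and a lost key is replaced by revoking the client and registering it again.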