API Security Sample¶
Usecase¶
-
Prevent misuse or abuse of information or of any application resources exposed by an API
-
Ability to distinguish between internal, partner and public use of APIs via security controls and audits
-
Ability to trace back which apps are using what APIs (hence data or resources) with which user credentials, permissions and roles
-
Ability to support multiple security standards and protocols
-
Embed custom security algorithms globally or for selected services
-
Ability to enforce both authentication (are you a valid user) and authorization (are you permitted to perform this action) on APIs
Business Story¶
ABC organization is a mobile phone manufacturing company that has to expose their price details to the public. They also need to manage the salary details of all the employees, which should be visible to a certain set of employees under the finance department. These information should be exposed securely throught APIs for internal, partner, and public usage. The API invocations, service usage restrictions for employees, and changes made to the APIs shouls be tracked and custom security standards must be added. They need the users of their system to be authenticated to facilitate that only the permitted set of users are using the system and when the API invocation happens they need to authorize the users whether they are permitted to access the APIs.
Running the sample¶
- Start wso2am-2.2.0-updateX.
- Go to
<API-M_HOME>/sample-scenarios
. Execute therun.sh
file. Enter the scenario number as 4, when prompted.
User credentials¶
User | Username | Password |
---|---|---|
Super tenant | admin | admin |
Implement using WSO2 API Manager¶
- We need to create and API to get the salary details of the employees
- We need to have separate tenants to manage their APIs through tenants. For more details, see Managing Public, Partner vs Private APIs
- We need to enable audit logs to trace the API creations and API invocations. For example, to enable custom security algorithms we can use the Kerberos OAuth2 Grant.
- We can authorize the users through API Manager access tokens and we can use scopes to authorise the API consumers when consuming the APIS.
The audit logs are printed in the <API-M_HOME>/repository/logs/audit.log
file, when you run the sample.
After invoking and creating the APIs the audit logs will be similar to the following sample.
Expand to see the sample audit log...
[2017-12-22 11:48:03,227] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:03,226+0530]
[2017-12-22 11:48:03,341] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:03,339+0530]
[2017-12-22 11:48:09,390] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:09,389+0530]
[2017-12-22 11:48:09,398] INFO - Initiator : [email protected] | Action : Add User | Target : tom | Data : { Roles :Internal/subscriber, } | Result : Success
[2017-12-22 11:48:09,437] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:09,436+0530]
[2017-12-22 11:48:09,458] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:09,457+0530]
[2017-12-22 11:48:10,396] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:10,395+0530]
[2017-12-22 11:48:10,819] [email protected] [1] [AM] INFO - Initiator : Chris | Action : create | Target : 0 | Data : { Chris_Integration_Test_App } | Result : Success
[2017-12-22 11:48:10,941] [email protected] [1] [AM] INFO - Initiator : Chris | Action : update | Target : 1 | Data : { Chris_Integration_Test_App } | Result : Success
[2017-12-22 11:48:11,132] INFO - Initiator : admin | Action : create | Target : 0 | Data : { admin_Integration_Test_App } | Result : Success
[2017-12-22 11:48:11,138] INFO - Initiator : admin | Action : update | Target : 2 | Data : { admin_Integration_Test_App } | Result : Success
[2017-12-22 11:48:12,437] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:12,436+0530]
[2017-12-22 11:48:12,709] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:12,709+0530]
[2017-12-22 11:48:12,813] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:12,813+0530]
[2017-12-22 11:48:12,880] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:12,879+0530]
[2017-12-22 11:48:12,909] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:12,909+0530]
[2017-12-22 11:48:13,116] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,116+0530]
[2017-12-22 11:48:13,207] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,207+0530]
[2017-12-22 11:48:13,234] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,234+0530]
[2017-12-22 11:48:13,293] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,293+0530]
[2017-12-22 11:48:13,342] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,341+0530]
[2017-12-22 11:48:13,425] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,425+0530]
[2017-12-22 11:48:13,484] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,484+0530]
[2017-12-22 11:48:13,503] ERROR - Illegal access attempt at [2017-12-22 11:48:13,0502] from IP address 127.0.0.1 while trying to authenticate access to service EventProcessorAdminService
[2017-12-22 11:48:13,509] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,509+0530]
[2017-12-22 11:48:13,594] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:13,593+0530]
[2017-12-22 11:48:14,449] [email protected]@finance.abc.com [1] [AM] INFO - {"performedBy":"Chris","action":"created","typ":"API","info":"{\"provider\":\"Chris-AT-finance.abc.com\",\"name\":\"Salary_details_API\",\"context\":\"\\\/t\\\/finance.abc.com\\\/salaries\\\/1.0.0\",\"version\":\"1.0.0\"}"}
[2017-12-22 11:48:14,911] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:14,910+0530]
[2017-12-22 11:48:15,003] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:15,003+0530]
[2017-12-22 11:48:15,175] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:15,175+0530]
[2017-12-22 11:48:15,629] INFO - {"performedBy":"admin","action":"created","typ":"API","info":"{\"provider\":\"admin\",\"name\":\"Mobile_stock_API\",\"context\":\"\\\/stocks\\\/1.0.0\",\"version\":\"1.0.0\"}"}
[2017-12-22 11:48:15,689] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:15,689+0530]
[2017-12-22 11:48:15,722] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:15,722+0530]
[2017-12-22 11:48:15,808] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:15,808+0530]
[2017-12-22 11:48:18,412] INFO - {"performedBy":"admin","action":"created","typ":"Application","info":"{\"tier\":\"Unlimited\",\"name\":\"Application_one\",\"callbackURL\":null}"}
[2017-12-22 11:48:18,507] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:18,507+0530]
[2017-12-22 11:48:18,512] INFO - Initiator : admin | Action : create | Target : 0 | Data : { admin_Application_one_PRODUCTION } | Result : Success
[2017-12-22 11:48:18,514] INFO - Initiator : admin | Action : update | Target : 3 | Data : { admin_Application_one_PRODUCTION } | Result : Success
[2017-12-22 11:48:18,520] INFO - Initiator : admin | Action : update | Target : 3 | Data : { admin_Application_one_PRODUCTION } | Result : Success
[2017-12-22 11:48:18,671] INFO - {"performedBy":"admin","action":"updated","typ":"Application","info":"{\"Generated keys for application\":\"Application_one\"}"}
[2017-12-22 11:48:18,720] INFO - {"performedBy":"admin","action":"created","typ":"Subscription","info":"{\"application_name\":\"Application_one\",\"tier\":\"Unlimited\",\"provider\":\"admin\",\"api_name\":\"Mobile_stock_API\",\"application_id\":2}"}
[2017-12-22 11:48:18,732] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:18,732+0530]
[2017-12-22 11:48:18,884] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:18,884+0530] from IP address
[2017-12-22 11:48:19,823] INFO - {"performedBy":"admin","action":"created","typ":"Application","info":"{\"tier\":\"Unlimited\",\"name\":\"Application_two\",\"callbackURL\":null}"}
[2017-12-22 11:48:19,848] INFO - Initiator : admin | Action : create | Target : 0 | Data : { admin_Application_two_PRODUCTION } | Result : Success
[2017-12-22 11:48:19,851] INFO - Initiator : admin | Action : update | Target : 4 | Data : { admin_Application_two_PRODUCTION } | Result : Success
[2017-12-22 11:48:19,854] INFO - Initiator : admin | Action : update | Target : 4 | Data : { admin_Application_two_PRODUCTION } | Result : Success
[2017-12-22 11:48:19,888] INFO - {"performedBy":"admin","action":"updated","typ":"Application","info":"{\"Generated keys for application\":\"Application_two\"}"}
[2017-12-22 11:48:19,904] INFO - {"performedBy":"admin","action":"created","typ":"Subscription","info":"{\"application_name\":\"Application_two\",\"tier\":\"Unlimited\",\"provider\":\"admin\",\"api_name\":\"Mobile_stock_API\",\"application_id\":3}"}
[2017-12-22 11:48:19,908] INFO - '[email protected] [-1234]' logged in at [2017-12-22 11:48:19,908+0530]
When analysing the audit logs
-
This log show that a user has been created
[2017-12-22 11:48:09,398] INFO - Initiator : [email protected] | Action : Add User | Target : tom | Data : { Roles :Internal/subscriber, } | Result : Success
-
This log show that an application has been created
[2017-12-22 11:48:10,819] [email protected] [1] [AM] INFO - Initiator : Chris | Action : create | Target : 0 | Data : { Chris_Integration_Test_App } | Result : Success
-
This log show the API creation of the Salary details API
[2017-12-22 11:48:14,449] [email protected]@finance.abc.com [1] [AM] INFO - {"performedBy":"Chris","action":"created","typ":"API","info":"{\"provider\":\"Chris-AT-finance.abc.com\",\"name\":\"Salary_details_API\",\"context\":\"\\\/t\\\/finance.abc.com\\\/salaries\\\/1.0.0\",\"version\":\"1.0.0\"}"}
These data can be viewed via WSO2 API Manager Analytics server. For more details, see copy_API Governance.
Assume that the GET
resource in the Salary API should be restricted for admin role users. Follow the steps below to restrict the resource for a particular role.
-
Create a scope named
new_scope.
Assign scope to the admin role. -
When you execute the sample, it invokes the API without this scope.
Note
You will see the following error in the audit log if the access token does not allow you to access the requested resource.
WARN - APIAuthenticationHandler API authentication failure
-
Executing the sample also invokes the
GET
resource and return the response as shown below.