Access Control for API requests

This section guides you through the following areas:

Allowed IPs

When requests to an API are to be permitted from a set of known/trusted IPs only, you can achieve this by configuring a group of Allowed IPs through the Advanced Rate Limiting feature.

Creating the Advanced Rate Limit policy
  1. Login to the admin portal of WSO2 API Manager (https://<ip_address>:9443/admin).
  2. Under the Rate Limiting Policies tab and navigate to Advanced Policies.
  3. Click Add New Policy to add a new Rate Limit tier.

    Allowed IP add policy

  4. Fill the details as below and click Add Conditional Group.

    Allowed IP add conditional group

  5. Open the Conditional Group added and fill the details.

    Property Value
    IP Condition Type Specific IP
    IP Address E.g. 193.100.3.106
    Invert Condition Checked (If the 'Invert Condition' is checked, then the condition applies only to the IPs not mentioned in the 'IP Address'.)
    Request Count 0

    Following is an example configuration.

    New allow specific IP

    Save allow specific IP

    Note


    In the above configuration we are allowing a Specific IP address to access an API. You can allow a range of IPs as well by selecting IP Range for the IP Condition Type in the Conditional Group and specifying the range as follows.

    New allowed IP range

  6. Click Save.

    You have now successfully created the policy. Now we should engage this policy to an API.

Engage the policy with an API
  1. Login to API Publisher https://:9443/publisher.
  2. Select the API and go to the Resources menu.
  3. Enable API level under Operational Configuration and select the newly created rate limiting policy. Apply allowlist to API

  4. Save and Publish the API. Now the API will be accessible only by the IP specified in the rate limiting policy.

    Note

    The policy will be re-enforced for every unit time. Each time the policy is enforced a minimum of 1 request will be allowed to pass before blocking requests. Having a smaller unit time will increase the frequency of requests passing through. Hence, having an larger unit time is suitable to minimize the number of requests passing through.

Denying requests

By denying requests, you can protect servers from common attacks and abuse by users. For example, if a malicious user misuses the system, all requests received from that particular user can be completely blocked. Tenant administrative users can block requests based on the following parameters:

  • Block calls to specific APIs
  • Block all calls from a given application
  • Block requests coming from a specific IP address
  • Block a specific user from accessing APIs

To deny a request,

  1. Log in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials.
  2. Click Deny Policies under the Rate Limiting Policies section and click Add Policy.

    Add denied policy

Select the item to deny, enter a value and click Deny.

Select denied condition

Note

You can temporary switch on/off the denied condition by enabling/disabling the Condition status that is auto enabled when a denied condition is created.

Denied condition status

Denying PhoneVerification API

As described above you can deny requests for APIs, by Applications, to IP Addresses and for Users. Let's see how we can deny requests to an API.

  1. Log in to the Admin Portal using the URL https://localhost:9443/admin and your admin credentials.
  2. Click Deny Policies under the Rate Limiting Policies section and click Add Policy.
  3. Select API Context and provide the Context of PhoneVerification API with version as the Value.

    Select context deny

  4. Click Deny.

  5. Now login to API Developer Portal using the URL https://localhost:9443/devportal and invoke the API. You will see the following response.

    Denied api

Top