Securing REST APIs

In most of the real-world use cases of REST, when a consumer attempts to access a privileged resource, access will be denied unless the consumer's credentials are provided in an Authorization header. By default, the Micro Integrator validates the credentials of the consumer (that is provided in the Authorization header) against the credentials of users that are registered in the user store connected to the server.


The Micro Integrator uses a Basic Auth handler for this purpose. If required, you can use a custom basic auth handler or other security implementations. Find out more about applying security to REST APIs.

Synapse configuration

Following is a sample REST API configuration that we can used to implement this scenario. See the instructions on how to build and run this example.


The basic auth handler is engaged in the API as follows:

    <handler class=""/>

See the REST API given below for an example of how the default basic auth handler is used.

<api xmlns="" name="StockQuoteAPI" context="/stockquote">
       <resource methods="GET" uri-template="/view/{symbol}">
             <payloadFactory media-type="xml">
                   <m0:getQuote xmlns:m0="http://services.samples">
                   <arg evaluator="xml" expression="get-property('uri.var.symbol')"/>
             <header name="Action" scope="default" value="urn:getQuote"/>
                   <address uri="http://localhost:9000/services/SimpleStockQuoteService" format="soap11"/>
        <handler class=""/>

Build and run

Create the artifacts:

  1. Set up WSO2 Integration Studio.
  2. Create an integration project with an ESB Configs module and an Composite Exporter.
  3. Create the rest API with the configurations given above.
  4. Deploy the artifacts in your Micro Integrator.

Configure an external user store.

Set up the back-end service:

  1. Download the back-end service.
  2. Extract the downloaded zip file.
  3. Open a terminal, navigate to the axis2Server/bin/ directory inside the extracted folder.
  4. Execute the following command to start the axis2server with the SimpleStockQuote back-end service:


Test the API:

  1. First, invoke the service using the following service URL without providing any user credentials:


    You can invoke the service using Postman or Curl.

    curl -v

    Note that you will receive the following error because the username and password are not passed and the service cannot be authenticated: 401 Unauthorized

  2. Now, invoke the service again by providing the credentials of a user that is registered in the user store that is hosted.


    Note that the credentials (YWRtaW46YWRtaW4=) given in the authorization header (Authorization: Basic YWRtaW46YWRtaW4=) are the Base64-encoded username and password in the following format: username:password.

    The request is passed to the back-end service and you will receive a response similar to what is shown below:

    <soapenv:Envelope xmlns:soapenv="">
                <ns:getQuoteResponse xmlns:ns="http://services.samples">
                    <ns:return xmlns:ax21="http://services.samples/xsd" xmlns:xsi="" xsi:type="ax21:GetQuoteResponse">
                        <ax21:lastTradeTimestamp>Mon Jul 30 15:10:56 IST 2018</ax21:lastTradeTimestamp>
                        <ax21:name>IBM Company</ax21:name>