How can we ensure that a resource is accessible only from another resource within the same proxy?

We have one resource "R1" calling another resource "R2" of the same API proxy. We want the second resource "R2" to be accessed by the first resource "R1" ONLY and do not want the second resource to be accessible directly over the internet. What is the best way to restrict access to the resource?

One possible solution could be to whitelist the IPs of the Apigee MessageProcessors using the AccessControl policy. Are there any other ways to achieve this?


Hi @AMAR DEVEGOWDA,

One option is setting a specific context variable (e.g. restrictedResourceEnable = true/false) in all your flows that need access to a particular resource. Validate this flag in the Flow Condition of your secured resource R2.

Having said that, what is the need for a secured resource? Is this to group some common Steps & execute them? Just curious 🙂

Thanks,

Abhishek

@Abhishek Subramanya

Thanks for your suggestion

@Abhishek Subramanya

Tried this, but it doesn't work 😞

The context variables are local to each transaction. That is, when the context variable is set in the first resource, it won't be accessible by the second resource because the second resource is a whole new transaction with respect to Apigee.

Do you have any other suggestions?

Hi @AMAR DEVEGOWDA,

You are correct, the Apigee docs do say the same here -

Conditional flows: One or more flows, each of which has an associated condition. Conditional flows tell Edge, "When you see this, perform this logic." For example, when an API call is a GET on the /movies resource (the condition), transform the response to JSON (through a policy attached to the conditional flow). Only one flow executes per transaction—the first flow whose condition evaluates to true.

I found a workaround to address your needs. Instead of creating a conditional flow in the default proxy, you can create it in the target instead. You will end up having some constraints to pool all your policies within the default proxy before calling the restricted conditional flow.

I have created a sample proxy with the above design. I have created two flows - Flow-1 & Flow-2. I am setting restrictedResourceEnable = true within Flow-1. I have also created a flow called Restricted in default endpoint. So only transactions that come from Flow-1 can access Restricted Flow.

multiflowaccess-rev1-2015-12-23.zip

Thanks,

Abhishek

Not applicable

If possible can you explain the use case rather than first and second resource. The question is not very clear to me.

Not applicable

AMAR DEVEGOWDA, like @sriki77 and @Abhishek Subramanya, I want to understand the use case, but if you want to restrict a resource, you can create an internal Virtualhost which can only be called by R1. (You can do chaining by calling it on localhost.)

See if you can put that resource in a new endpoint on the same apiproxy, or if it can only be a flow, then you can add your new Vhost for the same endpoint where you have all resources. Either way you can do local chaining and achieve what you wanted.

Refer to this for more info

https://community.apigee.com/content/kbentry/10959/apigee-edge-adds-proxy-chaining-support-internal-...
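
The AccessControl approach raised in the question could look like the following. This is an added example, not configuration from any of the posters or from the attached sample proxy; the policy name, the `/r2` path suffix, the `/example` base path and the 192.0.2.x addresses are placeholders to be replaced with the real resource path and Message Processor IPs.

```xml
<!-- policies/AC-AllowInternalOnly.xml (hypothetical policy name) -->
<AccessControl name="AC-AllowInternalOnly">
  <!-- Deny any caller that matches no rule below -->
  <IPRules noRuleMatchAction="DENY">
    <MatchRule action="ALLOW">
      <!-- Placeholder addresses (documentation range), one per Message Processor -->
      <SourceAddress mask="32">192.0.2.10</SourceAddress>
      <SourceAddress mask="32">192.0.2.11</SourceAddress>
    </MatchRule>
  </IPRules>
</AccessControl>

<!-- proxies/default.xml: attach the policy only to the flow that serves R2 -->
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="R2">
      <!-- Placeholder path suffix for the restricted resource -->
      <Condition>proxy.pathsuffix MatchesPath "/r2"</Condition>
      <Request>
        <Step>
          <Name>AC-AllowInternalOnly</Name>
        </Step>
      </Request>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/example</BasePath>
    <VirtualHost>default</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>
```

Before relying on the allow list, confirm in a trace session which source address R1's call to R2 actually presents, and keep the list in step with any change to the Message Processor addresses.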