Restrict API resources by their full path and verb


For certain resource paths at my base path, I'd like to only allow certain (GET, POST, PUT) requests. What is the best practice for accomplishing this?

Option 1:

Set variable 'flow.request.name' to include the request verb, and set path resources accordingly. (Approach described here: https://community.apigee.com/articles/2514/how-to-restrict-api-resources-by-their-full-path-a.html)

Option 2:

Build conditional flows that return status code 405 (Method Not Allowed) if the verb and path combination is not allowed.



Option 1 would get my vote... I might be a bit biased though.

The problem with option 2 is that if you want to change the access control you would have to modify the proxy itself, either modifying the conditional flow or adding another one. This would have to be applied to all proxies that account for a particular product. Since a product is an entity that can encompass several proxies, building in all of those rules could be cumbersome.

Will it work? Sure, but seeing how it doesn't really scale to the scope a product is intended to encompass, I would work with option 1 😉

What should I make of your note:

"You can use multiple * wildcards but you can't mix * and ** wildcards"

Can I have a resource path of: /*/*/resource1** ?

At the time the article was written, using multiple * wildcards didn't work... I have heard whispers that this may not be the case anymore; that said, I have not personally validated that rumor.

I modified your js callout to just concatenate the verb and path suffix. There's no problem with that, correct?

try {
  // Build the resource name as "/<verb><pathsuffix>", e.g. "/GET/customers/42".
  // The basepath line is left commented out; see the reply below about
  // identical path suffixes under different basepaths.
  context.setVariable('flow.resource.name', '/' +
    context.getVariable('request.verb') +
    // context.getVariable('proxy.basepath') +
    context.getVariable('proxy.pathsuffix'));
} catch (e) {
  throw 'Error in Javascript';
}

The only problem you may run into is that you can have the same pathsuffix in multiple proxies which have different basepaths.

So long as the product is composed of one proxy with one basepath, then it shouldn't be an issue. Thanks~

One downside of option 1 is that the error code returned is 401 (Unauthorized) when it should be 405 (Method Not Allowed). Is there a work-around?
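The following is an added example, not code from the thread or from Apigee: it models both options in one JavaScript callout. It builds the verb-qualified flow.resource.name from Option 1 (with the basepath included, so identical path suffixes in different proxies stay distinct, as the reply above warns), and it adds an Option 2 style allow-list so a known path with a disallowed verb yields 405 rather than the 401 that product-level resource matching returns. The allow-list ALLOWED, the 404 for unknown paths, the flow variable flow.deny.status (assumed to be read by a later RaiseFault step), and the fakeContext stand-in for Apigee's context object are all constructed for this example; the code stays in ES5 syntax to remain close to what the Apigee JavaScript policy accepts.

```javascript
// Constructed allow-list: resource pattern -> allowed verbs.
// '*' matches exactly one path segment; '**' (as a whole segment) matches the rest.
var ALLOWED = {
  '/customers/*': ['GET', 'PUT'],
  '/customers/*/orders/**': ['GET', 'POST']
};

// Match a path suffix against one pattern, segment by segment.
function matchesPattern(pattern, path) {
  var pSegs = pattern.split('/').filter(function (s) { return s !== ''; });
  var segs = path.split('/').filter(function (s) { return s !== ''; });
  for (var i = 0; i < pSegs.length; i++) {
    if (pSegs[i] === '**') { return true; }          // swallow the remainder
    if (i >= segs.length) { return false; }           // path is shorter than the pattern
    if (pSegs[i] !== '*' && pSegs[i] !== segs[i]) { return false; }
  }
  return segs.length === pSegs.length;                // no trailing segments left over
}

// Option 1: verb-qualified resource name, basepath included to avoid collisions
// between proxies that share a path suffix, e.g. "/GET/v1/customers/42".
function resourceName(verb, basepath, pathsuffix) {
  return '/' + verb.toUpperCase() + basepath + pathsuffix;
}

// Option 2 decision: 405 when the path is known but the verb is not allowed,
// 404 (a design choice for this example) when no pattern matches, else allow.
function decide(verb, pathsuffix) {
  var known = false;
  for (var pattern in ALLOWED) {
    if (!ALLOWED.hasOwnProperty(pattern)) { continue; }
    if (!matchesPattern(pattern, pathsuffix)) { continue; }
    known = true;
    if (ALLOWED[pattern].indexOf(verb.toUpperCase()) !== -1) {
      return { allowed: true, status: 200 };
    }
  }
  return known ? { allowed: false, status: 405 } : { allowed: false, status: 404 };
}

// Policy entry point in the same shape as the callout posted above.
function run(context) {
  var verb = context.getVariable('request.verb');
  var basepath = context.getVariable('proxy.basepath');
  var suffix = context.getVariable('proxy.pathsuffix');
  context.setVariable('flow.resource.name', resourceName(verb, basepath, suffix));
  var d = decide(verb, suffix);
  if (!d.allowed) {
    // Assumption: a later RaiseFault step reads this variable to set the status code.
    context.setVariable('flow.deny.status', d.status);
  }
  return d;
}

// Constructed stand-in for Apigee's context object, so the block runs offline.
function fakeContext(vars) {
  var store = {};
  for (var k in vars) { if (vars.hasOwnProperty(k)) { store[k] = vars[k]; } }
  return {
    getVariable: function (key) { return store[key]; },
    setVariable: function (key, value) { store[key] = value; },
    vars: store
  };
}

// Constructed sample request: DELETE is not in the allow-list for /customers/*.
var ctx = fakeContext({
  'request.verb': 'DELETE',
  'proxy.basepath': '/v1',
  'proxy.pathsuffix': '/customers/42'
});
console.log(run(ctx), ctx.vars['flow.resource.name']);
```

The matcher treats '**' only as a whole segment, so a pattern like /*/*/resource1** is compared literally; whether Apigee itself accepts mixed wildcards is the open question from the thread, not something this example settles.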

apiguru
Participant II
@jasonbrown

How did you do Option 2?