Hi community,
I'm wondering if you have any ideas on whether this is expected behaviour.
I'm using Shared Flows as a way to create re-usable shared security profiles/policies. Their configuration is being driven by variables (custom.scopes, custom.ratelimit, etc.).
At the moment I have one policy, but would like to have a few which can be selected through variables to reduce APIProxy configuration to a few values in an AssignMessage.
e.g.
SecurityPolicy-1: OAuth + Spike Arrest
SecurityPolicy-2: APIKey + Spike Arrest
SecurityPolicy-n: +
Summary of API Proxy flow:
Proxy Preflow:
```xml
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Condition>(request.verb != "OPTIONS")</Condition>
      <Name>Set.SecurityProfile</Name>
    </Step>
    <Step>
      <Condition>(request.verb != "OPTIONS")</Condition>
      <Name>Sec-Profile</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>
```
Policies:
1. AssignMessage:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="Set.SecurityProfile">
  <DisplayName>Set.SecurityProfile</DisplayName>
  <Properties/>
  <AssignVariable>
    <!-- Used to set the Security Profile Shared Flow -->
    <Name>custom.profile</Name>
    <Value>Sec-Profile-1</Value>
    <Ref/>
  </AssignVariable>
  <AssignVariable>
    <!-- Used to set the OAuth scopes to enforce -->
    <Name>custom.scopes</Name>
    <Value>resource:read resource:read</Value>
    <Ref/>
  </AssignVariable>
  <AssignVariable>
    <!-- Used to set the spike rate limit -->
    <Name>custom.ratelimit</Name>
    <Value>20ps</Value>
    <Ref/>
  </AssignVariable>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
```
2. FlowCallout:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="Sec-Profile">
  <DisplayName>Sec-Profile</DisplayName>
  <FaultRules/>
  <Properties/>
  <SharedFlowBundle>{custom.profile}</SharedFlowBundle>
</FlowCallout>
```
From the trace, it seems like the SharedFlowBundle value is not accepting variables.
Is there another way to do this type of thing?
Unfortunately, dynamic values for the SharedFlowBundle are not supported. What you can do is, let's say you have 2 different Security Shared Flows, "SF-Security-1" and "SF-Security-2", you can have them called within your proxy using Conditions:
```xml
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Condition>(request.verb != "OPTIONS")</Condition>
      <Name>Set.SecurityProfile</Name>
    </Step>
    <Step>
      <Condition>(request.verb != "OPTIONS") and (request.header.apikey != null)</Condition>
      <Name>FC-Security-1</Name>
    </Step>
    <Step>
      <Condition>(request.verb != "OPTIONS") and (request.header.Authorization != null)</Condition>
      <Name>FC-Security-2</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>
```
and within these Flow Callouts, you can have the appropriate Shared flows
FC-Security-1:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-Security-1">
  <DisplayName>FC-Security-1</DisplayName>
  <FaultRules/>
  <Properties/>
  <SharedFlowBundle>SF-Security-1</SharedFlowBundle>
</FlowCallout>
```
FC-Security-2:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-Security-2">
  <DisplayName>FC-Security-2</DisplayName>
  <FaultRules/>
  <Properties/>
  <SharedFlowBundle>SF-Security-2</SharedFlowBundle>
</FlowCallout>
```
Hope this helps!
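
A variant of the conditional approach in the answer above that keeps the question's `custom.profile` selection and rejects the request when no profile matches, so a missing or misspelled value cannot skip enforcement. This is an added example, not from either poster; the `FC-Sec-Profile-*` and `RF-Unknown-Profile` policy names, the `Sec-Profile-2` bundle and the fault status are assumptions.

```xml
<!-- Added example: proxy PreFlow. Policy names other than Set.SecurityProfile are hypothetical. -->
<PreFlow name="PreFlow">
  <Request>
    <Step>
      <Condition>(request.verb != "OPTIONS")</Condition>
      <Name>Set.SecurityProfile</Name>
    </Step>
    <!-- One static FlowCallout per profile, selected by the variable set above -->
    <Step>
      <Condition>(request.verb != "OPTIONS") and (custom.profile = "Sec-Profile-1")</Condition>
      <Name>FC-Sec-Profile-1</Name>
    </Step>
    <Step>
      <Condition>(request.verb != "OPTIONS") and (custom.profile = "Sec-Profile-2")</Condition>
      <Name>FC-Sec-Profile-2</Name>
    </Step>
    <!-- Fail closed: an unset or unknown profile stops the request instead of passing through -->
    <Step>
      <Condition>(request.verb != "OPTIONS") and !((custom.profile = "Sec-Profile-1") or (custom.profile = "Sec-Profile-2"))</Condition>
      <Name>RF-Unknown-Profile</Name>
    </Step>
  </Request>
  <Response/>
</PreFlow>

<!-- FC-Sec-Profile-1: bundle name is a literal. FC-Sec-Profile-2 differs only in its names. -->
<FlowCallout async="false" continueOnError="false" enabled="true" name="FC-Sec-Profile-1">
  <DisplayName>FC-Sec-Profile-1</DisplayName>
  <SharedFlowBundle>Sec-Profile-1</SharedFlowBundle>
</FlowCallout>

<!-- RF-Unknown-Profile: returned when no security profile was applied -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="RF-Unknown-Profile">
  <DisplayName>RF-Unknown-Profile</DisplayName>
  <FaultResponse>
    <Set>
      <StatusCode>500</StatusCode>
      <ReasonPhrase>Security profile not configured</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>
```

The shared flows still read `custom.scopes` and `custom.ratelimit` from the same AssignMessage, so per-proxy configuration stays in one policy.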