Limit access for SOAP web methods in Apigee API

Dear All,

We have 1 SOAP-based API and 300+ SOAP methods (operations) in it.

There are 6 products having access to it and corresponding 6 apps too.

We need to limit access to product1/app1= first 10 methods,

product 2/app2= first 100 methods,

product/app 3,4,5,6=all 300 methods

We use OAuth 2.0 client credentials.

Any solution will be appreciated 🙂

Regards

Mathew

1 ACCEPTED SOLUTION

@Sujith Mathew

I am assuming this is completely SOAP coming to Apigee and to the backend (SOAP-SOAP).

A few options I can think of are:

Option 1: (using OAuth scopes)

  1. Split your proxy to multiple conditional flows (based on SOAPAction)
  2. Use VerifyAccessToken for each flow and check for that scope in the token
  3. This means you will need to request for the scope while minting the token in the OAuth token call

Option 2: (using Product Custom attributes)

  1. Set the list of SOAPActions that have allow permission for the Product as a custom attribute on the Product. For example, if Product A has access to two SOAPActions, say "x" and "y", you can set the custom attribute with some key and the value as a JSON array ["x", "y"]
  2. In the proxy, extract the SOAPAction from the request
  3. Once you verify the token, fetch the custom attribute flow variable and check that against the custom attribute list with the SOAPAction using a JavaScript policy
  4. If found, allow, else RaiseFault

Let me know if you have any questions



@Sujith Mathew - what is your security mechanism for this API in Apigee? Are you using VerifyAPIKey or something else? In other words, when a call is made, how do you identify the API product?

Thanks for the response, the security mechanism is OAuth 2.0 (the policy enforced is VerifyAccessToken)

The crux of the matter is we badly need a solution in 6 days. Any help is appreciated.

Option 1 - don't you think it's complicated to implement?

Option 2 - we have a limit of <20 custom attributes, I presume

Option 1 - Yes, but an option. Not really complicated. With OAuth scopes, that's how it's done

Option 2 - No it is a single custom attribute. Look at my example, I have a single attribute as JSON payload.

Again, you can tweak your logic as well. You can have method includes or excludes (whichever is less). If includes is used, you can check if the incoming SOAPAction matches the custom attribute. The reverse if you use excludes in the custom attribute. Hope that clarifies

I like both options, but a client needs to change his stub (client code) if I go for option 1. Agree?

For option 2 - do you have a sample proxy?

For option 1 - Client will have to request a token with scope as well

For option 2 - I don't have a sample. Not complicated. Just extract the SOAPAction from incoming message using ExtractVariables policy and then in the JavaScript policy, try and just check against the custom attributes to process or abort with a RaiseFault

If you share some sample SOAP messages for this service, I could help
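The SOAPAction allow-list check from Option 2 (and the includes/excludes variant mentioned later in the thread) as an added example in the shape of an Apigee JavaScript policy; this is illustrative code, not a sample from the answerer or from Apigee. It assumes an ExtractVariables policy has placed the SOAPAction header in the flow variable `soap.action`, that the product custom attribute is named `soap_actions` (holding a JSON array of allowed actions) with an optional `soap_actions_mode` attribute of "includes" or "excludes", and that VerifyAccessToken exposes product custom attributes as `apiproduct.<attribute name>`; a RaiseFault policy conditioned on `soap.authz.allowed = false` follows it in the flow.

```javascript
// Added example (not from the thread): Option 2's SOAPAction allow-list as an
// Apigee JavaScript policy. Assumed variable names: "soap.action" (set by
// ExtractVariables), "apiproduct.soap_actions" and "apiproduct.soap_actions_mode"
// (product custom attributes surfaced by VerifyAccessToken). ES5 syntax on purpose,
// since Apigee's JavaScript policy runs on a Rhino engine.

// Many SOAP clients send the header value wrapped in quotes; compare without them.
function normalizeSoapAction(raw) {
  if (raw === null || raw === undefined) { return ''; }
  return String(raw).trim().replace(/^"(.*)"$/, '$1');
}

// Parse the custom attribute. Anything that is not a JSON array of strings yields
// null so the caller fails closed rather than silently allowing every method.
function parseActionList(attrValue) {
  try {
    var list = JSON.parse(attrValue);
    if (Object.prototype.toString.call(list) !== '[object Array]') { return null; }
    for (var i = 0; i < list.length; i++) {
      if (typeof list[i] !== 'string') { return null; }
    }
    return list;
  } catch (e) {
    return null;          // missing or malformed attribute
  }
}

// Decide whether this product may invoke the given SOAPAction.
// mode "includes": the list is an allow-list; "excludes": the list is a deny-list.
function isSoapActionAllowed(rawAction, attrValue, mode) {
  var action = normalizeSoapAction(rawAction);
  var list = parseActionList(attrValue);
  if (action === '' || list === null) { return false; }   // fail closed
  var listed = list.indexOf(action) !== -1;
  return mode === 'excludes' ? !listed : listed;
}

// Policy entry point: read the flow variables, record the decision in
// "soap.authz.allowed" and return it; a following RaiseFault policy with the
// condition soap.authz.allowed = false rejects the call.
function enforce(ctx) {
  var allowed = isSoapActionAllowed(
    ctx.getVariable('soap.action'),
    ctx.getVariable('apiproduct.soap_actions'),
    ctx.getVariable('apiproduct.soap_actions_mode') || 'includes');
  ctx.setVariable('soap.authz.allowed', allowed);
  return allowed;
}

// Inside Apigee the runtime supplies "context"; outside it nothing runs.
if (typeof context !== 'undefined') { enforce(context); }
```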