Securing a REST proxy service in WSO2ESB

Tags: wso2, wso2-esb

Using WSO2ESB, I am trying to add security and expose unsecured REST APIs running in WSO2DSS. Basically, I want to store the username/password in the user store in ESB with roles and give access to APIs based on the roles. I understand the client should send the authorization token in the 'Authorization' HTTP header. So how can I configure ESB to compare this token with the user store and allow access to particular services only? I am using ESB because there are some transformations to be done on the response before sending it to the client. Any broad ideas would help.

Thank you

pskumar asked Dec 05 '25 16:12


2 Answers

You can create an API in ESB to proxy your backend REST API. Then you can write a handler to authorize API calls. See this blog post.

By the way, didn't you have a look at WSO2 API Manager? To manage your APIs, that's more suitable than ESB. If you have complex transformations, you can use ESB (fronted by APIM). If your mediation logic is not complex, you can do it inside APIM itself. See this doc for more information.

If you need more fine-grained authorization capability, you can use entitlement mediator with XACML policies. See this article for more information.

Bee answered Dec 09 '25 00:12


I am able to use HTTP Basic authentication with the help of http://suhan-opensource.blogspot.co.uk/2016/08/wso2-dss-secure-data-service-using.html.

Please note that the latest version of WSO2ESB or DSS doesn't let you add security directly from the Management Console. Either use the Developer Studio or edit the XML source directly.

pskumar answered Dec 09 '25 00:12
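
The decision a custom handler has to make on the 'Authorization' header (Basic credentials checked against a user store, then roles checked against the requested API) is sketched below as an added Python example; it is not code from this thread or from WSO2. The user store, role names and API paths are constructed, and a real handler would query the ESB user store instead of an in-memory dict.

```python
import base64, binascii, hashlib, hmac, os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "roles": set(roles)}

# Constructed user store: salted password hashes plus roles (assumption, not WSO2 data).
USERS = {"alice": _user("s3cret-A", ["orders_reader"]),
         "bob": _user("s3cret-B", ["orders_reader", "orders_admin"])}
# Constructed policy: API path prefix -> roles allowed; the longest matching prefix wins.
POLICY = {"/orders/admin": {"orders_admin"}, "/orders": {"orders_reader"}}
_DUMMY = _user("dummy", [])  # hashed for unknown users so both cases do similar work

def basic_header(user, password):
    """Build the header value a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def parse_basic(header):
    """Return (user, password), or None if the header is not well-formed Basic."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def authorize(header, path):
    """HTTP status the proxy should answer with: 200, 401 (who?) or 403 (not allowed)."""
    creds = parse_basic(header)
    if creds is None:
        return 401
    user, password = creds
    record = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    if not ok or user not in USERS:
        return 401
    for prefix in sorted(POLICY, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return 200 if record["roles"] & POLICY[prefix] else 403
    return 403  # default deny: a path without a policy entry is not exposed
```

Basic credentials are only encoded, not encrypted, so the proxy endpoint should be reachable over HTTPS only.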
