WSO2 API Manager supports both REST and SOAP based web services, but it does not itself enforce WS-* standards such as WS-Security. The API Manager and the WSO2 ESB can be used together to apply WS-Security to APIs exposed through the API Manager. This post looks at how WSO2 API Manager can be combined with the WSO2 ESB to secure and expose a SOAP based API.
The diagram below depicts the message flow when WS-Security is implemented using WSO2 API Manager and WSO2 ESB.
The client encrypts the message using the ESB's public key and sends the encrypted message, together with the OAuth token it has already acquired, to the API Manager. The API Manager validates the OAuth token and enforces throttling on the request; it needs neither the plaintext nor the ESB's private key for this, because the token is carried alongside the message rather than inside the encrypted body. The API Manager then forwards the still-encrypted message to the ESB. The ESB decrypts the message with its own private key and sends the request to the backend service.
Once the response is received from the backend service, the ESB encrypts it using the client's public key and returns it to the API Manager, which passes it through to the client unchanged. The client decrypts the response with its own private key.
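The flow just described, as an added example that is neither part of the original post nor WSO2's own code: a Go simulation in which RSA-OAEP stands in for the WS-Security encryption of the SOAP body (real XML Encryption wraps a symmetric content key the same way and encrypts the body under it; that layer is left out here), the `Gateway` type stands in for the API Manager and `ESB` for the ESB. The token values, the one-request throttle limit, the backend function and the sample SOAP body are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrUnauthorized = errors.New("401: invalid OAuth token")
var ErrThrottled = errors.New("429: throttled")

// seal stands in for WS-Security encryption of the SOAP body: RSA-OAEP to the
// recipient's public key (XML Encryption's wrapped content key is omitted here).
func seal(recipient *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, body, nil)
}

// open reverses seal; it fails for every key but the recipient's.
func open(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

// Gateway models the API Manager. It holds no WS-Security keys, so it validates
// the OAuth token (a transport header) and counts requests, never the SOAP body.
type Gateway struct {
	tokens map[string]bool // tokens the key manager has issued (constructed)
	limit  int             // requests allowed per token (constructed)
	counts map[string]int
	esb    *ESB
}

func (g *Gateway) Invoke(token string, sealed []byte) ([]byte, error) {
	if !g.tokens[token] {
		return nil, ErrUnauthorized
	}
	if g.counts[token]++; g.counts[token] > g.limit {
		return nil, ErrThrottled
	}
	return g.esb.Handle(sealed) // pass-through: ciphertext forwarded unchanged
}

// ESB terminates WS-Security, calls the backend in the clear, re-encrypts the reply.
type ESB struct {
	key       *rsa.PrivateKey
	clientPub *rsa.PublicKey
	backend   func([]byte) []byte
}

func (e *ESB) Handle(sealed []byte) ([]byte, error) {
	body, err := open(e.key, sealed)
	if err != nil {
		return nil, fmt.Errorf("WS-Security decryption failed: %w", err)
	}
	return seal(e.clientPub, e.backend(body))
}

type Outcome struct {
	Response            string // plaintext the client recovered from the reply
	OpaqueWithoutESBKey bool   // request body does not open with a different key
	Rejected            bool   // unissued token never reached the ESB
	Throttled           bool   // call over the per-token limit was dropped
}

// RunScenario walks one request client -> API Manager -> ESB -> backend and back.
func RunScenario() (Outcome, error) {
	clientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	esbKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	esb := &ESB{key: esbKey, clientPub: &clientKey.PublicKey,
		backend: func(b []byte) []byte { return append([]byte("backend saw: "), b...) }}
	gw := &Gateway{tokens: map[string]bool{"tok-abc": true}, limit: 1,
		counts: map[string]int{}, esb: esb}
	sealed, err := seal(&esbKey.PublicKey, []byte("<getQuote>WSO2</getQuote>")) // client side
	if err != nil {
		return Outcome{}, err
	}
	reply, err := gw.Invoke("tok-abc", sealed) // OAuth token rides alongside the ciphertext
	if err != nil {
		return Outcome{}, err
	}
	plain, err := open(clientKey, reply) // the ESB sealed the reply to the client's key
	if err != nil {
		return Outcome{}, err
	}
	_, badKey := open(clientKey, sealed) // anyone without the ESB key, the gateway included, fails
	_, forged := gw.Invoke("tok-forged", sealed)
	_, over := gw.Invoke("tok-abc", sealed) // second good call; the limit is 1 per token
	return Outcome{Response: string(plain), OpaqueWithoutESBKey: badKey != nil,
		Rejected: errors.Is(forged, ErrUnauthorized), Throttled: errors.Is(over, ErrThrottled)}, nil
}

func main() { fmt.Println(RunScenario()) }
```

Run it with `go run`; the printed Outcome shows that the round trip succeeded, that the request body does not open without the ESB's private key (so the API Manager, which only holds the token, cannot inspect it), and that the forged token and the over-limit call were stopped at the gateway. Note that the envelope replayed in the throttle check would be accepted by the ESB if the gateway let it through: encryption alone tells the ESB nothing about who sent the message or when, which is what a signed WS-Security Timestamp is for, so the policy applied on the ESB side should require one.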
This type of scenario is useful when:
1. WS-Security needs to be enforced but cannot be enforced directly at the backend service, so it has to be applied at an intermediary stage of the message flow.
2. Clients should be provided with a portal to explore and subscribe to APIs.
3. The API publisher wants to manage the life-cycle and versioning of the exposed APIs.
4. Throttling and other security mechanisms have to be enforced on top of WS-Security.
5. Statistics on API invocations need to be gathered.