Weird exception accessing an API Manager protected resource


Thomas LEGRAND
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool here.

But when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So I activated DEBUG mode, and then I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do, since I tried some fancy URLs for the ServerURL value in the AuthManager and APIKeyValidator elements.
My IS has an offset of 5, so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
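An added example, not code from the thread or from WSO2, that scripts the client side of the flow described above and turns the two artifacts Thomas pasted (the ams:fault body and the DEBUG trace) into something you can act on. It assumes the IS token endpoint is /oauth2/token on port 9448 (9443 plus the offset of 5 mentioned in the post), that the SAML exchange is the standard RFC 7522 saml2-bearer grant authenticated with the AM application's consumer key/secret, and a hypothetical gateway URL; the sample fault and trace are constructed copies of what is shown in the post.

```python
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

AMS_NS = "http://wso2.org/apimanager/security"                  # namespace of the fault in the post
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # RFC 7522 grant type
IS_TOKEN_URL = "https://localhost:9448/oauth2/token"            # assumed: 9443 + offset 5, /oauth2/token
GATEWAY_URL = "https://localhost:8243/myapi/1.0.0/items"        # assumed: hypothetical API on the gateway


def build_saml2_bearer_request(token_url, consumer_key, consumer_secret, saml_assertion_xml, scope=None):
    """Build (url, headers, body) for exchanging a SAML assertion for an OAuth token.
    RFC 7522 requires the assertion to be base64url-encoded; the AM application's
    consumer key/secret go in HTTP Basic auth, not in the form body."""
    assertion = base64.urlsafe_b64encode(saml_assertion_xml.encode("utf-8")).decode("ascii")
    fields = {"grant_type": SAML2_BEARER, "assertion": assertion}
    if scope:
        fields["scope"] = scope
    basic = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return token_url, headers, urllib.parse.urlencode(fields)


def exchange_saml_for_token(token_url, consumer_key, consumer_secret, saml_assertion_xml, cafile):
    """POST the saml2-bearer grant to the IS and return the access token from the JSON reply.
    TLS is verified against an explicit CA bundle (export the IS certificate into it)."""
    url, headers, body = build_saml2_bearer_request(token_url, consumer_key, consumer_secret, saml_assertion_xml)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))["access_token"]


def parse_ams_fault(body):
    """Parse the <ams:fault> document the gateway returns; None if the body is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{AMS_NS}}}fault":
        return None

    def field(name):
        el = root.find(f"{{{AMS_NS}}}{name}")
        return (el.text or "").strip() if el is not None else ""

    return {"code": int(field("code")), "message": field("message"),
            "description": field("description")}


def root_cause(log_text):
    """Return the innermost 'Caused by:' message of a gateway DEBUG trace.
    The 900900 fault body does not say why validation failed; the trace does."""
    causes = re.findall(r"^Caused by: (.+)$", log_text, flags=re.MULTILINE)
    return causes[-1].strip() if causes else None


def key_validation_backend_failed(log_text):
    """True when the trace shows the gateway got no answer from the key manager at all,
    i.e. the problem is the WS client / ServerURL side rather than the token itself."""
    return "Error while accessing backend services for API key validation" in log_text


def call_api(url, access_token, cafile):
    """GET an API through the gateway with a Bearer token; on an HTTP error return the
    status, the raw body and the parsed ams:fault (if the body is one)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8"), None
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
        return err.code, body, parse_ams_fault(body)


# Constructed copies of the fault body and the DEBUG trace shown in the post.
SAMPLE_FAULT = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900900</ams:code>
  <ams:message>Unclassified Authentication Failure</ams:message>
  <ams:description>Resource forbidden</ams:description>
</ams:fault>"""

SAMPLE_TRACE = """org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
"""

if __name__ == "__main__":
    print(parse_ams_fault(SAMPLE_FAULT))
    print(key_validation_backend_failed(SAMPLE_TRACE), root_cause(SAMPLE_TRACE))
```

The point of root_cause and key_validation_backend_failed is that a 900900 "Resource forbidden" looks to the client like a bad token, while the trace in the post shows the gateway never got a validation answer from the key manager; keep DEBUG on for APIAuthenticationHandler while testing and check the innermost cause before touching the token or the application.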

Re: Weird exception accessing an API Manager protected resource

Farasath Ahamed
It would be better if you could share the api-manager.xml configuration file, to see if there are any errors in the configs.




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
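Before pasting api-manager.xml to a list, it is worth running a check on it that reports what the gateway will actually dial and strips anything secret. The following is an added example of mine, not code from the thread or from WSO2: it expands the ${...} placeholders for a given port offset (assuming the stock Carbon ports 9443/8243/8280 before the offset, which the thread does not state), reports the AuthManager and APIKeyValidator endpoints and the key-validation client type, flags the settings a reviewer looks at first (literal passwords, EncryptPersistedTokens, CORS wildcard with credentials), and redacts literal passwords, including ones left in XML comments. The embedded config is a constructed, trimmed version of the one posted in the reply below.

```python
import re
import xml.etree.ElementTree as ET

# Assumed stock Carbon ports before the offset is applied (not stated in the thread).
CARBON_DEFAULTS = {"mgt.transport.https.port": 9443, "https.nio.port": 8243, "http.nio.port": 8280}


def resolve(value, offset=0, host="localhost"):
    """Expand the ${...} placeholders WSO2 uses in URLs for a given port offset;
    unknown placeholders are left in place so they stay visible in the report."""
    def sub(m):
        name = m.group(1)
        if name in CARBON_DEFAULTS:
            return str(CARBON_DEFAULTS[name] + offset)
        if name == "carbon.context":
            return "/"          # no context path on a default install
        if name == "carbon.local.ip":
            return host
        return m.group(0)
    return re.sub(r"\$\{([^}]+)\}", sub, value)


def _text(root, path):
    el = root.find(path)
    return (el.text or "").strip() if el is not None else ""


def lint(xml_text, offset=0):
    """Report the effective key-manager endpoints and the settings worth a second look."""
    root = ET.fromstring(xml_text)
    findings = []
    km = resolve(_text(root, "APIKeyValidator/ServerURL"), offset)
    am = resolve(_text(root, "AuthManager/ServerURL"), offset)
    client = _text(root, "APIKeyValidator/KeyValidatorClientType")

    # The gateway reaches the key manager over the admin web services or over Thrift;
    # only the settings for the client type actually selected matter.
    if client == "WSClient" and not (km.startswith("https://") and km.endswith("/services/")):
        findings.append(f"WSClient selected but APIKeyValidator/ServerURL is {km!r}, expected https://host:port/services/")
    if client == "ThriftClient" and not _text(root, "APIKeyValidator/ThriftClientPort"):
        findings.append("ThriftClient selected but ThriftClientPort is not set")
    if client not in ("WSClient", "ThriftClient"):
        findings.append(f"unknown KeyValidatorClientType {client!r}")

    # Credentials written literally instead of via ${...} placeholders or secure vault.
    for el in root.iter():
        if el.tag.endswith("Password") and el.text and not el.text.strip().startswith("${"):
            findings.append(f"literal password in <{el.tag}>; use a placeholder or EnableSecureVault")

    if _text(root, "OAuthConfigurations/EncryptPersistedTokens").lower() != "true":
        findings.append("EncryptPersistedTokens is not true: access tokens are stored in the DB in cleartext")

    cors = root.find("CORSConfiguration")
    if cors is not None and _text(cors, "Enabled") == "true":
        origin = _text(cors, "Access-Control-Allow-Origin")
        creds = _text(cors, "Access-Control-Allow-Credentials") == "true"
        if "*" in origin and creds:
            findings.append("CORS allows credentials with a wildcard origin; browsers reject this and it signals an over-broad policy")
    return {"key_manager": km, "auth_manager": am, "client_type": client, "findings": findings}


def redact(xml_text):
    """Blank every literal *Password value, including ones inside XML comments (which
    ET would silently drop), so the file can be pasted to a mailing list."""
    return re.sub(r"(<(\w*Password)>)(?!\$\{)[^<]*(</\2)", r"\1***\3", xml_text)


# Constructed, trimmed version of the api-manager.xml posted in the thread.
SAMPLE_CONFIG = """<APIManager>
    <AuthManager>
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <Username>${admin.username}</Username>
        <Password>${admin.password}</Password>
    </AuthManager>
    <APIKeyValidator>
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <Username>${admin.username}</Username>
        <Password>${admin.password}</Password>
<!--Username>admin</Username>
<Password>admin</Password-->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <EnableThriftServer>false</EnableThriftServer>
    </APIKeyValidator>
    <OAuthConfigurations>
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>
    <CORSConfiguration>
        <Enabled>true</Enabled>
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
</APIManager>"""

if __name__ == "__main__":
    report = lint(SAMPLE_CONFIG, offset=5)
    print(report["client_type"], report["key_manager"], report["auth_manager"])
    for f in report["findings"]:
        print("-", f)
    print(redact(SAMPLE_CONFIG))
```

Run it against the real file with the offset of the node that hosts the key manager; the endpoints it prints are what the gateway's WSClient will call, which is the first thing to compare against the IS management port when a 900900 comes back with "Error while accessing backend services for API key validation" in the trace.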

Re: Weird exception accessing an API Manager protected resource

Thomas LEGRAND
Hello!

Sure. Here is my api-manager.xml AM configuration file:

<APIManager>
    <!-- JNDI name of the data source to be used by the API publisher, API store and API
         key manager. This data source should be defined in the master-datasources.xml file
         in conf/datasources directory. -->
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>

    <!-- This parameter is used when adding api management capability to other products like GReg, AS, DSS etc.-->
    <!--GatewayType>Synapse</GatewayType-->
    <GatewayType>None</GatewayType>

    <!-- This parameter is used to enable the securevault support when trying to publish endpoint secured APIs. Values should be "true" or "false".
    By default secure vault is disabled.-->
    <EnableSecureVault>false</EnableSecureVault>

    <!-- Authentication manager configuration for API publisher and API store. This is
         a required configuration for both web applications as their user authentication
         logic relies on this. -->
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
           via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>

    <JWTConfiguration>
        <!-- Enable/Disable JWT generation. Default is false. -->
        <!-- EnableJWTGeneration>false</EnableJWTGeneration-->

        <!-- Name of the security context header to be added to the validated requests. -->
        <JWTHeader>X-JWT-Assertion</JWTHeader>

        <!-- Fully qualified name of the class that will retrieve additional user claims
             to be appended to the JWT. If not specified no claims will be appended.If user wants to add all user claims in the
             jwt token, he needs to enable this parameter.
             The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
        <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->

        <!-- The dialectURI under which the claimURIs that need to be appended to the
             JWT are defined. Not used with custom ClaimsRetriever implementations. The
             same value is used in the keys for appending the default properties to the
             JWT. -->
        <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->

        <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
        <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->

        <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
    default implementation provided. -->
        <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>

        <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
             Token generation the implementation is provided in URLSafeJWTGenerator -->
        <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->

        <!-- Remove UserName from JWT Token -->
        <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
    </JWTConfiguration>

    <!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
    <!--LoginConfig>
            <UserIdLogin  primary="true">
        <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin  primary="false">
            <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
    </LoginConfig-->

    <!-- Credentials for the API gateway admin server. This configuration
         is mainly used by the API publisher and store to connect to the API gateway and
         create/update published API configurations. -->
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
                 An API deployed on a 'production' type gateway will only support production keys
                 An API deployed on a 'sandbox' type gateway will only support sandbox keys
                 An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
            <!-- api-console element specifies whether the environment should be listed in API Console or not -->
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
                <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>

    <CacheConfigurations>
        <!-- Enable/Disable token caching at the Gateway-->
        <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
        <!-- Enable/Disable API resource caching at the Gateway-->
        <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
        <!-- Enable/Disable API key validation information caching at key-management server -->
        <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
        <!-- This parameter specifies whether Recently Added APIs will be loaded from the cache or not.
             If there are multiple API modification during a short time period, better to disable cache. -->
        <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
        <!-- JWT claims Cache expiry in seconds -->
        <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
        <!-- Expiry time for the apim key mgt validation info cache -->
        <!--TokenCacheExpiry>900</TokenCacheExpiry-->
        <!-- This parameter specifies the expiration time of the TagCache. TagCache will
             only be created when this element is uncommented. When the specified
             time duration gets elapsed ,tag cache will get re-generated. -->
        <!--TagCacheDuration>120000</TagCacheDuration-->
    </CacheConfigurations>

    <!--
        API usage tracker configuration used by the DAS data publisher and
        Google Analytics publisher in API gateway.
    -->
    <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>false</Enabled>

        <!-- Server URL of the remote DAS/CEP server used to collect statistics. Must
             be specified in protocol://hostname:port/ format.

             An event can also be published to multiple Receiver Groups each having 1 or more receivers. Receiver
             Groups are delimited by curly braces whereas receivers are delimited by commas.
             Ex - Multiple Receivers within a single group
             tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/

             Ex - Multiple Receiver Groups with two receivers each
             {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        <!-- For APIM implemented Statistic client for RDBMS -->
        <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        <!-- DAS REST API configuration -->
        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        <!-- Below property is used to skip trying to connect to event receiver nodes when publishing events even if
            the stats enabled flag is set to true. -->
        <SkipEventReceiverConnection>false</SkipEventReceiverConnection>

        <!-- API Usage Data Publisher. -->
        <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>

        <!-- If below property set to true,then the response message size will be calculated and publish
             with each successful API invocation event. -->
        <PublishResponseMessageSize>false</PublishResponseMessageSize>
        <!-- Data publishing stream names and versions of API requests, responses and faults. If the default values
            are changed, the toolbox also needs to be changed accordingly. -->
        <Streams>
            <Request>
                <Name>org.wso2.apimgt.statistics.request</Name>
                <Version>1.1.0</Version>
            </Request>
            <Response>
                <Name>org.wso2.apimgt.statistics.response</Name>
                <Version>1.1.0</Version>
            </Response>
            <Fault>
                <Name>org.wso2.apimgt.statistics.fault</Name>
                <Version>1.0.0</Version>
            </Fault>
            <Throttle>
                <Name>org.wso2.apimgt.statistics.throttle</Name>
                <Version>1.0.0</Version>
            </Throttle>
            <Workflow>
                <Name>org.wso2.apimgt.statistics.workflow</Name>
                <Version>1.0.0</Version>
            </Workflow>
            <ExecutionTime>
                <Name>org.wso2.apimgt.statistics.execution.time</Name>
                <Version>1.0.0</Version>
            </ExecutionTime>
            <AlertTypes>
                <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
                <Version>1.0.0</Version>
            </AlertTypes>
        </Streams>

    </Analytics>

    <!--
        API key validator configuration used by API key manager (IS), API store and API gateway.
        API gateway uses it to validate and authenticate users against the provided API keys.
    -->
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>

        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
        <!--Username>admin</Username>
        <Password>admin</Password-->

        <!-- Configurations related to enable thrift support for key-management related communication.
             If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
             In a distributed environment;
             -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
             -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
             -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
        -The Gateway uses this parameter to connect to the key validation thrift service. -->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->

        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->

        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a 
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>

    <!-- Uncomment this section only if you are going to have an instance other than KeyValidator as your KeyManager.
         Unless a ThirdParty KeyManager is used, you don't need to configure this section. -->
    <!--APIKeyManager>
        <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
        <Configuration>
            <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
            <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
        </Configuration>
    </APIKeyManager-->

    <OAuthConfigurations>
        <!-- Remove OAuth headers from outgoing message. -->
        <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
        <!-- Scope used for marking Application Tokens. If a token is generated with this scope, they will be treated as Application Access Tokens -->
        <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
        <!-- All  scopes under the ScopeWhitelist element are not validating against roles that has assigned to it.
             By default ^device_.* and openid scopes have been white listed internally. -->
        <!--ScopeWhitelist>
            <Scope>^device_.*</Scope>
            <Scope>openid</Scope>
        </ScopeWhitelist-->
        <!-- Name of the token API -->
        <TokenEndPointName>/oauth2/token</TokenEndPointName>
        <!-- This the API URL for revoke API. When we revoke tokens revoke requests should go through this
             API deployed in API gateway. Then it will do cache invalidations related to revoked tokens.
             In distributed deployment we should configure this property in key manager node by pointing
             gateway https( /http, we recommend users to use 'https' endpoints for security purpose) url.
             Also please note that we should point gateway revoke service to key manager -->
        <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
        <!-- Whether to encrypt tokens when storing in the Database
        Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
        org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>

    <!-- Settings related to managing API access tiers. -->
    <TierManagement>
        <!-- Enable the providers to expose their APIs over the special 'Unlimited' tier which
             basically disables tier based throttling for the specified APIs. -->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property is used to indicate how we do user name comparison for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/store</URL>

        <!-- Server URL of the API Store. -->
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>

        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of same
             API or only showing the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which are having DEPRECATED/PUBLISHED status] or only display the APIs
             with having their status is as 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs in api the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->

        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>

        <!-- This parameter specifies whether to display the ratings  or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>

        <!--set isStoreForumEnabled to false for disable forum in store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>

    <APIPublisher>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
        <!-- This parameter specifies enabling the capability of setting API documentation level granular visibility levels.
             By default any document associate with an API will have the same permissions set as the API.With enabling below
             property,it will show two additional permission levels as visible only to all registered users in a particular
             domain or only visible to API doc creator -->
        <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
        <!-- Uncomment this to limit the number of APIs in api the API Publisher -->
        <!--APIsPerPage>30</APIsPerPage-->
    </APIPublisher>

    <!-- Status observers can be registered against the API Publisher to listen for
         API status update events. Each observer must implement the APIStatusObserver
         interface. Multiple observers can be engaged if necessary and in such situations
         they will be notified in the order they are defined here. 
         This configuration is unused from API Manager version 1.10.0 -->
    <!--StatusObservers>
        <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
    </StatusObservers-->

    <!-- Use this configuration Create APIs at the Server startup -->
    <StartupAPIPublisher>
        <!-- Enable/Disable the API Startup Publisher -->
        <Enabled>false</Enabled>

        <!-- Configuration to create APIs for local endpoints.
             Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
             Define many LocalAPI elements as below to create many APIs
             for local Endpoints.
             IconPath should be relative to CARBON_HOME. -->
        <LocalAPIs>
            <LocalAPI>
                <Context>/resource</Context>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </LocalAPI>
        </LocalAPIs>

        <!-- Configuration to create APIs for remote endpoints.
             When Endpoint need to be defined use this configuration.
             Define many API elements as below to create many APIs
             for external Endpoints.
             If you do not need to add Icon or Documentation set
             'none' as the value for IconPath & DocumentURL. -->
        <!--APIs>
            <API>
                <Context>/resource</Context>
                <Endpoint>http://localhost:9764/resource</Endpoint>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </API>
        </APIs-->
    </StartupAPIPublisher>

    <!-- Configuration to enable/disable sending CORS headers in the Gateway response
         and define the Access-Control-Allow-Origin header value.-->
    <CORSConfiguration>
        <!-- Configuration to enable/disable sending CORS headers from the Gateway-->
        <Enabled>true</Enabled>

        <!-- The value of the Access-Control-Allow-Origin header. Default values are
             API Store addresses, which is needed for swagger to function. -->
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

        <!-- Configure Access-Control-Allow-Methods -->
        <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

        <!-- Configure Access-Control-Allow-Headers -->
        <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>

        <!-- Configure Access-Control-Allow-Credentials -->
        <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
             It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*) -->
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
    
    <!-- This property is there to configure velocity log output into existing Log4j carbon Logger.
         You can enable this and set preferable Logger name. -->
    <!-- VelocityLogger>VELOCITY</VelocityLogger -->

    <RESTAPI>
        <!--Configure white-listed URIs of REST API. Accessing white-listed URIs does not require credentials (does not require Authorization header). -->
        <WhiteListedURIs>
            <WhiteListedURI>
                <URI>/api/am/publisher/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/admin/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
        </WhiteListedURIs>
        <ETagSkipList>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/generate-sdk</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications/generate-keys</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/subscriptions</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/environments</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
        </ETagSkipList>
    </RESTAPI>
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>true</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
            </JMSConnectionParameters>
            <JMSTaskManager>
                <MinThreadPoolSize>20</MinThreadPoolSize>
                <MaxThreadPoolSize>100</MaxThreadPoolSize>
                <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
                <JobQueueSize>10</JobQueueSize>
            </JMSTaskManager>
        </JMSConnectionDetails>
        <JMSEventPublisherParameters>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <transport.jms.Destination>throttleData</transport.jms.Destination>
                <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
        </JMSEventPublisherParameters>
        <!--DefaultLimits>
            <SubscriptionTierLimits>
                <Gold>5000</Gold>
                <Silver>2000</Silver>
                <Bronze>1000</Bronze>
                <Unauthenticated>60</Unauthenticated>
            </SubscriptionTierLimits>
            <ApplicationTierLimits>
                <50PerMin>50</50PerMin>
                <20PerMin>20</20PerMin>
                <10PerMin>10</10PerMin>
            </ApplicationTierLimits>
            <ResourceLevelTierLimits>
                <50KPerMin>50000</50KPerMin>
                <20KPerMin>20000</20KPerMin>
                <10KPerMin>10000</10KPerMin>
            </ResourceLevelTierLimits>
        </DefaultLimits-->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
        <EnableHeaderConditions>false</EnableHeaderConditions>
        <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
        <EnableQueryParamConditions>false</EnableQueryParamConditions>
    </ThrottlingConfigurations>
    
    <WorkflowConfigurations>
        <Enabled>false</Enabled>
        <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
        <ServerUser>${admin.username}</ServerUser>
        <ServerPassword>${admin.password}</ServerPassword>
        <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
        <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
        <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
        <DCREndPointUser>${admin.username}</DCREndPointUser>
        <DCREndPointPassword>${admin.password}</DCREndPointPassword>
    </WorkflowConfigurations>

    <SwaggerCodegen>
        <ClientGeneration>
            <GroupId>org.wso2</GroupId>
            <ArtifactId>org.wso2.client.</ArtifactId>
            <ModelPackage>org.wso2.client.model.</ModelPackage>
            <ApiPackage>org.wso2.client.api.</ApiPackage>
            <!-- Configure supported languages/Frameworks as comma separated values,
             Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
             nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
            <SupportedLanguages>java,android</SupportedLanguages>
        </ClientGeneration>
    </SwaggerCodegen>

</APIManager>

Do you need my IS one, too?

Regards,

Thomas

2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[hidden email]>:
It would be better if you could share the api-manager.xml configuration file, to see if there are any errors in the configs.




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool, here.

But, when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So, I activated the DEBUG mode and then, I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do since I tried some fancy URLs for the ServerURL value in the elements AuthManager and APIKeyValidator.
My IS has an offset of 5 so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev




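The posted api-manager.xml mixes key-manager endpoints (AuthManager and APIKeyValidator ServerURL, both pointed at the IS on its offset port) with a CORS block whose own comment warns against combining a wildcard origin with Access-Control-Allow-Credentials. The checker below is an added example written for this thread; it is not WSO2 code and was not posted by any participant. It assumes the stock management HTTPS port is 9443 before the port offset is applied and treats ${...} values as unresolved Carbon placeholders; the two sample documents are constructed to mirror the relevant parts of the posted file.

```python
"""Audit the key-manager and CORS settings of a WSO2 api-manager.xml.

Added example, not code from the thread or from WSO2. It reads the element
names that appear in the posted file (AuthManager/ServerURL,
APIKeyValidator/ServerURL, CORSConfiguration/*, the *Password elements).
Assumptions: the management HTTPS port is 9443 before any port offset is
applied, and ${...} values are unresolved Carbon placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_MGT_HTTPS_PORT = 9443                # assumption: stock Carbon management port
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")   # e.g. ${admin.password}

# Constructed sample mirroring the key-manager and CORS parts of the posted file.
SAMPLE_XML = """<APIManager>
  <AuthManager>
    <ServerURL>https://localhost:9448/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
  </AuthManager>
  <CORSConfiguration>
    <Enabled>true</Enabled>
    <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
    <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
  </CORSConfiguration>
  <APIKeyValidator>
    <ServerURL>https://localhost:9448/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
  </APIKeyValidator>
</APIManager>
"""

# Constructed weakened variant: plain HTTP to the key manager, credentials with a
# wildcard origin, and a literal admin password in AuthManager.
WEAK_XML = (SAMPLE_XML
            .replace("https://localhost:9448", "http://localhost:9448", 1)
            .replace("<Access-Control-Allow-Credentials>false", "<Access-Control-Allow-Credentials>true")
            .replace("<Password>${admin.password}</Password>", "<Password>admin</Password>", 1))


def _port_of(url: str) -> Optional[int]:
    """Numeric port of a URL, or None when absent or still a ${...} placeholder."""
    try:
        return urlsplit(url).port
    except ValueError:
        return None


def _path(node: ET.Element, parents: Dict[ET.Element, ET.Element], root: ET.Element) -> str:
    parts = []
    while node is not root:
        parts.append(node.tag)
        node = parents[node]
    return "/".join(reversed(parts))


def audit_api_manager(xml_text: str, expected_offset: Optional[int] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings: List[str] = []

    # 1. Both the Publisher/Store login path (AuthManager) and the Gateway's key
    #    validation path (APIKeyValidator) send admin credentials to the key
    #    manager, so each must use TLS, and they should agree on the host.
    hosts: Dict[str, str] = {}
    for section in ("AuthManager", "APIKeyValidator"):
        url = (root.findtext(f"{section}/ServerURL") or "").strip()
        if not url:
            findings.append(f"{section}/ServerURL is missing")
            continue
        parts = urlsplit(url)
        hosts[section] = parts.netloc
        if parts.scheme != "https":
            findings.append(f"{section}/ServerURL uses {parts.scheme}: admin credentials would travel in clear")
        port = _port_of(url)
        if expected_offset is not None and port is not None:
            want = DEFAULT_MGT_HTTPS_PORT + expected_offset
            if port != want:
                findings.append(f"{section}/ServerURL port {port} does not match "
                                f"{DEFAULT_MGT_HTTPS_PORT}+{expected_offset}={want}")
    if len(hosts) == 2 and hosts["AuthManager"] != hosts["APIKeyValidator"]:
        findings.append("AuthManager and APIKeyValidator point at different key managers")

    # 2. CORS: wildcard origin plus credentials is what the file's own comment warns against.
    cors = root.find("CORSConfiguration")
    if cors is not None and (cors.findtext("Enabled") or "").strip().lower() == "true":
        origins = [o.strip() for o in (cors.findtext("Access-Control-Allow-Origin") or "").split(",")]
        creds = (cors.findtext("Access-Control-Allow-Credentials") or "").strip().lower()
        if creds == "true" and "*" in origins:
            findings.append("CORS: Access-Control-Allow-Credentials=true with wildcard Access-Control-Allow-Origin")

    # 3. Literal secrets: every *Password element should stay a ${...} placeholder.
    for node in root.iter():
        value = (node.text or "").strip()
        if node.tag.endswith("Password") and value and not PLACEHOLDER.match(value):
            findings.append(f"{_path(node, parents, root)} holds a literal password")
    return findings


if __name__ == "__main__":
    for finding in audit_api_manager(WEAK_XML, expected_offset=5):
        print("-", finding)
```

Run against the posted values with expected_offset=5 (the IS offset Thomas mentions, 9443+5=9448) the audit is clean; run with the wrong offset it flags both ServerURL ports, which is a quick way to check the "fancy URLs" question without touching the server.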
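The DEBUG trace quoted above carries a "Caused by" chain that ends in an AxisFault raised while the gateway calls the key-validation backend, which is more specific than the outer "Resource forbidden" message the client sees. The parser below is an added example, not from the thread or from WSO2, for pulling the error code and that chain out of gateway log output. SAMPLE_LOG is constructed from the lines Thomas posted; the only format assumption is the Carbon log4j layout those lines show (bracketed timestamp, level, logger, message, then a Java stack trace).

```python
"""Extract the API error code and the exception chain from WSO2 gateway log output.

Added example, not from the thread or from WSO2. SAMPLE_LOG is constructed from
the WARN/DEBUG lines posted in the thread.
"""
import re
from typing import Dict, List, Optional

LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\s+-\s+(?P<logger>\S+)\s+(?P<msg>.*)$")
FRAME = re.compile(r"^\s+at\s+(?P<frame>\S+)")
ELIDED = re.compile(r"^\s+\.\.\.\s+(?P<n>\d+)\s+more")
ERROR_CODE = re.compile(r"\berror\s+(?P<code>\d{6})\b")

# Constructed sample: the WARN/DEBUG lines and stack trace as posted in the thread.
SAMPLE_LOG = """
[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
"""


def _exception_entry(text: str) -> Dict:
    """Split 'fully.qualified.Class: message' into an entry with an empty frame list."""
    cls, sep, msg = text.partition(": ")
    return {"cls": cls, "message": msg if sep else "", "frames": [], "elided": 0}


def parse_gateway_log(log_text: str) -> Dict:
    """Return {'error_code', 'events', 'chain'}; 'chain' lists the outermost exception first."""
    result: Dict = {"error_code": None, "events": [], "chain": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m:
            result["events"].append(m.groupdict())
            code = ERROR_CODE.search(m.group("msg"))
            if code and result["error_code"] is None:
                result["error_code"] = code.group("code")
            continue
        f = FRAME.match(line)
        if f and result["chain"]:
            result["chain"][-1]["frames"].append(f.group("frame"))
            continue
        e = ELIDED.match(line)
        if e and result["chain"]:
            result["chain"][-1]["elided"] = int(e.group("n"))
            continue
        if line.startswith("Caused by: "):
            result["chain"].append(_exception_entry(line[len("Caused by: "):]))
        elif not line[0].isspace():
            # first line of a stack trace: exception class and message
            result["chain"].append(_exception_entry(line))
    return result


def root_cause(parsed: Dict) -> Optional[Dict]:
    """The innermost 'Caused by' entry, i.e. what actually went wrong."""
    return parsed["chain"][-1] if parsed["chain"] else None


def failing_frame(parsed: Dict) -> Optional[str]:
    """Top frame of the outermost exception: the gateway component that raised it."""
    chain: List[Dict] = parsed["chain"]
    return chain[0]["frames"][0] if chain and chain[0]["frames"] else None


if __name__ == "__main__":
    parsed = parse_gateway_log(SAMPLE_LOG)
    print("error code:", parsed["error_code"])
    print("raised in :", failing_frame(parsed))
    print("root cause:", root_cause(parsed)["message"])
```

On the posted trace the outer entry is APISecurityException "Resource forbidden" raised in WSAPIKeyDataStore (the WSClient path selected by KeyValidatorClientType), and the root cause is the AxisFault from the key-validation call itself; reading the chain this way separates a transport or deserialization failure on the key-manager link from the subscription and scope checks that also produce code 900900.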

Re: Weird exception accessing to a API Manager protected resource

Rajith Roshan
Hi Thomas,

You need to subscribe to that particular API from the application for which you have generated the access token. If there is no valid subscription, this error can happen.
Also, if you have assigned specific scopes to the API resource, then the access token should also have those scopes when it was generated.
This resource forbidden issue can occur due to the above-mentioned errors.

Thanks!
Rajith

On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello !

Sure. Here is my api-manager.xml AM configuration file:

<APIManager>
    <!-- JNDI name of the data source to be used by the API publisher, API store and API
         key manager. This data source should be defined in the master-datasources.xml file
         in conf/datasources directory. -->
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>

    <!-- This parameter is used when adding api management capability to other products like GReg, AS, DSS etc.-->
    <!--GatewayType>Synapse</GatewayType-->
    <GatewayType>None</GatewayType>

    <!-- This parameter is used to enable the securevault support when try to publish endpoint secured APIs. Values should be "true" or "false".
    By default secure vault is disabled.-->
    <EnableSecureVault>false</EnableSecureVault>

    <!-- Authentication manager configuration for API publisher and API store. This is
         a required configuration for both web applications as their user authentication
         logic relies on this. -->
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
           via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>

    <JWTConfiguration>
        <!-- Enable/Disable JWT generation. Default is false. -->
        <!-- EnableJWTGeneration>false</EnableJWTGeneration-->

        <!-- Name of the security context header to be added to the validated requests. -->
        <JWTHeader>X-JWT-Assertion</JWTHeader>

        <!-- Fully qualified name of the class that will retrieve additional user claims
             to be appended to the JWT. If not specified no claims will be appended.If user wants to add all user claims in the
             jwt token, he needs to enable this parameter.
             The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
        <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->

        <!-- The dialectURI under which the claimURIs that need to be appended to the
             JWT are defined. Not used with custom ClaimsRetriever implementations. The
             same value is used in the keys for appending the default properties to the
             JWT. -->
        <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->

        <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
        <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->

        <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
    default implementation provided. -->
        <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>

        <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
             Token generation the implementation is provided in URLSafeJWTGenerator -->
        <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->

        <!-- Remove UserName from JWT Token -->
        <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
    </JWTConfiguration>

    <!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
    <!--LoginConfig>
            <UserIdLogin  primary="true">
        <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin  primary="false">
            <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
    </LoginConfig-->

    <!-- Credentials for the API gateway admin server. This configuration
         is mainly used by the API publisher and store to connect to the API gateway and
         create/update published API configurations. -->
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
                 An API deployed on a 'production' type gateway will only support production keys
                 An API deployed on a 'sandbox' type gateway will only support sandbox keys
                 An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
            <!-- api-console element specifies whether the environment should be listed in API Console or not -->
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
                <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>

    <CacheConfigurations>
        <!-- Enable/Disable token caching at the Gateway-->
        <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
        <!-- Enable/Disable API resource caching at the Gateway-->
        <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
        <!-- Enable/Disable API key validation information caching at key-management server -->
        <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
        <!-- This parameter specifies whether Recently Added APIs will be loaded from the cache or not.
             If there are multiple API modification during a short time period, better to disable cache. -->
        <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
        <!-- JWT claims Cache expiry in seconds -->
        <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
        <!-- Expiry time for the apim key mgt validation info cache -->
        <!--TokenCacheExpiry>900</TokenCacheExpiry-->
        <!-- This parameter specifies the expiration time of the TagCache. TagCache will
             only be created when this element is uncommented. When the specified
             time duration gets elapsed ,tag cache will get re-generated. -->
        <!--TagCacheDuration>120000</TagCacheDuration-->
    </CacheConfigurations>

    <!--
        API usage tracker configuration used by the DAS data publisher and
        Google Analytics publisher in API gateway.
    -->
    <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>false</Enabled>

        <!-- Server URL of the remote DAS/CEP server used to collect statistics. Must
             be specified in protocol://hostname:port/ format.

             An event can also be published to multiple Receiver Groups each having 1 or more receivers. Receiver
             Groups are delimited by curly braces whereas receivers are delimited by commas.
             Ex - Multiple Receivers within a single group
             tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/

             Ex - Multiple Receiver Groups with two receivers each
             {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        <!-- For APIM implemented Statistic client for RDBMS -->
        <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        <!-- DAS REST API configuration -->
        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        <!-- Below property is used to skip trying to connect to event receiver nodes when publishing events even if
            the stats enabled flag is set to true. -->
        <SkipEventReceiverConnection>false</SkipEventReceiverConnection>

        <!-- API Usage Data Publisher. -->
        <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>

        <!-- If below property set to true,then the response message size will be calculated and publish
             with each successful API invocation event. -->
        <PublishResponseMessageSize>false</PublishResponseMessageSize>
        <!-- Data publishing stream names and versions of API requests, responses and faults. If the default values
            are changed, the toolbox also needs to be changed accordingly. -->
        <Streams>
            <Request>
                <Name>org.wso2.apimgt.statistics.request</Name>
                <Version>1.1.0</Version>
            </Request>
            <Response>
                <Name>org.wso2.apimgt.statistics.response</Name>
                <Version>1.1.0</Version>
            </Response>
            <Fault>
                <Name>org.wso2.apimgt.statistics.fault</Name>
                <Version>1.0.0</Version>
            </Fault>
            <Throttle>
                <Name>org.wso2.apimgt.statistics.throttle</Name>
                <Version>1.0.0</Version>
            </Throttle>
            <Workflow>
                <Name>org.wso2.apimgt.statistics.workflow</Name>
                <Version>1.0.0</Version>
            </Workflow>
            <ExecutionTime>
                <Name>org.wso2.apimgt.statistics.execution.time</Name>
                <Version>1.0.0</Version>
            </ExecutionTime>
            <AlertTypes>
                <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
                <Version>1.0.0</Version>
            </AlertTypes>
        </Streams>

    </Analytics>

    <!--
        API key validator configuration used by API key manager (IS), API store and API gateway.
        API gateway uses it to validate and authenticate users against the provided API keys.
    -->
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>

        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
        <!--Username>admin</Username>
        <Password>admin</Password-->

        <!-- Configurations related to enable thrift support for key-management related communication.
             If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
             In a distributed environment;
             -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
             -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
             -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
        -The Gateway uses this parameter to connect to the key validation thrift service. -->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->

        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->

        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a 
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>

    <!-- Uncomment this section only if you are going to have an instance other than KeyValidator as your KeyManager.
         Unless a ThirdParty KeyManager is used, you don't need to configure this section. -->
    <!--APIKeyManager>
        <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
        <Configuration>
            <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
            <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
        </Configuration>
    </APIKeyManager-->

    <OAuthConfigurations>
        <!-- Remove OAuth headers from outgoing message. -->
        <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
        <!-- Scope used for marking Application Tokens. If a token is generated with this scope, they will be treated as Application Access Tokens -->
        <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
        <!-- Scopes listed under the ScopeWhitelist element are not validated against the roles assigned to them.
             By default the ^device_.* and openid scopes are white-listed internally. -->
        <!--ScopeWhitelist>
            <Scope>^device_.*</Scope>
            <Scope>openid</Scope>
        </ScopeWhitelist-->
        <!-- Name of the token API -->
        <TokenEndPointName>/oauth2/token</TokenEndPointName>
        <!-- This the API URL for revoke API. When we revoke tokens revoke requests should go through this
             API deployed in API gateway. Then it will do cache invalidations related to revoked tokens.
             In distributed deployment we should configure this property in key manager node by pointing
             gateway https( /http, we recommend users to use 'https' endpoints for security purpose) url.
             Also please note that we should point gateway revoke service to key manager -->
        <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
        <!-- Whether to encrypt tokens when storing in the Database
        Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
        org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>

    <!-- Settings related to managing API access tiers. -->
    <TierManagement>
        <!-- Enable the providers to expose their APIs over the special 'Unlimited' tier which
             basically disables tier based throttling for the specified APIs. -->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property is used to indicate how we do user name comparison for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/store</URL>

        <!-- Server URL of the API Store. -->
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>

        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of same
             API or only showing the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which are having DEPRECATED/PUBLISHED status] or only display the APIs
             with having their status is as 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs per page in the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->

        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>

        <!-- This parameter specifies whether to display the ratings  or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>

        <!--set isStoreForumEnabled to false for disable forum in store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>

    <APIPublisher>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
        <!-- This parameter specifies enabling the capability of setting API documentation level granular visibility levels.
             By default any document associate with an API will have the same permissions set as the API.With enabling below
             property,it will show two additional permission levels as visible only to all registered users in a particular
             domain or only visible to API doc creator -->
        <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
        <!-- Uncomment this to limit the number of APIs per page in the API Publisher -->
        <!--APIsPerPage>30</APIsPerPage-->
    </APIPublisher>

    <!-- Status observers can be registered against the API Publisher to listen for
         API status update events. Each observer must implement the APIStatusObserver
         interface. Multiple observers can be engaged if necessary and in such situations
         they will be notified in the order they are defined here. 
         This configuration is unused from API Manager version 1.10.0 -->
    <!--StatusObservers>
        <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
    </StatusObservers-->

    <!-- Use this configuration Create APIs at the Server startup -->
    <StartupAPIPublisher>
        <!-- Enable/Disable the API Startup Publisher -->
        <Enabled>false</Enabled>

        <!-- Configuration to create APIs for local endpoints.
             Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
             Define many LocalAPI elements as below to create many APIs
             for local Endpoints.
             IconPath should be relative to CARBON_HOME. -->
        <LocalAPIs>
            <LocalAPI>
                <Context>/resource</Context>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </LocalAPI>
        </LocalAPIs>

        <!-- Configuration to create APIs for remote endpoints.
             When Endpoint need to be defined use this configuration.
             Define many API elements as below to create many APIs
             for external Endpoints.
             If you do not need to add Icon or Documentation set
             'none' as the value for IconPath & DocumentURL. -->
        <!--APIs>
            <API>
                <Context>/resource</Context>
                <Endpoint>http://localhost:9764/resource</Endpoint>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </API>
        </APIs-->
    </StartupAPIPublisher>

    <!-- Configuration to enable/disable sending CORS headers in the Gateway response
         and define the Access-Control-Allow-Origin header value.-->
    <CORSConfiguration>
        <!-- Configuration to enable/disable sending CORS headers from the Gateway-->
        <Enabled>true</Enabled>

        <!-- The value of the Access-Control-Allow-Origin header. Default values are
             API Store addresses, which is needed for swagger to function. -->
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

        <!-- Configure Access-Control-Allow-Methods -->
        <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

        <!-- Configure Access-Control-Allow-Headers -->
        <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>

        <!-- Configure Access-Control-Allow-Credentials -->
        <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
             It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*) -->
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
    
    <!-- This property is there to configure velocity log output into existing Log4j carbon Logger.
         You can enable this and set preferable Logger name. -->
    <!-- VelocityLogger>VELOCITY</VelocityLogger -->

    <RESTAPI>
        <!--Configure white-listed URIs of REST API. Accessing white-listed URIs does not require credentials (does not require Authorization header). -->
        <WhiteListedURIs>
            <WhiteListedURI>
                <URI>/api/am/publisher/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/admin/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
        </WhiteListedURIs>
        <ETagSkipList>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/generate-sdk</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications/generate-keys</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/subscriptions</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/environments</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
        </ETagSkipList>
    </RESTAPI>
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>true</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
            </JMSConnectionParameters>
            <JMSTaskManager>
                <MinThreadPoolSize>20</MinThreadPoolSize>
                <MaxThreadPoolSize>100</MaxThreadPoolSize>
                <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
                <JobQueueSize>10</JobQueueSize>
            </JMSTaskManager>
        </JMSConnectionDetails>
        <JMSEventPublisherParameters>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <transport.jms.Destination>throttleData</transport.jms.Destination>
                <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
        </JMSEventPublisherParameters>
        <!--DefaultLimits>
            <SubscriptionTierLimits>
                <Gold>5000</Gold>
                <Silver>2000</Silver>
                <Bronze>1000</Bronze>
                <Unauthenticated>60</Unauthenticated>
            </SubscriptionTierLimits>
            <ApplicationTierLimits>
                <50PerMin>50</50PerMin>
                <20PerMin>20</20PerMin>
                <10PerMin>10</10PerMin>
            </ApplicationTierLimits>
            <ResourceLevelTierLimits>
                <50KPerMin>50000</50KPerMin>
                <20KPerMin>20000</20KPerMin>
                <10KPerMin>10000</10KPerMin>
            </ResourceLevelTierLimits>
        </DefaultLimits-->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
        <EnableHeaderConditions>false</EnableHeaderConditions>
        <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
        <EnableQueryParamConditions>false</EnableQueryParamConditions>
    </ThrottlingConfigurations>
    
    <WorkflowConfigurations>
        <Enabled>false</Enabled>
        <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
        <ServerUser>${admin.username}</ServerUser>
        <ServerPassword>${admin.password}</ServerPassword>
        <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
        <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
        <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
        <DCREndPointUser>${admin.username}</DCREndPointUser>
        <DCREndPointPassword>${admin.password}</DCREndPointPassword>
    </WorkflowConfigurations>

    <SwaggerCodegen>
        <ClientGeneration>
            <GroupId>org.wso2</GroupId>
            <ArtifactId>org.wso2.client.</ArtifactId>
            <ModelPackage>org.wso2.client.model.</ModelPackage>
            <ApiPackage>org.wso2.client.api.</ApiPackage>
            <!-- Configure supported languages/Frameworks as comma separated values,
             Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
             nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
            <SupportedLanguages>java,android</SupportedLanguages>
        </ClientGeneration>
    </SwaggerCodegen>

</APIManager>

Do you need my IS one, too?

Regards,

Thomas

2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[hidden email]>:
It would be better if you could share the api-manager.xml configuration file so we can see if there are any errors in the configs.




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool, here.

But, when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So, I activated the DEBUG mode and then I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do, since I tried some fancy URLs for the ServerURL value in the AuthManager and APIKeyValidator elements.
My IS has an offset of 5, so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev




--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214

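The two things the thread keeps circling are the key-manager URL (the IS runs with a port offset, so 9443 becomes 9448) and what the gateway does when that backend is unreachable: it fails closed with 900900 and "Resource forbidden". Below is an added example, not something from the thread or from WSO2, of an offline checker for the api-manager.xml sections that matter here. It assumes that a Carbon server's management HTTPS port is 9443 plus its -DportOffset, that the ${...} placeholders resolve to the stock defaults listed in DEFAULT_PROPS, and it runs against a constructed, trimmed subset of the configuration Thomas posted (SAMPLE_CONFIG). The function and constant names are the example's own.

```python
"""Offline lint for the key-manager, token-storage and CORS settings of api-manager.xml.
Added example, not WSO2 tooling; see the assumptions in the lead-in."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Stand-ins for the system properties Carbon resolves at startup (assumed defaults).
DEFAULT_PROPS = {
    "mgt.transport.https.port": "9443",
    "https.nio.port": "8243",
    "carbon.context": "/",
    "carbon.local.ip": "127.0.0.1",
    "admin.username": "admin",
    "admin.password": "admin",
}
CARBON_HTTPS_BASE_PORT = 9443  # assumption: management HTTPS port before the -DportOffset is applied


def resolve(value, props):
    """Substitute ${name} placeholders; names that are not known stay untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")


def check_key_manager_urls(root, props, key_manager_offset):
    """AuthManager and APIKeyValidator must reach the IS over TLS on its offset port."""
    expected_port = CARBON_HTTPS_BASE_PORT + key_manager_offset
    findings = []
    for section in ("AuthManager", "APIKeyValidator"):
        url = resolve(root.findtext(f"{section}/ServerURL"), props)
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{section}: ServerURL is not https ({url})")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if port != expected_port:
            findings.append(f"{section}: points at port {port}, but a key manager with offset "
                            f"{key_manager_offset} listens on {expected_port}")
        if not parts.path.endswith("/services/"):
            findings.append(f"{section}: ServerURL should end in /services/ ({url})")
    return findings


def check_token_storage(root):
    """Tokens persisted in clear text are exposed by any read access to the AM database."""
    flag = (root.findtext("OAuthConfigurations/EncryptPersistedTokens") or "false").strip()
    if flag != "true":
        return ["OAuthConfigurations: EncryptPersistedTokens is false, access tokens are stored in clear text"]
    return []


def check_cors(root):
    """A wildcard origin is tolerable for a demo gateway, never together with credentials."""
    cors = root.find("CORSConfiguration")
    if cors is None or (cors.findtext("Enabled") or "").strip() != "true":
        return []
    origin = (cors.findtext("Access-Control-Allow-Origin") or "").strip()
    creds = (cors.findtext("Access-Control-Allow-Credentials") or "false").strip() == "true"
    if origin == "*" and creds:
        return ["CORS: Access-Control-Allow-Origin * combined with Access-Control-Allow-Credentials true"]
    if origin == "*":
        return ["CORS: Access-Control-Allow-Origin * on the gateway; restrict it to the Store/Publisher origins"]
    return []


def check_literal_passwords(root):
    """A password typed into the file instead of a ${...} placeholder or secure-vault alias."""
    return [f"{el.tag}: literal password in config, use a placeholder or secure vault"
            for el in root.iter()
            if el.tag.lower().endswith("password")
            and (el.text or "").strip() and not (el.text or "").strip().startswith("${")]


def lint(xml_text, key_manager_offset=0, props=None):
    """Return all findings for one api-manager.xml document (comments are ignored by the parser)."""
    root = ET.fromstring(xml_text)
    props = {**DEFAULT_PROPS, **(props or {})}
    return (check_key_manager_urls(root, props, key_manager_offset)
            + check_token_storage(root) + check_cors(root) + check_literal_passwords(root))


# Constructed sample: a trimmed subset of the configuration posted in this thread.
SAMPLE_CONFIG = """<APIManager>
  <AuthManager>
    <ServerURL>https://localhost:9448/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
  </AuthManager>
  <APIKeyValidator>
    <ServerURL>https://localhost:9448/services/</ServerURL>
    <Username>${admin.username}</Username>
    <Password>${admin.password}</Password>
    <KeyValidatorClientType>WSClient</KeyValidatorClientType>
  </APIKeyValidator>
  <OAuthConfigurations>
    <EncryptPersistedTokens>false</EncryptPersistedTokens>
  </OAuthConfigurations>
  <CORSConfiguration>
    <Enabled>true</Enabled>
    <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
    <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
  </CORSConfiguration>
</APIManager>
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, key_manager_offset=5):  # IS started with -DportOffset=5
        print(finding)
```

Run against the real file with lint(open("repository/conf/api-manager.xml").read(), key_manager_offset=5). With the offset matching the IS, the port check stays quiet and only the clear-text token storage and the wildcard CORS origin are reported; with the offset left at 0 both ServerURL elements are flagged, which is the mismatch that produces the 900900 rejection on every call.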

Re: Weird exception accessing to a API Manager protected resource

Farasath Ahamed




On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <[hidden email]> wrote:
Hi Thomas,

You need to subscribe to that particular API from the application for which you generated the access token. If there is no valid subscription, then this error can happen.
Also, if you have assigned specific scopes to the API resource, then the access token should also have those scopes when it was generated.
This resource forbidden issue can occur due to the above-mentioned errors.

In those cases, shouldn't the error codes be different, according to [1]?

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

Error code 900900, according to [1], means:
Backend service for key validation is not accessible when trying to invoke an API

Thanks!
Rajith

On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello!

Sure. Here is my api-manager.xml AM configuration file:

<APIManager>
    <!-- JNDI name of the data source to be used by the API publisher, API store and API
         key manager. This data source should be defined in the master-datasources.xml file
         in conf/datasources directory. -->
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>

    <!-- This parameter is used when adding api management capability to other products like GReg, AS, DSS etc.-->
    <!--GatewayType>Synapse</GatewayType-->
    <GatewayType>None</GatewayType>

    <!-- This parameter is used to enable the securevault support when try to publish endpoint secured APIs. Values should be "true" or "false".
    By default secure vault is disabled.-->
    <EnableSecureVault>false</EnableSecureVault>

    <!-- Authentication manager configuration for API publisher and API store. This is
         a required configuration for both web applications as their user authentication
         logic relies on this. -->
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
           via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>

    <JWTConfiguration>
        <!-- Enable/Disable JWT generation. Default is false. -->
        <!-- EnableJWTGeneration>false</EnableJWTGeneration-->

        <!-- Name of the security context header to be added to the validated requests. -->
        <JWTHeader>X-JWT-Assertion</JWTHeader>

        <!-- Fully qualified name of the class that will retrieve additional user claims
             to be appended to the JWT. If not specified no claims will be appended.If user wants to add all user claims in the
             jwt token, he needs to enable this parameter.
             The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
        <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->

        <!-- The dialectURI under which the claimURIs that need to be appended to the
             JWT are defined. Not used with custom ClaimsRetriever implementations. The
             same value is used in the keys for appending the default properties to the
             JWT. -->
        <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->

        <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
        <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->

        <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
    default implementation provided. -->
        <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>

        <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
             Token generation the implementation is provided in URLSafeJWTGenerator -->
        <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->

        <!-- Remove UserName from JWT Token -->
        <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
    </JWTConfiguration>

    <!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
    <!--LoginConfig>
            <UserIdLogin  primary="true">
        <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin  primary="false">
            <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
    </LoginConfig-->

    <!-- Credentials for the API gateway admin server. This configuration
         is mainly used by the API publisher and store to connect to the API gateway and
         create/update published API configurations. -->
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
                 An API deployed on a 'production' type gateway will only support production keys
                 An API deployed on a 'sandbox' type gateway will only support sandbox keys
                 An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
            <!-- api-console element specifies whether the environment should be listed in API Console or not -->
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
       <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>

    <CacheConfigurations>
   <!-- Enable/Disable token caching at the Gateway-->
        <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
   <!-- Enable/Disable API resource caching at the Gateway-->
        <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
        <!-- Enable/Disable API key validation information caching at key-management server -->
        <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
        <!-- This parameter specifies whether Recently Added APIs will be loaded from the cache or not.
             If there are multiple API modification during a short time period, better to disable cache. -->
        <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
   <!-- JWT claims Cache expiry in seconds -->
        <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
        <!-- Expiry time for the apim key mgt validation info cache -->
        <!--TokenCacheExpiry>900</TokenCacheExpiry-->
        <!-- This parameter specifies the expiration time of the TagCache. TagCache will
             only be created when this element is uncommented. When the specified
             time duration gets elapsed ,tag cache will get re-generated. -->
        <!--TagCacheDuration>120000</TagCacheDuration-->
    </CacheConfigurations>

    <!--
        API usage tracker configuration used by the DAS data publisher and
        Google Analytics publisher in API gateway.
    -->
    <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>false</Enabled>

        <!-- Server URL of the remote DAS/CEP server used to collect statistics. Must
             be specified in protocol://hostname:port/ format.

             An event can also be published to multiple Receiver Groups each having 1 or more receivers. Receiver
             Groups are delimited by curly braces whereas receivers are delimited by commas.
             Ex - Multiple Receivers within a single group
             tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/

             Ex - Multiple Receiver Groups with two receivers each
             {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        <!-- For APIM implemented Statistic client for RDBMS -->
        <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        <!-- DAS REST API configuration -->
        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        <!-- Below property is used to skip trying to connect to event receiver nodes when publishing events even if
            the stats enabled flag is set to true. -->
        <SkipEventReceiverConnection>false</SkipEventReceiverConnection>

        <!-- API Usage Data Publisher. -->
        <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>

        <!-- If below property set to true,then the response message size will be calculated and publish
             with each successful API invocation event. -->
        <PublishResponseMessageSize>false</PublishResponseMessageSize>
        <!-- Data publishing stream names and versions of API requests, responses and faults. If the default values
            are changed, the toolbox also needs to be changed accordingly. -->
        <Streams>
            <Request>
                <Name>org.wso2.apimgt.statistics.request</Name>
                <Version>1.1.0</Version>
            </Request>
            <Response>
                <Name>org.wso2.apimgt.statistics.response</Name>
                <Version>1.1.0</Version>
            </Response>
            <Fault>
                <Name>org.wso2.apimgt.statistics.fault</Name>
                <Version>1.0.0</Version>
            </Fault>
            <Throttle>
                <Name>org.wso2.apimgt.statistics.throttle</Name>
                <Version>1.0.0</Version>
            </Throttle>
            <Workflow>
                <Name>org.wso2.apimgt.statistics.workflow</Name>
                <Version>1.0.0</Version>
            </Workflow>
            <ExecutionTime>
                <Name>org.wso2.apimgt.statistics.execution.time</Name>
                <Version>1.0.0</Version>
            </ExecutionTime>
   <AlertTypes>
                <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
                <Version>1.0.0</Version>
            </AlertTypes>
        </Streams>

    </Analytics>

    <!--
        API key validator configuration used by API key manager (IS), API store and API gateway.
        API gateway uses it to validate and authenticate users against the provided API keys.
    -->
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
<ServerURL>https://localhost:9448/services/</ServerURL>

        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
<!--Username>admin</Username>
<Password>admin</Password-->

        <!-- Configurations related to enable thrift support for key-management related communication.
             If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
             In a distributed environment;
             -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
             -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
             -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
        -The Gateway uses this parameter to connect to the key validation thrift service. -->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->

        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->

        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a 
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>

    <!-- Uncomment this section only if you are going to have an instance other than KeyValidator as your KeyManager.
         Unless a ThirdParty KeyManager is used, you don't need to configure this section. -->
    <!--APIKeyManager>
        <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
        <Configuration>
            <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
            <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
        </Configuration>
    </APIKeyManager-->

    <OAuthConfigurations>
        <!-- Remove OAuth headers from outgoing message. -->
        <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
        <!-- Scope used for marking Application Tokens. If a token is generated with this scope, they will be treated as Application Access Tokens -->
        <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
        <!-- All  scopes under the ScopeWhitelist element are not validating against roles that has assigned to it.
             By default ^device_.* and openid scopes have been white listed internally. -->
        <!--ScopeWhitelist>
            <Scope>^device_.*</Scope>
            <Scope>openid</Scope>
        </ScopeWhitelist-->
        <!-- Name of the token API -->
        <TokenEndPointName>/oauth2/token</TokenEndPointName>
        <!-- This the API URL for revoke API. When we revoke tokens revoke requests should go through this
             API deployed in API gateway. Then it will do cache invalidations related to revoked tokens.
             In distributed deployment we should configure this property in key manager node by pointing
             gateway https( /http, we recommend users to use 'https' endpoints for security purpose) url.
             Also please note that we should point gateway revoke service to key manager -->
        <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
        <!-- Whether to encrypt tokens when storing in the Database
        Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
        org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>

    <!-- Settings related to managing API access tiers. -->
    <TierManagement>
        <!-- Enable the providers to expose their APIs over the special 'Unlimited' tier which
             basically disables tier based throttling for the specified APIs. -->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property is used to indicate how we do user name comparision for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/store</URL>

        <!-- Server URL of the API Store. -->
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>

        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of same
             API or only showing the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which are having DEPRECATED/PUBLISHED status] or only display the APIs
             with having their status is as 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs in api the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->

        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>

        <!-- This parameter specifies whether to display the ratings  or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>

        <!--set isStoreForumEnabled to false for disable forum in store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>

    <APIPublisher>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
        <!-- This parameter specifies enabling the capability of setting API documentation level granular visibility levels.
             By default any document associate with an API will have the same permissions set as the API.With enabling below
             property,it will show two additional permission levels as visible only to all registered users in a particular
             domain or only visible to API doc creator -->
        <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
        <!-- Uncomment this to limit the number of APIs in api the API Publisher -->
        <!--APIsPerPage>30</APIsPerPage-->
    </APIPublisher>

    <!-- Status observers can be registered against the API Publisher to listen for
         API status update events. Each observer must implement the APIStatusObserver
         interface. Multiple observers can be engaged if necessary and in such situations
         they will be notified in the order they are defined here. 
         This configuration is unused from API Manager version 1.10.0 -->
    <!--StatusObservers>
        <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
    </StatusObservers-->

    <!-- Use this configuration Create APIs at the Server startup -->
    <StartupAPIPublisher>
        <!-- Enable/Disable the API Startup Publisher -->
        <Enabled>false</Enabled>

        <!-- Configuration to create APIs for local endpoints.
             Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
             Define many LocalAPI elements as below to create many APIs
             for local Endpoints.
             IconPath should be relative to CARBON_HOME. -->
        <LocalAPIs>
            <LocalAPI>
                <Context>/resource</Context>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </LocalAPI>
        </LocalAPIs>

        <!-- Configuration to create APIs for remote endpoints.
             When Endpoint need to be defined use this configuration.
             Define many API elements as below to create many APIs
             for external Endpoints.
             If you do not need to add Icon or Documentation set
             'none' as the value for IconPath & DocumentURL. -->
        <!--APIs>
            <API>
                <Context>/resource</Context>
                <Endpoint>http://localhost:9764/resource</Endpoint>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </API>
        </APIs-->
    </StartupAPIPublisher>

    <!-- Configuration to enable/disable sending CORS headers in the Gateway response
         and define the Access-Control-Allow-Origin header value.-->
    <CORSConfiguration>
        <!-- Configuration to enable/disable sending CORS headers from the Gateway-->
        <Enabled>true</Enabled>

        <!-- The value of the Access-Control-Allow-Origin header. Default values are
             API Store addresses, which is needed for swagger to function. -->
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

        <!-- Configure Access-Control-Allow-Methods -->
        <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

        <!-- Configure Access-Control-Allow-Headers -->
        <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>

        <!-- Configure Access-Control-Allow-Credentials -->
        <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
             It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*) -->
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
    
    <!-- This property is there to configure velocity log output into existing Log4j carbon Logger.
         You can enable this and set preferable Logger name. -->
    <!-- VelocityLogger>VELOCITY</VelocityLogger -->

    <RESTAPI>
        <!--Configure white-listed URIs of REST API. Accessing white-listed URIs does not require credentials (does not require Authorization header). -->
        <WhiteListedURIs>
            <WhiteListedURI>
                <URI>/api/am/publisher/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/admin/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
        </WhiteListedURIs>
        <ETagSkipList>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/generate-sdk</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications/generate-keys</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/subscriptions</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/environments</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
        </ETagSkipList>
    </RESTAPI>
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>true</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
            </JMSConnectionParameters>
            <JMSTaskManager>
                <MinThreadPoolSize>20</MinThreadPoolSize>
                <MaxThreadPoolSize>100</MaxThreadPoolSize>
                <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
                <JobQueueSize>10</JobQueueSize>
            </JMSTaskManager>
        </JMSConnectionDetails>
        <JMSEventPublisherParameters>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <transport.jms.Destination>throttleData</transport.jms.Destination>
                <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
        </JMSEventPublisherParameters>
        <!--DefaultLimits>
            <SubscriptionTierLimits>
                <Gold>5000</Gold>
                <Silver>2000</Silver>
                <Bronze>1000</Bronze>
                <Unauthenticated>60</Unauthenticated>
            </SubscriptionTierLimits>
            <ApplicationTierLimits>
                <50PerMin>50</50PerMin>
                <20PerMin>20</20PerMin>
                <10PerMin>10</10PerMin>
            </ApplicationTierLimits>
            <ResourceLevelTierLimits>
                <50KPerMin>50000</50KPerMin>
                <20KPerMin>20000</20KPerMin>
                <10KPerMin>10000</10KPerMin>
            </ResourceLevelTierLimits>
        </DefaultLimits-->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
        <EnableHeaderConditions>false</EnableHeaderConditions>
        <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
        <EnableQueryParamConditions>false</EnableQueryParamConditions>
    </ThrottlingConfigurations>
    
    <WorkflowConfigurations>
        <Enabled>false</Enabled>
        <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
        <ServerUser>${admin.username}</ServerUser>
        <ServerPassword>${admin.password}</ServerPassword>
        <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
        <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
        <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
        <DCREndPointUser>${admin.username}</DCREndPointUser>
        <DCREndPointPassword>${admin.password}</DCREndPointPassword>
    </WorkflowConfigurations>

    <SwaggerCodegen>
        <ClientGeneration>
            <GroupId>org.wso2</GroupId>
            <ArtifactId>org.wso2.client.</ArtifactId>
            <ModelPackage>org.wso2.client.model.</ModelPackage>
            <ApiPackage>org.wso2.client.api.</ApiPackage>
            <!-- Configure supported languages/Frameworks as comma separated values,
             Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
             nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
            <SupportedLanguages>java,android</SupportedLanguages>
        </ClientGeneration>
    </SwaggerCodegen>

</APIManager>

Do you need my IS one, too?

Regards,

Thomas

2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[hidden email]>:
It would be better if you could share the api-manager.xml configuration file, to see if there are any errors in the configs.




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool here.

But, when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So, I activated the DEBUG mode and then I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do, since I tried some fancy URLs for the ServerURL value in the AuthManager and APIKeyValidator elements.
My IS has an offset of 5, so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev








--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214


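The thread turns on one point: the gateway answers "Resource forbidden" with code 900900, which (as Farasath notes from the error-code list cited as [1]) means the key-validation backend could not be used, not that an authorization decision was made against the token. The script below is an added example, written for this thread and not code from WSO2 or from anyone in it: it parses the ams:fault payload and the gateway DEBUG trace quoted above, pulls out the innermost Java cause, reads the key manager's isAuthorized value from the IS log, and classifies the failure so you look at the right component (gateway-to-key-manager transport/compatibility versus subscription/scope versus credentials). The sample inputs are trimmed copies of the thread's own fault and log lines plus one constructed scope fault; the error-code table beyond 900900 is an assumption taken from the public WSO2 APIM error-code list and should be checked against your version.

```python
import re
import xml.etree.ElementTree as ET

AMS_NS = "http://wso2.org/apimanager/security"

# ams:code meanings. 900900 is quoted in the thread; the other entries are an
# assumption from the public WSO2 APIM error-code table (verify for your version).
ERROR_CODES = {
    900900: "Unclassified Authentication Failure: key-validation backend not accessible",
    900901: "Invalid Credentials",
    900902: "Missing Credentials",
    900903: "Access Token Expired",
    900904: "Access Token Inactive",
    900905: "Incorrect Access Token Type",
    900906: "No matching resource found in the API for the given request",
    900907: "The requested API is temporarily blocked",
    900908: "Resource forbidden",
    900909: "The subscription to the API is inactive",
    900910: "The access token does not allow you to access the requested resource",
}
AUTHZ_CODES = {900908, 900909, 900910}           # subscription / scope decisions
CREDENTIAL_CODES = {900901, 900902, 900903, 900904, 900905}

# Inputs copied (trimmed) from the thread: fault payload, gateway trace, IS log line.
FAULT_XML = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900900</ams:code>
  <ams:message>Unclassified Authentication Failure</ams:message>
  <ams:description>Resource forbidden</ams:description>
</ams:fault>"""

GATEWAY_LOG = "\n".join([
    "[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure",
    "[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900",
    "org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden",
    "        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)",
    "Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation",
    "        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)",
    "Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util",
])

KEY_MANAGER_LOG = ("[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  "
                   "OAuth token response from Manager to gateway:  , appName=myApp , isAuthorized=true")

# Constructed sample (not from the thread): what a scope failure would look like.
SCOPE_FAULT_XML = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900910</ams:code>
  <ams:message>The access token does not allow you to access the requested resource</ams:message>
  <ams:description>constructed sample</ams:description>
</ams:fault>"""


def parse_fault(xml_text):
    """Extract code/message/description from an ams:fault payload."""
    root = ET.fromstring(xml_text)

    def text(tag):
        el = root.find("{%s}%s" % (AMS_NS, tag))
        return (el.text or "").strip() if el is not None else ""

    return {"code": int(text("code")), "message": text("message"),
            "description": text("description")}


def root_cause(log_text):
    """Innermost 'Caused by:' line of a Java stack trace, or '' if there is none."""
    causes = re.findall(r"^Caused by: (.+)$", log_text, flags=re.MULTILINE)
    return causes[-1].strip() if causes else ""


def key_manager_authorized(km_log):
    """True/False from the key manager's isAuthorized=... DEBUG line, None if absent."""
    m = re.search(r"isAuthorized=(true|false)", km_log)
    return None if m is None else m.group(1) == "true"


def triage(fault_xml, gateway_log="", km_log=""):
    """Classify a gateway authentication failure so the right component gets looked at."""
    result = parse_fault(fault_xml)
    result["meaning"] = ERROR_CODES.get(result["code"], "unknown code")
    result["root_cause"] = root_cause(gateway_log)
    result["key_manager_authorized"] = key_manager_authorized(km_log)
    code = result["code"]
    if code == 900900:
        # 900900 is the gateway failing closed: it never got a usable validation answer.
        if "AxisFault" in result["root_cause"] or "key validation" in gateway_log:
            category = "key-validation transport/compatibility failure"
        else:
            category = "unclassified failure"
        if result["key_manager_authorized"]:
            category += " (key manager said authorized; gateway could not consume its answer)"
    elif code in AUTHZ_CODES:
        category = "authorization decision (subscription/scope)"
    elif code in CREDENTIAL_CODES:
        category = "credential problem"
    else:
        category = "routing/other"
    result["category"] = category
    return result


if __name__ == "__main__":
    for k, v in triage(FAULT_XML, GATEWAY_LOG, KEY_MANAGER_LOG).items():
        print("%-24s %s" % (k, v))
```

Run on the thread's data, the triage reports a key-validation transport/compatibility failure with the Axis2 "Mapping qname not fond" fault as the root cause and the key manager having answered isAuthorized=true: the token was accepted by the IS, and the gateway then denied the request because it could not deserialize that answer. That is the useful security reading of 900900: the gateway fails closed when the key-validation path is broken, and the client-visible "Resource forbidden" text gives no hint of it, so the gateway log and the key manager log have to be read together.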

Re: Weird exception accessing to a API Manager protected resource

Thomas LEGRAND
Hello,

Thank you for your answers.

I activated the DEBUG mode on the IS in the class org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService and I can see that the IS receives something, because when I send a wrong OAuth token, it says

[2017-06-16 12:10:00,563] ERROR {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl} -  Invalid OAuth Token : Invalid accessken

And when I send a right one:

[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  OAuth token response from Manager to gateway:  , appName=myApp , userName=[hidden email] , transactionId= , consumerKey=5bWQioSHWbt9I24xizeP0o20a , isAuthorized=true , responseTime=Fri Jun 16 14:19:52 CEST 2017
[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  APIKeyValidationInfoDTO bee returning : APIKeyValidationInfoDTO = { authorized:true , subscriber:admin , tier:Unlimited , type:PRODUCTION , userType:APPLICATION_USER , endUserToken:null , endUserName:[hidden email] , applicationId:3 , applicationName:myApp  , applicationr:Unlimited , validationStatus:0 , validityPeriod:2009000 , issuedTime:1497615592019 , apiName:MyAPI , consumerKey:5bWQioSH9I24xizeP0oxTw20a , spikeArrestLimit:0 , spikeArrestUnit:null , subscriberTenantDomain:carbon.super , stopOnQuotaReach:true ,iPublisher:admin]]

We can see the authorized: true (if that means something), so it is like the API manager doesn't know how to interpret this message and takes a shortcut to a conclusion because of an Axis error. So from here, I don't know what to do :(

Regards,

Thomas



2017-06-16 13:13 GMT+02:00 Farasath Ahamed <[hidden email]>:




On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <[hidden email]> wrote:
Hi Thomas,

You need to subscribe to that particular API from the application for which you have generated the access token. If there is no valid subscription, then this error can happen.
And also, if you have assigned specific scopes to the API resource, then the access token should also have those scopes when it was generated.
This resource forbidden issue can occur due to the above-mentioned errors.

In those cases, shouldn't the error codes be different according to [1]?


    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

Error code 900900, according to [1], means:
Backend service for key validation is not accessible when trying to invoke an API




 

Thanks!
Rajith

On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello !

Sure. Here is my api-manager.xml AM configuration file:

<APIManager>
    <!-- JNDI name of the data source to be used by the API publisher, API store and API
         key manager. This data source should be defined in the master-datasources.xml file
         in conf/datasources directory. -->
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>

    <!-- This parameter is used when adding api management capability to other products like GReg, AS, DSS etc.-->
    <!--GatewayType>Synapse</GatewayType-->
    <GatewayType>None</GatewayType>

    <!-- This parameter is used to enable the securevault support when try to publish endpoint secured APIs. Values should be "true" or "false".
    By default secure vault is disabled.-->
    <EnableSecureVault>false</EnableSecureVault>

    <!-- Authentication manager configuration for API publisher and API store. This is
         a required configuration for both web applications as their user authentication
         logic relies on this. -->
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
           via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>

    <JWTConfiguration>
        <!-- Enable/Disable JWT generation. Default is false. -->
        <!-- EnableJWTGeneration>false</EnableJWTGeneration-->

        <!-- Name of the security context header to be added to the validated requests. -->
        <JWTHeader>X-JWT-Assertion</JWTHeader>

        <!-- Fully qualified name of the class that will retrieve additional user claims
             to be appended to the JWT. If not specified no claims will be appended.If user wants to add all user claims in the
             jwt token, he needs to enable this parameter.
             The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
        <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->

        <!-- The dialectURI under which the claimURIs that need to be appended to the
             JWT are defined. Not used with custom ClaimsRetriever implementations. The
             same value is used in the keys for appending the default properties to the
             JWT. -->
        <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->

        <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
        <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->

        <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
    default implementation provided. -->
        <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>

        <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
             Token generation the implementation is provided in URLSafeJWTGenerator -->
        <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->

        <!-- Remove UserName from JWT Token -->
        <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
    </JWTConfiguration>

    <!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
    <!--LoginConfig>
            <UserIdLogin  primary="true">
        <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin  primary="false">
            <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
    </LoginConfig-->

    <!-- Credentials for the API gateway admin server. This configuration
         is mainly used by the API publisher and store to connect to the API gateway and
         create/update published API configurations. -->
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
                 An API deployed on a 'production' type gateway will only support production keys
                 An API deployed on a 'sandbox' type gateway will only support sandbox keys
                 An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
            <!-- api-console element specifies whether the environment should be listed in API Console or not -->
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
                <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>

    <CacheConfigurations>
        <!-- Enable/Disable token caching at the Gateway-->
        <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
        <!-- Enable/Disable API resource caching at the Gateway-->
        <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
        <!-- Enable/Disable API key validation information caching at key-management server -->
        <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
        <!-- This parameter specifies whether Recently Added APIs will be loaded from the cache or not.
             If there are multiple API modification during a short time period, better to disable cache. -->
        <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
        <!-- JWT claims Cache expiry in seconds -->
        <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
        <!-- Expiry time for the apim key mgt validation info cache -->
        <!--TokenCacheExpiry>900</TokenCacheExpiry-->
        <!-- This parameter specifies the expiration time of the TagCache. TagCache will
             only be created when this element is uncommented. When the specified
             time duration gets elapsed ,tag cache will get re-generated. -->
        <!--TagCacheDuration>120000</TagCacheDuration-->
    </CacheConfigurations>

    <!--
        API usage tracker configuration used by the DAS data publisher and
        Google Analytics publisher in API gateway.
    -->
    <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>false</Enabled>

        <!-- Server URL of the remote DAS/CEP server used to collect statistics. Must
             be specified in protocol://hostname:port/ format.

             An event can also be published to multiple Receiver Groups each having 1 or more receivers. Receiver
             Groups are delimited by curly braces whereas receivers are delimited by commas.
             Ex - Multiple Receivers within a single group
             tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/

             Ex - Multiple Receiver Groups with two receivers each
             {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        <!-- For APIM implemented Statistic client for RDBMS -->
        <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        <!-- DAS REST API configuration -->
        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        <!-- Below property is used to skip trying to connect to event receiver nodes when publishing events even if
            the stats enabled flag is set to true. -->
        <SkipEventReceiverConnection>false</SkipEventReceiverConnection>

        <!-- API Usage Data Publisher. -->
        <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>

        <!-- If below property set to true,then the response message size will be calculated and publish
             with each successful API invocation event. -->
        <PublishResponseMessageSize>false</PublishResponseMessageSize>
        <!-- Data publishing stream names and versions of API requests, responses and faults. If the default values
            are changed, the toolbox also needs to be changed accordingly. -->
        <Streams>
            <Request>
                <Name>org.wso2.apimgt.statistics.request</Name>
                <Version>1.1.0</Version>
            </Request>
            <Response>
                <Name>org.wso2.apimgt.statistics.response</Name>
                <Version>1.1.0</Version>
            </Response>
            <Fault>
                <Name>org.wso2.apimgt.statistics.fault</Name>
                <Version>1.0.0</Version>
            </Fault>
            <Throttle>
                <Name>org.wso2.apimgt.statistics.throttle</Name>
                <Version>1.0.0</Version>
            </Throttle>
            <Workflow>
                <Name>org.wso2.apimgt.statistics.workflow</Name>
                <Version>1.0.0</Version>
            </Workflow>
            <ExecutionTime>
                <Name>org.wso2.apimgt.statistics.execution.time</Name>
                <Version>1.0.0</Version>
            </ExecutionTime>
            <AlertTypes>
                <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
                <Version>1.0.0</Version>
            </AlertTypes>
        </Streams>

    </Analytics>

    <!--
        API key validator configuration used by API key manager (IS), API store and API gateway.
        API gateway uses it to validate and authenticate users against the provided API keys.
    -->
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>

        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
        <!--Username>admin</Username>
        <Password>admin</Password-->

        <!-- Configurations related to enable thrift support for key-management related communication.
             If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
             In a distributed environment;
             -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
             -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
             -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
        -The Gateway uses this parameter to connect to the key validation thrift service. -->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->

        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->

        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a 
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>

    <!-- Uncomment this section only if you are going to have an instance other than KeyValidator as your KeyManager.
         Unless a ThirdParty KeyManager is used, you don't need to configure this section. -->
    <!--APIKeyManager>
        <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
        <Configuration>
            <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
            <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
        </Configuration>
    </APIKeyManager-->

    <OAuthConfigurations>
        <!-- Remove OAuth headers from outgoing message. -->
        <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
        <!-- Scope used for marking Application Tokens. If a token is generated with this scope, they will be treated as Application Access Tokens -->
        <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
        <!-- All  scopes under the ScopeWhitelist element are not validating against roles that has assigned to it.
             By default ^device_.* and openid scopes have been white listed internally. -->
        <!--ScopeWhitelist>
            <Scope>^device_.*</Scope>
            <Scope>openid</Scope>
        </ScopeWhitelist-->
        <!-- Name of the token API -->
        <TokenEndPointName>/oauth2/token</TokenEndPointName>
        <!-- This the API URL for revoke API. When we revoke tokens revoke requests should go through this
             API deployed in API gateway. Then it will do cache invalidations related to revoked tokens.
             In distributed deployment we should configure this property in key manager node by pointing
             gateway https( /http, we recommend users to use 'https' endpoints for security purpose) url.
             Also please note that we should point gateway revoke service to key manager -->
        <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
        <!-- Whether to encrypt tokens when storing in the Database
        Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
        org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>

    <!-- Settings related to managing API access tiers. -->
    <TierManagement>
        <!-- Enable the providers to expose their APIs over the special 'Unlimited' tier which
             basically disables tier based throttling for the specified APIs. -->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property is used to indicate how we do user name comparision for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/store</URL>

        <!-- Server URL of the API Store. -->
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>

        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of same
             API or only showing the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which are having DEPRECATED/PUBLISHED status] or only display the APIs
             with having their status is as 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs in api the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->

        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>

        <!-- This parameter specifies whether to display the ratings  or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>

        <!--set isStoreForumEnabled to false for disable forum in store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>

    <APIPublisher>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
        <!-- This parameter specifies enabling the capability of setting API documentation level granular visibility levels.
             By default any document associate with an API will have the same permissions set as the API.With enabling below
             property,it will show two additional permission levels as visible only to all registered users in a particular
             domain or only visible to API doc creator -->
        <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
        <!-- Uncomment this to limit the number of APIs in api the API Publisher -->
        <!--APIsPerPage>30</APIsPerPage-->
    </APIPublisher>

    <!-- Status observers can be registered against the API Publisher to listen for
         API status update events. Each observer must implement the APIStatusObserver
         interface. Multiple observers can be engaged if necessary and in such situations
         they will be notified in the order they are defined here. 
         This configuration is unused from API Manager version 1.10.0 -->
    <!--StatusObservers>
        <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
    </StatusObservers-->

    <!-- Use this configuration Create APIs at the Server startup -->
    <StartupAPIPublisher>
        <!-- Enable/Disable the API Startup Publisher -->
        <Enabled>false</Enabled>

        <!-- Configuration to create APIs for local endpoints.
             Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
             Define many LocalAPI elements as below to create many APIs
             for local Endpoints.
             IconPath should be relative to CARBON_HOME. -->
        <LocalAPIs>
            <LocalAPI>
                <Context>/resource</Context>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </LocalAPI>
        </LocalAPIs>

        <!-- Configuration to create APIs for remote endpoints.
             When Endpoint need to be defined use this configuration.
             Define many API elements as below to create many APIs
             for external Endpoints.
             If you do not need to add Icon or Documentation set
             'none' as the value for IconPath & DocumentURL. -->
        <!--APIs>
            <API>
                <Context>/resource</Context>
                <Endpoint>http://localhost:9764/resource</Endpoint>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </API>
        </APIs-->
    </StartupAPIPublisher>

    <!-- Configuration to enable/disable sending CORS headers in the Gateway response
         and define the Access-Control-Allow-Origin header value.-->
    <CORSConfiguration>
        <!-- Configuration to enable/disable sending CORS headers from the Gateway-->
        <Enabled>true</Enabled>

        <!-- The value of the Access-Control-Allow-Origin header. Default values are
             API Store addresses, which is needed for swagger to function. -->
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

        <!-- Configure Access-Control-Allow-Methods -->
        <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

        <!-- Configure Access-Control-Allow-Headers -->
        <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>

        <!-- Configure Access-Control-Allow-Credentials -->
        <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
             It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*) -->
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
    
    <!-- This property is there to configure velocity log output into existing Log4j carbon Logger.
         You can enable this and set preferable Logger name. -->
    <!-- VelocityLogger>VELOCITY</VelocityLogger -->

    <RESTAPI>
        <!--Configure white-listed URIs of REST API. Accessing white-listed URIs does not require credentials (does not require Authorization header). -->
        <WhiteListedURIs>
            <WhiteListedURI>
                <URI>/api/am/publisher/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/admin/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
        </WhiteListedURIs>
        <ETagSkipList>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/generate-sdk</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications/generate-keys</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/subscriptions</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/environments</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
        </ETagSkipList>
    </RESTAPI>
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>true</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
            </JMSConnectionParameters>
            <JMSTaskManager>
                <MinThreadPoolSize>20</MinThreadPoolSize>
                <MaxThreadPoolSize>100</MaxThreadPoolSize>
                <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
                <JobQueueSize>10</JobQueueSize>
            </JMSTaskManager>
        </JMSConnectionDetails>
        <JMSEventPublisherParameters>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <transport.jms.Destination>throttleData</transport.jms.Destination>
                <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
        </JMSEventPublisherParameters>
        <!--DefaultLimits>
            <SubscriptionTierLimits>
                <Gold>5000</Gold>
                <Silver>2000</Silver>
                <Bronze>1000</Bronze>
                <Unauthenticated>60</Unauthenticated>
            </SubscriptionTierLimits>
            <ApplicationTierLimits>
                <50PerMin>50</50PerMin>
                <20PerMin>20</20PerMin>
                <10PerMin>10</10PerMin>
            </ApplicationTierLimits>
            <ResourceLevelTierLimits>
                <50KPerMin>50000</50KPerMin>
                <20KPerMin>20000</20KPerMin>
                <10KPerMin>10000</10KPerMin>
            </ResourceLevelTierLimits>
        </DefaultLimits-->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
        <EnableHeaderConditions>false</EnableHeaderConditions>
        <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
        <EnableQueryParamConditions>false</EnableQueryParamConditions>
    </ThrottlingConfigurations>
    
    <WorkflowConfigurations>
        <Enabled>false</Enabled>
        <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
        <ServerUser>${admin.username}</ServerUser>
        <ServerPassword>${admin.password}</ServerPassword>
        <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
        <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
        <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
        <DCREndPointUser>${admin.username}</DCREndPointUser>
        <DCREndPointPassword>${admin.password}</DCREndPointPassword>
    </WorkflowConfigurations>

    <SwaggerCodegen>
        <ClientGeneration>
            <GroupId>org.wso2</GroupId>
            <ArtifactId>org.wso2.client.</ArtifactId>
            <ModelPackage>org.wso2.client.model.</ModelPackage>
            <ApiPackage>org.wso2.client.api.</ApiPackage>
            <!-- Configure supported languages/Frameworks as comma separated values,
             Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
             nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
            <SupportedLanguages>java,android</SupportedLanguages>
        </ClientGeneration>
    </SwaggerCodegen>

</APIManager>

Do you need my IS one, too?

Regards,

Thomas

2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[hidden email]>:
It would be better if you could share the api-manager.xml configuration file, to see if there are any errors in the configs.

Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619

On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles, if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool, here.

But, when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So, I activated the DEBUG mode and then I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do, since I tried some fancy URLs for the ServerURL value in the AuthManager and APIKeyValidator elements.
My IS has an offset of 5, so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev


--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214
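The flow the original message describes (a SAML assertion exchanged for a token with the saml2-bearer grant, then a gateway call answered with an ams:fault), as an added Python example that is not from the thread and not WSO2's own code: it builds the token request with scope=default, parses the gateway's fault, and maps code 900900 to the meaning quoted from the error-code table. The endpoint URLs, client credentials, assertion and the base64url encoding of the assertion (RFC 7522) are assumptions, not values from the thread.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

AMS_NS = "http://wso2.org/apimanager/security"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# The only code the thread explains (Farasath's quote of the APIM error-code
# table). Any other code is reported verbatim rather than guessed at.
KNOWN_CODES = {
    "900900": "Backend service for key validation is not accessible "
              "(the gateway could not use the key manager configured in "
              "APIKeyValidator/ServerURL)",
}

# The fault body from the thread, embedded here as sample input.
SAMPLE_FAULT = """<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
  <ams:code>900900</ams:code>
  <ams:message>Unclassified Authentication Failure</ams:message>
  <ams:description>Resource forbidden</ams:description>
</ams:fault>"""


def build_token_request(client_id, client_secret, saml_assertion_xml, scope="default"):
    """Return (headers, form_body) for the SAML2 bearer grant.

    The assertion is base64url-encoded as RFC 7522 specifies (assumption:
    adjust if your IS build expects plain base64). scope=default is the
    parameter Rajith suggested adding.
    """
    assertion = base64.urlsafe_b64encode(saml_assertion_xml.encode("utf-8")).decode("ascii")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    body = urllib.parse.urlencode({
        "grant_type": SAML2_BEARER_GRANT,
        "assertion": assertion,
        "scope": scope,
    })
    return headers, body


def parse_ams_fault(body):
    """Parse an <ams:fault> document; return a dict, or None if body is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != f"{{{AMS_NS}}}fault":
        return None

    def child(name):
        el = root.find(f"{{{AMS_NS}}}{name}")
        return (el.text or "").strip() if el is not None else ""

    return {"code": child("code"), "message": child("message"),
            "description": child("description")}


def classify_gateway_response(status, body):
    """Turn a gateway reply into a one-line verdict for the operator."""
    fault = parse_ams_fault(body)
    if fault is None:
        return "ok" if 200 <= status < 300 else f"http-{status}-without-ams-fault"
    meaning = KNOWN_CODES.get(
        fault["code"], "not covered in the thread; check the APIM error-code reference")
    return (f"ams-fault {fault['code']} ({fault['message']}: "
            f"{fault['description']}) -> {meaning}")


def exchange_and_call(token_url, api_url, client_id, client_secret, assertion_xml, ctx=None):
    """Two HTTP hops: token exchange at the IS, then the gateway call.

    ctx is an optional ssl.SSLContext that trusts your server certificates.
    """
    headers, body = build_token_request(client_id, client_secret, assertion_xml)
    req = urllib.request.Request(token_url, data=body.encode("ascii"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.loads(resp.read())["access_token"]
    api_req = urllib.request.Request(api_url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(api_req, context=ctx) as resp:
            return classify_gateway_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # The gateway puts the <ams:fault> body on the 401/403 response.
        return classify_gateway_response(err.code, err.read().decode("utf-8"))


if __name__ == "__main__":
    # Hypothetical endpoints: an IS with port offset 5 (as in the thread) and a
    # gateway API context; replace with your own values and credentials.
    print(exchange_and_call(
        "https://localhost:9448/oauth2/token",
        "https://localhost:8243/myapi/1.0.0/resource",
        "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
        "<saml2:Assertion xmlns:saml2='urn:oasis:names:tc:SAML:2.0:assertion'/>"))
```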

Re: Weird exception accessing to a API Manager protected resource

Rajith Roshan
Hi Thomas,

When you are calling the token endpoint using the SAML response, could you please add the scope=default parameter to the request as well? For example: [1].
Let us know if it works. (Just want to verify, because scope is an optional parameter.)

[1] - curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "scope=default&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=nrkelgerte..............ufw" https://{host}:{port}/oauth2/token

Thanks!
Rajith

On Fri, Jun 16, 2017 at 1:46 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello,

Thank you for your answers.

I activated the DEBUG mode on the IS for the class org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService and I can see that the IS receives something, because when I send a wrong OAuth token, it says:

[2017-06-16 12:10:00,563] ERROR {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl} -  Invalid OAuth Token : Invalid accessken

And when I send a right one:

[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  OAuth token response from Manager to gateway:  , appName=myApp , userName=[hidden email] , transactionId= , consumerKey=5bWQioSHWbt9I24xizeP0o20a , isAuthorized=true , responseTime=Fri Jun 16 14:19:52 CEST 2017
[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  APIKeyValidationInfoDTO bee returning : APIKeyValidationInfoDTO = { authorized:true , subscriber:admin , tier:Unlimited , type:PRODUCTION , userType:APPLICATION_USER , endUserToken:null , endUserName:myUser@carbon.super , applicationId:3 , applicationName:myApp  , applicationr:Unlimited , validationStatus:0 , validityPeriod:2009000 , issuedTime:1497615592019 , apiName:MyAPI , consumerKey:5bWQioSH9I24xizeP0oxTw20a , spikeArrestLimit:0 , spikeArrestUnit:null , subscriberTenantDomain:carbon.super , stopOnQuotaReach:true ,iPublisher:admin]]

We can see the authorized:true (if that means something), so it is like the API Manager doesn't know how to interpret this message and jumps to a conclusion because of an Axis error. So from here, I don't know what to do :(

Regards,

Thomas



2017-06-16 13:13 GMT+02:00 Farasath Ahamed <[hidden email]>:

On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <[hidden email]> wrote:
Hi Thomas,

You need to subscribe to that particular API from the application for which you have generated the access token. If there is no valid subscription, then this error can happen.
Also, if you have assigned specific scopes to the API resource, then the access token should also have those scopes when it is generated.
This "Resource forbidden" issue can occur due to the above-mentioned errors.

In those cases, shouldn't the error codes be different, according to [1]?


    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

Error code 900900, according to [1], means:
Backend service for key validation is not accessible when trying to invoke an API

Thanks!
Rajith

On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello!

Sure. Here is my api-manager.xml AM configuration file:

<APIManager>
    <!-- JNDI name of the data source to be used by the API publisher, API store and API
         key manager. This data source should be defined in the master-datasources.xml file
         in conf/datasources directory. -->
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>

    <!-- This parameter is used when adding api management capability to other products like GReg, AS, DSS etc.-->
    <!--GatewayType>Synapse</GatewayType-->
    <GatewayType>None</GatewayType>

    <!-- This parameter is used to enable the securevault support when try to publish endpoint secured APIs. Values should be "true" or "false".
    By default secure vault is disabled.-->
    <EnableSecureVault>false</EnableSecureVault>

    <!-- Authentication manager configuration for API publisher and API store. This is
         a required configuration for both web applications as their user authentication
         logic relies on this. -->
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
           via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>

    <JWTConfiguration>
        <!-- Enable/Disable JWT generation. Default is false. -->
        <!-- EnableJWTGeneration>false</EnableJWTGeneration-->

        <!-- Name of the security context header to be added to the validated requests. -->
        <JWTHeader>X-JWT-Assertion</JWTHeader>

        <!-- Fully qualified name of the class that will retrieve additional user claims
             to be appended to the JWT. If not specified no claims will be appended.If user wants to add all user claims in the
             jwt token, he needs to enable this parameter.
             The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
        <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->

        <!-- The dialectURI under which the claimURIs that need to be appended to the
             JWT are defined. Not used with custom ClaimsRetriever implementations. The
             same value is used in the keys for appending the default properties to the
             JWT. -->
        <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->

        <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
        <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->

        <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
    default implementation provided. -->
        <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>

        <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
             Token generation the implementation is provided in URLSafeJWTGenerator -->
        <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->

        <!-- Remove UserName from JWT Token -->
        <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
    </JWTConfiguration>

    <!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
    <!--LoginConfig>
            <UserIdLogin  primary="true">
        <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin  primary="false">
            <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
    </LoginConfig-->

    <!-- Credentials for the API gateway admin server. This configuration
         is mainly used by the API publisher and store to connect to the API gateway and
         create/update published API configurations. -->
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
                 An API deployed on a 'production' type gateway will only support production keys
                 An API deployed on a 'sandbox' type gateway will only support sandbox keys
                 An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
            <!-- api-console element specifies whether the environment should be listed in API Console or not -->
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
       <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>

    <CacheConfigurations>
   <!-- Enable/Disable token caching at the Gateway-->
        <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
   <!-- Enable/Disable API resource caching at the Gateway-->
        <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
        <!-- Enable/Disable API key validation information caching at key-management server -->
        <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
        <!-- This parameter specifies whether Recently Added APIs will be loaded from the cache or not.
             If there are multiple API modification during a short time period, better to disable cache. -->
        <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
   <!-- JWT claims Cache expiry in seconds -->
        <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
        <!-- Expiry time for the apim key mgt validation info cache -->
        <!--TokenCacheExpiry>900</TokenCacheExpiry-->
        <!-- This parameter specifies the expiration time of the TagCache. TagCache will
             only be created when this element is uncommented. When the specified
             time duration gets elapsed ,tag cache will get re-generated. -->
        <!--TagCacheDuration>120000</TagCacheDuration-->
    </CacheConfigurations>

    <!--
        API usage tracker configuration used by the DAS data publisher and
        Google Analytics publisher in API gateway.
    -->
    <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>false</Enabled>

        <!-- Server URL of the remote DAS/CEP server used to collect statistics. Must
             be specified in protocol://hostname:port/ format.

             An event can also be published to multiple Receiver Groups each having 1 or more receivers. Receiver
             Groups are delimited by curly braces whereas receivers are delimited by commas.
             Ex - Multiple Receivers within a single group
             tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/

             Ex - Multiple Receiver Groups with two receivers each
             {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        <!-- For APIM implemented Statistic client for RDBMS -->
        <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        <!-- DAS REST API configuration -->
        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        <!-- Below property is used to skip trying to connect to event receiver nodes when publishing events even if
            the stats enabled flag is set to true. -->
        <SkipEventReceiverConnection>false</SkipEventReceiverConnection>

        <!-- API Usage Data Publisher. -->
        <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>

        <!-- If below property set to true,then the response message size will be calculated and publish
             with each successful API invocation event. -->
        <PublishResponseMessageSize>false</PublishResponseMessageSize>
        <!-- Data publishing stream names and versions of API requests, responses and faults. If the default values
            are changed, the toolbox also needs to be changed accordingly. -->
        <Streams>
            <Request>
                <Name>org.wso2.apimgt.statistics.request</Name>
                <Version>1.1.0</Version>
            </Request>
            <Response>
                <Name>org.wso2.apimgt.statistics.response</Name>
                <Version>1.1.0</Version>
            </Response>
            <Fault>
                <Name>org.wso2.apimgt.statistics.fault</Name>
                <Version>1.0.0</Version>
            </Fault>
            <Throttle>
                <Name>org.wso2.apimgt.statistics.throttle</Name>
                <Version>1.0.0</Version>
            </Throttle>
            <Workflow>
                <Name>org.wso2.apimgt.statistics.workflow</Name>
                <Version>1.0.0</Version>
            </Workflow>
            <ExecutionTime>
                <Name>org.wso2.apimgt.statistics.execution.time</Name>
                <Version>1.0.0</Version>
            </ExecutionTime>
            <AlertTypes>
                <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
                <Version>1.0.0</Version>
            </AlertTypes>
        </Streams>

    </Analytics>

    <!--
        API key validator configuration used by API key manager (IS), API store and API gateway.
        API gateway uses it to validate and authenticate users against the provided API keys.
    -->
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>

        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
        <!--Username>admin</Username>
        <Password>admin</Password-->

        <!-- Configurations related to enable thrift support for key-management related communication.
             If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
             In a distributed environment;
             -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
             -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
             -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
        -The Gateway uses this parameter to connect to the key validation thrift service. -->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->

        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->

        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a 
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>

    <!-- Uncomment this section only if you are going to have an instance other than KeyValidator as your KeyManager.
         Unless a ThirdParty KeyManager is used, you don't need to configure this section. -->
    <!--APIKeyManager>
        <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
        <Configuration>
            <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
            <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
        </Configuration>
    </APIKeyManager-->

    <OAuthConfigurations>
        <!-- Remove OAuth headers from outgoing message. -->
        <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
        <!-- Scope used for marking Application Tokens. If a token is generated with this scope, they will be treated as Application Access Tokens -->
        <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
        <!-- Scopes listed under the ScopeWhitelist element are not validated against the roles assigned to them.
             By default the ^device_.* and openid scopes are whitelisted internally. -->
        <!--ScopeWhitelist>
            <Scope>^device_.*</Scope>
            <Scope>openid</Scope>
        </ScopeWhitelist-->
        <!-- Name of the token API -->
        <TokenEndPointName>/oauth2/token</TokenEndPointName>
        <!-- This the API URL for revoke API. When we revoke tokens revoke requests should go through this
             API deployed in API gateway. Then it will do cache invalidations related to revoked tokens.
             In distributed deployment we should configure this property in key manager node by pointing
             gateway https( /http, we recommend users to use 'https' endpoints for security purpose) url.
             Also please note that we should point gateway revoke service to key manager -->
        <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
        <!-- Whether to encrypt tokens when storing in the Database
        Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
        org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>

    <!-- Settings related to managing API access tiers. -->
    <TierManagement>
        <!-- Enable the providers to expose their APIs over the special 'Unlimited' tier which
             basically disables tier based throttling for the specified APIs. -->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property indicates how user name comparison is done for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/store</URL>

        <!-- Server URL of the API Store. -->
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>

        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of same
             API or only showing the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which are having DEPRECATED/PUBLISHED status] or only display the APIs
             with having their status is as 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs per page in the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->

        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>

        <!-- This parameter specifies whether to display the ratings  or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>

        <!--set isStoreForumEnabled to false for disable forum in store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>

    <APIPublisher>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
        <!-- This parameter specifies enabling the capability of setting API documentation level granular visibility levels.
             By default any document associate with an API will have the same permissions set as the API.With enabling below
             property,it will show two additional permission levels as visible only to all registered users in a particular
             domain or only visible to API doc creator -->
        <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
        <!-- Uncomment this to limit the number of APIs per page in the API Publisher -->
        <!--APIsPerPage>30</APIsPerPage-->
    </APIPublisher>

    <!-- Status observers can be registered against the API Publisher to listen for
         API status update events. Each observer must implement the APIStatusObserver
         interface. Multiple observers can be engaged if necessary and in such situations
         they will be notified in the order they are defined here. 
         This configuration is unused from API Manager version 1.10.0 -->
    <!--StatusObservers>
        <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
    </StatusObservers-->

    <!-- Use this configuration Create APIs at the Server startup -->
    <StartupAPIPublisher>
        <!-- Enable/Disable the API Startup Publisher -->
        <Enabled>false</Enabled>

        <!-- Configuration to create APIs for local endpoints.
             Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
             Define many LocalAPI elements as below to create many APIs
             for local Endpoints.
             IconPath should be relative to CARBON_HOME. -->
        <LocalAPIs>
            <LocalAPI>
                <Context>/resource</Context>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </LocalAPI>
        </LocalAPIs>

        <!-- Configuration to create APIs for remote endpoints.
             When Endpoint need to be defined use this configuration.
             Define many API elements as below to create many APIs
             for external Endpoints.
             If you do not need to add Icon or Documentation set
             'none' as the value for IconPath & DocumentURL. -->
        <!--APIs>
            <API>
                <Context>/resource</Context>
                <Endpoint>http://localhost:9764/resource</Endpoint>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </API>
        </APIs-->
    </StartupAPIPublisher>

    <!-- Configuration to enable/disable sending CORS headers in the Gateway response
         and define the Access-Control-Allow-Origin header value.-->
    <CORSConfiguration>
        <!-- Configuration to enable/disable sending CORS headers from the Gateway-->
        <Enabled>true</Enabled>

        <!-- The value of the Access-Control-Allow-Origin header. Default values are
             API Store addresses, which is needed for swagger to function. -->
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

        <!-- Configure Access-Control-Allow-Methods -->
        <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

        <!-- Configure Access-Control-Allow-Headers -->
        <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>

        <!-- Configure Access-Control-Allow-Credentials -->
        <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
             It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*) -->
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
    
    <!-- This property is there to configure velocity log output into existing Log4j carbon Logger.
         You can enable this and set preferable Logger name. -->
    <!-- VelocityLogger>VELOCITY</VelocityLogger -->

    <RESTAPI>
        <!--Configure white-listed URIs of REST API. Accessing white-listed URIs does not require credentials (does not require Authorization header). -->
        <WhiteListedURIs>
            <WhiteListedURI>
                <URI>/api/am/publisher/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/admin/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
        </WhiteListedURIs>
        <ETagSkipList>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/generate-sdk</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications/generate-keys</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/subscriptions</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/environments</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
        </ETagSkipList>
    </RESTAPI>
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>true</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
            </JMSConnectionParameters>
            <JMSTaskManager>
                <MinThreadPoolSize>20</MinThreadPoolSize>
                <MaxThreadPoolSize>100</MaxThreadPoolSize>
                <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
                <JobQueueSize>10</JobQueueSize>
            </JMSTaskManager>
        </JMSConnectionDetails>
        <JMSEventPublisherParameters>
            <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
            <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
            <transport.jms.DestinationType>topic</transport.jms.DestinationType>
            <transport.jms.Destination>throttleData</transport.jms.Destination>
            <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
            <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
        </JMSEventPublisherParameters>
        <!--DefaultLimits>
            <SubscriptionTierLimits>
                <Gold>5000</Gold>
                <Silver>2000</Silver>
                <Bronze>1000</Bronze>
                <Unauthenticated>60</Unauthenticated>
            </SubscriptionTierLimits>
            <ApplicationTierLimits>
                <50PerMin>50</50PerMin>
                <20PerMin>20</20PerMin>
                <10PerMin>10</10PerMin>
            </ApplicationTierLimits>
            <ResourceLevelTierLimits>
                <50KPerMin>50000</50KPerMin>
                <20KPerMin>20000</20KPerMin>
                <10KPerMin>10000</10KPerMin>
            </ResourceLevelTierLimits>
        </DefaultLimits-->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
        <EnableHeaderConditions>false</EnableHeaderConditions>
        <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
        <EnableQueryParamConditions>false</EnableQueryParamConditions>
    </ThrottlingConfigurations>
    
    <WorkflowConfigurations>
        <Enabled>false</Enabled>
        <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
        <ServerUser>${admin.username}</ServerUser>
        <ServerPassword>${admin.password}</ServerPassword>
        <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
        <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
        <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
        <DCREndPointUser>${admin.username}</DCREndPointUser>
        <DCREndPointPassword>${admin.password}</DCREndPointPassword>
    </WorkflowConfigurations>

    <SwaggerCodegen>
        <ClientGeneration>
            <GroupId>org.wso2</GroupId>
            <ArtifactId>org.wso2.client.</ArtifactId>
            <ModelPackage>org.wso2.client.model.</ModelPackage>
            <ApiPackage>org.wso2.client.api.</ApiPackage>
            <!-- Configure supported languages/Frameworks as comma separated values,
             Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
             nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
            <SupportedLanguages>java,android</SupportedLanguages>
        </ClientGeneration>
    </SwaggerCodegen>

</APIManager>

Do you need my IS one, too?

Regards,

Thomas

2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[hidden email]>:
Would be better if you could share the api-manager.xml configuration file to see if there are any errors in configs.




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles, if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool, here.

But, when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So, I activated the DEBUG mode and then I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do since I tried some fancy URLs for the ServerURL value in the elements AuthManager and APIKeyValidator.
My IS has an offset of 5 so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev








--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214





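The api-manager.xml above has its APIKeyValidator/ServerURL hand-pointed at the IS on port 9448 while other sections keep the `${mgt.transport.https.port}` default, and its own CORS comment says Access-Control-Allow-Credentials=true must not be combined with a wildcard origin. As an added example, not code from this thread or from WSO2: a small Python checker that resolves the `${...}` placeholders and flags those inconsistencies over a constructed excerpt of the file. The AuthManager section (only mentioned, not posted, in the thread), the placeholder values, the CORS credentials flag set to "true" and the hardened variant are assumptions made for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt modelled on the api-manager.xml in the thread: APIKeyValidator
# was hand-edited to the IS on port 9448 while AuthManager kept the ${...} default,
# and CORS Allow-Credentials is deliberately flipped to "true" to exercise the check.
SAMPLE_CONFIG = """<APIManager>
    <AuthManager>
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <Password>${admin.password}</Password>
    </AuthManager>
    <APIKeyValidator>
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <Password>${admin.password}</Password>
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
    </APIKeyValidator>
    <CORSConfiguration>
        <Enabled>true</Enabled>
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
        <Access-Control-Allow-Credentials>true</Access-Control-Allow-Credentials>
    </CORSConfiguration>
</APIManager>
"""

# Constructed hardened variant: one key-manager host everywhere, a non-default
# password behind a placeholder, and an explicit CORS origin.
HARDENED_CONFIG = """<APIManager>
    <AuthManager>
        <ServerURL>https://km.example.internal:9448/services/</ServerURL>
        <Password>${km.password}</Password>
    </AuthManager>
    <APIKeyValidator>
        <ServerURL>https://km.example.internal:9448/services/</ServerURL>
        <Password>${km.password}</Password>
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
    </APIKeyValidator>
    <CORSConfiguration>
        <Enabled>true</Enabled>
        <Access-Control-Allow-Origin>https://store.example.internal:9443</Access-Control-Allow-Origin>
        <Access-Control-Allow-Credentials>true</Access-Control-Allow-Credentials>
    </CORSConfiguration>
</APIManager>
"""

# Constructed placeholder values; the first three mirror the stock Carbon defaults.
SAMPLE_VALUES = {
    "mgt.transport.https.port": "9443",
    "carbon.context": "/",
    "admin.password": "admin",
    "km.password": "placeholder-not-a-real-secret",
}


def resolve_placeholders(xml_text, values):
    """Substitute ${name} placeholders; unknown names are left as they are."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: values.get(m.group(1), m.group(0)), xml_text)


def _text(node, path):
    """Stripped text of the first child at `path`, or None when absent or empty."""
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else None


def check_api_manager_config(xml_text, values):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(resolve_placeholders(xml_text, values))
    findings = []
    # 1. Key-manager endpoints: HTTPS, admin-services path, and one host for both sections.
    hosts = {}
    for section in ("AuthManager", "APIKeyValidator"):
        url = _text(root, f"{section}/ServerURL") or ""
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"KEYMGR: {section}/ServerURL must be an https URL (got {url!r})")
        if not parts.path.endswith("/services/"):
            findings.append(f"KEYMGR: {section}/ServerURL should end in /services/ (got {url!r})")
        hosts[section] = parts.netloc
    if len(set(hosts.values())) > 1:
        pairs = ", ".join(f"{k}={v}" for k, v in sorted(hosts.items()))
        findings.append(f"KEYMGR: AuthManager and APIKeyValidator disagree on the key-manager host: {pairs}")
    # 2. The well-known default password still in place after placeholder resolution.
    for section in ("AuthManager", "APIKeyValidator"):
        if _text(root, f"{section}/Password") == "admin":
            findings.append(f"CREDS: {section}/Password is the default 'admin'")
    # 3. CORS: the combination the file's own comment warns against.
    cors = root.find("CORSConfiguration")
    if cors is not None and _text(cors, "Enabled") == "true":
        origins = (_text(cors, "Access-Control-Allow-Origin") or "").split(",")
        if _text(cors, "Access-Control-Allow-Credentials") == "true" and "*" in origins:
            findings.append("CORS: Access-Control-Allow-Credentials=true together with a wildcard Access-Control-Allow-Origin")
    return findings
```

Running `check_api_manager_config(SAMPLE_CONFIG, SAMPLE_VALUES)` reports the host mismatch between the two key-manager sections, the default password in both, and the CORS combination; the hardened variant reports nothing. Resolving the placeholders first matters because the raw `${carbon.context}services/` form does not even parse as a URL path.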

Re: Weird exception accessing to a API Manager protected resource

Thomas LEGRAND
Hello Rajith,

Since I added the scope param with the value set to default, that works. To recap:

First, I sent, via the POST method, the following params to https://localhost:9448/oauth2/token (9448 because I added an offset of 5 on the IS):

Authorization: Basic <ENCODED_KEY:SECRET>
Content-Type: application/x-www-form-urlencoded
 
grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<MY_BADASS_ENCODED_ASSERTION>

It returned me something like this:

{"access_token":"462ad833-138b-300b-a596-abab3ab369e0","refresh_token":"8a918d88-7aec-3967-8f05-b60b91fc6d47","token_type":"Bearer","expires_in":2118}

We can see that the scope is not returned here. And when I tried to access a resource via API Manager with the Authorization header set to "Bearer 462ad833-138b-300b-a596-abab3ab369e0", I was kicked.

So, I fixed my code as you suggested. This time, I sent via the POST method the following params to https://localhost:9448/oauth2/token (9448 because I added an offset of 5 on the IS):

Authorization: Basic <ENCODED_KEY:SECRET>
Content-Type: application/x-www-form-urlencoded
 
scope=default&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<MY_BADASS_ENCODED_ASSERTION>

It returned me something like this:

{"access_token":"64a98dfa-35e3-3091-9dde-43f4a71e51ec","refresh_token":"280e3788-4f3f-3e66-a0cc-0b7d9dc934d5","scope":"default","token_type":"Bearer","expires_in":2380}

We can see that the scope has been returned here. And when I try to access a resource via API Manager with the Authorization header set to "Bearer 64a98dfa-35e3-3091-9dde-43f4a71e51ec", I receive the right JSON response from the service protected by the API Manager.

So, that is cool, thank you very much for your help. :)

Regards,

Thomas

2017-06-18 16:32 GMT+02:00 Rajith Roshan <[hidden email]>:
Hi Thomas,

When you call the token endpoint using the SAML response, could you please add the scope=default parameter as well in the request. For example: [1].
Let us know if it works. (Just want to verify, because scope is an optional parameter.)

[1] - curl -X POST -u "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "scope=default&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=nrkelgerte..............ufw" https://{host}:{port}/oauth2/token

Thanks!
Rajith

On Fri, Jun 16, 2017 at 1:46 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello,

Thank you for your answers.

I activated the DEBUG mode on the IS in the class org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService and I can see that the IS receives something, because when I send a wrong OAuth token, it says

[2017-06-16 12:10:00,563] ERROR {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl} -  Invalid OAuth Token : Invalid accessken

And when I send a right one:

[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  OAuth token response from Manager to gateway:  , appName=myApp , userName=[hidden email] , transactionId= , consumerKey=5bWQioSHWbt9I24xizeP0o20a , isAuthorized=true , responseTime=Fri Jun 16 14:19:52 CEST 2017
[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} -  APIKeyValidationInfoDTO bee returning : APIKeyValidationInfoDTO = { authorized:true , subscriber:admin , tier:Unlimited , type:PRODUCTION , userType:APPLICATION_USER , endUserToken:null , endUserName:[hidden email]r , applicationId:3 , applicationName:myApp  , applicationr:Unlimited , validationStatus:0 , validityPeriod:2009000 , issuedTime:1497615592019 , apiName:MyAPI , consumerKey:5bWQioSH9I24xizeP0oxTw20a , spikeArrestLimit:0 , spikeArrestUnit:null , subscriberTenantDomain:carbon.super , stopOnQuotaReach:true ,iPublisher:admin]]

We can see the authorized: true (if that means something), so it is like the API Manager doesn't know how to interpret this message and takes a shortcut to a conclusion because of an Axis error. So from here, I don't know what to do :(

Regards,

Thomas



2017-06-16 13:13 GMT+02:00 Farasath Ahamed <[hidden email]>:




On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <[hidden email]> wrote:
Hi Thomas,

You need to subscribe to that particular API from the application for which you have generated the access token. If there is no valid subscription, then this error can happen.
Also, if you have assigned specific scopes to the API resource, then the access token should also have those scopes when it was generated.
This resource forbidden issue can occur due to the above mentioned errors.

In those cases, shouldn't the error codes be different, according to [1]?


    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

Error code 900900, according to [1], means:
Backend service for key validation is not accessible when trying to invoke an API

Thanks!
Rajith

On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello!

Sure. Here is my api-manager.xml AM configuration file:

<APIManager>
    <!-- JNDI name of the data source to be used by the API publisher, API store and API
         key manager. This data source should be defined in the master-datasources.xml file
         in conf/datasources directory. -->
    <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>

    <!-- This parameter is used when adding api management capability to other products like GReg, AS, DSS etc.-->
    <!--GatewayType>Synapse</GatewayType-->
    <GatewayType>None</GatewayType>

    <!-- This parameter is used to enable the securevault support when try to publish endpoint secured APIs. Values should be "true" or "false".
    By default secure vault is disabled.-->
    <EnableSecureVault>false</EnableSecureVault>

    <!-- Authentication manager configuration for API publisher and API store. This is
         a required configuration for both web applications as their user authentication
         logic relies on this. -->
    <AuthManager>
        <!-- Server URL of the Authentication service -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>
        <!-- Admin username for the Authentication manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for the Authentication manager. -->
        <Password>${admin.password}</Password>
        <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
           via a remote service. The check will be done on the local server when false. -->
        <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
    </AuthManager>

    <JWTConfiguration>
        <!-- Enable/Disable JWT generation. Default is false. -->
        <!-- EnableJWTGeneration>false</EnableJWTGeneration-->

        <!-- Name of the security context header to be added to the validated requests. -->
        <JWTHeader>X-JWT-Assertion</JWTHeader>

        <!-- Fully qualified name of the class that will retrieve additional user claims
             to be appended to the JWT. If not specified no claims will be appended.If user wants to add all user claims in the
             jwt token, he needs to enable this parameter.
             The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
        <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->

        <!-- The dialectURI under which the claimURIs that need to be appended to the
             JWT are defined. Not used with custom ClaimsRetriever implementations. The
             same value is used in the keys for appending the default properties to the
             JWT. -->
        <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->

        <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
        <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->

        <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
    default implementation provided. -->
        <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>

        <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
             Token generation the implementation is provided in URLSafeJWTGenerator -->
        <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->

        <!-- Remove UserName from JWT Token -->
        <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
    </JWTConfiguration>

    <!-- Primary/secondary login configuration for APIstore. If user likes to keep two login attributes in a distributed setup, to login the APIstore,
he should configure this section. Primary login doesn't have a claimUri associated with it. But secondary login, which is a claim attribute,
is associated with a claimuri.-->
    <!--LoginConfig>
            <UserIdLogin  primary="true">
        <ClaimUri></ClaimUri>
        </UserIdLogin>
        <EmailLogin  primary="false">
            <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
        </EmailLogin>
    </LoginConfig-->

    <!-- Credentials for the API gateway admin server. This configuration
         is mainly used by the API publisher and store to connect to the API gateway and
         create/update published API configurations. -->
    <APIGateway>
        <!-- The environments to which an API will be published -->
        <Environments>
            <!-- Environments can be of different types. Allowed values are 'hybrid', 'production' and 'sandbox'.
                 An API deployed on a 'production' type gateway will only support production keys
                 An API deployed on a 'sandbox' type gateway will only support sandbox keys
                 An API deployed on a 'hybrid' type gateway will support both production and sandbox keys. -->
            <!-- api-console element specifies whether the environment should be listed in API Console or not -->
            <Environment type="hybrid" api-console="true">
                <Name>Production and Sandbox</Name>
                <Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
                <!-- Server URL of the API gateway -->
                <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
       <!-- Admin username for the API gateway. -->
                <Username>${admin.username}</Username>
                <!-- Admin password for the API gateway.-->
                <Password>${admin.password}</Password>
                <!-- Endpoint URLs for the APIs hosted in this API gateway.-->
                <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
            </Environment>
        </Environments>
    </APIGateway>

    <CacheConfigurations>
   <!-- Enable/Disable token caching at the Gateway-->
        <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
   <!-- Enable/Disable API resource caching at the Gateway-->
        <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
        <!-- Enable/Disable API key validation information caching at key-management server -->
        <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
        <!-- This parameter specifies whether Recently Added APIs will be loaded from the cache or not.
             If there are multiple API modification during a short time period, better to disable cache. -->
        <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
   <!-- JWT claims Cache expiry in seconds -->
        <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
        <!-- Expiry time for the apim key mgt validation info cache -->
        <!--TokenCacheExpiry>900</TokenCacheExpiry-->
        <!-- This parameter specifies the expiration time of the TagCache. TagCache will
             only be created when this element is uncommented. When the specified
             time duration gets elapsed ,tag cache will get re-generated. -->
        <!--TagCacheDuration>120000</TagCacheDuration-->
    </CacheConfigurations>

    <!--
        API usage tracker configuration used by the DAS data publisher and
        Google Analytics publisher in API gateway.
    -->
    <Analytics>
        <!-- Enable Analytics for API Manager -->
        <Enabled>false</Enabled>

        <!-- Server URL of the remote DAS/CEP server used to collect statistics. Must
             be specified in protocol://hostname:port/ format.

             An event can also be published to multiple Receiver Groups each having 1 or more receivers. Receiver
             Groups are delimited by curly braces whereas receivers are delimited by commas.
             Ex - Multiple Receivers within a single group
             tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/

             Ex - Multiple Receiver Groups with two receivers each
             {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
        <DASServerURL>{tcp://localhost:7612}</DASServerURL>
        <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
        <!-- Administrator username to login to the remote DAS server. -->
        <DASUsername>${admin.username}</DASUsername>
        <!-- Administrator password to login to the remote DAS server. -->
        <DASPassword>${admin.password}</DASPassword>

        <!-- For APIM implemented Statistic client for RDBMS -->
        <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>

        <!-- DAS REST API configuration -->
        <DASRestApiURL>https://localhost:9444</DASRestApiURL>
        <DASRestApiUsername>${admin.username}</DASRestApiUsername>
        <DASRestApiPassword>${admin.password}</DASRestApiPassword>

        <!-- Below property is used to skip trying to connect to event receiver nodes when publishing events even if
            the stats enabled flag is set to true. -->
        <SkipEventReceiverConnection>false</SkipEventReceiverConnection>

        <!-- API Usage Data Publisher. -->
        <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>

        <!-- If below property set to true,then the response message size will be calculated and publish
             with each successful API invocation event. -->
        <PublishResponseMessageSize>false</PublishResponseMessageSize>
        <!-- Data publishing stream names and versions of API requests, responses and faults. If the default values
            are changed, the toolbox also needs to be changed accordingly. -->
        <Streams>
            <Request>
                <Name>org.wso2.apimgt.statistics.request</Name>
                <Version>1.1.0</Version>
            </Request>
            <Response>
                <Name>org.wso2.apimgt.statistics.response</Name>
                <Version>1.1.0</Version>
            </Response>
            <Fault>
                <Name>org.wso2.apimgt.statistics.fault</Name>
                <Version>1.0.0</Version>
            </Fault>
            <Throttle>
                <Name>org.wso2.apimgt.statistics.throttle</Name>
                <Version>1.0.0</Version>
            </Throttle>
            <Workflow>
                <Name>org.wso2.apimgt.statistics.workflow</Name>
                <Version>1.0.0</Version>
            </Workflow>
            <ExecutionTime>
                <Name>org.wso2.apimgt.statistics.execution.time</Name>
                <Version>1.0.0</Version>
            </ExecutionTime>
   <AlertTypes>
                <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
                <Version>1.0.0</Version>
            </AlertTypes>
        </Streams>

    </Analytics>

    <!--
        API key validator configuration used by API key manager (IS), API store and API gateway.
        API gateway uses it to validate and authenticate users against the provided API keys.
    -->
    <APIKeyValidator>
        <!-- Server URL of the API key manager -->
        <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
        <ServerURL>https://localhost:9448/services/</ServerURL>

        <!-- Admin username for API key manager. -->
        <Username>${admin.username}</Username>
        <!-- Admin password for API key manager. -->
        <Password>${admin.password}</Password>
        <!--Username>admin</Username>
        <Password>admin</Password-->

        <!-- Configurations related to enable thrift support for key-management related communication.
             If you want to switch back to Web Service Client, change the value of "KeyValidatorClientType" to "WSClient".
             In a distributed environment;
             -If you are at the Gateway node, you need to point "ThriftClientPort" value to the "ThriftServerPort" value given at KeyManager node.
             -If you need to start two API Manager instances in the same machine, you need to give different ports to "ThriftServerPort" value in two nodes.
             -ThriftServerHost - Allows to configure a hostname for the thrift server. It uses the carbon hostname by default.
        -The Gateway uses this parameter to connect to the key validation thrift service. -->
        <KeyValidatorClientType>WSClient</KeyValidatorClientType>
        <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
        <!--ThriftClientPort>10397</ThriftClientPort-->

        <EnableThriftServer>false</EnableThriftServer>
        <ThriftServerHost>localhost</ThriftServerHost>
        <!--ThriftServerPort>10397</ThriftServerPort-->

        <!--ConnectionPool>
            <MaxIdle>100</MaxIdle>
            <InitIdleCapacity>50</InitIdleCapacity>
        </ConnectionPool-->
        <!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a 
             custom KeyValidation Handler -->
        <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
    </APIKeyValidator>

    <!-- Uncomment this section only if you are going to have an instance other than KeyValidator as your KeyManager.
         Unless a ThirdParty KeyManager is used, you don't need to configure this section. -->
    <!--APIKeyManager>
        <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
        <Configuration>
            <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
            <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
        </Configuration>
    </APIKeyManager-->

    <OAuthConfigurations>
        <!-- Remove OAuth headers from outgoing message. -->
        <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
        <!-- Scope used for marking Application Tokens. If a token is generated with this scope, they will be treated as Application Access Tokens -->
        <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
        <!-- All  scopes under the ScopeWhitelist element are not validating against roles that has assigned to it.
             By default ^device_.* and openid scopes have been white listed internally. -->
        <!--ScopeWhitelist>
            <Scope>^device_.*</Scope>
            <Scope>openid</Scope>
        </ScopeWhitelist-->
        <!-- Name of the token API -->
        <TokenEndPointName>/oauth2/token</TokenEndPointName>
        <!-- This the API URL for revoke API. When we revoke tokens revoke requests should go through this
             API deployed in API gateway. Then it will do cache invalidations related to revoked tokens.
             In distributed deployment we should configure this property in key manager node by pointing
             gateway https( /http, we recommend users to use 'https' endpoints for security purpose) url.
             Also please note that we should point gateway revoke service to key manager -->
        <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
        <!-- Whether to encrypt tokens when storing in the Database
        Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
        org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor in the identity.xml -->
        <EncryptPersistedTokens>false</EncryptPersistedTokens>
    </OAuthConfigurations>

    <!-- Settings related to managing API access tiers. -->
    <TierManagement>
        <!-- Enable the providers to expose their APIs over the special 'Unlimited' tier which
             basically disables tier based throttling for the specified APIs. -->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
    </TierManagement>

    <!-- API Store Related Configurations -->
    <APIStore>
        <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
        <!--This property is used to indicate how we do user name comparision for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
        <CompareCaseInsensitively>true</CompareCaseInsensitively>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/store</URL>

        <!-- Server URL of the API Store. -->
        <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
        <!-- Admin username for API Store. -->
        <Username>${admin.username}</Username>

        <!-- Admin password for API Store. -->
        <Password>${admin.password}</Password>
        <!-- This parameter specifies whether to display multiple versions of same
             API or only showing the latest version of an API. -->
        <DisplayMultipleVersions>false</DisplayMultipleVersions>
        <!-- This parameter specifies whether to display all the APIs
             [which are having DEPRECATED/PUBLISHED status] or only display the APIs
             with having their status is as 'PUBLISHED' -->
        <DisplayAllAPIs>false</DisplayAllAPIs>
        <!-- Uncomment this to limit the number of APIs in api the API Store -->
        <!--APIsPerPage>5</APIsPerPage-->

        <!-- This parameter specifies whether to display the comment editing facility or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayComments>true</DisplayComments>

        <!-- This parameter specifies whether to display the ratings  or not.
             Default is "true". If user wants to disable, he must set this param as "false" -->
        <DisplayRatings>true</DisplayRatings>

        <!--set isStoreForumEnabled to false for disable forum in store-->
        <!--isStoreForumEnabled>false</isStoreForumEnabled-->
    </APIStore>

    <APIPublisher>
        <DisplayURL>false</DisplayURL>
        <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
        <!-- This parameter specifies enabling the capability of setting API documentation level granular visibility levels.
             By default any document associate with an API will have the same permissions set as the API.With enabling below
             property,it will show two additional permission levels as visible only to all registered users in a particular
             domain or only visible to API doc creator -->
        <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
        <!-- Uncomment this to limit the number of APIs in api the API Publisher -->
        <!--APIsPerPage>30</APIsPerPage-->
    </APIPublisher>

    <!-- Status observers can be registered against the API Publisher to listen for
         API status update events. Each observer must implement the APIStatusObserver
         interface. Multiple observers can be engaged if necessary and in such situations
         they will be notified in the order they are defined here. 
         This configuration is unused from API Manager version 1.10.0 -->
    <!--StatusObservers>
        <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
    </StatusObservers-->

    <!-- Use this configuration Create APIs at the Server startup -->
    <StartupAPIPublisher>
        <!-- Enable/Disable the API Startup Publisher -->
        <Enabled>false</Enabled>

        <!-- Configuration to create APIs for local endpoints.
             Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
             Define many LocalAPI elements as below to create many APIs
             for local Endpoints.
             IconPath should be relative to CARBON_HOME. -->
        <LocalAPIs>
            <LocalAPI>
                <Context>/resource</Context>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </LocalAPI>
        </LocalAPIs>

        <!-- Configuration to create APIs for remote endpoints.
             When Endpoint need to be defined use this configuration.
             Define many API elements as below to create many APIs
             for external Endpoints.
             If you do not need to add Icon or Documentation set
             'none' as the value for IconPath & DocumentURL. -->
        <!--APIs>
            <API>
                <Context>/resource</Context>
                <Endpoint>http://localhost:9764/resource</Endpoint>
                <Provider>admin</Provider>
                <Version>1.0.0</Version>
                <IconPath>none</IconPath>
                <DocumentURL>none</DocumentURL>
                <AuthType>Any</AuthType>
            </API>
        </APIs-->
    </StartupAPIPublisher>

    <!-- Configuration to enable/disable sending CORS headers in the Gateway response
         and define the Access-Control-Allow-Origin header value.-->
    <CORSConfiguration>
        <!-- Configuration to enable/disable sending CORS headers from the Gateway-->
        <Enabled>true</Enabled>

        <!-- The value of the Access-Control-Allow-Origin header. Default values are
             API Store addresses, which is needed for swagger to function. -->
        <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>

        <!-- Configure Access-Control-Allow-Methods -->
        <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>

        <!-- Configure Access-Control-Allow-Headers -->
        <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>

        <!-- Configure Access-Control-Allow-Credentials -->
        <!-- Specifying this header to true means that the server allows cookies (or other user credentials) to be included on cross-origin requests.
             It is false by default and if you set it to true then make sure that the Access-Control-Allow-Origin header does not contain the wildcard (*) -->
        <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
    </CORSConfiguration>
    
    <!-- This property is there to configure velocity log output into existing Log4j carbon Logger.
         You can enable this and set preferable Logger name. -->
    <!-- VelocityLogger>VELOCITY</VelocityLogger -->

    <RESTAPI>
        <!--Configure white-listed URIs of REST API. Accessing white-listed URIs does not require credentials (does not require Authorization header). -->
        <WhiteListedURIs>
            <WhiteListedURI>
                <URI>/api/am/publisher/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/admin/{version}/swagger.json</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
            <WhiteListedURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,HEAD</HTTPMethods>
            </WhiteListedURI>
        </WhiteListedURIs>
        <ETagSkipList>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/generate-sdk</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/applications/generate-keys</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/subscriptions</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tags</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
                <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
                <HTTPMethods>GET,PUT</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/environments</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
                <HTTPMethods>GET</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
                <HTTPMethods>GET,POST</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
                <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
            </ETagSkipURI>
            <ETagSkipURI>
                <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
                <HTTPMethods>POST</HTTPMethods>
            </ETagSkipURI>
        </ETagSkipList>
    </RESTAPI>
    <ThrottlingConfigurations>
        <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
        <DataPublisher>
            <Enabled>true</Enabled>
            <Type>Binary</Type>
            <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
            <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <DataPublisherPool>
                <MaxIdle>1000</MaxIdle>
                <InitIdleCapacity>200</InitIdleCapacity>
            </DataPublisherPool>
            <DataPublisherThreadPool>
                <CorePoolSize>200</CorePoolSize>
                <MaxmimumPoolSize>1000</MaxmimumPoolSize>
                <KeepAliveTime>200</KeepAliveTime>
            </DataPublisherThreadPool>
        </DataPublisher>
        <PolicyDeployer>
            <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
        </PolicyDeployer>
        <BlockCondition>
            <Enabled>true</Enabled>
            <!--InitDelay>300000</InitDelay>
            <Period>3600000</Period-->
        </BlockCondition>
        <JMSConnectionDetails>
            <Enabled>true</Enabled>
            <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
            <Username>${admin.username}</Username>
            <Password>${admin.password}</Password>
            <Destination>throttleData</Destination>
            <!--InitDelay>300000</InitDelay-->
            <JMSConnectionParameters>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
            </JMSConnectionParameters>
            <JMSTaskManager>
                <MinThreadPoolSize>20</MinThreadPoolSize>
                <MaxThreadPoolSize>100</MaxThreadPoolSize>
                <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
                <JobQueueSize>10</JobQueueSize>
            </JMSTaskManager>
        </JMSConnectionDetails>
        <JMSEventPublisherParameters>
                <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
                <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
                <transport.jms.DestinationType>topic</transport.jms.DestinationType>
                <transport.jms.Destination>throttleData</transport.jms.Destination>
                <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
                <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
        </JMSEventPublisherParameters>
        <!--DefaultLimits>
            <SubscriptionTierLimits>
                <Gold>5000</Gold>
                <Silver>2000</Silver>
                <Bronze>1000</Bronze>
                <Unauthenticated>60</Unauthenticated>
            </SubscriptionTierLimits>
            <ApplicationTierLimits>
                <50PerMin>50</50PerMin>
                <20PerMin>20</20PerMin>
                <10PerMin>10</10PerMin>
            </ApplicationTierLimits>
            <ResourceLevelTierLimits>
                <50KPerMin>50000</50KPerMin>
                <20KPerMin>20000</20KPerMin>
                <10KPerMin>10000</10KPerMin>
            </ResourceLevelTierLimits>
        </DefaultLimits-->
        <EnableUnlimitedTier>true</EnableUnlimitedTier>
        <EnableHeaderConditions>false</EnableHeaderConditions>
        <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
        <EnableQueryParamConditions>false</EnableQueryParamConditions>
    </ThrottlingConfigurations>
    
    <WorkflowConfigurations>
        <Enabled>false</Enabled>
    <ServerUrl>https://localhost:9445/bpmn</ServerUrl>  
    <ServerUser>${admin.username}</ServerUser>
    <ServerPassword>${admin.password}</ServerPassword>
    <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
        <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
        <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
        <DCREndPointUser>${admin.username}</DCREndPointUser>
        <DCREndPointPassword>${admin.password}</DCREndPointPassword>
    </WorkflowConfigurations>

    <SwaggerCodegen>
        <ClientGeneration>
            <GroupId>org.wso2</GroupId>
            <ArtifactId>org.wso2.client.</ArtifactId>
            <ModelPackage>org.wso2.client.model.</ModelPackage>
            <ApiPackage>org.wso2.client.api.</ApiPackage>
            <!-- Configure supported languages/Frameworks as comma separated values,
             Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
             nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
            <SupportedLanguages>java,android</SupportedLanguages>
        </ClientGeneration>
    </SwaggerCodegen>

</APIManager>

Do you need my IS one, too?

Regards,

Thomas

2017-06-15 22:16 GMT+02:00 Farasath Ahamed <[hidden email]>:
Would be better if you could share the api-manager.xml configuration file to see if there are any errors in configs.




Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello again,

I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS. I configured them to use SAML to retrieve information like the roles, if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool, here.

But, when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:

    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
      <ams:code>900900</ams:code>
      <ams:message>Unclassified Authentication Failure</ams:message>
      <ams:description>Resource forbidden</ams:description>
    </ams:fault>

But there are no errors in the logs, just a WARN. So, I activated the DEBUG mode and then I can see some interesting things:

[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
        at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
        at org.apache.synapse.rest.API.process(API.java:325)
        at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
        at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
        at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
        at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
        at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
        at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util

From here, I don't know what to do since I tried some fancy URLs for the ServerURL value in the AuthManager and APIKeyValidator elements.
My IS has an offset of 5 so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/

Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
Should I reinstall the Key Manager feature in the IS?

Regards,

Thomas


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

--
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214
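
As an added example for this thread (not WSO2's code and not from anyone posting here), a small Python triage script that walks the `Caused by:` chain of a gateway DEBUG trace like the one above and surfaces the root cause hidden behind the generic 900900 "Unclassified Authentication Failure"; the log text it embeds is a constructed, shortened copy of the trace posted in the thread, and the hint text is my own reading of it.

```python
"""Triage a WSO2 API Manager gateway DEBUG log: map the generic 900900
fault to the innermost exception an operator should actually act on.
Added example for this thread, not WSO2 code."""
import re

# Constructed sample: a shortened copy of the trace posted in the thread.
SAMPLE_LOG = """\
[2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
        at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
        at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
        ... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
"""

ERROR_CODE_RE = re.compile(r"API authentication failed with error (\d+)")
# An exception header line: optional "Caused by: ", a Java class name, ": ", message.
EXC_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Fault|Error)): (.*)$")


def exception_chain(log):
    """Return [(exception_class, message), ...] from outermost to root cause."""
    chain = []
    for line in log.splitlines():
        if line.startswith((" ", "\t")):  # skip 'at ...' frames and '... N more'
            continue
        m = EXC_RE.match(line)
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def triage(log):
    """Summarise a trace: the AM error code, chain depth, root cause and a hint."""
    code = ERROR_CODE_RE.search(log)
    result = {"error_code": code.group(1) if code else None,
              "depth": 0, "root_cause": None, "hint": "no exception chain found"}
    chain = exception_chain(log)
    if not chain:
        return result
    root_class, root_msg = chain[-1]
    result.update(depth=len(chain), root_cause=f"{root_class}: {root_msg}",
                  hint="check the gateway-side authentication configuration")
    if root_class.endswith("AxisFault"):
        # The failure is in the key validation web service call, not in the token:
        # the thread's own suspect is the ServerURL of AuthManager / APIKeyValidator.
        result["hint"] = ("key validation web service call failed; verify the ServerURL "
                          "of AuthManager and APIKeyValidator and the service behind it")
    return result
```

Run `triage(SAMPLE_LOG)` to see the AxisFault surface as the root cause rather than the "Resource forbidden" the client was shown.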