Tuesday, December 1, 2015

Using WSO2 ESB's Entitlement Mediator with WSO2 IS 5.0.0

The concept behind applying entitlement to a proxy service is explained in the blog post Authentication and Authorization with WSO2 ESB & WSO2 IS.

Here is a step-by-step guide to doing this with WSO2 ESB 4.8.1 and WSO2 IS 5.0.0.

General Settings
Ideally, user stores must be shared between IS and ESB. But if you are testing this with the admin user, which exists by default in both servers with the same permissions, you may not need to share the user stores.

Configuring WSO2 IS
  • Start the WSO2 IS with port offset 1
  • Log in to the Management Console
  • In the Main menu, go to Entitlement --> PAP --> Policy Administration
  • Click on the "Add New Entitlement Policy" link
  • Select "Basic Policy Editor"
  • Configure the policy as below: (Note that we have given the name of the proxy that we will create in ESB as the Resource Name)

  • Click on Finish
  • After creating it, click on the created policy as below.






  • This will open up the policy in an XML editor. Change the rule effect to Permit and click on "Save Policy"


  • Publish the policy to PDP as below:
















Configuring WSO2 ESB
  • Start the ESB and log in to the Management console
  • Create a proxy service
  • Inside the inSequence, add an Entitlement Mediator with the username and password 'admin' and 'admin' and the IS services URL (configuration steps for the Entitlement Mediator can be found in the Entitlement Mediator documentation)
  • In the <onAccept> rule, add a send mediator and specify the address URI of echoService.
  • Secure the proxy service with the Username Token policy
  • The final config will look like below.

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="echoProxy"
       transports="https"
       startOnLoad="true"
       trace="disable">
   <description/>
   <target>
      <inSequence>
         <log level="full">
            <property name="echoProxy" value="in Seq called"/>
         </log>
         <log level="full">
            <property name="EntitlementSequence" value="going to call entitlement service"/>
         </log>
         <entitlementService remoteServiceUrl="https://localhost:9444/services/"
                             remoteServiceUserName="admin"
                             remoteServicePassword="enc:kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg="
                             callbackClass="org.wso2.carbon.identity.entitlement.mediator.callback.UTEntitlementCallbackHandler"
                             client="basicAuth">
            <onReject>
               <makefault version="soap12">
                  <code xmlns:soap12Env="http://www.w3.org/2003/05/soap-envelope"
                        value="soap12Env:Receiver"/>
                  <reason value="UNAUTHORIZED"/>
                  <node>node</node>
                  <role>role</role>
                  <detail>XACML Authorization Failed</detail>
               </makefault>
               <respond/>
            </onReject>
            <onAccept>
               <log level="full" separator=",">
                  <property name="EntitlementSequence************" value="OnAccept"/>
               </log>
               <send>
                  <endpoint>
                     <address uri="https://localhost:8243/services/echo">
                        <timeout>
                           <duration>30000</duration>
                           <responseAction>discard</responseAction>
                        </timeout>
                     </address>
                  </endpoint>
               </send>
               <log level="full" separator=",">
                  <property name="EntitlementSequence**************"
                            value="OnAccept after call to echo"/>
               </log>
            </onAccept>
            <obligations/>
            <advice/>
         </entitlementService>
         <log level="full">
            <property name="after entitlement" value="after entitlement"/>
         </log>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
   </target>
   <policy key="conf:/repository/axis2/service-groups/testp/services/testp/policies/UTOverTransport"/>
   <parameter name="ScenarioID">scenario1</parameter>
   <enableSec/>
</proxy>
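
The settings that this configuration depends on (HTTPS-only exposure, the UsernameToken policy, an HTTPS PDP URL, an encrypted PDP password, and a reject branch that ends the flow) can be checked mechanically before a proxy is deployed. The following Python sketch is an added example, not part of the original post or of WSO2's tooling; the finding codes and the sample proxy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SYN = "http://ws.apache.org/ns/synapse"
NS = {"s": SYN}

# Constructed sample: same shape as the proxy above, with weak settings
# introduced on purpose so that every check has something to report.
SAMPLE_WEAK = """<proxy xmlns="http://ws.apache.org/ns/synapse" name="echoProxy"
       transports="https http" startOnLoad="true">
  <target><inSequence>
    <entitlementService remoteServiceUrl="http://localhost:9764/services/"
        remoteServiceUserName="admin" remoteServicePassword="admin"
        client="basicAuth">
      <onReject><log level="simple"/></onReject>
      <onAccept><send/></onAccept>
    </entitlementService>
  </inSequence></target>
</proxy>"""


def audit_proxy(xml_text):
    """Return sorted finding codes for one Synapse proxy definition."""
    proxy = ET.fromstring(xml_text)
    findings = set()
    # The page's proxy is exposed on https only; no attribute means all transports.
    if set(proxy.get("transports", "").split()) != {"https"}:
        findings.add("proxy-not-https-only")
    # UsernameToken security needs both <enableSec/> and a <policy> reference.
    if proxy.find("s:enableSec", NS) is None or proxy.find("s:policy", NS) is None:
        findings.add("proxy-not-secured")
    for ent in proxy.iter("{%s}entitlementService" % SYN):
        # Credentials for the PDP call travel to this URL as basic auth.
        if not ent.get("remoteServiceUrl", "").startswith("https://"):
            findings.add("pdp-url-not-https")
        # The page stores the password in encrypted form ("enc:" prefix).
        if not ent.get("remoteServicePassword", "").startswith("enc:"):
            findings.add("pdp-password-plaintext")
        # As on the page, a reject branch should end the flow (respond or drop).
        reject = ent.find("s:onReject", NS)
        if reject is None or (reject.find("s:respond", NS) is None
                              and reject.find("s:drop", NS) is None):
            findings.add("reject-does-not-stop")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_proxy(SAMPLE_WEAK))
```

Run against the echoProxy definition above, the same function reports no findings.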

  

Trying out the Proxy Service
  • You can use the TryIt tool of the WSO2 ESB and invoke the proxy by providing username and password as 'admin' and 'admin'
  • You will get the echoed response

Friday, July 11, 2014

Mobile App Type Classification



WSO2 Mobile

WSO2 is a world-renowned enterprise middleware provider. Around 1-2 years ago, WSO2 started WSO2 Mobile, a subsidiary of WSO2 Inc., the parent company.

WSO2 Enterprise Mobility Manager is a device and mobile app management platform developed by WSO2 Mobile. In order to get an idea of what these mobile apps are, what types of apps are available, etc., I did a bit of research.

Mobiles, smartphones, tablet PCs, iPads: all of these were luxury high-tech items a couple of years back. People quickly adapted to the usage of mobile phones with time.

In the past 1-2 years, the usage of smart devices in the world has grown exponentially. Smartphones and devices penetrated the market easily as they became more affordable, and because of the availability and competitiveness of 3G and 4G.

There are various applications in the mobile market which work on these devices. According to their characteristics, there are 3 basic types of applications.


Reference: http://cdn.sixrevisions.com/0274-02_facebook_native_mobile_web_app.jpg


Native Apps

These are the apps that are installed on the device itself. These apps can be accessed via icons on the mobile device. Such apps either come with the device or can be downloaded from an application store (Google Play store or Apple App Store).

These apps are platform specific and can access any device feature such as the camera, contact list, GPS, etc. Because of the platform dependency of the apps, developing them is expensive. You need to create the same app in different coding languages depending on the underlying OS of the device.
e.g.:
  • for Android devices - Java
  • for iOS devices - Objective-C
  • for Windows Phone - Visual C++
Also, most native apps do not need the device to be online in order to function.
If there are any new versions or updates available for the app, the device user needs to manually download them.


Mobile Web Apps

Mobile web apps are stored on a remote server, and clients access the web app via a special URL through the mobile's web browser.

Unlike native apps, these are not installed on the mobile device. Therefore, mobile web apps have access to only a limited number of the device's features, such as orientation, media, etc.

Typically, mobile web apps are written in HTML5. Other languages such as CSS3 and JavaScript, and scripting languages like PHP, Rails and Python, are used too.

As mobile web apps are stored only on the remote server, updates are applied directly to them. Therefore, users do not have to manually install any upgrades as they do with native apps.



As shown above, there are pros and cons to both mobile app approaches. Therefore, mobile app developers introduced the concept of hybrid mobile apps to the market.


Hybrid Mobile Apps

As the name implies, these are like native apps running on the device, but are written in web app development technologies like HTML5 and JavaScript. There is a web-to-native abstraction layer that enables the apps to access device features such as the camera, storage, etc.

Hybrid apps are generally built like mobile web apps using HTML5 etc., and wrapped in a mobile-platform-specific container that exposes the native features. This way, both development convenience and presence in the mobile app stores are achieved easily.

 

In essence, we can classify the types of mobile apps as below. 

Source: https://s3.amazonaws.com/dfc-wiki/en/images/c/c2/Native_html5_hybrid.png




Friday, February 21, 2014

How to call an Admin Service using JMeter

Recently I wanted to invoke an Admin service in API Manager for a test. My objective was to create a JMeter test script which would:

  • Log in to the server as a TENANT
  • Create an API as the tenant
  • Publish the API
  • MODIFY the API config with new properties
  • Subscribe to the API
  • Invoke the API and check the result.

To modify the API's synapse config with new properties, I had to invoke the updateApiForTenant operation in the https://localhost:9443/services/RestApiAdmin service.

Step 1: Authorize the service
I created an HTTP Authorization Manager and passed the username and the password as follows:
<stringProp name="Authorization.url">https://${server}:9443/services/RestApiAdmin.RestApiAdminHttpsSoap11Endpoint/</stringProp>
<stringProp name="Authorization.username">admin</stringProp>
<stringProp name="Authorization.password">admin</stringProp>
<stringProp name="Authorization.domain"></stringProp>
<stringProp name="Authorization.realm"></stringProp>



The required inputs were the API name, the tenant domain and the API data. Passing the API data was a bit tricky. For the API data, what is required is the entire API's synapse configuration as a string. After a bit of a struggle, with some assistance, I could figure out the way to pass the API data.

I passed the entire synapse config in a <![CDATA[     ]]> section.

Hope this will help you!!!
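
The CDATA approach has one edge case: a synapse config that itself contains a CDATA section (for example an inline script) holds the terminator "]]>" and would close the outer section early. The Python sketch below is an added example, not from the original post; it builds the updateApiForTenant request body with the terminator split safely and checks that the config round-trips. The namespace and the apiName, apiData and tenantDomain element names are assumptions for illustration and must be taken from the service's WSDL.

```python
import xml.etree.ElementTree as ET

# Assumed names: this namespace and the apiName / apiData / tenantDomain
# element names are placeholders; the real ones come from the service WSDL.
NS = "http://example.invalid/restapiadmin"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample API config containing its own CDATA section.
SAMPLE_API = (
    '<api xmlns="http://ws.apache.org/ns/synapse" name="demo" context="/demo">'
    '<resource methods="GET"><inSequence>'
    '<property name="note" value="a &amp; b"/>'
    '<script language="js"><![CDATA[mc.setProperty("k", "v");]]></script>'
    '</inSequence></resource></api>'
)


def cdata(text):
    """Wrap text in CDATA, splitting every ']]>' across two sections."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def escape(text):
    """Escape plain element text (used for the short string parameters)."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def build_request(api_name, tenant_domain, api_config):
    """Build the SOAP 1.1 envelope that a JMeter SOAP sampler would post."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:adm="{NS}">'
        "<soapenv:Body><adm:updateApiForTenant>"
        f"<adm:apiName>{escape(api_name)}</adm:apiName>"
        f"<adm:apiData>{cdata(api_config)}</adm:apiData>"
        f"<adm:tenantDomain>{escape(tenant_domain)}</adm:tenantDomain>"
        "</adm:updateApiForTenant></soapenv:Body></soapenv:Envelope>"
    )


def extract_api_data(envelope):
    """Parse the envelope the way the server would and return the config string."""
    return ET.fromstring(envelope).find(f".//{{{NS}}}apiData").text


if __name__ == "__main__":
    request = build_request("demo", "abc.com", SAMPLE_API)
    print(extract_api_data(request) == SAMPLE_API)
```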


Thursday, February 20, 2014

Achieve EIP- Enterprise Integration Patterns with WSO2 ESB

When enterprises seek an integration solution, one basic aspect they always look for is EIP.

Gregor Hohpe, the ex-Google architect, has written a book on the widely used integration patterns.

WSO2 ESB, which is a world-renowned message mediation, routing and integration engine, has compiled a guide on EIP with WSO2 ESB.


This guide explains how WSO2 ESB can be configured to operate in each pattern, with sample configurations. It contains:

  • Introduction to the pattern
  • Example business scenario
  • Sample configuration to achieve the above use case
  • Explanation on how each configuration operates
Visit and read the comprehensive guide, and get your enterprise going with EIP!!!

Wednesday, February 19, 2014

WSO2 ESB becomes Fastest ESB again.. ESB Performance Round 7.5

WSO2 has done another round of performance tests with the latest WSO2 ESB release, WSO2 ESB 4.8.1.

The performance test results are published in the WSO2 Library article: ESB Performance Round 7.5

The study shows how the latest WSO2 ESB outperforms a number of other open source ESBs. A summary of the observation is below:

The above figure clearly shows how performant WSO2 ESB is compared to the other vendors.

Want to experience a speedy and smooth integration in your enterprise??
Visit WSO2 ESB page and download today.
You can read more on WSO2 ESB in the latest ESB documentation.  

Wednesday, November 13, 2013

Advertising with WSO2 API Manager by Publishing to External API Store

In WSO2 API Manager 1.5.0, we don't have support for API sharing across tenants because, with the current design, there is no way to replicate the API metadata that should be written to the databases and registries along with the API configurations. Therefore, there is no straightforward approach to replicate a set of tenant APIs from one tenant to others.
 













But we have the Advertising feature, where we have the capability of displaying APIs published by tenant 1, in tenant 2's API store. However, tenant 2's users will not be able to subscribe to the APIs published by tenant 1.


To do this, you need to uncomment the <ExternalAPIStores> element in $APIM_HOME/repository/conf/api-manager.xml. A tenant's external API stores can be configured as follows by giving the tenant domain and the tenant admin's user name and password:
<ExternalAPIStore id="Store1" type="wso2">
    <DisplayName>Store1</DisplayName>
    <Endpoint>http://localhost:9763/store?tenant=abc.com</Endpoint>
    <Username>abc@abc.com</Username>
    <Password>abc123</Password>
</ExternalAPIStore>


Imagine you are logged in to the API Publisher as the tenant xyz.com. In the UI, there will be a tab named "External API Store". There, you will be able to see all the external tenant details you configured earlier via api-manager.xml. Now tenant xyz.com can publish its API, so that tenant abc.com can see it too.
Now if you log in to tenant abc.com's API store, you will see the API advertised or published by tenant xyz.com. (But tenant abc.com will still not be able to subscribe to it using abc.com's credentials.)

Await the next WSO2 API Manager release, which will allow you to subscribe to the advertised API regardless of the tenant.