Dear All,
We have 1 SOAP-based API and 300+ SOAP methods (operations) in it.
There are 6 products having access to it and corresponding 6 apps too.
We need to limit access to product1/app1 = first 10 methods,
product2/app2 = first 100 methods,
product/app 3,4,5,6 = all 300 methods
We use OAuth 2.0 client credentials.
Any solution will be appreciated 🙂
Regards
Mathew
I am assuming this is completely SOAP coming to Apigee and to the backend (SOAP-SOAP).
Few options I can think are:
Option 1: (using OAuth scopes)
Option 2: (using Product Custom attributes)
Let me know if you have any questions
@Sujith Mathew - what is your security mechanism for this API in Apigee ? Are you using VerifyAPIKey or something else ? In other words when a call is made, how do you identify the API product ?
Thanks for the response, the security mechanism is OAuth 2.0 (the policy enforced is VerifyAccessToken).
The crux of the matter is we badly need a solution in 6 days. Any help is appreciated.
Option 1 - don't you think it's complicated to implement?
Option 2 - we have a limit of <20 custom attributes, I presume
Option 1 - Yes, but an option. Not really complicated. With OAuth scopes, that's how it's done
Option 2 - No it is a single custom attribute. Look at my example, I have a single attribute as JSON payload.
Again you can tweak your logic as well. You can have methods includes or excludes (which ever is less). If includes is used, you can check if the incoming SOAPAction matches the custom attribute. The reverse if you use excludes in the custom attribute. Hope that clarifies
I like both options, but a client needs to change his stub (client code) if I go for option 1. Agree?
For Option 2 - do you have a sample proxy?
For option 1 - Client will have to request a token with scope as well
For option 2 - I don't have a sample. Not complicated. Just extract the SOAPAction from incoming message using ExtractVariables policy and then in the JavaScript policy, try and just check against the custom attributes to process or abort with a RaiseFault
If you share some sample SOAP messages for this service, I could help
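Since no sample proxy was posted for Option 2, here is an added example (not code from the thread or from Apigee) of the JavaScript-policy logic described above: read the SOAPAction, read the API product's single JSON custom attribute, and set a flow variable that a following RaiseFault step can condition on. Assumptions not confirmed by the thread: the custom attribute is named `soap-methods`, VerifyAccessToken exposes it as the flow variable `apiproduct.soap-methods`, the attribute holds either `{"includes": [...]}` or `{"excludes": [...]}`, and SOAPAction is read from the request header (an ExtractVariables variable works the same way). The `fakeContext` helper is a constructed stand-in for Apigee's `context` object so the block runs outside the gateway.

```javascript
// Added example (not from the thread): Apigee JavaScript-policy style check that
// decides whether the incoming SOAP operation is allowed for the calling app's
// API product, using one product custom attribute that holds JSON.
//
// Assumptions (not confirmed by the thread):
//  - the custom attribute is named "soap-methods" and holds either
//      {"includes": ["Op1", "Op2"]}   or   {"excludes": ["Op3"]}
//  - VerifyAccessToken exposes it as the flow variable apiproduct.soap-methods
//  - SOAPAction comes from the request header; the header value may be quoted
//    and may carry a URI prefix ("http://.../svc/GetOrder" or "urn:svc#GetOrder").

// Normalise the SOAPAction header: strip surrounding quotes and any URI prefix,
// so "http://example.com/svc/GetOrder" becomes "GetOrder".
function normalizeSoapAction(raw) {
  if (raw === null || raw === undefined) return "";
  var s = String(raw).trim().replace(/^"|"$/g, "");
  var idx = Math.max(s.lastIndexOf("/"), s.lastIndexOf("#"));
  return idx >= 0 ? s.substring(idx + 1) : s;
}

// Parse the JSON custom attribute. Returns null on malformed or unknown input
// so the caller fails closed instead of silently allowing every operation.
function parseMethodPolicy(attrJson) {
  var policy;
  try { policy = JSON.parse(attrJson); } catch (e) { return null; }
  if (!policy || typeof policy !== "object") return null;
  if (Array.isArray(policy.includes)) return { mode: "includes", methods: policy.includes };
  if (Array.isArray(policy.excludes)) return { mode: "excludes", methods: policy.excludes };
  return null;
}

// Core decision: the operation is allowed only when an explicit policy permits it.
function isMethodAllowed(soapActionRaw, attrJson) {
  var op = normalizeSoapAction(soapActionRaw);
  var policy = parseMethodPolicy(attrJson);
  if (op === "" || policy === null) return false;        // fail closed
  var listed = policy.methods.indexOf(op) !== -1;
  return policy.mode === "includes" ? listed : !listed;
}

// Entry point as it would run inside an Apigee JavaScript policy: `context` is
// the policy's global. The variables set here drive a RaiseFault step with a
// condition such as  soap.method.allowed = "false"  (assumed variable names).
function enforceMethodAccess(ctx) {
  var action = ctx.getVariable("request.header.SOAPAction");
  var attr = ctx.getVariable("apiproduct.soap-methods"); // assumed attribute name
  var allowed = isMethodAllowed(action, attr);
  ctx.setVariable("soap.method.name", normalizeSoapAction(action));
  ctx.setVariable("soap.method.allowed", allowed ? "true" : "false");
  return allowed;
}

// Constructed stand-in for Apigee's `context` so the block runs outside the gateway.
function fakeContext(vars) {
  return {
    getVariable: function (k) { return Object.prototype.hasOwnProperty.call(vars, k) ? vars[k] : null; },
    setVariable: function (k, v) { vars[k] = v; }
  };
}

if (typeof context !== "undefined") {
  enforceMethodAccess(context);           // real policy execution inside Apigee
} else {
  // Constructed sample: product1's attribute lists only two permitted operations.
  var demo = fakeContext({
    "request.header.SOAPAction": "\"http://example.com/svc/GetOrder\"",
    "apiproduct.soap-methods": JSON.stringify({ includes: ["GetOrder", "ListOrders"] })
  });
  console.log("GetOrder allowed for product1:", enforceMethodAccess(demo));
}
```

Keeping the decision in `isMethodAllowed` separate from the `context` calls lets you unit-test the include/exclude logic outside the gateway; the fail-closed branches (empty SOAPAction, unparsable or missing attribute) matter because a product whose attribute was never set would otherwise get all 300 methods.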