Hello,

Thank you for your answers.

I activated the DEBUG mode on the IS in the class org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService and I can see that the IS receives something, because when I send a wrong OAuth token it says:

[2017-06-16 12:10:00,563] ERROR {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl} - Invalid OAuth Token : Invalid accessken

And when I send a right one:

[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} - OAuth token response from Manager to gateway: , appName=myApp , userName=myUser@carbon.super , transactionId= , consumerKey=5bWQioSHWbt9I24xizeP0o20a , isAuthorized=true , responseTime=Fri Jun 16 14:19:52 CEST 2017
[2017-06-16 14:19:52,028] DEBUG {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService} - APIKeyValidationInfoDTO bee returning : APIKeyValidationInfoDTO = { authorized:true , subscriber:admin , tier:Unlimited , type:PRODUCTION , userType:APPLICATION_USER , endUserToken:null , endUserName:myUser@carbon.super , applicationId:3 , applicationName:myApp , applicationr:Unlimited , validationStatus:0 , validityPeriod:2009000 , issuedTime:1497615592019 , apiName:MyAPI , consumerKey:5bWQioSH9I24xizeP0oxTw20a , spikeArrestLimit:0 , spikeArrestUnit:null , subscriberTenantDomain:carbon.super , stopOnQuotaReach:true ,iPublisher:admin]]

We can see the authorized: true (if that means something), so it is like the API manager doesn't know how to interpret this message and takes a shortcut to a conclusion because of an Axis error.

So from here, I don't know what to do :(

Regards,

Thomas

2017-06-16 13:13 GMT+02:00 Farasath Ahamed <farasa...@wso2.com>:

> On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <raji...@wso2.com> wrote:
>
>> Hi Thomas,
>>
>> You need to subscribe to that particular API from the application you have generated the access token for. If there is no valid subscription then this error can happen.
>> And also if you have assigned specif scopes to api resource , then the >> access token should also have that scopes when it was generated. >> This resource forbidden issue can occur due to above mentioned errors. >> > > In those cases shouldn't the error codes be different according to [1]. > > > <ams:fault xmlns:ams="http://wso2.org/apimanager/security"> > <ams:code>900900</ams:code> > <ams:message>Unclassified Authentication Failure</ams:message> > <ams:description>Resource forbidden</ams:description> > </ams:fault> > > Error code 900900. according [1] says that, > Backend service for key validation is not accessible when trying to invoke > an API > > > > > [1] https://docs.wso2.com/display/AM210/Error+Handling > > >> >> Thanks! >> Rajith >> >> On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND < >> thomas.legr...@versusmind.eu> wrote: >> >>> Hello ! >>> >>> Sure. Here is my api-manager.xml AM configuration file: >>> >>> <APIManager> >>> <!-- JNDI name of the data source to be used by the API publisher, >>> API store and API >>> key manager. This data source should be defined in the >>> master-datasources.xml file >>> in conf/datasources directory. --> >>> <DataSourceName>jdbc/WSO2AM_DB</DataSourceName> >>> >>> <!-- This parameter is used when adding api management capability to >>> other products like GReg, AS, DSS etc.--> >>> <!--GatewayType>Synapse</GatewayType--> >>> <GatewayType>None</GatewayType> >>> >>> <!-- This parameter is used to enable the securevault support when >>> try to publish endpoint secured APIs. Values should be "true" or "false". >>> By default secure vault is disabled.--> >>> <EnableSecureVault>false</EnableSecureVault> >>> >>> <!-- Authentication manager configuration for API publisher and API >>> store. This is >>> a required configuration for both web applications as their >>> user authentication >>> logic relies on this. 
--> >>> <AuthManager> >>> <!-- Server URL of the Authentication service --> >>> <!--ServerURL>https://localhost:${mgt.transport.https.port}$ >>> {carbon.context}services/</ServerURL--> >>> <ServerURL>https://localhost:9448/services/</ServerURL> >>> <!-- Admin username for the Authentication manager. --> >>> <Username>${admin.username}</Username> >>> <!-- Admin password for the Authentication manager. --> >>> <Password>${admin.password}</Password> >>> <!-- Indicates whether the permissions checking of the user (on >>> the Publisher and Store) should be done >>> via a remote service. The check will be done on the local >>> server when false. --> >>> <CheckPermissionsRemotely>false</CheckPermissionsRemotely> >>> </AuthManager> >>> >>> <JWTConfiguration> >>> <!-- Enable/Disable JWT generation. Default is false. --> >>> <!-- EnableJWTGeneration>false</EnableJWTGeneration--> >>> >>> <!-- Name of the security context header to be added to the >>> validated requests. --> >>> <JWTHeader>X-JWT-Assertion</JWTHeader> >>> >>> <!-- Fully qualified name of the class that will retrieve >>> additional user claims >>> to be appended to the JWT. If not specified no claims will >>> be appended.If user wants to add all user claims in the >>> jwt token, he needs to enable this parameter. >>> The DefaultClaimsRetriever class adds user claims from the >>> default carbon user store. --> >>> <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.tok >>> en.DefaultClaimsRetriever</ClaimsRetrieverImplClass--> >>> >>> <!-- The dialectURI under which the claimURIs that need to be >>> appended to the >>> JWT are defined. Not used with custom ClaimsRetriever >>> implementations. The >>> same value is used in the keys for appending the default >>> properties to the >>> JWT. --> >>> <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDiale >>> ctURI--> >>> >>> <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To >>> disable signing explicitly specify "NONE". 
--> >>> <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm--> >>> >>> <!-- This parameter specifies which implementation should be >>> used for generating the Token. JWTGenerator is the >>> default implementation provided. --> >>> <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGen >>> erator</JWTGeneratorImpl> >>> >>> <!-- This parameter specifies which implementation should be >>> used for generating the Token. For URL safe JWT >>> Token generation the implementation is provided in >>> URLSafeJWTGenerator --> >>> <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.UR >>> LSafeJWTGenerator</JWTGeneratorImpl>--> >>> >>> <!-- Remove UserName from JWT Token --> >>> <!-- <RemoveUserNameFromJWTForAppli >>> cationToken>true</RemoveUserNameFromJWTForApplicationToken>--> >>> </JWTConfiguration> >>> >>> <!-- Primary/secondary login configuration for APIstore. If user >>> likes to keep two login attributes in a distributed setup, to login the >>> APIstore, >>> he should configure this section. Primary login doesn't have a claimUri >>> associated with it. But secondary login, which is a claim attribute, >>> is associated with a claimuri.--> >>> <!--LoginConfig> >>> <UserIdLogin primary="true"> >>> <ClaimUri></ClaimUri> >>> </UserIdLogin> >>> <EmailLogin primary="false"> >>> <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri> >>> </EmailLogin> >>> </LoginConfig--> >>> >>> <!-- Credentials for the API gateway admin server. This configuration >>> is mainly used by the API publisher and store to connect to the >>> API gateway and >>> create/update published API configurations. --> >>> <APIGateway> >>> <!-- The environments to which an API will be published --> >>> <Environments> >>> <!-- Environments can be of different types. Allowed values >>> are 'hybrid', 'production' and 'sandbox'. 
>>> An API deployed on a 'production' type gateway will >>> only support production keys >>> An API deployed on a 'sandbox' type gateway will only >>> support sandbox keys >>> An API deployed on a 'hybrid' type gateway will support >>> both production and sandbox keys. --> >>> <!-- api-console element specifies whether the environment >>> should be listed in API Console or not --> >>> <Environment type="hybrid" api-console="true"> >>> <Name>Production and Sandbox</Name> >>> <Description>This is a hybrid gateway that handles both >>> production and sandbox token traffic.</Description> >>> <!-- Server URL of the API gateway --> >>> <ServerURL>https://localhost:$ >>> {mgt.transport.https.port}${carbon.context}services/</ServerURL> >>> <!-- Admin username for the API gateway. --> >>> <Username>${admin.username}</Username> >>> <!-- Admin password for the API gateway.--> >>> <Password>${admin.password}</Password> >>> <!-- Endpoint URLs for the APIs hosted in this API >>> gateway.--> >>> <GatewayEndpoint>http://${carb >>> on.local.ip}:${http.nio.port},https://${carbon.local.ip}:${h >>> ttps.nio.port}</GatewayEndpoint> >>> </Environment> >>> </Environments> >>> </APIGateway> >>> >>> <CacheConfigurations> >>> <!-- Enable/Disable token caching at the Gateway--> >>> <EnableGatewayTokenCache>true</EnableGatewayTokenCache> >>> <!-- Enable/Disable API resource caching at the Gateway--> >>> <EnableGatewayResourceCache>true</EnableGatewayResourceCache> >>> <!-- Enable/Disable API key validation information caching at >>> key-management server --> >>> <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache> >>> <!-- This parameter specifies whether Recently Added APIs will >>> be loaded from the cache or not. >>> If there are multiple API modification during a short time >>> period, better to disable cache. 
--> >>> <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache> >>> <!-- JWT claims Cache expiry in seconds --> >>> <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry--> >>> <!-- Expiry time for the apim key mgt validation info cache --> >>> <!--TokenCacheExpiry>900</TokenCacheExpiry--> >>> <!-- This parameter specifies the expiration time of the >>> TagCache. TagCache will >>> only be created when this element is uncommented. When the >>> specified >>> time duration gets elapsed ,tag cache will get >>> re-generated. --> >>> <!--TagCacheDuration>120000</TagCacheDuration--> >>> </CacheConfigurations> >>> >>> <!-- >>> API usage tracker configuration used by the DAS data publisher >>> and >>> Google Analytics publisher in API gateway. >>> --> >>> <Analytics> >>> <!-- Enable Analytics for API Manager --> >>> <Enabled>false</Enabled> >>> >>> <!-- Server URL of the remote DAS/CEP server used to collect >>> statistics. Must >>> be specified in protocol://hostname:port/ format. >>> >>> An event can also be published to multiple Receiver Groups >>> each having 1 or more receivers. Receiver >>> Groups are delimited by curly braces whereas receivers are >>> delimited by commas. >>> Ex - Multiple Receivers within a single group >>> tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost >>> :7614/ >>> >>> Ex - Multiple Receiver Groups with two receivers each >>> {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localho >>> st:7712/,tcp://localhost:7713/} --> >>> <DASServerURL>{tcp://localhost:7612}</DASServerURL> >>> <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL--> >>> <!-- Administrator username to login to the remote DAS server. >>> --> >>> <DASUsername>${admin.username}</DASUsername> >>> <!-- Administrator password to login to the remote DAS server. >>> --> >>> <DASPassword>${admin.password}</DASPassword> >>> >>> <!-- For APIM implemented Statistic client for RDBMS --> >>> <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl. 
>>> APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl> >>> >>> <!-- DAS REST API configuration --> >>> <DASRestApiURL>https://localhost:9444</DASRestApiURL> >>> <DASRestApiUsername>${admin.username}</DASRestApiUsername> >>> <DASRestApiPassword>${admin.password}</DASRestApiPassword> >>> >>> <!-- Below property is used to skip trying to connect to event >>> receiver nodes when publishing events even if >>> the stats enabled flag is set to true. --> >>> <SkipEventReceiverConnection>false</SkipEventReceiverConnection> >>> >>> <!-- API Usage Data Publisher. --> >>> <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMg >>> tUsageDataBridgeDataPublisher</PublisherClass> >>> >>> <!-- If below property set to true,then the response message >>> size will be calculated and publish >>> with each successful API invocation event. --> >>> <PublishResponseMessageSize>false</PublishResponseMessageSize> >>> <!-- Data publishing stream names and versions of API requests, >>> responses and faults. If the default values >>> are changed, the toolbox also needs to be changed >>> accordingly. --> >>> <Streams> >>> <Request> >>> <Name>org.wso2.apimgt.statistics.request</Name> >>> <Version>1.1.0</Version> >>> </Request> >>> <Response> >>> <Name>org.wso2.apimgt.statistics.response</Name> >>> <Version>1.1.0</Version> >>> </Response> >>> <Fault> >>> <Name>org.wso2.apimgt.statistics.fault</Name> >>> <Version>1.0.0</Version> >>> </Fault> >>> <Throttle> >>> <Name>org.wso2.apimgt.statistics.throttle</Name> >>> <Version>1.0.0</Version> >>> </Throttle> >>> <Workflow> >>> <Name>org.wso2.apimgt.statistics.workflow</Name> >>> <Version>1.0.0</Version> >>> </Workflow> >>> <ExecutionTime> >>> <Name>org.wso2.apimgt.statistics.execution.time</Name> >>> <Version>1.0.0</Version> >>> </ExecutionTime> >>> <AlertTypes> >>> <Name>org.wso2.analytics.apim. 
>>> alertStakeholderInfo</Name> >>> <Version>1.0.0</Version> >>> </AlertTypes> >>> </Streams> >>> >>> </Analytics> >>> >>> <!-- >>> API key validator configuration used by API key manager (IS), >>> API store and API gateway. >>> API gateway uses it to validate and authenticate users against >>> the provided API keys. >>> --> >>> <APIKeyValidator> >>> <!-- Server URL of the API key manager --> >>> <!--ServerURL>https://localhost:${mgt.transport.https.port}$ >>> {carbon.context}services/</ServerURL--> >>> <ServerURL>https://localhost:9448/services/</ServerURL> >>> >>> <!-- Admin username for API key manager. --> >>> <Username>${admin.username}</Username> >>> <!-- Admin password for API key manager. --> >>> <Password>${admin.password}</Password> >>> <!--Username>admin</Username> >>> <Password>admin</Password--> >>> >>> <!-- Configurations related to enable thrift support for >>> key-management related communication. >>> If you want to switch back to Web Service Client, change >>> the value of "KeyValidatorClientType" to "WSClient". >>> In a distributed environment; >>> -If you are at the Gateway node, you need to point >>> "ThriftClientPort" value to the "ThriftServerPort" value given at >>> KeyManager node. >>> -If you need to start two API Manager instances in the same >>> machine, you need to give different ports to "ThriftServerPort" value in >>> two nodes. >>> -ThriftServerHost - Allows to configure a hostname for the >>> thrift server. It uses the carbon hostname by default. >>> -The Gateway uses this parameter to connect to the key >>> validation thrift service. 
--> >>> <KeyValidatorClientType>WSClient</KeyValidatorClientType> >>> <ThriftClientConnectionTimeOut>10000</ThriftClientConnection >>> TimeOut> >>> <!--ThriftClientPort>10397</ThriftClientPort--> >>> >>> <EnableThriftServer>false</EnableThriftServer> >>> <ThriftServerHost>localhost</ThriftServerHost> >>> <!--ThriftServerPort>10397</ThriftServerPort--> >>> >>> <!--ConnectionPool> >>> <MaxIdle>100</MaxIdle> >>> <InitIdleCapacity>50</InitIdleCapacity> >>> </ConnectionPool--> >>> <!-- Specifies the implementation to be used for >>> KeyValidationHandler. Steps for validating a token can be controlled by >>> plugging in a >>> custom KeyValidation Handler --> >>> <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt >>> .handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName> >>> </APIKeyValidator> >>> >>> <!-- Uncomment this section only if you are going to have an >>> instance other than KeyValidator as your KeyManager. >>> Unless a ThirdParty KeyManager is used, you don't need to >>> configure this section. --> >>> <!--APIKeyManager> >>> <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultK >>> eyManagerImpl</KeyManagerClientImpl> >>> <Configuration> >>> <ServerURL>https://localhost:${mgt.transport.https.port}${ca >>> rbon.context}services/</ServerURL> >>> <Username>${admin.username}</Username> >>> <Password>${admin.password}</Password> >>> <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token >>> </TokenURL> >>> <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revo >>> ke</RevokeURL> >>> </Configuration> >>> </APIKeyManager--> >>> >>> <OAuthConfigurations> >>> <!-- Remove OAuth headers from outgoing message. --> >>> <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeader >>> sFromOutMessage--> >>> <!-- Scope used for marking Application Tokens. 
If a token is >>> generated with this scope, they will be treated as Application Access >>> Tokens --> >>> <ApplicationTokenScope>am_application_scope</ApplicationToke >>> nScope> >>> <!-- All scopes under the ScopeWhitelist element are not >>> validating against roles that has assigned to it. >>> By default ^device_.* and openid scopes have been white >>> listed internally. --> >>> <!--ScopeWhitelist> >>> <Scope>^device_.*</Scope> >>> <Scope>openid</Scope> >>> </ScopeWhitelist--> >>> <!-- Name of the token API --> >>> <TokenEndPointName>/oauth2/token</TokenEndPointName> >>> <!-- This the API URL for revoke API. When we revoke tokens >>> revoke requests should go through this >>> API deployed in API gateway. Then it will do cache >>> invalidations related to revoked tokens. >>> In distributed deployment we should configure this property >>> in key manager node by pointing >>> gateway https( /http, we recommend users to use 'https' >>> endpoints for security purpose) url. >>> Also please note that we should point gateway revoke >>> service to key manager --> >>> <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</Re >>> vokeAPIURL> >>> <!-- Whether to encrypt tokens when storing in the Database >>> Note: If changing this value to true, change the value of >>> <TokenPersistenceProcessor> to >>> >>> org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor >>> in the identity.xml --> >>> <EncryptPersistedTokens>false</EncryptPersistedTokens> >>> </OAuthConfigurations> >>> >>> <!-- Settings related to managing API access tiers. --> >>> <TierManagement> >>> <!-- Enable the providers to expose their APIs over the special >>> 'Unlimited' tier which >>> basically disables tier based throttling for the specified >>> APIs. 
--> >>> <EnableUnlimitedTier>true</EnableUnlimitedTier> >>> </TierManagement> >>> >>> <!-- API Store Related Configurations --> >>> <APIStore> >>> <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGro >>> upIDExtractorImpl</GroupingExtractor--> >>> <!--This property is used to indicate how we do user name >>> comparision for token generation https://wso2.org/jira/browse/A >>> PIMANAGER-2225--> >>> <CompareCaseInsensitively>true</CompareCaseInsensitively> >>> <DisplayURL>false</DisplayURL> >>> <URL>https://localhost:${mgt.transport.https.port}/store</URL> >>> >>> <!-- Server URL of the API Store. --> >>> <ServerURL>https://localhost:${mgt.transport.https.port}${ca >>> rbon.context}services/</ServerURL> >>> <!-- Admin username for API Store. --> >>> <Username>${admin.username}</Username> >>> >>> <!-- Admin password for API Store. --> >>> <Password>${admin.password}</Password> >>> <!-- This parameter specifies whether to display multiple >>> versions of same >>> API or only showing the latest version of an API. --> >>> <DisplayMultipleVersions>false</DisplayMultipleVersions> >>> <!-- This parameter specifies whether to display all the APIs >>> [which are having DEPRECATED/PUBLISHED status] or only >>> display the APIs >>> with having their status is as 'PUBLISHED' --> >>> <DisplayAllAPIs>false</DisplayAllAPIs> >>> <!-- Uncomment this to limit the number of APIs in api the API >>> Store --> >>> <!--APIsPerPage>5</APIsPerPage--> >>> >>> <!-- This parameter specifies whether to display the comment >>> editing facility or not. >>> Default is "true". If user wants to disable, he must set >>> this param as "false" --> >>> <DisplayComments>true</DisplayComments> >>> >>> <!-- This parameter specifies whether to display the ratings or >>> not. >>> Default is "true". 
If user wants to disable, he must set >>> this param as "false" --> >>> <DisplayRatings>true</DisplayRatings> >>> >>> <!--set isStoreForumEnabled to false for disable forum in >>> store--> >>> <!--isStoreForumEnabled>false</isStoreForumEnabled--> >>> </APIStore> >>> >>> <APIPublisher> >>> <DisplayURL>false</DisplayURL> >>> <URL>https://localhost:${mgt.transport.https.port}/publisher >>> </URL> >>> <!-- This parameter specifies enabling the capability of setting >>> API documentation level granular visibility levels. >>> By default any document associate with an API will have the >>> same permissions set as the API.With enabling below >>> property,it will show two additional permission levels as >>> visible only to all registered users in a particular >>> domain or only visible to API doc creator --> >>> <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilit >>> yLevels--> >>> <!-- Uncomment this to limit the number of APIs in api the API >>> Publisher --> >>> <!--APIsPerPage>30</APIsPerPage--> >>> </APIPublisher> >>> >>> <!-- Status observers can be registered against the API Publisher to >>> listen for >>> API status update events. Each observer must implement the >>> APIStatusObserver >>> interface. Multiple observers can be engaged if necessary and >>> in such situations >>> they will be notified in the order they are defined here. >>> This configuration is unused from API Manager version 1.10.0 --> >>> <!--StatusObservers> >>> <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggin >>> gObserver</Observer> >>> </StatusObservers--> >>> >>> <!-- Use this configuration Create APIs at the Server startup --> >>> <StartupAPIPublisher> >>> <!-- Enable/Disable the API Startup Publisher --> >>> <Enabled>false</Enabled> >>> >>> <!-- Configuration to create APIs for local endpoints. >>> Endpoint will be computed as http://${carbon.local.ip}:${mg >>> t.transport.http.port}/Context. 
>>> Define many LocalAPI elements as below to create many APIs >>> for local Endpoints. >>> IconPath should be relative to CARBON_HOME. --> >>> <LocalAPIs> >>> <LocalAPI> >>> <Context>/resource</Context> >>> <Provider>admin</Provider> >>> <Version>1.0.0</Version> >>> <IconPath>none</IconPath> >>> <DocumentURL>none</DocumentURL> >>> <AuthType>Any</AuthType> >>> </LocalAPI> >>> </LocalAPIs> >>> >>> <!-- Configuration to create APIs for remote endpoints. >>> When Endpoint need to be defined use this configuration. >>> Define many API elements as below to create many APIs >>> for external Endpoints. >>> If you do not need to add Icon or Documentation set >>> 'none' as the value for IconPath & DocumentURL. --> >>> <!--APIs> >>> <API> >>> <Context>/resource</Context> >>> <Endpoint>http://localhost:9764/resource</Endpoint> >>> <Provider>admin</Provider> >>> <Version>1.0.0</Version> >>> <IconPath>none</IconPath> >>> <DocumentURL>none</DocumentURL> >>> <AuthType>Any</AuthType> >>> </API> >>> </APIs--> >>> </StartupAPIPublisher> >>> >>> <!-- Configuration to enable/disable sending CORS headers in the >>> Gateway response >>> and define the Access-Control-Allow-Origin header value.--> >>> <CORSConfiguration> >>> <!-- Configuration to enable/disable sending CORS headers from >>> the Gateway--> >>> <Enabled>true</Enabled> >>> >>> <!-- The value of the Access-Control-Allow-Origin header. >>> Default values are >>> API Store addresses, which is needed for swagger to >>> function. 
--> >>> <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin> >>> >>> <!-- Configure Access-Control-Allow-Methods --> >>> <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTI >>> ONS</Access-Control-Allow-Methods> >>> >>> <!-- Configure Access-Control-Allow-Headers --> >>> <Access-Control-Allow-Headers>authorization,Access-Control-A >>> llow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers> >>> >>> <!-- Configure Access-Control-Allow-Credentials --> >>> <!-- Specifying this header to true means that the server allows >>> cookies (or other user credentials) to be included on cross-origin requests. >>> It is false by default and if you set it to true then make >>> sure that the Access-Control-Allow-Origin header does not contain the >>> wildcard (*) --> >>> <Access-Control-Allow-Credentials>false</Access-Control-Allo >>> w-Credentials> >>> </CORSConfiguration> >>> >>> <!-- This property is there to configure velocity log output into >>> existing Log4j carbon Logger. >>> You can enable this and set preferable Logger name. --> >>> <!-- VelocityLogger>VELOCITY</VelocityLogger --> >>> >>> <RESTAPI> >>> <!--Configure white-listed URIs of REST API. Accessing >>> white-listed URIs does not require credentials (does not require >>> Authorization header). 
--> >>> <WhiteListedURIs> >>> <WhiteListedURI> >>> <URI>/api/am/publisher/{version}/swagger.json</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/swagger.json</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/admin/{version}/swagger.json</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/apis</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/apis/{apiId}</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/a >>> pis/{apiId}/documents</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/a >>> pis/{apiId}/documents/{documentId}</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/a >>> pis/{apiId}/documents/{documentId}/content</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/a >>> pis/{apiId}/thumbnail</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/tags</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/tiers/{tierLevel}</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> <WhiteListedURI> >>> <URI>/api/am/store/{version}/t >>> iers/{tierLevel}/{tierName}</URI> >>> <HTTPMethods>GET,HEAD</HTTPMethods> >>> </WhiteListedURI> >>> </WhiteListedURIs> >>> <ETagSkipList> >>> <ETagSkipURI> >>> 
<URI>/api/am/store/{version}/apis</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/apis/generate-sdk</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/a >>> pis/{apiId}/documents</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/applications</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/a >>> pplications/generate-keys</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/subscriptions</URI> >>> <HTTPMethods>GET,POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/tags</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/tiers/{tierLevel}</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/store/{version}/t >>> iers/{tierLevel}/{tierName}</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{version}/apis</URI> >>> <HTTPMethods>GET,POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{version}/apis/{apiId}</URI> >>> <HTTPMethods>GET,DELETE,PUT</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/swagger</URI> >>> <HTTPMethods>GET,PUT</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/thumbnail</URI> >>> <HTTPMethods>GET,POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/change-lifecycle</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/copy-api</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> 
</ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/applications/{applicationId}</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/documents</URI> >>> <HTTPMethods>GET,POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/documents/{documentId}/content</URI> >>> <HTTPMethods>GET,POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/apis/{apiId}/documents/{documentId}</URI> >>> <HTTPMethods>GET,PUT,DELETE</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{version}/environments</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{version}/subscriptions</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/subscriptions/block-subscription</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/subscriptions/{subscriptionId}</URI> >>> <HTTPMethods>GET</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/subscriptions/unblock-subscription</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI> >>> <HTTPMethods>GET,POST</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/tiers/{tierLevel}/{tierName}</URI> >>> <HTTPMethods>GET,PUT,DELETE</HTTPMethods> >>> </ETagSkipURI> >>> <ETagSkipURI> >>> <URI>/api/am/publisher/{versio >>> n}/tiers/update-permission</URI> >>> <HTTPMethods>POST</HTTPMethods> >>> </ETagSkipURI> >>> </ETagSkipList> >>> </RESTAPI> >>> <ThrottlingConfigurations> >>> <EnableAdvanceThrottling>true</EnableAdvanceThrottling> >>> <DataPublisher> >>> <Enabled>true</Enabled> >>> 
<Type>Binary</Type> >>> <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.po >>> rt}</ReceiverUrlGroup> >>> <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</Aut >>> hUrlGroup> >>> <Username>${admin.username}</Username> >>> <Password>${admin.password}</Password> >>> <DataPublisherPool> >>> <MaxIdle>1000</MaxIdle> >>> <InitIdleCapacity>200</InitIdleCapacity> >>> </DataPublisherPool> >>> <DataPublisherThreadPool> >>> <CorePoolSize>200</CorePoolSize> >>> <MaxmimumPoolSize>1000</MaxmimumPoolSize> >>> <KeepAliveTime>200</KeepAliveTime> >>> </DataPublisherThreadPool> >>> </DataPublisher> >>> <PolicyDeployer> >>> <ServiceURL>https://localhost:${mgt.transport.https.port}${c >>> arbon.context}services/</ServiceURL> >>> <Username>${admin.username}</Username> >>> <Password>${admin.password}</Password> >>> </PolicyDeployer> >>> <BlockCondition> >>> <Enabled>true</Enabled> >>> <!--InitDelay>300000</InitDelay> >>> <Period>3600000</Period--> >>> </BlockCondition> >>> <JMSConnectionDetails> >>> <Enabled>true</Enabled> >>> <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL >>> > >>> <Username>${admin.username}</Username> >>> <Password>${admin.password}</Password> >>> <Destination>throttleData</Destination> >>> <!--InitDelay>300000</InitDelay--> >>> <JMSConnectionParameters> >>> <transport.jms.ConnectionFacto >>> ryJNDIName>TopicConnectionFactory</transport.jms.ConnectionF >>> actoryJNDIName> >>> <transport.jms.DestinationType >>> >topic</transport.jms.DestinationType> >>> <java.naming.factory.initial>o >>> rg.wso2.andes.jndi.PropertiesFileInitialContextFactory</java >>> .naming.factory.initial> >>> <connectionfactory.TopicConnec >>> tionFactory>amqp://${jms.username}:${jms.password}@clientid/ >>> carbon?brokerlist='${jms.url}'</connectionfactory.TopicConne >>> ctionFactory> >>> </JMSConnectionParameters> >>> <JMSTaskManager> >>> <MinThreadPoolSize>20</MinThreadPoolSize> >>> <MaxThreadPoolSize>100</MaxThreadPoolSize> >>> 
>>>         <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
>>>         <JobQueueSize>10</JobQueueSize>
>>>       </JMSTaskManager>
>>>     </JMSConnectionDetails>
>>>     <JMSEventPublisherParameters>
>>>       <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>>>       <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
>>>       <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>>>       <transport.jms.Destination>throttleData</transport.jms.Destination>
>>>       <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
>>>       <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>>>     </JMSEventPublisherParameters>
>>>     <!--DefaultLimits>
>>>       <SubscriptionTierLimits>
>>>         <Gold>5000</Gold>
>>>         <Silver>2000</Silver>
>>>         <Bronze>1000</Bronze>
>>>         <Unauthenticated>60</Unauthenticated>
>>>       </SubscriptionTierLimits>
>>>       <ApplicationTierLimits>
>>>         <50PerMin>50</50PerMin>
>>>         <20PerMin>20</20PerMin>
>>>         <10PerMin>10</10PerMin>
>>>       </ApplicationTierLimits>
>>>       <ResourceLevelTierLimits>
>>>         <50KPerMin>50000</50KPerMin>
>>>         <20KPerMin>20000</20KPerMin>
>>>         <10KPerMin>10000</10KPerMin>
>>>       </ResourceLevelTierLimits>
>>>     </DefaultLimits-->
>>>     <EnableUnlimitedTier>true</EnableUnlimitedTier>
>>>     <EnableHeaderConditions>false</EnableHeaderConditions>
>>>     <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
>>>     <EnableQueryParamConditions>false</EnableQueryParamConditions>
>>>   </ThrottlingConfigurations>
>>>
>>>   <WorkflowConfigurations>
>>>     <Enabled>false</Enabled>
>>>     <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
>>>     <ServerUser>${admin.username}</ServerUser>
>>>     <ServerPassword>${admin.password}</ServerPassword>
>>>     <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
>>>     <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
>>>     <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
>>>     <DCREndPointUser>${admin.username}</DCREndPointUser>
>>>     <DCREndPointPassword>${admin.password}</DCREndPointPassword>
>>>   </WorkflowConfigurations>
>>>
>>>   <SwaggerCodegen>
>>>     <ClientGeneration>
>>>       <GroupId>org.wso2</GroupId>
>>>       <ArtifactId>org.wso2.client.</ArtifactId>
>>>       <ModelPackage>org.wso2.client.model.</ModelPackage>
>>>       <ApiPackage>org.wso2.client.api.</ApiPackage>
>>>       <!-- Configure supported languages/Frameworks as comma separated values,
>>>            Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
>>>            nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
>>>       <SupportedLanguages>java,android</SupportedLanguages>
>>>     </ClientGeneration>
>>>   </SwaggerCodegen>
>>>
>>> </APIManager>
>>>
>>> Do you need my IS one, too?
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>> 2017-06-15 22:16 GMT+02:00 Farasath Ahamed <farasa...@wso2.com>:
>>>
>>>> It would be better if you could share the api-manager.xml configuration file to see if there are any errors in the configs.
>>>>
>>>> Farasath Ahamed
>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>> Mobile: +94777603866
>>>> Blog: blog.farazath.com
>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>
>>>> On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <thomas.legr...@versusmind.eu> wrote:
>>>>
>>>>> Hello again,
>>>>>
>>>>> I followed the tutorial in [1] to configure my Identity Server (IS) as a key manager for my API Manager (AM). When I create my Production & Sandbox applications in the AM, I can see service providers created in the IS.
>>>>> I configured them to use SAML to retrieve information such as the roles if the authentication is successful. And I can "exchange" my SAML assertion for an OAuth token. So, everything is cool here.
>>>>>
>>>>> But when I try to reuse this OAuth token to access a resource via the AM, it rejects me with this sweet message:
>>>>>
>>>>> <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
>>>>>   <ams:code>900900</ams:code>
>>>>>   <ams:message>Unclassified Authentication Failure</ams:message>
>>>>>   <ams:description>Resource forbidden</ams:description>
>>>>> </ams:fault>
>>>>>
>>>>> But there are no errors in the logs, just a WARN. So I activated the DEBUG mode and then I can see some interesting things:
>>>>>
>>>>> [2017-06-15 16:44:52,954] WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
>>>>> [2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
>>>>> org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
>>>>>     at org.apache.synapse.rest.API.process(API.java:325)
>>>>>     at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
>>>>>     at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
>>>>>     at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
>>>>>     at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
>>>>>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>>>>>     at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
>>>>>     at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
>>>>>     at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
>>>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>     at java.lang.Thread.run(Thread.java:745)
>>>>> Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
>>>>>     at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
>>>>>     ... 16 more
>>>>> Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
>>>>>
>>>>> From here, I don't know what to do, since I tried some fancy URLs for the ServerURL value in the elements AuthManager and APIKeyValidator. My IS has an offset of 5, so the port is 9448. Here is the URL I used to point to the IS server: https://localhost:9448/services/
>>>>>
>>>>> Is there a way to know at which URL the IS deploys its Key Manager feature web services (WS)?
>>>>> Should I reinstall the Key Manager feature in the IS?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Thomas
>>>>>
>>>>> [1] https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>
>>>
>>
>> --
>> Rajith Roshan
>> Software Engineer, WSO2 Inc.
>> Mobile: +94-717-064-214
>>
>
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
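Triage logic for the kind of failure discussed in this thread, added here as an example that is not part of the thread or of WSO2's code. It walks the `Caused by:` chain of the quoted gateway DEBUG trace (reproduced below as a constructed, condensed sample) and reports the root cause, so that a 900900 produced by a failed key-validation call is not mistaken for a token the key manager rejected. The classification rule, the regexes and the function names are assumptions.

```python
import re

# Constructed sample: a condensed copy of the gateway DEBUG trace quoted in the thread.
SAMPLE_LOG = """\
[2017-06-15 16:44:52,954] WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
[2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
\tat org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
\tat org.apache.synapse.rest.API.process(API.java:325)
Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
\tat org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
\t... 16 more
Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
"""

# The gateway's numeric error code, logged at DEBUG level.
ERROR_CODE_RE = re.compile(r"authentication failed with error (\d+)")
# An exception header: optional "Caused by: ", qualified class name, ": ", message.
# Frame lines ("at ...") and "... N more" do not match because they lack that shape.
EXC_RE = re.compile(r"^(?:Caused by: )?([\w$.]+(?:Exception|Fault|Error)): (.*)$")
BACKEND_FAILURE = "Error while accessing backend services for API key validation"


def exception_chain(log_text):
    """Return [(class, message), ...] from the outermost exception down to the root cause."""
    chain = []
    for line in log_text.splitlines():
        m = EXC_RE.match(line.strip())
        if m:
            chain.append((m.group(1), m.group(2)))
    return chain


def triage(log_text):
    """Classify a 900900 failure by its root cause instead of by the generic code."""
    code = ERROR_CODE_RE.search(log_text)
    chain = exception_chain(log_text)
    if not chain:
        return {"code": None, "root_cause": None, "verdict": "no exception found"}
    root_cls, root_msg = chain[-1]
    # Axis2 prefixes the fault message with its own class name; drop the duplicate.
    if root_msg.startswith(root_cls + ": "):
        root_msg = root_msg[len(root_cls) + 2:]
    # Assumed rule (not from the thread): if the gateway could not complete the
    # key-validation call, the token itself was never evaluated.
    if any(BACKEND_FAILURE in msg for _, msg in chain):
        verdict = "key-validation call to the key manager failed; check ServerURL and the root fault, not the token"
    else:
        verdict = "unclassified; inspect root cause"
    return {"code": code.group(1) if code else None,
            "root_cause": f"{root_cls}: {root_msg}", "verdict": verdict}
```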