Hi Thomas,

When you are calling the token endpoint using the SAML response, could you please
add the scope=default parameter as well in the request. For example: [1].
Let us know if it works. (Just want to verify, because scope is an
optional parameter.)

[1] - curl -X POST -u \
  "QlthIzYUOK5DS0BXW8Cy8uFJjKAa:XFfgPmTbMaQ5eScc0rSnAW9ZIgwa" \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  -d "scope=default&grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=nrkelgerte..............ufw" \
  https://{host}:{port}/oauth2/token

Thanks!
Rajith
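Editor's note, added to this thread and not part of Rajith's or Thomas's mails: the same SAML2 bearer exchange as the curl above, written in Python so each field's encoding can be checked offline. It base64url-encodes the assertion as RFC 7522 requires, makes the scope parameter optional so the request can be compared with and without it, and classifies the token endpoint's JSON reply as a success or an OAuth error. The host, port, consumer key/secret and the assertion are constructed placeholders, not values from this thread.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed placeholder: the thread's curl posts to https://{host}:{port}/oauth2/token
# with the application's consumer key and secret as the HTTP Basic user and password.
TOKEN_URL = "https://localhost:8243/oauth2/token"

# Constructed, unsigned, minimal assertion used only to exercise the encoding offline.
SAMPLE_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-example" Version="2.0" IssueInstant="2017-06-16T12:00:00Z">'
    "<saml2:Issuer>https://idp.example.test/saml</saml2:Issuer>"
    "<saml2:Subject><saml2:NameID>myUser@carbon.super</saml2:NameID></saml2:Subject>"
    "</saml2:Assertion>"
)


def encode_assertion(saml_assertion_xml: str) -> str:
    """base64url-encode the assertion as RFC 7522 section 2.1 requires: URL-safe
    alphabet, no line wrapping, and the '=' padding characters omitted."""
    encoded = base64.urlsafe_b64encode(saml_assertion_xml.encode("utf-8")).decode("ascii")
    return encoded.rstrip("=")


def decode_assertion(assertion_param: str) -> str:
    """Inverse of encode_assertion; restores the stripped padding before decoding."""
    padded = assertion_param + "=" * (-len(assertion_param) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii")).decode("utf-8")


def build_token_request(consumer_key, consumer_secret, saml_assertion_xml, scope=None):
    """Return (headers, body) for the SAML2 bearer grant. scope is optional in
    RFC 6749, so the same call can be made with and without it for comparison."""
    params = {"grant_type": SAML2_BEARER_GRANT,
              "assertion": encode_assertion(saml_assertion_xml)}
    if scope is not None:
        params["scope"] = scope
    # urlencode percent-encodes the colons of the grant_type URN; the token endpoint
    # decodes the form body, so this is equivalent to the raw string given to curl -d.
    body = urllib.parse.urlencode(params).encode("ascii")
    credentials = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    return headers, body


def decode_body(body: bytes) -> dict:
    """Parse a form body back into {name: value} for inspection (last value wins)."""
    return {k: v[-1] for k, v in urllib.parse.parse_qs(body.decode("ascii")).items()}


def parse_token_response(status: int, body: str) -> dict:
    """Classify the token endpoint's JSON reply (RFC 6749 sections 5.1 and 5.2)."""
    data = json.loads(body)
    if status == 200 and "access_token" in data:
        return {"ok": True, "token_type": data.get("token_type"),
                "scope": data.get("scope"), "expires_in": data.get("expires_in")}
    return {"ok": False, "error": data.get("error", "unknown"),
            "error_description": data.get("error_description", "")}


def request_token(consumer_key, consumer_secret, saml_assertion_xml, scope=None, url=TOKEN_URL):
    """Send the request over HTTPS; only this function touches the network."""
    headers, body = build_token_request(consumer_key, consumer_secret, saml_assertion_xml, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 4xx replies carry the OAuth error JSON in their body. Do not log the
        # request body: it contains the assertion and is as sensitive as the token.
        return parse_token_response(exc.code, exc.read().decode("utf-8"))


if __name__ == "__main__":
    for scope in ("default", None):
        headers, body = build_token_request("consumer-key", "consumer-secret",
                                            SAMPLE_ASSERTION, scope)
        fields = decode_body(body)
        fields["assertion"] = fields["assertion"][:16] + "..."  # keep the output short
        print(f"scope={scope!r}: {fields}")
```

Running the script prints the decoded form fields for both variants; request_token is the only function that contacts the server and is what you would point at the real {host}:{port}.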

On Fri, Jun 16, 2017 at 1:46 PM, Thomas LEGRAND <
thomas.legr...@versusmind.eu> wrote:

> Hello,
>
> Thank you for your answers.
>
> I activated the DEBUG mode on the IS in the class org.wso2.carbon.apimgt.
> keymgt.service.APIKeyValidationService and I can see that the IS receives
> something, because when I send a wrong OAuth token, it says
>
> [2017-06-16 12:10:00,563] ERROR 
> {org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl}
> -  Invalid OAuth Token : Invalid accessken
>
> And when I send a right one:
>
> [2017-06-16 14:19:52,028] DEBUG 
> {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService}
> -  OAuth token response from Manager to gateway:  , appName=myApp ,
> userName=myUser@carbon.super , transactionId= , 
> consumerKey=5bWQioSHWbt9I24xizeP0o20a
> , isAuthorized=true , responseTime=Fri Jun 16 14:19:52 CEST 2017
> [2017-06-16 14:19:52,028] DEBUG 
> {org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService}
> -  APIKeyValidationInfoDTO bee returning : APIKeyValidationInfoDTO = {
> authorized:true , subscriber:admin , tier:Unlimited , type:PRODUCTION ,
> userType:APPLICATION_USER , endUserToken:null , 
> endUserName:myUser@carbon.super
> , applicationId:3 , applicationName:myApp  , applicationr:Unlimited ,
> validationStatus:0 , validityPeriod:2009000 , issuedTime:1497615592019 ,
> apiName:MyAPI , consumerKey:5bWQioSH9I24xizeP0oxTw20a ,
> spikeArrestLimit:0 , spikeArrestUnit:null , 
> subscriberTenantDomain:carbon.super
> , stopOnQuotaReach:true ,iPublisher:admin]]
>
> We can see the authorized: true (if that means something), so it is like
> the API manager doesn't know how to interpret this message and takes a
> shortcut to a conclusion because of an Axis error. So from here, I don't know
> what to do :(
>
> Regards,
>
> Thomas
>
>
>
> 2017-06-16 13:13 GMT+02:00 Farasath Ahamed <farasa...@wso2.com>:
>
>>
>> On Fri, Jun 16, 2017 at 4:37 PM, Rajith Roshan <raji...@wso2.com> wrote:
>>
>>> Hi Thomas,
>>>
>>> You need to subscribe to that particular API from the application for
>>> which you have generated the access token. If there is no valid subscription, then this
>>> error can happen.
>>> And also, if you have assigned specific scopes to the API resource, then the
>>> access token should also have those scopes when it was generated.
>>> This resource forbidden issue can occur due to the above mentioned errors.
>>>
>>
>> In those cases, shouldn't the error codes be different according to [1]?
>>
>>
>>     <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
>>       <ams:code>900900</ams:code>
>>       <ams:message>Unclassified Authentication Failure</ams:message>
>>       <ams:description>Resource forbidden</ams:description>
>>     </ams:fault>
>>
>> Error code 900900, according to [1], means:
>> Backend service for key validation is not accessible when trying to
>> invoke an API
>>
>> [1] https://docs.wso2.com/display/AM210/Error+Handling
>>
>>
>>>
>>> Thanks!
>>> Rajith
>>>
>>> On Fri, Jun 16, 2017 at 12:32 PM, Thomas LEGRAND <
>>> thomas.legr...@versusmind.eu> wrote:
>>>
>>>> Hello!
>>>>
>>>> Sure. Here is my api-manager.xml AM configuration file:
>>>>
>>>> <APIManager>
>>>>     <!-- JNDI name of the data source to be used by the API publisher,
>>>> API store and API
>>>>          key manager. This data source should be defined in the
>>>> master-datasources.xml file
>>>>          in conf/datasources directory. -->
>>>>     <DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
>>>>
>>>>     <!-- This parameter is used when adding api management capability
>>>> to other products like GReg, AS, DSS etc.-->
>>>>     <!--GatewayType>Synapse</GatewayType-->
>>>>     <GatewayType>None</GatewayType>
>>>>
>>>>     <!-- This parameter is used to enable the securevault support when
>>>> try to publish endpoint secured APIs. Values should be "true" or "false".
>>>>     By default secure vault is disabled.-->
>>>>     <EnableSecureVault>false</EnableSecureVault>
>>>>
>>>>     <!-- Authentication manager configuration for API publisher and API
>>>> store. This is
>>>>          a required configuration for both web applications as their
>>>> user authentication
>>>>          logic relies on this. -->
>>>>     <AuthManager>
>>>>         <!-- Server URL of the Authentication service -->
>>>>         <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>>>>         <ServerURL>https://localhost:9448/services/</ServerURL>
>>>>         <!-- Admin username for the Authentication manager. -->
>>>>         <Username>${admin.username}</Username>
>>>>         <!-- Admin password for the Authentication manager. -->
>>>>         <Password>${admin.password}</Password>
>>>>         <!-- Indicates whether the permissions checking of the user (on
>>>> the Publisher and Store) should be done
>>>>            via a remote service. The check will be done on the local
>>>> server when false. -->
>>>>         <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
>>>>     </AuthManager>
>>>>
>>>>     <JWTConfiguration>
>>>>         <!-- Enable/Disable JWT generation. Default is false. -->
>>>>         <!-- EnableJWTGeneration>false</EnableJWTGeneration-->
>>>>
>>>>         <!-- Name of the security context header to be added to the
>>>> validated requests. -->
>>>>         <JWTHeader>X-JWT-Assertion</JWTHeader>
>>>>
>>>>         <!-- Fully qualified name of the class that will retrieve
>>>> additional user claims
>>>>              to be appended to the JWT. If not specified no claims will
>>>> be appended.If user wants to add all user claims in the
>>>>              jwt token, he needs to enable this parameter.
>>>>              The DefaultClaimsRetriever class adds user claims from the
>>>> default carbon user store. -->
>>>>         <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->
>>>>
>>>>         <!-- The dialectURI under which the claimURIs that need to be
>>>> appended to the
>>>>              JWT are defined. Not used with custom ClaimsRetriever
>>>> implementations. The
>>>>              same value is used in the keys for appending the default
>>>> properties to the
>>>>              JWT. -->
>>>>         <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->
>>>>
>>>>         <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To
>>>> disable signing explicitly specify "NONE". -->
>>>>         <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->
>>>>
>>>>         <!-- This parameter specifies which implementation should be
>>>> used for generating the Token. JWTGenerator is the
>>>>     default implementation provided. -->
>>>>         <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
>>>>
>>>>         <!-- This parameter specifies which implementation should be
>>>> used for generating the Token. For URL safe JWT
>>>>              Token generation the implementation is provided in
>>>> URLSafeJWTGenerator -->
>>>>         <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->
>>>>
>>>>         <!-- Remove UserName from JWT Token -->
>>>>         <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
>>>>     </JWTConfiguration>
>>>>
>>>>     <!-- Primary/secondary login configuration for APIstore. If user
>>>> likes to keep two login attributes in a distributed setup, to login the
>>>> APIstore,
>>>> he should configure this section. Primary login doesn't have a claimUri
>>>> associated with it. But secondary login, which is a claim attribute,
>>>> is associated with a claimuri.-->
>>>>     <!--LoginConfig>
>>>>             <UserIdLogin  primary="true">
>>>>         <ClaimUri></ClaimUri>
>>>>         </UserIdLogin>
>>>>         <EmailLogin  primary="false">
>>>>             <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
>>>>         </EmailLogin>
>>>>     </LoginConfig-->
>>>>
>>>>     <!-- Credentials for the API gateway admin server. This
>>>> configuration
>>>>          is mainly used by the API publisher and store to connect to
>>>> the API gateway and
>>>>          create/update published API configurations. -->
>>>>     <APIGateway>
>>>>         <!-- The environments to which an API will be published -->
>>>>         <Environments>
>>>>             <!-- Environments can be of different types. Allowed values
>>>> are 'hybrid', 'production' and 'sandbox'.
>>>>                  An API deployed on a 'production' type gateway will
>>>> only support production keys
>>>>                  An API deployed on a 'sandbox' type gateway will only
>>>> support sandbox keys
>>>>                  An API deployed on a 'hybrid' type gateway will
>>>> support both production and sandbox keys. -->
>>>>             <!-- api-console element specifies whether the environment
>>>> should be listed in API Console or not -->
>>>>             <Environment type="hybrid" api-console="true">
>>>>                 <Name>Production and Sandbox</Name>
>>>>                 <Description>This is a hybrid gateway that handles both
>>>> production and sandbox token traffic.</Description>
>>>>                 <!-- Server URL of the API gateway -->
>>>>                 <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>>>>                 <!-- Admin username for the API gateway. -->
>>>>                 <Username>${admin.username}</Username>
>>>>                 <!-- Admin password for the API gateway.-->
>>>>                 <Password>${admin.password}</Password>
>>>>                 <!-- Endpoint URLs for the APIs hosted in this API
>>>> gateway.-->
>>>>                 <GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://${carbon.local.ip}:${https.nio.port}</GatewayEndpoint>
>>>>             </Environment>
>>>>         </Environments>
>>>>     </APIGateway>
>>>>
>>>>     <CacheConfigurations>
>>>>         <!-- Enable/Disable token caching at the Gateway-->
>>>>         <EnableGatewayTokenCache>true</EnableGatewayTokenCache>
>>>>         <!-- Enable/Disable API resource caching at the Gateway-->
>>>>         <EnableGatewayResourceCache>true</EnableGatewayResourceCache>
>>>>         <!-- Enable/Disable API key validation information caching at
>>>> key-management server -->
>>>>         <EnableKeyManagerTokenCache>false</EnableKeyManagerTokenCache>
>>>>         <!-- This parameter specifies whether Recently Added APIs will
>>>> be loaded from the cache or not.
>>>>              If there are multiple API modification during a short time
>>>> period, better to disable cache. -->
>>>>         <EnableRecentlyAddedAPICache>false</EnableRecentlyAddedAPICache>
>>>>         <!-- JWT claims Cache expiry in seconds -->
>>>>         <!--JWTClaimCacheExpiry>900</JWTClaimCacheExpiry-->
>>>>         <!-- Expiry time for the apim key mgt validation info cache -->
>>>>         <!--TokenCacheExpiry>900</TokenCacheExpiry-->
>>>>         <!-- This parameter specifies the expiration time of the
>>>> TagCache. TagCache will
>>>>              only be created when this element is uncommented. When the
>>>> specified
>>>>              time duration gets elapsed ,tag cache will get
>>>> re-generated. -->
>>>>         <!--TagCacheDuration>120000</TagCacheDuration-->
>>>>     </CacheConfigurations>
>>>>
>>>>     <!--
>>>>         API usage tracker configuration used by the DAS data publisher
>>>> and
>>>>         Google Analytics publisher in API gateway.
>>>>     -->
>>>>     <Analytics>
>>>>         <!-- Enable Analytics for API Manager -->
>>>>         <Enabled>false</Enabled>
>>>>
>>>>         <!-- Server URL of the remote DAS/CEP server used to collect
>>>> statistics. Must
>>>>              be specified in protocol://hostname:port/ format.
>>>>
>>>>              An event can also be published to multiple Receiver Groups
>>>> each having 1 or more receivers. Receiver
>>>>              Groups are delimited by curly braces whereas receivers are
>>>> delimited by commas.
>>>>              Ex - Multiple Receivers within a single group
>>>>              tcp://localhost:7612/,tcp://localhost:7613/,tcp://localhost:7614/
>>>>
>>>>              Ex - Multiple Receiver Groups with two receivers each
>>>>              {tcp://localhost:7612/,tcp://localhost:7613},{tcp://localhost:7712/,tcp://localhost:7713/} -->
>>>>         <DASServerURL>{tcp://localhost:7612}</DASServerURL>
>>>>         <!--DASAuthServerURL>{ssl://localhost:7712}</DASAuthServerURL-->
>>>>         <!-- Administrator username to login to the remote DAS server.
>>>> -->
>>>>         <DASUsername>${admin.username}</DASUsername>
>>>>         <!-- Administrator password to login to the remote DAS server.
>>>> -->
>>>>         <DASPassword>${admin.password}</DASPassword>
>>>>
>>>>         <!-- For APIM implemented Statistic client for RDBMS -->
>>>>         <StatsProviderImpl>org.wso2.carbon.apimgt.usage.client.impl.APIUsageStatisticsRdbmsClientImpl</StatsProviderImpl>
>>>>
>>>>         <!-- DAS REST API configuration -->
>>>>         <DASRestApiURL>https://localhost:9444</DASRestApiURL>
>>>>         <DASRestApiUsername>${admin.username}</DASRestApiUsername>
>>>>         <DASRestApiPassword>${admin.password}</DASRestApiPassword>
>>>>
>>>>         <!-- Below property is used to skip trying to connect to event
>>>> receiver nodes when publishing events even if
>>>>             the stats enabled flag is set to true. -->
>>>>         <SkipEventReceiverConnection>false</SkipEventReceiverConnection>
>>>>
>>>>         <!-- API Usage Data Publisher. -->
>>>>         <PublisherClass>org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher</PublisherClass>
>>>>
>>>>         <!-- If below property set to true,then the response message
>>>> size will be calculated and publish
>>>>              with each successful API invocation event. -->
>>>>         <PublishResponseMessageSize>false</PublishResponseMessageSize>
>>>>         <!-- Data publishing stream names and versions of API requests,
>>>> responses and faults. If the default values
>>>>             are changed, the toolbox also needs to be changed
>>>> accordingly. -->
>>>>         <Streams>
>>>>             <Request>
>>>>                 <Name>org.wso2.apimgt.statistics.request</Name>
>>>>                 <Version>1.1.0</Version>
>>>>             </Request>
>>>>             <Response>
>>>>                 <Name>org.wso2.apimgt.statistics.response</Name>
>>>>                 <Version>1.1.0</Version>
>>>>             </Response>
>>>>             <Fault>
>>>>                 <Name>org.wso2.apimgt.statistics.fault</Name>
>>>>                 <Version>1.0.0</Version>
>>>>             </Fault>
>>>>             <Throttle>
>>>>                 <Name>org.wso2.apimgt.statistics.throttle</Name>
>>>>                 <Version>1.0.0</Version>
>>>>             </Throttle>
>>>>             <Workflow>
>>>>                 <Name>org.wso2.apimgt.statistics.workflow</Name>
>>>>                 <Version>1.0.0</Version>
>>>>             </Workflow>
>>>>             <ExecutionTime>
>>>>                 <Name>org.wso2.apimgt.statistics.execution.time</Name>
>>>>                 <Version>1.0.0</Version>
>>>>             </ExecutionTime>
>>>>             <AlertTypes>
>>>>                 <Name>org.wso2.analytics.apim.alertStakeholderInfo</Name>
>>>>                 <Version>1.0.0</Version>
>>>>             </AlertTypes>
>>>>         </Streams>
>>>>
>>>>     </Analytics>
>>>>
>>>>     <!--
>>>>         API key validator configuration used by API key manager (IS),
>>>> API store and API gateway.
>>>>         API gateway uses it to validate and authenticate users against
>>>> the provided API keys.
>>>>     -->
>>>>     <APIKeyValidator>
>>>>         <!-- Server URL of the API key manager -->
>>>>         <!--ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL-->
>>>>         <ServerURL>https://localhost:9448/services/</ServerURL>
>>>>
>>>>         <!-- Admin username for API key manager. -->
>>>>         <Username>${admin.username}</Username>
>>>>         <!-- Admin password for API key manager. -->
>>>>         <Password>${admin.password}</Password>
>>>>         <!--Username>admin</Username>
>>>>         <Password>admin</Password-->
>>>>
>>>>         <!-- Configurations related to enable thrift support for
>>>> key-management related communication.
>>>>              If you want to switch back to Web Service Client, change
>>>> the value of "KeyValidatorClientType" to "WSClient".
>>>>              In a distributed environment;
>>>>              -If you are at the Gateway node, you need to point
>>>> "ThriftClientPort" value to the "ThriftServerPort" value given at
>>>> KeyManager node.
>>>>              -If you need to start two API Manager instances in the
>>>> same machine, you need to give different ports to "ThriftServerPort" value
>>>> in two nodes.
>>>>              -ThriftServerHost - Allows to configure a hostname for the
>>>> thrift server. It uses the carbon hostname by default.
>>>>         -The Gateway uses this parameter to connect to the key
>>>> validation thrift service. -->
>>>>         <KeyValidatorClientType>WSClient</KeyValidatorClientType>
>>>>         <ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
>>>>         <!--ThriftClientPort>10397</ThriftClientPort-->
>>>>
>>>>         <EnableThriftServer>false</EnableThriftServer>
>>>>         <ThriftServerHost>localhost</ThriftServerHost>
>>>>         <!--ThriftServerPort>10397</ThriftServerPort-->
>>>>
>>>>         <!--ConnectionPool>
>>>>             <MaxIdle>100</MaxIdle>
>>>>             <InitIdleCapacity>50</InitIdleCapacity>
>>>>         </ConnectionPool-->
>>>>         <!-- Specifies the implementation to be used for
>>>> KeyValidationHandler. Steps for validating a token can be controlled by
>>>> plugging in a
>>>>              custom KeyValidation Handler -->
>>>>         <KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
>>>>     </APIKeyValidator>
>>>>
>>>>     <!-- Uncomment this section only if you are going to have an
>>>> instance other than KeyValidator as your KeyManager.
>>>>          Unless a ThirdParty KeyManager is used, you don't need to
>>>> configure this section. -->
>>>>     <!--APIKeyManager>
>>>>         <KeyManagerClientImpl>org.wso2.carbon.apimgt.impl.AMDefaultKeyManagerImpl</KeyManagerClientImpl>
>>>>         <Configuration>
>>>>             <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>>>>             <Username>${admin.username}</Username>
>>>>             <Password>${admin.password}</Password>
>>>>             <TokenURL>https://${carbon.local.ip}:${https.nio.port}/token</TokenURL>
>>>>             <RevokeURL>https://${carbon.local.ip}:${https.nio.port}/revoke</RevokeURL>
>>>>         </Configuration>
>>>>     </APIKeyManager-->
>>>>
>>>>     <OAuthConfigurations>
>>>>         <!-- Remove OAuth headers from outgoing message. -->
>>>>         <!--RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage-->
>>>>         <!-- Scope used for marking Application Tokens. If a token is
>>>> generated with this scope, they will be treated as Application Access
>>>> Tokens -->
>>>>         <ApplicationTokenScope>am_application_scope</ApplicationTokenScope>
>>>>         <!-- All  scopes under the ScopeWhitelist element are not
>>>> validating against roles that has assigned to it.
>>>>              By default ^device_.* and openid scopes have been white
>>>> listed internally. -->
>>>>         <!--ScopeWhitelist>
>>>>             <Scope>^device_.*</Scope>
>>>>             <Scope>openid</Scope>
>>>>         </ScopeWhitelist-->
>>>>         <!-- Name of the token API -->
>>>>         <TokenEndPointName>/oauth2/token</TokenEndPointName>
>>>>         <!-- This the API URL for revoke API. When we revoke tokens
>>>> revoke requests should go through this
>>>>              API deployed in API gateway. Then it will do cache
>>>> invalidations related to revoked tokens.
>>>>              In distributed deployment we should configure this
>>>> property in key manager node by pointing
>>>>              gateway https( /http, we recommend users to use 'https'
>>>> endpoints for security purpose) url.
>>>>              Also please note that we should point gateway revoke
>>>> service to key manager -->
>>>>         <RevokeAPIURL>https://localhost:${https.nio.port}/revoke</RevokeAPIURL>
>>>>         <!-- Whether to encrypt tokens when storing in the Database
>>>>         Note: If changing this value to true, change the value of <TokenPersistenceProcessor> to
>>>>         org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor
>>>>         in the identity.xml -->
>>>>         <EncryptPersistedTokens>false</EncryptPersistedTokens>
>>>>     </OAuthConfigurations>
>>>>
>>>>     <!-- Settings related to managing API access tiers. -->
>>>>     <TierManagement>
>>>>         <!-- Enable the providers to expose their APIs over the special
>>>> 'Unlimited' tier which
>>>>              basically disables tier based throttling for the specified
>>>> APIs. -->
>>>>         <EnableUnlimitedTier>true</EnableUnlimitedTier>
>>>>     </TierManagement>
>>>>
>>>>     <!-- API Store Related Configurations -->
>>>>     <APIStore>
>>>>         <!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
>>>>         <!--This property is used to indicate how we do user name
>>>> comparison for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
>>>>         <CompareCaseInsensitively>true</CompareCaseInsensitively>
>>>>         <DisplayURL>false</DisplayURL>
>>>>         <URL>https://localhost:${mgt.transport.https.port}/store</URL>
>>>>
>>>>         <!-- Server URL of the API Store. -->
>>>>         <ServerURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
>>>>         <!-- Admin username for API Store. -->
>>>>         <Username>${admin.username}</Username>
>>>>
>>>>         <!-- Admin password for API Store. -->
>>>>         <Password>${admin.password}</Password>
>>>>         <!-- This parameter specifies whether to display multiple
>>>> versions of same
>>>>              API or only showing the latest version of an API. -->
>>>>         <DisplayMultipleVersions>false</DisplayMultipleVersions>
>>>>         <!-- This parameter specifies whether to display all the APIs
>>>>              [which are having DEPRECATED/PUBLISHED status] or only
>>>> display the APIs
>>>>              with having their status is as 'PUBLISHED' -->
>>>>         <DisplayAllAPIs>false</DisplayAllAPIs>
>>>>         <!-- Uncomment this to limit the number of APIs in api the API
>>>> Store -->
>>>>         <!--APIsPerPage>5</APIsPerPage-->
>>>>
>>>>         <!-- This parameter specifies whether to display the comment
>>>> editing facility or not.
>>>>              Default is "true". If user wants to disable, he must set
>>>> this param as "false" -->
>>>>         <DisplayComments>true</DisplayComments>
>>>>
>>>>         <!-- This parameter specifies whether to display the ratings
>>>>  or not.
>>>>              Default is "true". If user wants to disable, he must set
>>>> this param as "false" -->
>>>>         <DisplayRatings>true</DisplayRatings>
>>>>
>>>>         <!--set isStoreForumEnabled to false for disable forum in
>>>> store-->
>>>>         <!--isStoreForumEnabled>false</isStoreForumEnabled-->
>>>>     </APIStore>
>>>>
>>>>     <APIPublisher>
>>>>         <DisplayURL>false</DisplayURL>
>>>>         <URL>https://localhost:${mgt.transport.https.port}/publisher</URL>
>>>>         <!-- This parameter specifies enabling the capability of
>>>> setting API documentation level granular visibility levels.
>>>>              By default any document associate with an API will have
>>>> the same permissions set as the API.With enabling below
>>>>              property,it will show two additional permission levels as
>>>> visible only to all registered users in a particular
>>>>              domain or only visible to API doc creator -->
>>>>         <!--EnableAPIDocVisibilityLevels>true</EnableAPIDocVisibilityLevels-->
>>>>         <!-- Uncomment this to limit the number of APIs in api the API
>>>> Publisher -->
>>>>         <!--APIsPerPage>30</APIsPerPage-->
>>>>     </APIPublisher>
>>>>
>>>>     <!-- Status observers can be registered against the API Publisher
>>>> to listen for
>>>>          API status update events. Each observer must implement the
>>>> APIStatusObserver
>>>>          interface. Multiple observers can be engaged if necessary and
>>>> in such situations
>>>>          they will be notified in the order they are defined here.
>>>>          This configuration is unused from API Manager version 1.10.0
>>>> -->
>>>>     <!--StatusObservers>
>>>>         <Observer>org.wso2.carbon.apimgt.impl.observers.SimpleLoggingObserver</Observer>
>>>>     </StatusObservers-->
>>>>
>>>>     <!-- Use this configuration Create APIs at the Server startup -->
>>>>     <StartupAPIPublisher>
>>>>         <!-- Enable/Disable the API Startup Publisher -->
>>>>         <Enabled>false</Enabled>
>>>>
>>>>         <!-- Configuration to create APIs for local endpoints.
>>>>              Endpoint will be computed as http://${carbon.local.ip}:${mgt.transport.http.port}/Context.
>>>>              Define many LocalAPI elements as below to create many APIs
>>>>              for local Endpoints.
>>>>              IconPath should be relative to CARBON_HOME. -->
>>>>         <LocalAPIs>
>>>>             <LocalAPI>
>>>>                 <Context>/resource</Context>
>>>>                 <Provider>admin</Provider>
>>>>                 <Version>1.0.0</Version>
>>>>                 <IconPath>none</IconPath>
>>>>                 <DocumentURL>none</DocumentURL>
>>>>                 <AuthType>Any</AuthType>
>>>>             </LocalAPI>
>>>>         </LocalAPIs>
>>>>
>>>>         <!-- Configuration to create APIs for remote endpoints.
>>>>              When Endpoint need to be defined use this configuration.
>>>>              Define many API elements as below to create many APIs
>>>>              for external Endpoints.
>>>>              If you do not need to add Icon or Documentation set
>>>>              'none' as the value for IconPath & DocumentURL. -->
>>>>         <!--APIs>
>>>>             <API>
>>>>                 <Context>/resource</Context>
>>>>                 <Endpoint>http://localhost:9764/resource</Endpoint>
>>>>                 <Provider>admin</Provider>
>>>>                 <Version>1.0.0</Version>
>>>>                 <IconPath>none</IconPath>
>>>>                 <DocumentURL>none</DocumentURL>
>>>>                 <AuthType>Any</AuthType>
>>>>             </API>
>>>>         </APIs-->
>>>>     </StartupAPIPublisher>
>>>>
>>>>     <!-- Configuration to enable/disable sending CORS headers in the
>>>> Gateway response
>>>>          and define the Access-Control-Allow-Origin header value.-->
>>>>     <CORSConfiguration>
>>>>         <!-- Configuration to enable/disable sending CORS headers from
>>>> the Gateway-->
>>>>         <Enabled>true</Enabled>
>>>>
>>>>         <!-- The value of the Access-Control-Allow-Origin header.
>>>> Default values are
>>>>              API Store addresses, which is needed for swagger to
>>>> function. -->
>>>>         <Access-Control-Allow-Origin>*</Access-Control-Allow-Origin>
>>>>
>>>>         <!-- Configure Access-Control-Allow-Methods -->
>>>>         <Access-Control-Allow-Methods>GET,PUT,POST,DELETE,PATCH,OPTIONS</Access-Control-Allow-Methods>
>>>>
>>>>         <!-- Configure Access-Control-Allow-Headers -->
>>>>         <Access-Control-Allow-Headers>authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction</Access-Control-Allow-Headers>
>>>>
>>>>         <!-- Configure Access-Control-Allow-Credentials -->
>>>>         <!-- Specifying this header to true means that the server
>>>> allows cookies (or other user credentials) to be included on cross-origin
>>>> requests.
>>>>              It is false by default and if you set it to true then make
>>>> sure that the Access-Control-Allow-Origin header does not contain the
>>>> wildcard (*) -->
>>>>         <Access-Control-Allow-Credentials>false</Access-Control-Allow-Credentials>
>>>>     </CORSConfiguration>
>>>>
>>>>     <!-- This property is there to configure velocity log output into
>>>> existing Log4j carbon Logger.
>>>>          You can enable this and set preferable Logger name. -->
>>>>     <!-- VelocityLogger>VELOCITY</VelocityLogger -->
>>>>
>>>>     <RESTAPI>
>>>>         <!--Configure white-listed URIs of REST API. Accessing
>>>> white-listed URIs does not require credentials (does not require
>>>> Authorization header). -->
>>>>         <WhiteListedURIs>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/publisher/{version}/swagger.json</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/swagger.json</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/admin/{version}/swagger.json</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}/swagger</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}/thumbnail</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/tags</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>             <WhiteListedURI>
>>>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
>>>>                 <HTTPMethods>GET,HEAD</HTTPMethods>
>>>>             </WhiteListedURI>
>>>>         </WhiteListedURIs>
>>>>         <ETagSkipList>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/apis</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/apis/generate-sdk</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/apis/{apiId}/documents</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/applications</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/applications/generate-keys</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/subscriptions</URI>
>>>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/tags</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis</URI>
>>>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}</URI>
>>>>                 <HTTPMethods>GET,DELETE,PUT</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/swagger</URI>
>>>>                 <HTTPMethods>GET,PUT</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/thumbnail</URI>
>>>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/change-lifecycle</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/copy-api</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/applications/{applicationId}</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents</URI>
>>>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}/content</URI>
>>>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/apis/{apiId}/documents/{documentId}</URI>
>>>>                 <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/environments</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/subscriptions</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/subscriptions/block-subscription</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/subscriptions/{subscriptionId}</URI>
>>>>                 <HTTPMethods>GET</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/subscriptions/unblock-subscription</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/tiers/{tierLevel}</URI>
>>>>                 <HTTPMethods>GET,POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/tiers/{tierLevel}/{tierName}</URI>
>>>>                 <HTTPMethods>GET,PUT,DELETE</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>             <ETagSkipURI>
>>>>                 <URI>/api/am/publisher/{version}/tiers/update-permission</URI>
>>>>                 <HTTPMethods>POST</HTTPMethods>
>>>>             </ETagSkipURI>
>>>>         </ETagSkipList>
>>>>     </RESTAPI>
>>>>     <ThrottlingConfigurations>
>>>>         <EnableAdvanceThrottling>true</EnableAdvanceThrottling>
>>>>         <DataPublisher>
>>>>             <Enabled>true</Enabled>
>>>>             <Type>Binary</Type>
>>>>             <ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
>>>>             <AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
>>>>             <Username>${admin.username}</Username>
>>>>             <Password>${admin.password}</Password>
>>>>             <DataPublisherPool>
>>>>                 <MaxIdle>1000</MaxIdle>
>>>>                 <InitIdleCapacity>200</InitIdleCapacity>
>>>>             </DataPublisherPool>
>>>>             <DataPublisherThreadPool>
>>>>                 <CorePoolSize>200</CorePoolSize>
>>>>                 <MaxmimumPoolSize>1000</MaxmimumPoolSize>
>>>>                 <KeepAliveTime>200</KeepAliveTime>
>>>>             </DataPublisherThreadPool>
>>>>         </DataPublisher>
>>>>         <PolicyDeployer>
>>>>             <ServiceURL>https://localhost:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
>>>>             <Username>${admin.username}</Username>
>>>>             <Password>${admin.password}</Password>
>>>>         </PolicyDeployer>
>>>>         <BlockCondition>
>>>>             <Enabled>true</Enabled>
>>>>             <!--InitDelay>300000</InitDelay>
>>>>             <Period>3600000</Period-->
>>>>         </BlockCondition>
>>>>         <JMSConnectionDetails>
>>>>             <Enabled>true</Enabled>
>>>>             <ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
>>>>             <Username>${admin.username}</Username>
>>>>             <Password>${admin.password}</Password>
>>>>             <Destination>throttleData</Destination>
>>>>             <!--InitDelay>300000</InitDelay-->
>>>>             <JMSConnectionParameters>
>>>>                 <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>>>>                 <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>>>>                 <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>>>>                 <connectionfactory.TopicConnectionFactory>amqp://${jms.username}:${jms.password}@clientid/carbon?brokerlist='${jms.url}'</connectionfactory.TopicConnectionFactory>
>>>>             </JMSConnectionParameters>
>>>>             <JMSTaskManager>
>>>>                 <MinThreadPoolSize>20</MinThreadPoolSize>
>>>>                 <MaxThreadPoolSize>100</MaxThreadPoolSize>
>>>>                 <KeepAliveTimeInMillis>1000</KeepAliveTimeInMillis>
>>>>                 <JobQueueSize>10</JobQueueSize>
>>>>             </JMSTaskManager>
>>>>         </JMSConnectionDetails>
>>>>         <JMSEventPublisherParameters>
>>>>                 <java.naming.factory.initial>org.wso2.andes.jndi.PropertiesFileInitialContextFactory</java.naming.factory.initial>
>>>>                 <java.naming.provider.url>repository/conf/jndi.properties</java.naming.provider.url>
>>>>                 <transport.jms.DestinationType>topic</transport.jms.DestinationType>
>>>>                 <transport.jms.Destination>throttleData</transport.jms.Destination>
>>>>                 <transport.jms.ConcurrentPublishers>allow</transport.jms.ConcurrentPublishers>
>>>>                 <transport.jms.ConnectionFactoryJNDIName>TopicConnectionFactory</transport.jms.ConnectionFactoryJNDIName>
>>>>         </JMSEventPublisherParameters>
>>>>         <!--DefaultLimits>
>>>>             <SubscriptionTierLimits>
>>>>                 <Gold>5000</Gold>
>>>>                 <Silver>2000</Silver>
>>>>                 <Bronze>1000</Bronze>
>>>>                 <Unauthenticated>60</Unauthenticated>
>>>>             </SubscriptionTierLimits>
>>>>             <ApplicationTierLimits>
>>>>                 <50PerMin>50</50PerMin>
>>>>                 <20PerMin>20</20PerMin>
>>>>                 <10PerMin>10</10PerMin>
>>>>             </ApplicationTierLimits>
>>>>             <ResourceLevelTierLimits>
>>>>                 <50KPerMin>50000</50KPerMin>
>>>>                 <20KPerMin>20000</20KPerMin>
>>>>                 <10KPerMin>10000</10KPerMin>
>>>>             </ResourceLevelTierLimits>
>>>>         </DefaultLimits-->
>>>>         <EnableUnlimitedTier>true</EnableUnlimitedTier>
>>>>         <EnableHeaderConditions>false</EnableHeaderConditions>
>>>>         <EnableJWTClaimConditions>false</EnableJWTClaimConditions>
>>>>         <EnableQueryParamConditions>false</EnableQueryParamConditions>
>>>>     </ThrottlingConfigurations>
>>>>
>>>>     <WorkflowConfigurations>
>>>>         <Enabled>false</Enabled>
>>>>     <ServerUrl>https://localhost:9445/bpmn</ServerUrl>
>>>>     <ServerUser>${admin.username}</ServerUser>
>>>>     <ServerPassword>${admin.password}</ServerPassword>
>>>>     <WorkflowCallbackAPI>https://localhost:${mgt.transport.https.port}/api/am/publisher/v0.11/workflows/update-workflow-status</WorkflowCallbackAPI>
>>>>         <TokenEndPoint>https://localhost:${https.nio.port}/token</TokenEndPoint>
>>>>         <DCREndPoint>https://localhost:${mgt.transport.https.port}/client-registration/v0.11/register</DCREndPoint>
>>>>         <DCREndPointUser>${admin.username}</DCREndPointUser>
>>>>         <DCREndPointPassword>${admin.password}</DCREndPointPassword>
>>>>     </WorkflowConfigurations>
>>>>
>>>>     <SwaggerCodegen>
>>>>         <ClientGeneration>
>>>>             <GroupId>org.wso2</GroupId>
>>>>             <ArtifactId>org.wso2.client.</ArtifactId>
>>>>             <ModelPackage>org.wso2.client.model.</ModelPackage>
>>>>             <ApiPackage>org.wso2.client.api.</ApiPackage>
>>>>             <!-- Configure supported languages/Frameworks as comma separated values,
>>>>              Supported Languages/Frameworks : android, java, scala, csharp, cpp, dart, flash, go, groovy, javascript, jmeter,
>>>>              nodejs, perl, php, python, ruby, swift, clojure, aspNet5, asyncScala, spring, csharpDotNet2, haskell-->
>>>>             <SupportedLanguages>java,android</SupportedLanguages>
>>>>         </ClientGeneration>
>>>>     </SwaggerCodegen>
>>>>
>>>> </APIManager>
>>>>
>>>> Do you need my IS one, too?
>>>>
>>>> Regards,
>>>>
>>>> Thomas
>>>>
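The `<WhiteListedURIs>` block in the api-manager.xml quoted above lists the REST API paths the AM's REST API lets through without an access token, each limited to the HTTP methods named beside it. The following is an added example, my own code rather than WSO2's or anything from this thread: it parses a constructed subset of those entries and decides whether a given method and path fall under the whitelist. The rule that a `{placeholder}` matches exactly one path segment is an assumption about how the templates are meant to be read, and the function names are my own.

```python
"""Matcher for the <WhiteListedURIs> block of WSO2 API Manager's api-manager.xml.

Added example, not WSO2 code.  It parses a constructed fragment (a subset of
the entries shown in the thread) and decides whether a (method, path) pair is
on the unauthenticated whitelist.  The placeholder-to-regex rule
('{name}' matches exactly one path segment) is an assumption about how the
templates are meant to be read, not something taken from the WSO2 sources.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed fragment: a handful of the WhiteListedURI entries from the
# api-manager.xml quoted in the thread, wrapped in the enclosing elements.
SAMPLE_CONFIG = """<APIManager>
  <RESTAPI>
    <WhiteListedURIs>
      <WhiteListedURI>
        <URI>/api/am/admin/{version}/swagger.json</URI>
        <HTTPMethods>GET,HEAD</HTTPMethods>
      </WhiteListedURI>
      <WhiteListedURI>
        <URI>/api/am/store/{version}/apis</URI>
        <HTTPMethods>GET,HEAD</HTTPMethods>
      </WhiteListedURI>
      <WhiteListedURI>
        <URI>/api/am/store/{version}/apis/{apiId}/documents/{documentId}/content</URI>
        <HTTPMethods>GET,HEAD</HTTPMethods>
      </WhiteListedURI>
      <WhiteListedURI>
        <URI>/api/am/store/{version}/tiers/{tierLevel}/{tierName}</URI>
        <HTTPMethods>GET,HEAD</HTTPMethods>
      </WhiteListedURI>
    </WhiteListedURIs>
  </RESTAPI>
</APIManager>
"""

PLACEHOLDER = re.compile(r"\{[^/{}]+\}")


def template_to_regex(uri_template: str) -> re.Pattern:
    """Turn '/api/am/store/{version}/apis' into an anchored regex.

    Every literal character is escaped; each {placeholder} becomes '[^/]+',
    so a placeholder matches exactly one non-empty path segment and never
    spans a '/'.  An optional trailing slash is tolerated.
    """
    parts = []
    pos = 0
    for m in PLACEHOLDER.finditer(uri_template):
        parts.append(re.escape(uri_template[pos:m.start()]))
        parts.append(r"[^/]+")
        pos = m.end()
    parts.append(re.escape(uri_template[pos:]))
    return re.compile("^" + "".join(parts) + "/?$")


def load_whitelist(xml_text: str) -> list[tuple[re.Pattern, frozenset[str]]]:
    """Return [(compiled_uri_regex, {allowed methods}), ...] from the config."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.findall("./RESTAPI/WhiteListedURIs/WhiteListedURI"):
        uri = node.findtext("URI", "").strip()
        methods = node.findtext("HTTPMethods", "")
        allowed = frozenset(m.strip().upper() for m in methods.split(",") if m.strip())
        if uri and allowed:
            entries.append((template_to_regex(uri), allowed))
    return entries


def is_whitelisted(whitelist, method: str, path: str) -> bool:
    """True if some entry matches the full path AND lists the method.

    The query string is ignored for matching; the method check is what stops a
    GET/HEAD-only entry from also exempting POST, PUT or DELETE on the same path.
    """
    path = path.split("?", 1)[0]
    method = method.upper()
    return any(rx.match(path) and method in allowed for rx, allowed in whitelist)


if __name__ == "__main__":
    wl = load_whitelist(SAMPLE_CONFIG)
    for m, p in [("GET", "/api/am/store/v0.11/apis"),
                 ("POST", "/api/am/store/v0.11/apis"),
                 ("GET", "/api/am/store/v0.11/apis/123/documents/7/content"),
                 ("GET", "/api/am/store/v0.11/apis/123/documents"),
                 ("GET", "/api/am/store/v0.11/tiers/api/Gold")]:
        verdict = "whitelisted" if is_whitelisted(wl, m, p) else "needs auth"
        print(f"{m:5} {p:55} -> {verdict}")
```

The point worth checking in a real deployment is the pairing of path and method: an entry that exempts `GET,HEAD` on `/api/am/store/{version}/apis` must not exempt `POST` on the same path, and a template with three placeholders must not match a path with only two segments or with an extra one appended.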
>>>> 2017-06-15 22:16 GMT+02:00 Farasath Ahamed <farasa...@wso2.com>:
>>>>
>>>>> It would be better if you could share the api-manager.xml configuration
>>>>> file to see if there are any errors in the configs.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Farasath Ahamed
>>>>> Software Engineer, WSO2 Inc.; http://wso2.com
>>>>> Mobile: +94777603866
>>>>> Blog: blog.farazath.com
>>>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Jun 15, 2017 at 8:40 PM, Thomas LEGRAND <
>>>>> thomas.legr...@versusmind.eu> wrote:
>>>>>
>>>>>> Hello again,
>>>>>>
>>>>>> I followed the tutorial in [1] to configure my Identity Server (IS)
>>>>>> as a key manager for my API Manager (AM). When I create my Production &
>>>>>> Sandbox applications in the AM, I can see service providers created in the
>>>>>> IS. I configured them to use SAML to retrieve information like the roles,
>>>>>> if the authentication is successful. And I can "exchange" my SAML
>>>>>> assertion for an OAuth token. So, everything is cool, here.
>>>>>>
>>>>>> But, when I try to reuse this OAuth token to access a resource via
>>>>>> the AM, it rejects me with this sweet message:
>>>>>>
>>>>>>     <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
>>>>>>       <ams:code>900900</ams:code>
>>>>>>       <ams:message>Unclassified Authentication Failure</ams:message>
>>>>>>       <ams:description>Resource forbidden</ams:description>
>>>>>>     </ams:fault>
>>>>>>
>>>>>> But there are no errors in the logs, just a WARN. So, I activated the DEBUG
>>>>>> mode and then I can see some interesting things:
>>>>>>
>>>>>> [2017-06-15 16:44:52,954]  WARN - APIAuthenticationHandler API authentication failure due to Unclassified Authentication Failure
>>>>>> [2017-06-15 16:44:52,954] DEBUG - APIAuthenticationHandler API authentication failed with error 900900
>>>>>> org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Resource forbidden
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:51)
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.doGetKeyValidationInfo(APIKeyValidator.java:253)
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIKeyValidator.getKeyValidationInfo(APIKeyValidator.java:209)
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator.authenticate(OAuthAuthenticator.java:196)
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler.handleRequest(APIAuthenticationHandler.java:117)
>>>>>>         at org.apache.synapse.rest.API.process(API.java:325)
>>>>>>         at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:90)
>>>>>>         at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:69)
>>>>>>         at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:304)
>>>>>>         at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:78)
>>>>>>         at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
>>>>>>         at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:325)
>>>>>>         at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
>>>>>>         at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
>>>>>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>>>         at java.lang.Thread.run(Thread.java:745)
>>>>>> Caused by: org.wso2.carbon.apimgt.gateway.handlers.security.APISecurityException: Error while accessing backend services for API key validation
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.APIKeyValidatorClient.getAPIKeyData(APIKeyValidatorClient.java:114)
>>>>>>         at org.wso2.carbon.apimgt.gateway.handlers.security.keys.WSAPIKeyDataStore.getAPIKeyData(WSAPIKeyDataStore.java:48)
>>>>>>         ... 16 more
>>>>>> Caused by: org.apache.axis2.AxisFault: org.apache.axis2.AxisFault: Mapping qname not fond for the package: java.util
>>>>>>
>>>>>> From here, I don't know what to do since I tried some fancy URLs for
>>>>>> the ServerURL value in the elements AuthManager and APIKeyValidator.
>>>>>> My IS has an offset of 5, so the port is 9448. Here is the URL I used
>>>>>> to point to the IS server: https://localhost:9448/services/
>>>>>>
>>>>>> Is there a way to know at which URL the IS deploys its Key Manager
>>>>>> feature web services (WS)?
>>>>>> Should I reinstall the Key Manager feature in the IS?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Thomas
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/AM210/Configuring+WSO2+Identity+Server+as+a+Key+Manager
>>>>>>
>>>>>> _______________________________________________
>>>>>> Dev mailing list
>>>>>> Dev@wso2.org
>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>
>>>>>>
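Thomas mentions trying several ServerURL values for the AuthManager and APIKeyValidator elements, with the IS running on port offset 5 and therefore port 9448. As an added example, my own code rather than anything from this thread or from WSO2, here is a small consistency check that reads those two ServerURL values from a constructed api-manager.xml fragment and compares them against the port implied by the offset. The base port 9443 and the `/services/` path are the WSO2 defaults as I know them; the unresolved-placeholder check assumes that a `${...}` Carbon property left in the URL resolves at runtime to the local server's own value, and the function names are my own.

```python
"""Consistency check for the Key Manager endpoints in api-manager.xml.

Added example, not part of the thread and not WSO2 code.  It reads the
<AuthManager> and <APIKeyValidator> ServerURL values from a constructed
api-manager.xml fragment and checks each against the port an external
Identity Server should listen on given its port offset (the thread's case:
offset 5, so 9443 + 5 = 9448).  Base port 9443 and the '/services/' path
are the WSO2 defaults as I know them.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CARBON_HTTPS_BASE_PORT = 9443  # default Carbon management HTTPS port before any offset

# Constructed fragment: AuthManager still carries the stock property placeholder
# (which resolves to the AM's own port), APIKeyValidator points at the IS.
SAMPLE_CONFIG = """<APIManager>
  <AuthManager>
    <ServerURL>https://localhost:${mgt.transport.https.port}/services/</ServerURL>
    <Username>${admin.username}</Username>
  </AuthManager>
  <APIKeyValidator>
    <ServerURL>https://localhost:9448/services/</ServerURL>
    <Username>${admin.username}</Username>
  </APIKeyValidator>
</APIManager>
"""

KEY_MANAGER_ELEMENTS = ("AuthManager", "APIKeyValidator")


def expected_port(offset: int) -> int:
    """HTTPS management port of a Carbon server started with the given offset."""
    return CARBON_HTTPS_BASE_PORT + offset


def check_key_manager_urls(xml_text: str, is_offset: int) -> dict[str, list[str]]:
    """Return {element: [problems]} for AuthManager and APIKeyValidator.

    An empty problem list means that element's ServerURL looks right for an
    external Identity Server key manager running at the given port offset.
    """
    root = ET.fromstring(xml_text)
    want_port = expected_port(is_offset)
    report: dict[str, list[str]] = {}
    for name in KEY_MANAGER_ELEMENTS:
        problems: list[str] = []
        url = root.findtext(f"./{name}/ServerURL", "").strip()
        if not url:
            report[name] = ["ServerURL is missing"]
            continue
        if "${" in url:
            # An unresolved Carbon property is filled in from this server's own
            # carbon.xml at runtime, so the URL would still point at the AM itself.
            problems.append("ServerURL still uses a ${...} property placeholder "
                            "(resolves to the local API Manager, not the IS)")
        else:
            parsed = urlparse(url)
            if parsed.scheme != "https":
                problems.append(f"scheme is {parsed.scheme!r}, expected 'https'")
            if parsed.port != want_port:
                problems.append(f"port is {parsed.port}, expected {want_port} "
                                f"({CARBON_HTTPS_BASE_PORT} + offset {is_offset})")
            if not parsed.path.endswith("/services/"):
                problems.append(f"path is {parsed.path!r}, expected it to end with '/services/'")
        report[name] = problems
    return report


if __name__ == "__main__":
    for element, problems in check_key_manager_urls(SAMPLE_CONFIG, is_offset=5).items():
        print(f"{element}: {'ok' if not problems else '; '.join(problems)}")
```

Run against the constructed fragment, the check passes APIKeyValidator and flags AuthManager for the leftover placeholder; both elements have to point at the IS for the gateway's key validation call to reach it, which is why the script reports them separately.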
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Rajith Roshan
>>> Software Engineer, WSO2 Inc.
>>> Mobile: +94-717-064-214
>>>
>>
>>
>


-- 
Rajith Roshan
Software Engineer, WSO2 Inc.
Mobile: +94-717-064-214
