Let's take a look at some concepts and terminology that you need to know in order to follow the use cases.
...
- Configure a WSO2 API Manager instance as the Key Manager in a separate server. See Product Profiles.
- Configure an instance of WSO2 Identity Server as the Key Manager. See Configuring WSO2 Identity Server as the Key Manager.
- Configure a third-party authorization server for key validations and an API Manager instance for the rest of the key management operations. See Configuring a Third-Party Key Manager.
Traffic Manager
Handlers
When an API is created, a file with its synapse configuration is added to the API Gateway. You can find it in the<APIM_HOME>/repository/deployment/server/synapse-configs/default/api folder. It has a set of handlers, each of which is executed on the APIs in the same order they appear in the configuration. You find the default handlers in any API's Synapse definition.
For a detailed description of handlers and how to write a custom handler, see Writing Custom Handlers.
...
Analytics
Additionally, statistics monitoring and analytics are provided by the monitoring analytics component, which integrates with WSO2 DASWSO2 API Manager Analytics.
...
Users and roles
The API Manager offers four distinct community roles that are applicable to most enterprises:
...
The API Manager comes with a pre-created default application, which allows unlimited access by default. You can also create your own applications.
If you want to create a mobile application, you can create a client side stub for Android or Java using SDKs. SDKs contain the necessary toolkits to create a mobile application using the OS to call the local API. To download the relevant ZIP file,
...
.
...
...
Access tokens
An access token is a simple string that is passed as an HTTP header of a request. For example, "Authorization: Bearer NtBQkXoKElu0H1a1fQ0DWfo6IX4a." Access tokens authenticate API users and applications, and ensure better security (e.g., prevent DoS attacks). If a token that is passed with a request is invalid, the request is discarded in the first stage of processing. Access tokens work equally well for SOAP and REST calls.
...
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g., fonts, JavaScript) of a Web page to be requested from another domain outside the domain from which the resource originated.
The Swagger API Console that is integrated in the API Manager runs as a JavaScript client in the API Store and makes calls from the Store to the API Gateway. Therefore, if you have the API Store and Gateway running on different ports, enable CORS between them.
...
| Code Block | ||
|---|---|---|
| ||
<handlers> <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.CORSRequestHandler"/> </handlers> |
...
OAuth scopes
Scopes enable fine-grained access control to API resources based on user roles. You define scopes to an API's resources. When a user invokes the API, his/her OAuth 2 bearer token cannot grant access to any API resource beyond its associated scopes.
...