
  1. To enable intercepting of requests to the REST APIs:
    1. Open the catalina-server.xml file found in the <IS_HOME>/repository/conf/tomcat directory.
    2. Uncomment the following valves found under the <Engine name="Catalina"> tag. As shipped, both valves are wrapped in a single XML comment:

       <!-- Authentication and Authorization valves for the REST APIs; the contexts they protect are configured in identity.xml -->
       <!--Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
       <Valve className="org.wso2.carbon.identity.authz.valve.AuthorizationValve"/-->

       After removing the comment markers the two valves should read:

       <Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
       <Valve className="org.wso2.carbon.identity.authz.valve.AuthorizationValve"/>

       Keep them in this order: Tomcat runs valves in the order they are declared, and the AuthorizationValve relies on the identity established by the AuthenticationValve.
  2. To specify the resources that you want to secure:

    1. Open the identity.xml file found in the <IS_HOME>/repository/conf/identity directory.

    2. Specify each resource that you want to secure as a <Resource> element under <ResourceAccessControl>, using the attributes and element described below.

      Parameter     Description                                                                          Sample value
      context       The resource context, relative to the root context, that needs to be secured.        /api/identity/*
      secured       Whether security is enabled (true) or disabled (false) for the given context.         true
      http-method   The HTTP method the rule applies to: all, post, get, etc.                             all
      Permissions   The user-role permission required to authorize access to the resource. Multiple       /permission/admin/login
                    permission strings can be given as a comma-separated list.

      Example:

      <ResourceAccessControl>
          <Resource context="/api/identity/*" secured="true" http-method="all">
              <Permissions>/permission/admin/login</Permissions>
          </Resource>
      </ResourceAccessControl>
  3. To configure intermediate certificate validation, add an <IntermediateCertValidation> element to the identity.xml file with the settings described below.

    Parameter                    Description                                                                     Sample value
    IntermediateCertValidation   Its enable attribute defines whether intermediate certificate validation        enable="true"
                                 is enabled or not.
    IntermediateCerts            The CNs, one <CertCN> element each, of the intermediate certificates that       wso2isintcert
                                 are accepted when validating a client certificate.
    ExemptContext                The context paths, one <Context> element each, that are exempted from           scim2
                                 intermediate certificate validation. It is recommended to add this element
                                 and leave it empty, because authentication might fail for exempted contexts.
                                 If you still require context paths to be exempted, list them as shown in the
                                 example below; note that requests to an exempted context are not checked
                                 against the certificate rules at all.

    Example:

    <IntermediateCertValidation enable="true">
        <IntermediateCerts>
            <CertCN>wso2isintcert</CertCN>
            <CertCN>localhost</CertCN>
        </IntermediateCerts>
        <ExemptContext>
            <Context>scim2</Context>
        </ExemptContext>
    </IntermediateCertValidation>
    Note: when intermediate certificate validation is enabled, the CN of the client certificate is taken as the username instead of the username being read from the request header.
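The following script is an added example; it is not part of this page or of WSO2 Identity Server. It parses an identity.xml fragment constructed to mirror the examples in steps 2 and 3 and reports, for a given request, which <Resource> entry and permissions apply and whether the intermediate-certificate rules would let the request through. The wildcard matching (fnmatch), first-match-wins ordering, and the use of a request's first path segment as its context for ExemptContext purposes are assumptions of this checker, not documented WSO2 behaviour.

```python
"""Sanity checks for the identity.xml settings described above (added example,
not WSO2 code).  It parses a constructed fragment modelled on this page and
answers two reviewer questions: which <Resource> entry and permissions apply
to a given path and method, and whether a request passes the
<IntermediateCertValidation> rules.  Assumptions of this checker, not
documented WSO2 behaviour: contexts match with shell-style wildcards
(fnmatch), the first matching <Resource> wins, and a request's context for
ExemptContext purposes is its first path segment.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed fragment; contexts and permissions mirror this page.
IDENTITY_XML = """<Server>
  <ResourceAccessControl>
    <Resource context="/api/identity/recovery/*" secured="false" http-method="get"/>
    <Resource context="/api/identity/*" secured="true" http-method="all">
      <Permissions>/permission/admin/login</Permissions>
    </Resource>
    <Resource context="/scim2/*" secured="true" http-method="post">
      <Permissions>/permission/admin/manage/identity/usermgt,/permission/admin/login</Permissions>
    </Resource>
  </ResourceAccessControl>
  <IntermediateCertValidation enable="true">
    <IntermediateCerts>
      <CertCN>wso2isintcert</CertCN>
      <CertCN>localhost</CertCN>
    </IntermediateCerts>
    <ExemptContext>
      <Context>scim2</Context>
    </ExemptContext>
  </IntermediateCertValidation>
</Server>
"""


def load_resources(xml_text):
    """Parse every <Resource> under <ResourceAccessControl>, keeping document order."""
    resources = []
    for res in ET.fromstring(xml_text).iter("Resource"):
        perms_el = res.find("Permissions")
        perms_text = perms_el.text if perms_el is not None and perms_el.text else ""
        resources.append({
            "context": res.get("context", ""),
            "secured": res.get("secured", "false").strip().lower() == "true",
            "method": res.get("http-method", "all").strip().lower(),
            "permissions": [p.strip() for p in perms_text.split(",") if p.strip()],
        })
    return resources


def match_resource(resources, path, method):
    """Return the first entry whose context and http-method cover the request, else None."""
    method = method.lower()
    for r in resources:
        if fnmatch.fnmatchcase(path, r["context"]) and r["method"] in ("all", method):
            return r
    return None


def lint_resources(resources):
    """Reviewer heuristics: entries that leave a context without a permission check."""
    warnings = []
    for r in resources:
        if not r["secured"]:
            warnings.append(f'{r["context"]}: secured="false", requests are not authenticated')
        elif not r["permissions"]:
            warnings.append(f'{r["context"]}: secured but no <Permissions>, no role is required')
    return warnings


def load_cert_rules(xml_text):
    """Return the accepted intermediate CNs and exempt contexts, or None if disabled."""
    el = ET.fromstring(xml_text).find("IntermediateCertValidation")
    if el is None or el.get("enable", "false").strip().lower() != "true":
        return None
    return {
        "cns": {c.text.strip() for c in el.iter("CertCN") if c.text},
        "exempt": {c.text.strip() for c in el.iter("Context") if c.text},
    }


def cert_check(rules, path, intermediate_cn, client_cn):
    """Apply the intermediate-certificate rule to one request.

    Returns (allowed, username, reason).  As the page's note says, the username
    is the client certificate's CN rather than a value read from a request header.
    """
    if rules is None:
        return True, None, "intermediate certificate validation disabled"
    context = path.strip("/").split("/", 1)[0]  # assumption: first path segment
    if context in rules["exempt"]:
        return True, None, f"context '{context}' is exempt from certificate validation"
    if intermediate_cn in rules["cns"]:
        return True, client_cn, "issuer CN listed in IntermediateCerts"
    return False, None, f"issuer CN '{intermediate_cn}' not in IntermediateCerts"


if __name__ == "__main__":
    resources = load_resources(IDENTITY_XML)
    for path, method in [("/api/identity/recovery/v0.9/claims", "GET"),
                         ("/api/identity/recovery/v0.9/claims", "POST"),
                         ("/scim2/Users", "GET")]:
        print(method, path, "->", match_resource(resources, path, method))
    print(*lint_resources(resources), sep="\n")
    print(cert_check(load_cert_rules(IDENTITY_XML), "/api/identity/user/v1.0/me", "untrusted-ca", "admin"))
```

To run it against a real deployment, read <IS_HOME>/repository/conf/identity/identity.xml into IDENTITY_XML instead of the constructed fragment. Under the first-match assumption the example shows why a narrow unsecured context (the recovery API for GET) has to appear before a broad secured one such as /api/identity/*, and lint_resources lists the entries that deserve a second look before the change goes live.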
