This section explains how to secure REST services and how requests to REST APIs are authenticated and authorized in the WSO2 Identity Server.
When a request is sent to a REST API, Tomcat valves intercept it and OSGi services authenticate and authorize the request. Two OSGi services provide authentication and authorization respectively, each based on its own set of handlers. You can write your own handlers for both authentication and authorization and register them in OSGi. The WSO2 Identity Server ships with the following three authentication handlers out of the box:
- OAuth2AccessTokenHandler
- ClientCertificateBasedAuthenticationHandler
- BasicAuthenticationHandler
The authorization handler checks the permissions specified for the resource against the permissions granted to the user's role. You can write your own authorization handler as well.
To secure REST services in the WSO2 Identity Server, follow the steps below.
- Open the `catalina-server.xml` file found in the `<IS_HOME>/repository/conf/tomcat` folder. Uncomment the following valves found under the `<Engine name="Catalina">` tag, to enable each service to intercept requests.

  ```xml
  <!-- Authentication and Authorization valve for the rest apis and we can configure context for this in identity.xml -->
  <!--Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
  <Valve className = "org.wso2.carbon.identity.authz.valve.AuthorizationValve"/-->
  ```
- Open the `identity.xml` file found in the `<IS_HOME>/repository/conf/identity` folder. Use the following code block to specify the resource that you want to secure.

  ```xml
  <ResourceAccessControl>
      <Resource context="/api/identity/*" secured="true" http-method="all">
          <Permissions>/permission/admin/login</Permissions>
      </Resource>
  </ResourceAccessControl>
  ```
- context: Specify which resource context (relative to the root context) must be secured.
- secured: Specify `true` or `false` to enable or disable security in this context.
- http-method: Specify `all` or the type of method (e.g., `post`, `get`, etc.).
- `<Permissions>`: Define which permission strings must be assigned to your role to authorize access to this resource, by specifying the permission strings in a comma-separated list.
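As an added example (not from the WSO2 documentation), the following `ResourceAccessControl` block uses the attributes described above to secure several contexts differently: the whole identity API for login-permitted roles, one hypothetical write endpoint behind two permissions, and one hypothetical health-check context left unsecured. The `/api/custom/*` and `/api/health/*` contexts and the second permission string are placeholders for illustration, not real WSO2 values.

```xml
<ResourceAccessControl>
    <!-- All methods under the identity API require a caller whose role holds the login permission -->
    <Resource context="/api/identity/*" secured="true" http-method="all">
        <Permissions>/permission/admin/login</Permissions>
    </Resource>

    <!-- Only POST on a hypothetical custom API is covered here; the role must hold BOTH
         permissions in the comma-separated list (second string is a placeholder) -->
    <Resource context="/api/custom/*" secured="true" http-method="post">
        <Permissions>/permission/admin/login,/permission/admin/PLACEHOLDER-custom-write</Permissions>
    </Resource>

    <!-- A hypothetical health-check context is explicitly left unsecured;
         keep such open contexts as narrow as possible -->
    <Resource context="/api/health/*" secured="false" http-method="get">
        <Permissions></Permissions>
    </Resource>
</ResourceAccessControl>
```

After editing `identity.xml`, restart the server so the valves pick up the new resource entries.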