Securing the Management API¶
The Management API of WSO2 Micro Integrator is the internal REST API.
The MI CLI and the Integration Control Plane communicates with this service to obtain administrative information of the server instance and to perform various administration tasks. If required, you can directly access the management API without using the ICP or CLI.
See the topics given below information on securing the management API.
Authentication (JWT)¶
Info
User authentication in the management API uses the file-based user store by default. If required, you can configure an LDAP or RDBMS user store.
JWT-based user authentication is enabled for the management API by default. This ensures that users that log in to the management API or log out will be authenticated.
The following resources of the API handles login and logout:
/login
: This resource is used to obtain a JWT token for the provided user name and password and it is protected by basic auth./logout
: This resource is used to revoke the JWT token.
When you access the management API directly, you must first acquire a JWT token with your valid username and password. To log out of the management API, this token must be revoked. See securely invoking the management API for more information.
When you use the Integration Control Plane or the MI CLI, JWT token-based authentication is handled internally.
Disable user authentication¶
Note
The management API and related tools (the CLI and the ICP will not be accessible if authentication is disabled.
If security is not required, you can simply disable the handler for the Micro Integrator. Open the deployment.toml
file (stored in the MI_HOME/conf/
directory) and add the following configuration:
[management_api.jwt_token_security_handler]
enable = false
Update token store configurations¶
Add the following configuration section to the deployment.toml
file and change the default values.
[management_api.jwt_token_security_handler]
token_store_config.max_size= "200"
token_store_config.clean_up_interval= "600"
token_store_config.remove_oldest_token_on_overflow= "true"
token_config.expiry= "3600"
token_config.size= "2048"
Parameter | Description |
---|---|
max_size |
Number of tokens stored in the in memory token store. User can increase or decrease this value accordingly. |
clean_up_interval |
Token cleanup will be handled through a seperate thread and the frequency of the token clean up can be configured from this setting. This will clean all the expired and revoked security tokens. The thread will run only when there are tokens in the store. If it is empty, the cleanup thread will automatically stop. Interval is specified in seconds. |
remove_oldest_token_on_overflow |
If set to true , this will remove the oldest accessed token when the token store is full. If it is set to false , the user should either wait until other tokens expire or increase the token store max size accordingly.
|
expiry |
This configures the expiry time of the token (specified in seconds). |
size |
Specifies the key size of the token. |
Authorization¶
Note
Authorization does not apply to users in the default file-based user store. Therefore, be sure to configure an LDAP or RDBMS user store if you want authorization to be effective.
Authorization can be set for resources that only need to be invoked by admin users. The /management/users
resource is by default secured with authorization, meaning that only users with admin privileges can access this resource.
Disable authorization¶
Add the following to the deployment.toml
file.
[management_api.authorization_handler]
enable = false
Enable authorization for other resources¶
If you want to enable authorization for any resources other than /users
, open the deployment.toml
file (stored in
the MI_HOME/conf/
directory) and add the following:
Tip
Note that the /users
resource is secured by default. However, you need to redefine the /users
resource (as shown below) in cases where you need to customize the resources that need authorization. Failing to do so will remove authorization from the /users
resource.
[[management_api.authorization_handler.resources]]
path = "/users"
[[management_api.authorization_handler.resources]]
path = "/apis"
Configuring CORS¶
CORS is enabled for the management API by default. The default configuration allows all origins (denoted by the *
symbol). The Authorization
header is also enabled by default to cater to the functionalities of the the Integration Control Plane.
Add the following to the deployment.toml
file and update the values.
[management_api.cors]
enabled = true
allowed_origins = "https://127.0.0.1:9743,https://wso2.com:9743"
allowed_headers = "Authorization"