This section explains how to secure REST services and how requests to REST APIs are authenticated and authorized in WSO2 Identity Server.
Requests sent via REST APIs are intercepted by Tomcat valves, then authenticated and authorized by OSGi services. Two OSGi services provide authentication and authorization, each based on its own handlers.
- WSO2 Identity Server supports the following authentication handlers:
- The authorization handler is based on the permission specified against a particular user role.
You can write your own handlers for both authentication and authorization and register them in OSGi.
Let's learn how to authenticate and authorize REST APIs:
- To enable the intercepting of services:
  - Open the `catalina-server.xml` file found in the
  - Uncomment the following valves found under the
- To specify the resources that you want to secure:
  - Open the `identity.xml` file found in the
  - Specify the resource that you want to secure under the `<ResourceAccessControl>` as given below.
| Parameter | Description | Sample Value |
|---|---|---|
| Resource context | This defines the resource context relative to the root context, which needs to be secured. | |
| secured | This specifies whether to enable or disable security in the given resource context. | |
| http-method | This defines the method as | |
| Permissions | This defines the user role permission that is required to authorize the resource. You can enter multiple permission strings in a comma-separated list. | |
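A review check for the resource entries described above, as an added example that is not part of the WSO2 documentation or product code: it parses a `<ResourceAccessControl>` block and lists resources where `secured` is not `true` or where no `Permissions` are listed. The XML layout (a `Resource` element with `context`, `secured` and `http-method` attributes and a `Permissions` child) and every sample value are assumptions built from the parameter names above; compare them with your own `identity.xml`.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are assumed from the
# parameters described above (Resource context, secured, http-method,
# Permissions); the contexts and permission strings are made up.
SAMPLE = """
<ResourceAccessControl>
  <Resource context="/api/example/admin" secured="true" http-method="all">
    <Permissions>/permission/example/manage, /permission/example/view</Permissions>
  </Resource>
  <Resource context="/api/example/profile" secured="true" http-method="GET"/>
  <Resource context="/api/example/status" secured="false" http-method="all"/>
</ResourceAccessControl>
"""


def local(tag):
    """Drop an XML namespace prefix: '{uri}Resource' -> 'Resource'."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return (context, http-method, finding) for entries that need review."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "Resource":
            continue
        context, method = el.get("context", ""), el.get("http-method", "")
        secured = el.get("secured", "").strip().lower() == "true"
        # Permissions may hold several strings in a comma-separated list.
        perms = [p.strip() for child in el if local(child.tag) == "Permissions"
                 for p in (child.text or "").split(",") if p.strip()]
        if not secured:
            findings.append((context, method, "secured is not 'true'"))
        elif not perms:
            findings.append((context, method, "secured but no Permissions listed"))
    return findings


if __name__ == "__main__":
    for context, method, finding in audit(SAMPLE):
        print(f"{method:5} {context}: {finding}")
```
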
To configure intermediate certificate validation, configure the following in the `identity.xml` file as given below.
| Parameter | Description | Sample Value |
|---|---|---|
| IntermediateCertificateValidation | This defines whether intermediate certificate validation is enabled or not. | |
| IntermediateCerts | This specifies the context paths of the intermediate certificates. | |
| ExemptContext | This specifies the context paths that need to be exempted from intermediate certificate validation. | |
When using intermediate certificate validation, `CN` will be taken as the `username` instead of being retrieved from the header.