With the "Domain Restriction" feature, an application key will be associated with a set of domains, and requests from only those specified domains will be allowed through the gateway.
How to use the domain restriction feature?
- The domains allowed access can be defined when you generate the application key. This can be a single domain or a set of domains. A set of domains is entered as a comma-separated list in the 'Access Allowing Domains' field of the application key generation UI. If the APIs should not be restricted to any domains, leave the 'Access Allowing Domains' field empty.
- Once you define the access allowing domains at token generation time, you can modify the domain list later.
- The client request must carry an HTTP header that identifies its domain. The administrator configures the header name used for domain validation in api-manager.xml (located in the {APIM_HOME}/repository/conf directory): a new element, '<ClientDomainHeader>', has been added to the '<APIGateway>' section of api-manager.xml.
- If you define it as <ClientDomainHeader>domain</ClientDomainHeader>, then API invocation requests must contain an HTTP header called 'domain'. (Sending this header is not mandatory; it is required only if API access is restricted to a certain set of domains.)
- e.g.: curl -v -H "Authorization: Bearer xxx" -H "domain: wso2.com" "http://localhost:8280/twitter/1.0.0/search.atom?q=cat"
- The value of the domain header sent with the client request is validated against the set of domains defined by the API subscriber. API access is allowed only if the client domain matches one of these domains; otherwise the client is sent an authentication failure message.
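The validation flow described above (read the header name from the <ClientDomainHeader> element, parse the subscriber's comma-separated 'Access Allowing Domains' field, compare the request header against it), written out as an added Python example. This is not WSO2's gateway code; the function names, the embedded api-manager.xml fragment and the request headers are constructed for illustration, and two details the post does not specify are assumptions made here: header names are matched case-insensitively (as HTTP requires) and domain values are compared case-insensitively after trimming whitespace.

```python
import xml.etree.ElementTree as ET

# Constructed fragment that mirrors the element described in the post;
# it is not a copy of a real api-manager.xml.
SAMPLE_API_MANAGER_XML = """<APIManager>
  <APIGateway>
    <ClientDomainHeader>domain</ClientDomainHeader>
  </APIGateway>
</APIManager>"""


def client_domain_header_name(xml_text):
    """Return the header name configured under APIGateway/ClientDomainHeader,
    or None when the element is absent or empty."""
    root = ET.fromstring(xml_text)
    elem = root.find("./APIGateway/ClientDomainHeader")
    if elem is None or not (elem.text or "").strip():
        return None
    return elem.text.strip()


def parse_allowed_domains(field_value):
    """Parse the 'Access Allowing Domains' field (comma-separated).
    An empty or missing field means the key is not domain-restricted."""
    if not field_value:
        return set()
    # Assumption: surrounding whitespace is ignored and comparison is
    # case-insensitive, so values are normalised to lower case.
    return {d.strip().lower() for d in field_value.split(",") if d.strip()}


def is_domain_allowed(request_headers, header_name, allowed_domains):
    """Decide whether a request passes the domain restriction check.

    request_headers: dict of header name -> value from the client request
    header_name:     value of <ClientDomainHeader> (e.g. 'domain')
    allowed_domains: set produced by parse_allowed_domains()
    """
    if not allowed_domains:
        return True  # key carries no domain restriction; header not required
    # HTTP header names are case-insensitive, so look the header up that way.
    wanted = header_name.lower()
    value = None
    for name, val in request_headers.items():
        if name.lower() == wanted:
            value = val
            break
    if value is None:
        return False  # restricted key but the client sent no domain header
    return value.strip().lower() in allowed_domains


def check_request(request_headers, xml_text, access_allowing_domains):
    """Run the whole check for one request, returning (allowed, reason)."""
    header_name = client_domain_header_name(xml_text)
    allowed = parse_allowed_domains(access_allowing_domains)
    if allowed and header_name is None:
        # Assumption: a restricted key cannot be validated without a
        # configured header name, so treat it as a failure.
        return False, "ClientDomainHeader not configured"
    if is_domain_allowed(request_headers, header_name or "", allowed):
        return True, "domain accepted"
    return False, "authentication failure: client domain not allowed"


if __name__ == "__main__":
    # Mirrors the curl invocation from the post (constructed header set).
    headers = {"Authorization": "Bearer xxx", "domain": "wso2.com"}
    print(check_request(headers, SAMPLE_API_MANAGER_XML, "wso2.com, example.org"))
    print(check_request({"Authorization": "Bearer xxx"}, SAMPLE_API_MANAGER_XML, "wso2.com"))
```

The first call models the request shown in the post and is accepted; the second carries a valid token but no domain header against a restricted key and is rejected, which is the failure case the last bullet describes.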
What prevents a client from supplying a false "domain" header?
Yes. We cannot control a client sending a false domain header. But this feature enhances the security, as the user needs to know both "accessToken + allowedDomains".