VP Innovation at Axway, Co-founder at Vordel

Mark O'Neill



Controlling API Access based on identity and API parameters using the Axway API Gateway

The Axway API Management platform makes it simple to configure a policy so that, for example, the userId "joe" is allowed to call /api/service?id=222 but not /api/service?id=333.

Let's see how this can be done.

Firstly, I have set up a path on the API Gateway for "/api/service" that routes to a policy called "Fine Grained AuthZ".

Let's look at this "Fine Grained AuthZ" policy:

You can see that it's a relatively simple policy, where the important work is being done by a "Compare Attribute Values" filter which is checking the identity of the client and the value being passed in the API call. Because the client has been authenticated at the top of the policy, the client ID is available in the "authentication.subject.id" attribute.

Now, if you press "Next" on the "Compare Attributes" filter, you can set the info that is shown when the filter runs:

You can see that I have configured it so that, if the user is not authorized, the following parameterized message appears in my traffic log:

UserID ${authentication.subject.id} & parameter ${params.query.id} not Authorized

So let's test this now, using a browser:

You can see that, when I pass "222" as the parameter and authenticate as "joe", I am authorized.

As the API Gateway admin, this is what I see in the Traffic Monitor:

If I pass in a different parameter, we see the message I configured in the "Next" part of my "Compare Attributes" filter displayed:

This enables me to see exactly why the API call was blocked.

This is quite a simple ACL (Access Control List) example. If you have a long list of users and attributes, you could use the Key Property Store (KPS), or make use of the embedded Apache Cassandra database to look up the authorization. 
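The policy described above, modelled in code as an added example that is not part of the original post or of the Axway product. It assumes a constructed ACL dictionary standing in for a KPS table, an attribute map mirroring the gateway's `authentication.subject.id` and `params.query.id` message attributes, and the same `${...}` selector syntax for the deny message; it fails closed when no authenticated subject is present.

```python
import re
from dataclasses import dataclass

# Constructed ACL, standing in for a KPS table: user id -> set of allowed "id" values.
ACL = {"joe": {"222"}, "alice": {"222", "333"}}

# Deny message as configured on the filter's "Next" page, using the page's selector syntax.
DENY_MESSAGE = "UserID ${authentication.subject.id} & parameter ${params.query.id} not Authorized"

SELECTOR = re.compile(r"\$\{([^}]+)\}")


def expand(template, attrs):
    """Replace each ${attribute.name} selector with its value from the attribute map."""
    return SELECTOR.sub(lambda m: str(attrs.get(m.group(1), "")), template)


@dataclass
class Decision:
    allowed: bool
    log: str  # what would be written to the traffic log


def fine_grained_authz(attrs, acl=ACL):
    """Model of the 'Fine Grained AuthZ' policy: compare the authenticated subject
    against the query parameter it is asking for, using the ACL as the lookup table.
    attrs mirrors gateway message attributes, e.g.
    {"authentication.subject.id": "joe", "params.query.id": "222"}."""
    subject = attrs.get("authentication.subject.id")
    if not subject:
        # The authentication filter did not populate a subject: fail closed.
        return Decision(False, "No authenticated subject; request denied")
    requested = attrs.get("params.query.id")
    if requested is not None and requested in acl.get(subject, set()):
        return Decision(True, f"UserID {subject} authorized for parameter {requested}")
    # Unauthorized: emit the parameterized message so the admin sees exactly why.
    return Decision(False, expand(DENY_MESSAGE, attrs))


if __name__ == "__main__":
    for user, param in (("joe", "222"), ("joe", "333"), (None, "222")):
        attrs = {"authentication.subject.id": user, "params.query.id": param}
        print(fine_grained_authz(attrs))
```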



Mark O'Neill is VP Innovation at Axway - API and Identity. Previously he was CTO and co-founder at Vordel, which was acquired by Axway. A regular speaker at industry conferences and a contributor to SOA World Magazine and Cloud Computing Journal, Mark holds a degree in mathematics and psychology from Trinity College Dublin and graduate qualifications in neural network programming from Oxford University.