Why can an unsubscribed Application's token be used to access a WSO2 APIM endpoint?

There is an API hosted in WSO2 APIM 4.1.0, and there are two different Apps subscribed to that API.

Before Unsubscribe:

[Image: Subscriptions]

I just unsubscribed one of the Apps to delete the API subscription, following the WSO2 doc.

After Unsubscribe:

[Image: Unsubscribe]

After unsubscribing, I am still able to invoke the WSO2 API using the unsubscribed Application's token.

It should now allow that unsubscribed app to invoke the API? Or correct me if my understanding is wrong.

Postman:

[Image: Postman]

Note: In the above API hit, I passed the unsubscribed App's token as the Authorization header.

In your case, you should not be able to invoke the API without a proper subscription. Although the token is valid, you should get a 403 HTTP code saying subscription validation has failed.

You can check whether the events are propagated successfully from the control plane node to your gateway node. This applies when you have a distributed setup. If you have an HA setup, verify that both nodes are working properly when it comes to event distribution.

Are you using the GA release of APIM 4.1.0? If so, this could be a bug that was fixed later through U2 updates. When an application subscription is deleted, any API invocations done using the tokens of that application should fail subscription validation with a 403 HTTP code and an error similar to the one below.

{"code":"900908","message":"Resource forbidden ","description":"User is NOT authorized to access the Resource. API Subscription validation failed."}

If you have a paid WSO2 subscription, please try this scenario with the latest U2 updated/patched version of APIM 4.1.0 by referring to this.
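The two answers above describe the behaviour to look for: a token from a still-subscribed application gets through, while a token from the application whose subscription was deleted is refused with HTTP 403 and APIM error code 900908. The following script is an added example (not code from the thread or from WSO2) that probes a gateway with both tokens and classifies the responses, so the check can be repeated after patching or after fixing event propagation. The gateway URL and the two tokens are placeholders you supply on the command line; the sample responses in the self-test are constructed.

```python
"""Probe a WSO2 APIM gateway to see whether a deleted subscription is enforced.

Added example, not code from the original thread or from WSO2. It assumes you hold
one token from a still-subscribed application and one from the application whose
subscription you deleted; the URL and tokens are placeholders supplied by the caller.
The 403 body with code 900908 is the one quoted in the answer above.
"""
import json
import sys
import urllib.error
import urllib.request

# APIM error code for "API Subscription validation failed" (quoted in the answer above).
SUBSCRIPTION_FAILED_CODE = "900908"


def classify(status, body):
    """Turn one gateway response (HTTP status, body text) into a verdict string.

    allowed             2xx: the request reached the backend
    subscription_denied 403 with code 900908: the gateway enforced the missing subscription
    forbidden_other     403 for some other reason (scope, policy, ...)
    token_rejected      401: the token itself was not accepted, so this probe says
                        nothing about subscription checks
    other               anything else, e.g. 404 for a wrong context/version
    """
    if 200 <= status < 300:
        return "allowed"
    if status == 401:
        return "token_rejected"
    if status == 403:
        try:
            payload = json.loads(body) if body else {}
        except json.JSONDecodeError:
            payload = {}
        if isinstance(payload, dict) and str(payload.get("code")) == SUBSCRIPTION_FAILED_CODE:
            return "subscription_denied"
        return "forbidden_other"
    return "other"


def invoke(url, token, timeout=10):
    """GET `url` with a bearer token; return (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_gateway(url, subscribed_token, unsubscribed_token, invoke_fn=invoke):
    """Probe with both tokens and report whether the gateway behaves as the answers describe.

    `ok` is True only when the subscribed app gets through AND the unsubscribed app is
    refused with 900908. A token_rejected verdict means the probe was inconclusive
    (expired or wrong token), not that subscription enforcement works.
    """
    verdicts = {
        "subscribed": classify(*invoke_fn(url, subscribed_token)),
        "unsubscribed": classify(*invoke_fn(url, unsubscribed_token)),
    }
    verdicts["ok"] = (
        verdicts["subscribed"] == "allowed"
        and verdicts["unsubscribed"] == "subscription_denied"
    )
    return verdicts


if __name__ == "__main__":
    # Usage (placeholders): python probe.py https://<gateway-host>:8243/<context>/<version>/<resource> <subscribed-token> <unsubscribed-token>
    url, good, stale = sys.argv[1:4]
    print(json.dumps(check_gateway(url, good, stale), indent=2))
```

Run it once before deleting the subscription (both tokens should be `allowed`) and again afterwards; if the unsubscribed token is still `allowed` on the gateway node but the Publisher shows the subscription gone, the subscription-delete event has not reached that gateway, which is the distributed/HA case the first answer points at.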

I tried the GA APIM 4.1.0 and this use case worked as expected. Shall we verify the subscription delete event flow in the API gateway by enabling debug logs for the gateway and key management components?

Add the following configurations in <APIM_HOME>/repository/logs/log4j2.properties:

logger.gateway-component.name = org.wso2.carbon.apimgt.gateway
logger.gateway-component.level = DEBUG

logger.keymgt-component.name = org.wso2.carbon.apimgt.keymgt
logger.keymgt-component.level = DEBUG

Make sure to add the newly created loggers as below.

loggers =  gateway-component,keymgt-component, AUDIT_LOG, trace-messages, org-apache-coyote, ....

With these, subscribe and unsubscribe events should be displayed in the terminal. You can use them to verify the event flow.
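The answer above has two parts that both have to be done for the debug output to appear: the two `logger.<id>.name`/`logger.<id>.level` definitions, and the `loggers = ...` registration line (a defined-but-unregistered logger silently prints nothing). The following helper is an added example, not part of the answer and not a WSO2 tool, that applies both edits to a log4j2.properties file idempotently. It assumes the stock WSO2 layout, in particular that the `loggers =` list sits on one line, and defaults to `repository/conf/log4j2.properties`, which is where WSO2 distributions ship the file. The sample properties text in the self-test is constructed.

```python
"""Enable DEBUG for the APIM gateway and key-manager loggers in log4j2.properties.

Added example, not part of the original answer and not a WSO2 tool. It assumes the
stock WSO2 file layout: each logger has `logger.<id>.name` / `logger.<id>.level`
lines and every logger id is listed on a single comma-separated `loggers = ...` line.
Forgetting that list entry is the usual reason new loggers never print anything.
"""
import re
import sys

# Logger ids and categories from the answer above.
DEBUG_LOGGERS = {
    "gateway-component": "org.wso2.carbon.apimgt.gateway",
    "keymgt-component": "org.wso2.carbon.apimgt.keymgt",
}

_DEF_RE = re.compile(r"^\s*logger\.([\w.-]+)\.(name|level)\s*=\s*(.*?)\s*$")
_LOGGERS_RE = re.compile(r"^\s*loggers\s*=\s*(.*?)\s*$")


def registered_loggers(text):
    """Logger ids on the `loggers = ...` line, or [] if there is no such line."""
    for line in text.splitlines():
        m = _LOGGERS_RE.match(line)
        if m:
            return [n.strip() for n in m.group(1).split(",") if n.strip()]
    return []


def logger_level(text, logger_id):
    """Level configured for `logger_id`, or None if it has no level line."""
    for line in text.splitlines():
        m = _DEF_RE.match(line)
        if m and m.group(1) == logger_id and m.group(2) == "level":
            return m.group(3)
    return None


def enable_debug_loggers(text, loggers=DEBUG_LOGGERS):
    """Return `text` with each logger defined at DEBUG and registered in `loggers = ...`.

    Idempotent: existing level lines are rewritten in place, ids already registered are
    not duplicated, and all other lines are left untouched.
    """
    lines = text.splitlines()
    defined = {}          # logger id -> {"name": line index, "level": line index}
    loggers_idx = None
    for i, line in enumerate(lines):
        m = _DEF_RE.match(line)
        if m:
            defined.setdefault(m.group(1), {})[m.group(2)] = i
        elif _LOGGERS_RE.match(line):
            loggers_idx = i
    if loggers_idx is None:
        raise ValueError("no 'loggers =' line found; is this a stock log4j2.properties?")
    if lines[loggers_idx].rstrip().endswith("\\"):
        raise ValueError("'loggers =' is continued over several lines; not handled here")

    new_defs = []
    for logger_id, category in loggers.items():
        have = defined.get(logger_id, {})
        if "name" not in have:
            new_defs.append(f"logger.{logger_id}.name = {category}")
        if "level" in have:
            lines[have["level"]] = f"logger.{logger_id}.level = DEBUG"
        else:
            new_defs.append(f"logger.{logger_id}.level = DEBUG")
        if "name" not in have or "level" not in have:
            new_defs.append("")   # blank line after a freshly added definition

    ids = registered_loggers(lines[loggers_idx])
    ids.extend(lid for lid in loggers if lid not in ids)
    lines[loggers_idx] = "loggers = " + ", ".join(ids)

    # Insert the new definitions just above the registration line.
    lines[loggers_idx:loggers_idx] = new_defs
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    # Default path is where WSO2 distributions ship the file; pass another path to override.
    path = sys.argv[1] if len(sys.argv) > 1 else "repository/conf/log4j2.properties"
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = enable_debug_loggers(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print("registered loggers:", ", ".join(registered_loggers(updated)))
```

Take a copy of the file before running this against a real installation. The stock file sets a `monitorInterval`, so the gateway picks the change up without a restart; once the debug lines appear, delete the subscription again and look for the subscription event being received and the local subscription data being updated on every gateway node, not only on the control plane.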
