In this scenario, the application of the Plain-Text Authentication policy to a SOAP web service named Calculator will be tested.
The numbers in the diagram below indicate the order of the transactions.
- The Security Manager included in Apinizer requests Plain-Text type authentication information from the API Client. If the authentication succeeds, the flow proceeds to step two.
- Apinizer forwards the request to the Backend API.
- The Backend API responds to Apinizer.
- Apinizer responds to the API Client.
Creating the API Proxy
The web service named Calculator can be accessed at http://www.dneonline.com/calculator.asmx?WSDL.
First, this address must be defined as an API Proxy.
To do this, click the API Proxies option under the Development menu.
The page that opens shows the text No records found!, since no proxy has been defined yet.
Click the Create button in the upper right corner to start creating a new proxy.
Since the API to be proxied is a SOAP web service, click Enter URL under the WSDL menu to open the screen where the address of the web service is entered.
As can be seen in the image below, the address to be accessed is entered in the URL field and the Parse button is clicked.
After the WSDL is parsed, the screen in the image below appears.
On this screen, the settings of the API Proxy can be made.
- The Usage field specifies who will use the created API Proxy; the options are publisher, consumer, and publisher and consumer.
- There are two different options under the Protocol Transformation tab:
- Pass-Through SOAP exposes the web service as SOAP without any transformation.
- REST to SOAP to REST allows this SOAP web service to be used within a REST architecture.
- One or both of the two API addresses under the Addresses tab can be selected; if both addresses are selected, Apinizer load-balances between them itself.
- The Relative Path is the address at which the API Proxy will be accessed.
- The Category List field allows the created API Proxy to be categorized.
- After these settings are made, the API Proxy is saved.
After saving, click the Develop tab on the page that opens.
The methods belonging to the web service are listed here.
- Policies added under the All entry above these endpoints apply to all endpoints.
- The created API Proxy is deployed by clicking the Deploy button at the top center.
- In the next step, Credentials are added to specify which users will have access to the created API Proxy.
The Credential to be added has username = apinizer and password = 123123aA.
To add it, open the Identity Management menu.
Here, click the Credentials entry under the Credential Management menu.
Click the Create button enclosed in the rectangle in the upper right corner of the screen that opens.
Here, the required fields are filled in with the information specified above, and the credential is saved by clicking the Save and Deploy button.
The proxy that this credential will be allowed to access must now be selected. Hover over the created credential and click the Edit option in the side menu.
On the screen that opens, click the API Proxy ACL tab, then click the button in this tab indicated by the red rectangle in the image.
On the page that opens, the API Proxies in the project currently being worked on are listed. The proxy named Calculator is selected.
Clicking the Add button grants the created Credential access to this proxy.
The list that was previously empty now contains an API Proxy.
The Save and Deploy button in the upper right corner is clicked and the change is saved.
Adding Authentication Policy
Now the Plain-Text Authentication policy can be added.
Go to the page where API Proxies are listed and select the proxy named Calculator.
Then go to the Develop tab and click the Add Policy button.
On the page that opens, the Plain-Text Authentication policy is selected.
Examining the fields on this screen one by one:
- The value to be selected in the Identity/Role/Group Service field is Security Manager, because the credential check will be performed by the Security Manager.
- The Variable for Username and Variable for Password fields select the variables from which the username and password will be read. In this scenario, these values are taken from the header.
- If the Clear Authentication Information option is selected, the authentication information is removed from the incoming message.
- The Add Client Info To Header option specifies whether the client information will be included in the header sent to the backend API.
- If this option is enabled, another parameter named Authenticated User Header Name appears.
- The X-Authenticated-UserId value here specifies the name of the header that carries the client information to the backend API.
When the policy is saved, the icon enclosed in a red rectangle appears.
The proxy must be redeployed for the change to take effect.
Now the methods inside the proxy can be tested.
Testing API Proxy
After selecting the Add method, click the Test Method button.
After the desired values are entered in the body, click the Send button to make a request to the backend API.
As can be seen in the image below, since no authentication information is sent with the request, the error message in the rectangle is received in response.
This time, the username and password are entered in the header and the test is performed again.
The headers username = apinizer and password = 123123aA are added to the request that will be sent to the Backend API.
The response received when the Send button is clicked is shown in the rectangle below in the image.
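To make the behaviour of the policy options and the two test requests above concrete, here is an added model of the check the Security Manager performs (illustration code written for this page, not Apinizer's own implementation). The credential store, the API Proxy ACL and the SOAP body for the Add method are constructed sample data; the `username` and `password` header names follow the test request described above.

```python
# Added illustration of the Plain-Text Authentication policy flow described
# above. Not Apinizer's code; credentials, ACL and request are constructed.
import hmac

# Constructed credential store and API Proxy ACL, matching the page's setup.
CREDENTIALS = {"apinizer": "123123aA"}
PROXY_ACL = {"apinizer": {"Calculator"}}

# Constructed SOAP body for the Calculator Add method (2 + 3).
ADD_BODY = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><Add xmlns="http://tempuri.org/">'
    "<intA>2</intA><intB>3</intB></Add></soap:Body></soap:Envelope>"
)


def plain_text_auth(headers, body, proxy, clear_auth=True,
                    add_client_info=True, user_header="X-Authenticated-UserId"):
    """Apply the policy to one request.

    Returns (status, headers_to_backend, body_to_backend). Status 401 means
    the Security Manager rejected the request and nothing reaches the backend.
    """
    # HTTP header names are case-insensitive, so normalise for lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    user, pwd = lowered.get("username"), lowered.get("password")
    if user is None or pwd is None:
        return 401, None, None            # no authentication information sent
    expected = CREDENTIALS.get(user)
    # Constant-time comparison; compare against "" for unknown users so that
    # an unknown user and a wrong password take a similar code path.
    matches = hmac.compare_digest(pwd.encode(), (expected or "").encode())
    if expected is None or not matches:
        return 401, None, None            # unknown user or wrong password
    if proxy not in PROXY_ACL.get(user, set()):
        return 401, None, None            # credential has no ACL for this proxy
    # Clear Authentication Information: strip the credential headers before
    # the request is forwarded, so the backend never sees the password.
    out = {k: v for k, v in headers.items()
           if not (clear_auth and k.lower() in ("username", "password"))}
    if add_client_info:
        out[user_header] = user           # Add Client Info To Header
    return 200, out, body
```

Calling `plain_text_auth({"Content-Type": "text/xml"}, ADD_BODY, "Calculator")` reproduces the first test (rejected), and adding the `username` and `password` headers reproduces the second (forwarded with `X-Authenticated-UserId` set).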