Sometimes hackers can use this information to guess the correct domain and resend the request with it. Since different WSO2 users expect different error formats, we let users configure the error messages. Because this is an authentication failure, you can customize auth_failure_handler.xml, available in the /repository/deployment/server/synapse-configs/default/sequences directory of the server. There you can define any error message, status code, etc. Here I will provide a sample sequence that sends a 401 status code and a simple error message to the client. If needed, you can customize this to send any specific response, status code, etc., using the synapse configuration language.
You can add the following synapse configuration to auth_failure_handler.xml, available in the /repository/deployment/server/synapse-configs/default/sequences directory of the server.
<sequence name="_auth_failure_handler_" xmlns="http://ws.apache.org/ns/synapse">
    <payloadFactory media-type="xml">
        <format>
            <am:fault xmlns:am="http://wso2.org/apimanager">
                <am:code>$1</am:code>
                <am:type>Status report</am:type>
                <am:message>Runtime Error</am:message>
                <am:description>$2</am:description>
            </am:fault>
        </format>
        <args>
            <arg evaluator="xml" expression="$ctx:ERROR_CODE"/>
            <arg evaluator="xml" expression="$ctx:ERROR_MESSAGE"/>
        </args>
    </payloadFactory>
    <property name="RESPONSE" value="true"/>
    <header name="To" action="remove"/>
    <property name="HTTP_SC" value="401" scope="axis2"/>
    <property name="NO_ENTITY_BODY" scope="axis2" action="remove"/>
    <property name="ContentType" scope="axis2" action="remove"/>
    <property name="Authorization" scope="transport" action="remove"/>
    <property name="Access-Control-Allow-Origin" value="*" scope="transport"/>
    <property name="Host" scope="transport" action="remove"/>
    <property name="Accept" scope="transport" action="remove"/>
    <send/>
    <drop/>
</sequence>
The sequence is deployed automatically, and for domain restriction errors you will then see the following response:
< HTTP/1.1 401 Unauthorized
< Access-Control-Allow-Origin: *
< domain: test.com
< Content-Type: application/xml; charset=UTF-8
< Date: Fri, 16 Dec 2016 08:31:37 GMT
< Server: WSO2-PassThrough-HTTP
< Transfer-Encoding: chunked
<
<am:fault xmlns:am="http://wso2.org/apimanager"><am:code>0</am:code><am:type>Status report</am:type><am:message>Runtime Error</am:message><am:description>Unclassified Authentication Failure</am:description></am:fault>
The backend server log still prints the actual error message, as shown below, so system administrators can see what the real issue is.
[2016-12-16 14:01:37,374] ERROR - APIUtil Unauthorized client domain :null. Only "[test.com]" domains are authorized to access the API.
[2016-12-16 14:01:37,375] ERROR - AbstractKeyValidationHandler Error while validating client domain
org.wso2.carbon.apimgt.api.APIManagementException: Unauthorized client domain :null. Only "[test.com]" domains are authorized to access the API.
    at org.wso2.carbon.apimgt.impl.utils.APIUtil.checkClientDomainAuthorized(APIUtil.java:3843)
    at org.wso2.carbon.apimgt.keymgt.handlers.AbstractKeyValidationHandler.checkClientDomainAuthorized(AbstractKeyValidationHandler.java:92)
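As an added check, not part of the original post or of WSO2's own tooling, the following Python snippet parses a captured auth-failure response and reports whether any of the authorized domains is echoed back in the am:fault fields or in the transport headers. The sample response is constructed from the curl output above; the authorized domain list is the one the server log shows.

```python
import xml.etree.ElementTree as ET

AM_NS = "http://wso2.org/apimanager"

# Constructed sample: the 401 the customized _auth_failure_handler_ returns (headers + am:fault body).
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "domain: test.com\r\n"
    "Content-Type: application/xml; charset=UTF-8\r\n"
    "\r\n"
    '<am:fault xmlns:am="http://wso2.org/apimanager"><am:code>0</am:code>'
    "<am:type>Status report</am:type><am:message>Runtime Error</am:message>"
    "<am:description>Unclassified Authentication Failure</am:description>"
    "</am:fault>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def parse_fault(body):
    """Parse the am:fault payload built by the payloadFactory mediator."""
    root = ET.fromstring(body)
    if root.tag != "{%s}fault" % AM_NS:
        raise ValueError("not an am:fault payload")
    return {child.tag.split("}")[1]: (child.text or "") for child in root}


def check_auth_failure(raw, authorized_domains):
    """Return findings: wrong status, or an authorized domain echoed in any
    fault field or response header. Empty list means nothing to guess from."""
    status, headers, body = parse_response(raw)
    findings = []
    if status != 401:
        findings.append("expected 401, got %d" % status)
    candidates = [("fault " + k, v) for k, v in parse_fault(body).items()]
    candidates += [("header " + k, v) for k, v in headers.items()]
    for label, value in candidates:
        for domain in authorized_domains:
            if domain in value:
                findings.append("%s leaks %s" % (label, domain))
    return findings
```

Run against the sample, the only finding is the `domain` transport header, which the sequence above does not remove; a description that repeated the log message, which quotes the authorized domain list, would be reported as a fault-field leak.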