Category Archives: Enterprise Service Bus

Apply OAuth2.0 base security for Rest endpoint with WSO2ESB 4.6.0 and WSO2IS 4.1.1 alpha

I think this would be good example for applying the security for the simple rest endpoint. Lets think we already have some rest endpoint without security but we need to expose this with the OAuth2.0 base security.

you can achieve this task with the following steps.

1. Create the custom handler to validate the Bearer token.
2. Create API element in the ESB and pointing the rest endpoint that you have
3. Include created handler to the created API element.
4. Go to IS and create the OAuth2.0 application and get the Access token form IS
5. Invoke the API with the valid access token.

Functional Scenario

Rest endpoint with security

1. Creating custom handler (Download the mvn project here)
You need to extends AbstractHandler and implements ManagedLifecycle as follows. as well I’m getting some parameters from the axis2.xml

package org.wso2.handler;

 * Created with IntelliJ IDEA.
 * User: dinuka
 * Date: 4/4/13
 * Time: 3:46 PM
 * To change this template use File | Settings | File Templates.
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.axis2.transport.http.HttpTransportProperties;
import org.apache.http.HttpHeaders;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
import org.apache.synapse.ManagedLifecycle;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;

import java.util.Map;

public class SimpleOauthHandler extends AbstractHandler implements ManagedLifecycle {

    private String securityHeader = HttpHeaders.AUTHORIZATION;
    private String consumerKeyHeaderSegment = "Bearer";
    private String oauthHeaderSplitter = ",";
    private String consumerKeySegmentDelimiter = " ";
    private String oauth2TokenValidationService = "oauth2TokenValidationService";
    private String identityServerUserName = "identityServerUserName";
    private String identityServerPw = "identityServerPw";

    public boolean handleRequest(MessageContext messageContext) {
            ConfigurationContext configCtx = ConfigurationContextFactory.createConfigurationContextFromFileSystem(null, null);
            //Read parameters from axis2.xml
            String identityServerUrl = messageContext.getConfiguration().getAxisConfiguration().getParameter(oauth2TokenValidationService).getValue().toString();
            String username = messageContext.getConfiguration().getAxisConfiguration().getParameter(identityServerUserName).getValue().toString();
            String password = messageContext.getConfiguration().getAxisConfiguration().getParameter(identityServerPw).getValue().toString();

            OAuth2TokenValidationServiceStub stub = new OAuth2TokenValidationServiceStub(configCtx,identityServerUrl);
            ServiceClient client = stub._getServiceClient();
            Options options = client.getOptions();
            HttpTransportProperties.Authenticator authenticator = new HttpTransportProperties.Authenticator();

            options.setProperty(HTTPConstants.AUTHENTICATE, authenticator);
            OAuth2TokenValidationRequestDTO dto = new OAuth2TokenValidationRequestDTO();
            Map headers = (Map) ((Axis2MessageContext) messageContext).getAxis2MessageContext().
            String apiKey = null;
            if (headers != null) {
                apiKey = extractCustomerKeyFromAuthHeader(headers);
            //validate passed apiKey(token)
                return true;
                return false;
        }catch(Exception e){
            return false;

    public String extractCustomerKeyFromAuthHeader(Map headersMap) {

        //From 1.0.7 version of this component onwards remove the OAuth authorization header from
        // the message is configurable. So we dont need to remove headers at this point.
        String authHeader = (String) headersMap.get(securityHeader);
        if (authHeader == null) {
            return null;

        if (authHeader.startsWith("OAuth ") || authHeader.startsWith("oauth ")) {
            authHeader = authHeader.substring(authHeader.indexOf("o"));

        String[] headers = authHeader.split(oauthHeaderSplitter);
        if (headers != null) {
            for (int i = 0; i < headers.length; i++) {
                String[] elements = headers[i].split(consumerKeySegmentDelimiter);
                if (elements != null && elements.length > 1) {
                    int j = 0;
                    boolean isConsumerKeyHeaderAvailable = false;
                    for (String element : elements) {
                        if (!"".equals(element.trim())) {
                            if (consumerKeyHeaderSegment.equals(elements[j].trim())) {
                                isConsumerKeyHeaderAvailable = true;
                            } else if (isConsumerKeyHeaderAvailable) {
                                return removeLeadingAndTrailing(elements[j].trim());
        return null;

    private String removeLeadingAndTrailing(String base) {
        String result = base;

        if (base.startsWith("\"") || base.endsWith("\"")) {
            result = base.replace("\"", "");
        return result.trim();

    public boolean handleResponse(MessageContext messageContext) {
      return true;

    public void init(SynapseEnvironment synapseEnvironment) {
        //To change body of implemented methods use File | Settings | File Templates.

    public void destroy() {
        //To change body of implemented methods use File | Settings | File Templates.

2. Now I take rest unsecured endpoint as ““(You can use your own endpoint)
Lets look at how to configure the WSO2 ESB with this endpoint.

Start the ESB 4.6.0 and Sign in as admin.
Then go to Source View.

Insert following xml configuration in to the source view to create the API element name as TestGoogle

  <api name="TestGoogle" context="/search">
      <resource methods="GET">
            <log level="custom">
               <property name="Test" value="Test"/>
                  <address uri=""/>
         <handler class="org.wso2.handler.SimpleOauthHandler"/>


3. We need to add the created custom handler.jar in to $ESB_HOME/repository/components/libs and go to the $ESB_HOME/repository/conf/axis2/axis2.xml and put the following parameters.

    <!-- OAuth2 Token Validation Service -->
    <parameter name="oauth2TokenValidationService">https://localhost:9444/services/OAuth2TokenValidationService</parameter>
    <!-- Server credentials -->
    <parameter name="identityServerUserName">admin</parameter>
    <parameter name="identityServerPw">admin</parameter>

restart the ESB.

Again go to source view and place the following xml to engage the custom handler in to the API element

         <handler class="org.wso2.handler.SimpleOauthHandler"/>

Total configuration looks like this

  <api name="TestGoogle" context="/search">
      <resource methods="GET">
            <log level="custom">
               <property name="Test" value="Test"/>
                  <address uri=""/>
         <handler class="org.wso2.handler.SimpleOauthHandler"/>

4. Start the WSO2 Identity server and create the Oauth2.0 Application


Request the access token from IS you need to pass the ClientID and Client Secret with the curl request.

curl -v -X POST –user <strong>R2CNjiq672f6xXQabAfWbYby2nca</strong>:<strong>QhEQi9eJv8BmSinPBnWscCFFDgsa</strong> -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=admin&password=admin" https://localhost:9444/oauth2endpoints/token

Then you will receive the access token

5. Now you can invoke the API with the received access token

curl -v -X GET -H “Authorization: Bearer ca1799fc84986bd87c120ba499838a7”


Tags: , ,

Authentication and Authorization with WSO2ESB and WSO2IS

This is very impotent post because I’m going to discuss how to secure the proxy service with Username Token  as well as Authorization with XACML policies.

For Authorization we are using the WSO2 Identity server and Inbuilt Entitlement mediator in WSO2 ESB.

Authentication and Authorization

You can see the high level view of the ESB and IS communication. Let me explain the scenario.

1. User going to access the proxy service with the user credentials.
2. ESB authenticate the user first
3. If the authentication pass then go to Identity Server through the Entitlement Mediator and call the get decision method with above credentials
4. Identity Server will look the XACML policies and return the decision.
5. If decision is “Permit” then proxy service allow to access the echo service
6. If decision is “Deny” or “Not applicable” proxy service not allow to access the echo service.

Lets look at the configuration of this setup. We are using ESB-4.6.0 and IS-4.1.0

1. You have to share the same User store with WSO2ESB and WSO2IS
refer the ESB user-mgt.xml and IS user-mgt.xml – this is done for Embedded LDAP coming with WSO2IS but you can configure any DB as your user store and share with both ESB and IS

2. Start the IS first and then ESB with port offset 1
3. Create “In sequence” in ESB
here you need to add the entitlement mediator as a first child of In Sequence

Select the entitlement and set the entitlement server url, username and password.
entitlement server url = https://localhost:9443/services/
username = admin
password = admin

Set the Fault mediators under OnReject as well as set the Send mediator under OnAccept

Set the Header mediator as follows and remove the security headers.

Click on the Namespaces and put the following entry.
Prefix – wsse

3. Create “Out sequence” in ESB
just put send and log mediators as follows

4. Now we need create the proxy service for echo service already in WSO2ESB
Add new proxy -> custom proxy then you can see the following window and you have to specify the following details.
Name – EchoProxy
Publishing WSDL – Specify source URI
then put the wsdl of the echo service as “http://localhost:8281/services/echo?wsdl&#8221;

Move next and select the “InSequence” that we created before.

Move next again and select the “OutSequence” as well.

finally click the finish
Now you have to create the new role “testRole” with admin permission and new user “testuser” with password “testuser” and assign the “testRole” because we are using this to control the access . then secure the created proxy with Username Token as follows




Now you complete the proxy service creation and lets move to Identity server configurations.

5. In Identity server we need to add the XACML Policy
Here I’m going to create the simple User base XACML policy.

Name – EchoServicePolicy
Specify the Role name as “testRole” as well as you have to specify the action as “read” because our Entitlement mediator send the action string as “read

Finish the policy and enable the policy to test.

Now you can evaluate the policy through the Tryit.


But if you click on the “Evaluate with PDP” you will not get Premit because still you not promote the XACML policy to the PDP.

to promote XACML policy to the PDP you can click on the button in front of the policy “sync with PDP“. Now try to “Evaluate with PDP”.

Now we done the configuration on Identity Server.

6. Go to ESB and select the EchoProxy service and go to TryIt.

Here we are using “testuser” which is under the role “testRole” so the XACML engine will permit to access the resource

Now go and remove the “testRole” form user “testuser” and try to access the service. Now you can see XACML engine is not permit to user to access the resource.


Tags: , ,

Invoke secured service(Sign and encrypt) from SoapUI 4.0.0

Here we are using the WSO2ESB 4.0.3 and SoapUI 4.0.0

First of all you have to start the ESB and secure the “echo” service as follows

1. Click on the “List” button under “Web Service” menu and Select the “Unsecured” button to Secure the service in front of “echo” service


2. Now select “yes” from drop down and selected the policy number “5” and click Next


3. Select the “Trusted key store” and “Private key store” click Finish


4. You can see the message “Security applied successfully


Configuration part in ESB side is finished. What we have to do now is Invoke the secured service through the SoapUI

1. Open the SoapUI and go to “New SoapUI project” and give the service endpoint url with wsdl

ex/ endpoint url – http://localhost:8280/services/echo?wsdl

you can easily take the endpoint url by click on the service


Place the endpoint url with wsdl and create SoapUI project


2. Click on the created project and select “Show Project View


3. go to “WS-Security Configurations


4. Select “Keystores / Certificates


5. Add new keystore – select the “wso2carbon.jks” that you select to secure the service (you can easily find this here ${ESB_HOME}/repository/resources/security)




6. Set Default Alias as “wso2carbon” and Alias Password as “wso2carbon


7. Select tab “Incoming WS-Security Configuration


Add new record name as “incoming-security


Select Signature keystore as “wso2carbon.jks” and set password as “wso2carbon


8. Select tab “Outgoing WS-Security Configuration


Add new record name as “outgoing-security



Set Alias name as “wso2carbon” and password as “wso2carbon


9. Add new WS Entry “TimeStamp



Set value as “300000


9. Add another WS Entry “Signature

Keystore : wso2carbon.jks
Alias : wso2carbon
Password : wso2carbon
Key Identifier type : Binary Security Token
Signature Algorithm :
Signature Canonicalization :
Digest Algorithm : sha1
Use Single certificate : true

Parts – Add a new sign part for SOAP body. For that use the following values

ID – [keep it as blank]
Name – Body
Namespace –
Encode – Content


9. Add another WS Entry “Encryption

Keystore : wso2carbon.jks
Alias : wso2carbon
Password : wso2carbon
Key Identifier type : Binary Security Token
Symmetric Encoding Algorithm : <Default>
Key Encryption Algorithm : <Default>
Encryption Canonicalization : <Default>
Create Encrypted Key : true
Parts – Add a new Encryption part

ID – [keep it as blank]
Name – Body
Namespace –
Encode – Content


10. Save the SoapUI project and select the one of function under soap12Binding and go to request

Select “Aut” and Set the  “Outgoing WSS” and “Incoming WSS


11. Invoke the service with the required parameters


1 Comment

Posted by on December 19, 2012 in Enterprise Service Bus, java, wso2


Tags: ,

How to Invoke the “echo service” secured with Kerberos in WSO2 ESB

This is most useful sample to verify the echo service secured with “kerberos”

First you have to download the WSO2-ESB 4.5.0 and WSO2-IS 4.0.0
In this example IS(Identity Server) act as KDC(key distribution center) so first of all we have to configure the IS

Open the bellow mentioned files and do the required changes

1. $IS_HOME/repository/conf/embedded-ldap.xml

Download Sample embedded-ldap.xml here
under <KDCServer> and  make the property “enable” = true as follows
<Property name=”enabled”>true</Property>

add this property under <KDCServer>
<Property name=”preAuthenticationTimeStampEnabled”>false</Property>

2. $IS_HOME/repository/conf/user-mgt.xml

Download Sample user-mgt.xml here
under <ApacheDSUserStoreManager>
<Property name=”kdcEnabled”>true</Property>

3. $IS_HOME/repository/conf/security/krb5.conf

Download Sample krb5.conf here

default_realm = WSO2.ORG
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
allow_weak_crypto = true

WSO2.ORG = {
kdc =

[domain_realm] = WSO2.ORG = WSO2.ORG

krb4_convert = true
krb4_get_tickets = false

4. $IS_HOME/repository/conf/security/jaas.conf

Download Sample jaas.conf here

Server { required

Client { required

Now IS is configured successfully
Go to $IS_HOME/bin and run the

If IS configured properly, when your stating the IS you can see this log in command line
“[2012-12-13 14:40:32,426] INFO {} – Kerberos service started.”

Now you have to create the Server principle that we mention in “jass.conf”

Login to IS buy using username – “admin” password -“admin” and go to configure->Service Principle and create   It


Register the Server Principle
Service Name : esb/localhost
Description : Test
Password : dinuka
Re Password : dinuka

Next we have to create Client Principle that means “User”

Username : dinuka
Password : dinuka
User Role : admin

Lets move to configure the ESB

First go to $ESB_HOME/repository/conf/security/
and place the same krb5.conf and jaas.conf files in $IS_HOME/repository/conf/security/

Open $IS_HOME/repository/conf/carbon.xml and change the offset 0 to 1 and start the ESB
Download sample carbon.xml here

Go to ESB and secure the “echo” service with kerboros


Service Principle Name : esb/localhost
Service Principle Password : dinuka


We are done with the configuration now we have to invoke the echo service so you can download the Java Client from here

You have to set the project dependencies for above client so point the all jars in $ESB_HOME/repository/components/plugins 

If you change username and password at the configuration time you have to make those changes on the above client also Go to policy.xml in the above client and change the following details according to your setting

<rampart:property name=””>dinuka</rampart:property>
<!– Authenticating user password –>
<rampart:property name=”client.principal.password”>dinuka</rampart:property>
<!– To which service client needs to talk to –>
<rampart:property name=””>esb/localhost@WSO2.ORG</rampart:property>

Finally change the ECHO_SERVICE_EPR  relevant to the your ESB and run the

Results should be

Calling Echo service with parameter – Hello World
Response : <ns:echoStringResponse xmlns:ns=””><return>Hello World</return></ns:echoStringResponse>

1 Comment

Posted by on December 13, 2012 in Enterprise Service Bus, Identity Server, java, wso2

%d bloggers like this: