1 vote

I have a web app where the front-end layer has an Angular-based UI. It has both public pages and private pages that are accessible to logged-in users, and access depends on the roles of the logged-in users as well. My server-side application is a Java-based REST service API.

How can I use WSO2 to handle user authentication and role-based authorisation? I would like to have an additional layer of API security depending on the role of the user as well.

Can someone explain the best architecture for this in WSO2? If I use WSO2 API Manager, how can I handle the user's login, and how do I relate API access to the role of the logged-in user?

Thanks in advance.

Do you want to control access to your pages based on roles, or do you want to control access to the APIs used within your page? - Jenananthan

I will need both. In the UI, I have to restrict access. Also, in the API layer, I need API security. - Janier

2 Answers

0 votes

You can use WSO2 App Manager to control access to any web app [1]. App Manager supports role-based access control as well as XACML policy-based access control. In order to provide API-level role-based security, you can use scopes [2] in WSO2 API Manager.

[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization

[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization

0 votes

Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.

Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only the endpoint URLs are different in APIM, like this:

Token: https://localhost:8243/token
Revoke: https://localhost:8243/revoke
Authorize: https://localhost:8243/authorize

There, when a user logs in, you get an ID token which contains user claims. You can allow/deny page views depending on that data.

In the above step, you create an SP and generate a client key/secret pair. You can set the same keys in APIM's application. Read this.

Then, as I mentioned here, you can use scopes to secure your APIs by roles.
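The page-view decision the answer above describes, written out as an added example for the Angular side (this is not code from the answer or from WSO2): the ID token returned by the token endpoint is a compact JWT, so the front end decodes its payload and checks expiry plus a role claim before showing a private route. The claim name `roles` and the page-to-role mapping are assumptions; the sample token is constructed inline.

```javascript
// Added example: read claims out of the OIDC ID token and decide which Angular
// pages the user may view. Claim name "roles" and the page map are assumptions.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; convert to standard base64.
  const padLen = (4 - (segment.length % 4)) % 4;
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/").padEnd(segment.length + padLen, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Return the payload claims of a compact JWT. This does NOT verify the signature:
// it is only good for hiding/showing pages in the browser. The authorisation that
// matters is enforced at the API Manager gateway through scopes, not here.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Private page -> roles allowed to view it (assumed mapping for this example).
const PAGE_ROLES = {
  "/dashboard": ["admin", "user"],
  "/admin": ["admin"],
};

// Allow a page view only if the page is known, the token is unexpired and a role matches.
function canViewPage(claims, page, nowSeconds = Math.floor(Date.now() / 1000)) {
  const allowed = PAGE_ROLES[page];
  if (!allowed) return false; // unknown private page: deny by default
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return false;
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  return roles.some((r) => allowed.includes(r));
}

// Constructed sample ID token: real header and payload encoding, placeholder
// signature. A token issued by WSO2 carries a real signature that the gateway checks.
function base64UrlEncode(str) {
  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "alice", roles: ["user"], exp: 2000000000 })),
  "signature-placeholder",
].join(".");
```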