
I have created a RESTful web server which exposes a bunch of APIs to the external world. I am looking at securing these APIs using an OAuth2 implementation. I think WSO2 products fit my use case. However, I am not finding many examples of how to integrate Spring Security (OAuth) with WSO2 Identity Server. Any pointers on this will be helpful.

Also, where and how does WSO2 ESB fit in? I see documentation where WSO2 IS is integrated with the ESB module.

ram
  • This might be helpful. [link](http://stackoverflow.com/questions/42569535/how-to-protect-rest-api-with-wso2-is) – nwick Mar 06 '17 at 16:39
  • Thanks for the link. Can you please clarify what the advantage is of going over to WSO2 Identity Server over WSO2 API Manager? Can OAuth2 be implemented with both WSO2 Identity Server and WSO2 API Manager? – ram Mar 07 '17 at 05:12
  • Yes. You can implement OAuth2 security with both WSO2 API Manager and Identity Server. API Manager mainly focuses on API management functionalities such as API creation, publishing, subscription management, and throttling. Identity Server is an identity and access management solution. You can enable federated identity management, role-based access control, attribute-based access control, fine-grained policy-based access control, single sign-on, etc. with that. It looks like API Manager is more suitable for your use case. – nwick Mar 07 '17 at 05:30

1 Answer


If you want to secure your defined APIs in your webapp without the WSO2 API Manager, please take a look at this resource:

https://www.yenlo.com/blog/wso2-spring-oauth2-integration-with-identity-server

Another way is to expose your backend APIs through WSO2 API Manager. It's easy, just follow the documentation.

Jorge Infante Osorio
  • Thanks for the explanation. I exposed my backend APIs via API Manager and tested the same with curl commands. For the OAuth grant type, I tested "Password" and "Client credential". In both of these grant types, the consumer key and secret are passed. How will the external application know this consumer key and secret? Is there any security risk in sharing these keys? Also, in the case of "password grant", the username/password needs to be configured in the API Manager? (In my case I added a new user and tested.) Can this be any external LDAP server? – ram Mar 08 '17 at 10:17