We have Azure API Management in internal VNet mode and make it publicly available by placing an Application Gateway in front of it. Everything works fine, but I noticed that in the API Management Analytics section, under Geography, I only see aggregation by "Other" instead of by country.
Only one line is shown.
How can I solve this problem?
The IP to Geography mapping that APIM uses is based on a static internal DB that may not provide 100% correct info. There is no ETA or guarantee that it will provide 100% accurate information about the user's geography. You're welcome to log the client IP in Log Analytics and use any 3rd-party service that may provide better information. Please let me know in case of further queries; I would be glad to assist you.
Scenario: Externally exposed API, connects to multiple backend DBs. Multiple customers can use the API; they obviously should only have access to their data. In the past this has been done with separate accounts for each customer/user, and consequently each account would need setting up in each of the backend systems with the correct authorities.
Problem: I want to use Azure APIM. I don't want the extra maintenance for each user in both the Azure APIM and the backend Dbs. I was wondering if anyone has any thoughts or cases where they accomplished this in a different way. Also the API may be built with access via one account with all access to tables.
I'm sure there are different ways to approach this but a common way I believe to do this would be using Application Roles.
I don't believe this is really dependent on Azure APIM as such, but you can leverage OAuth 2.0 support to pre-authorize requests and in your backend, depending on the claims present in the token passed, you can allow/deny access to the data.
Your backend would usually authenticate to the different DBs as itself with full access to all data, and your backend would be tasked with making sure only people with the right claims can access the data.
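An added example (not from the answer above) of the pattern it describes: the backend connects to the database as itself with full access, and the rows returned are scoped by the tenant and application role found in the already-validated token. The claim names `tid` and `roles`, the role name `Orders.Read`, and the sample data are assumptions.

```python
import sqlite3

# Constructed sample data: one table shared by several customers,
# each row tagged with the tenant it belongs to.
SAMPLE_ORDERS = [
    (1, "tenant-a", "widgets", 10),
    (2, "tenant-a", "gadgets", 3),
    (3, "tenant-b", "widgets", 7),
]


def open_backend_db():
    # The backend authenticates to the DB as itself, with full access to all rows.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER, tenant_id TEXT, item TEXT, qty INTEGER)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)", SAMPLE_ORDERS)
    return conn


def fetch_orders(conn, claims):
    """Return only the rows the caller's token entitles it to see.

    `claims` is the decoded JWT payload after signature/issuer validation
    (for example by APIM's validate-jwt policy). The claim names 'tid' and
    'roles' and the app role 'Orders.Read' are assumptions for this example.
    """
    tenant = claims.get("tid")
    roles = claims.get("roles", [])
    if not tenant or "Orders.Read" not in roles:
        raise PermissionError("token lacks a tenant id or the required app role")
    # The tenant filter is taken from the token, never from the request
    # body or query string, so a caller cannot ask for another customer's data.
    return conn.execute(
        "SELECT id, item, qty FROM orders WHERE tenant_id = ? ORDER BY id",
        (tenant,),
    ).fetchall()
```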
In order to use an API the user/customer has to register with the Developer Portal and get a Subscription to a given API and the associated key. So you have to authenticate them. When you publish APIs through Azure API Management, it's easy and common to secure access to those APIs by using subscription keys. Client applications that need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs. https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions
The Developer Portal supports different authentication mechanisms including Azure AD. So if you plan to use Azure AD for your authentication for both portals you will need to configure it accordingly. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-aad
So I have the website that provides the API for logging in/registering/etc. And I have the MediaWiki set up at my server.
I need to disallow MediaWiki registration and only allow logging people in through our API. So, when the user tries to log in, no request to the MediaWiki DB for the user should be made; instead the request to our API should be made, logging the person in if our API returned the correct data and displaying an error if it didn't.
Is there a way to get it done with MediaWiki?
Thanks in advance.
Your question is very broad and involves some development but also a lot of configuration as well. So, let's start:
First of all, you need to somehow integrate with the API you mentioned, which is possible by developing your own primary authentication provider. See the high level documentation. In this, you will have all the necessary entry points a user might hit when logging in or registering a new account and you can "translate" them to the actual actions which you need to do in your API (you do not mention what it is or what it provides, so we cannot give you better guidance here).
The second step would then be to configure this new authentication provider as the only one using $wgAuthManagerConfig, which will in fact disable all other ways of creating other accounts as well as logging in with other accounts than the ones provided from your API.
If you've more questions, I would suggest that you provide more information and specific points where you're stuck :)
You can have a look at Extension:Auth remoteuser; it could fit at least partly your needs.
Newbie for Sawtooth here. Currently I am working on a POC for supply chain using Sawtooth as the record storage, and there is one use case that I am still trying to sort out. Here is the use case: let's say there is company A and company B; both companies will upload documents to the supply chain system and the file URL will be stored in Sawtooth. In this case, may I know what is the best design for the permission control, as those documents should be viewable by all company A and company B staff? Thanks!
Once the file URL is stored in the chain, anyone with access to the node will be able to view it. Only allowing certain people to read from the Sawtooth chain can be done, similar to how traditional access restriction is given for APIs or servers. You can put the Sawtooth system behind a proxy and an API and give permissions for the access. That is one way to do it.
I would like to know if it is legal for me to collect data from some 3rd-party service via their API?
This is the situation: I have a customer. The customer uses some system that provides them reports. The customer wants me to have access to those reports, so they give me their credentials and I'm using my service's REST API calls, using the customer's credentials, converting their data from that system's REST API to my DB that I share only with this customer per their request.
Is it an ok thing to do?
I am concerned because it gets deeper. I have many customers who are using the same service that I figured out the API to and are willing to collect data.
Ask them, or read their legal contracts with you and licensing terms of their API. Consult law of the land too.
Nobody is going to read this question after I would like to know if it is legal...
And oh, delete the question before you get 50 down-votes because it just doesn't belong to this forum :)
Hi, I have a question regarding security and web services.
I need a web service to provide an interface for the underlying MySQL database. I am trying to get a BlackBerry application to store data in the web server's MySQL database through a web service.
My question is, how can I ensure that the BB application is the only thing that is using the web service? The web service will essentially insert data into a table. I want to ensure that only the BB application is allowed to use this service and not someone who figures out the service and starts spamming my table.
Any pointers, best practices or links are greatly appreciated.
Also what sort of web service is best in this scenario?
Take a look at basic authentication over SSL. Configuring the application to include the username/password in the header should be fairly straightforward and the SSL connection will ensure they're not being transmitted in cleartext.
Use net.rim.device.api.crypto.HMAC to implement HMAC authentication and validation. Establishing end-to-end SSL connections on a BlackBerry can be problematic and dependent on wireless provider support unless your users are activated on a corporate BES (which I strongly recommend as part of the solution if you want robust security).
I am going to assume that the BlackBerry application is made by yourself as well. How you can then do this is by creating a sequence or hash that only your application can create, that the web service can verify. For instance, in the beginning of the process, or better, for each step the web service sends down a key sequence, which maps to an internal dictionary within your application on the method to make the unique hash.
The flow would then be as follows:
Perform data task in BB application
Ready to transmit data to web service
Create unique hash from data + your own information from the mapped dictionary
Transmit the data with the key
Web Service verifies the key. If validation fails, it discards the data completely, if succeeds, it will then do what it needs to do.
Continue.
HTH
Disclaimer: Assuming this is an open ended WS.
Also see my answer here.
I would go with a REST web service over HTTPS; it would take your problems away. I dunno anything about BlackBerry apps so I can't give you any pointers on how to use HTTPS on that platform.
If you are creating a SOAP web service then you want to read about ws-security.
Others have indicated using SSL to secure the site. However, that is only one part of the puzzle. Kyle was close with the second, but didn't quite cut it.
The answer is that every single transaction which is posted to your web service must contain some type of authorization key. That key can be pre-shared and baked into the application OR it can be acquired through some other means and set up as part of the application install / configuration process.
Nearly all companies which provide web services online follow this method. The idea is that regardless of the underlying protocol (SSL for example) you have to validate that the request is indeed coming from an authorized device / program. Some vendors have the users create a unique key for each user, some for each device, and others just 1 key for the entire organization. Regardless of how deep you take it, there is in fact a key.
The key usually isn't that large. It might be anywhere from 15 to 40 alphanumeric characters.
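An added example (not from any of the answers above) of the scheme the two answers describe: the flow where the application computes a hash over the data plus information only it holds, and the point that every transaction must carry an authorization key the service can check. Each request carries an HMAC-SHA256 tag over its timestamp, nonce and body; the service recomputes the tag, discards anything that fails, and also rejects stale or replayed messages. The key value, the five-minute window and the message layout are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed pre-shared key for the example only. In practice the key is
# baked into the application build or issued during install/configuration,
# one per user, per device or per organization as the answer above notes.
APP_KEY = b"example-preshared-key-not-for-production"


def canonical(payload: dict, ts: int, nonce: str) -> bytes:
    """Fixed serialization so client and server hash exactly the same bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{ts}\n{nonce}\n{body}".encode()


def sign_request(payload: dict, key: bytes = APP_KEY, ts=None, nonce=None) -> dict:
    """Client side: attach timestamp, nonce and HMAC-SHA256 tag to the data."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    tag = hmac.new(key, canonical(payload, ts, nonce), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "payload": payload, "sig": tag}


class Verifier:
    """Server side: recompute the tag and reject bad, stale or replayed requests."""

    def __init__(self, key: bytes = APP_KEY, max_skew: int = 300):
        self.key, self.max_skew, self.seen = key, max_skew, set()

    def verify(self, msg: dict, now=None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            ts, nonce, payload, sig = msg["ts"], msg["nonce"], msg["payload"], msg["sig"]
        except (KeyError, TypeError):
            return False
        if abs(now - ts) > self.max_skew or nonce in self.seen:
            return False  # outside the time window, or nonce already used
        expected = hmac.new(self.key, canonical(payload, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False
        self.seen.add(nonce)  # remember the nonce so the message cannot be replayed
        return True
```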