In the following examples, we use the Swagger Pet Store API to demonstrate some basic applications of API policies.

Info

In this document, we use the term APIs to denote the Triggered or Ultra Tasks against which the API policies are applied.


Allowing Unauthenticated Access

...

At this point, the policy is active and a request to the pet Task’s ground URL will flow through the policy. Making a request at this point should return a message like the following:

<IP_ADDRESS> is not authorized to access this API

This message means that the request was authenticated and the client is identified by the IP address shown. However, while the request was authenticated, it was not authorized, so the request was rejected with a 403 Forbidden error. To authorize requests from anonymous clients, the Authorize By Role policy needs to be installed.

...

No preview for expressions currently exists. However, the properties of the Policies are validated before they are saved. If the validation fails, a popup appears with the choice to disable and save the policy or return to the editor to fix the issues.

Note

Ensuring expressions are syntactically valid is part of the validation process.


Limiting the Unauthenticated Request Rate

Allowing unrestricted access to an API can compromise performance, since a client can overload a Snaplex by making too many requests. To restrict the request rate of a particular client, you can apply the Client Throttling policy to limit the number of requests that a client can make over a period of time. The Throttling policy works by categorizing requests into different Service Tiers based on a condition. The limit is then applied separately for each user based on their ID. In the case of anonymous users, the user ID is the client's IP address.

To limit the number of anonymous requests to 250 per hour, add a Service Tier row to the Client Throttling configuration with the following settings:

Condition:  request.isUserInRole('anonymous')
Limit:      250
Period:     HOUR
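To make the Service Tier mechanics concrete, here is an added illustration of per-client throttling in Python. It is not SnapLogic's implementation: tiers are ordered (condition, limit, period) rows, counters are kept per tier and per identity in a fixed window, and anonymous clients are keyed by IP address as the text describes. The `Request` class, the `PERIOD_SECONDS` table and the sample IP addresses are constructed for the example.

```python
"""Fixed-window client throttling with service tiers (added example, not SnapLogic code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed mapping of the policy's period names to seconds.
PERIOD_SECONDS = {"MINUTE": 60, "HOUR": 3600, "DAY": 86400}


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for the request object seen by the policy (constructed)."""
    client_ip: str
    roles: frozenset = frozenset()
    user_id: Optional[str] = None  # None for anonymous clients

    def is_user_in_role(self, role: str) -> bool:
        return role in self.roles

    def identity(self) -> str:
        # Anonymous users are keyed by IP address, authenticated users by their ID.
        return self.user_id if self.user_id else self.client_ip


@dataclass
class ServiceTier:
    name: str
    condition: Callable[[Request], bool]
    limit: int
    period: str  # one of PERIOD_SECONDS


@dataclass
class ClientThrottle:
    tiers: List[ServiceTier]
    # (tier name, identity) -> (window start, request count in that window)
    _windows: Dict[Tuple[str, str], Tuple[int, int]] = field(default_factory=dict)

    def tier_for(self, req: Request) -> Optional[ServiceTier]:
        # First matching tier wins; a request matching no tier is not throttled.
        for tier in self.tiers:
            if tier.condition(req):
                return tier
        return None

    def check(self, req: Request, now: float) -> Tuple[int, Optional[int]]:
        """Return (status, remaining). 200 = allowed, 429 = over the tier's limit."""
        tier = self.tier_for(req)
        if tier is None:
            return 200, None
        period = PERIOD_SECONDS[tier.period]
        window_start = int(now // period) * period
        key = (tier.name, req.identity())
        start, count = self._windows.get(key, (window_start, 0))
        if start != window_start:  # a new window began: reset the counter
            start, count = window_start, 0
        if count >= tier.limit:
            self._windows[key] = (start, count)
            return 429, 0
        self._windows[key] = (start, count + 1)
        return 200, tier.limit - (count + 1)


def anonymous_throttle() -> ClientThrottle:
    # The tier row from the text: anonymous users, 250 requests per HOUR.
    return ClientThrottle([
        ServiceTier("anonymous", lambda r: r.is_user_in_role("anonymous"), 250, "HOUR"),
    ])


def simulate(n_requests: int) -> List[int]:
    """Send n_requests from one anonymous IP inside a single hour; return the statuses."""
    throttle = anonymous_throttle()
    anon = Request(client_ip="203.0.113.7", roles=frozenset({"anonymous"}))
    base = 1_700_000_000  # all timestamps below fall in the same hour window
    return [throttle.check(anon, now=base + i)[0] for i in range(n_requests)]


if __name__ == "__main__":
    statuses = simulate(252)
    print(statuses.count(200), "allowed,", statuses.count(429), "throttled")
```

Because the counter is keyed by identity, two anonymous clients behind different IP addresses get independent budgets, while an authenticated user who does not match the `anonymous` tier is not throttled by this row at all.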


Validating the Request

You can take an additional step to prevent invalid requests from invoking a Pipeline by adding an Authorized Request Validator Policy. This policy can perform arbitrary checks on the incoming request using expressions. If an expression evaluates to true, the request is rejected with a custom HTTP status code and response body. In the case of the Pet Store API’s pet endpoint, only a limited number of path parameters are supported; therefore, we can add this policy to the Project with the following check to make sure the paths are valid:

Condition:

    asset.name == 'pet' &&
        !(request.uri.pathInfo matches
        []|
        [/\d+/]|
        [/\d+/, 'uploadImage']|
        ['findByStatus'])

Status:     400
Response:   'Expecting a numeric pet ID'
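The following added Python example shows what the validator condition above accepts and rejects; it is not SnapLogic's expression engine. It splits the path info into segments and admits only the four shapes listed in the condition (an empty path, a numeric ID, a numeric ID followed by `uploadImage`, and `findByStatus`), returning the configured 400 status and body for anything else. The function names `validate` and `split_path_info` and the sample paths are assumptions made for the example.

```python
"""Path validation mirroring the 'pet' endpoint condition (added example, not SnapLogic code)."""
import re
from typing import List, Optional, Pattern, Tuple, Union

Segment = Union[str, Pattern[str]]  # a literal segment or a regex that must fully match

# The alternatives from the condition: [] | [/\d+/] | [/\d+/, 'uploadImage'] | ['findByStatus'].
# re.ASCII keeps \d to 0-9 so non-ASCII digits cannot slip past the check.
PET_ID = re.compile(r"\d+", re.ASCII)
ALLOWED_PET_PATHS: List[List[Segment]] = [
    [],
    [PET_ID],
    [PET_ID, "uploadImage"],
    ["findByStatus"],
]

REJECT_STATUS = 400
REJECT_BODY = "Expecting a numeric pet ID"


def split_path_info(path_info: str) -> List[str]:
    """'/123/uploadImage' -> ['123', 'uploadImage']; '' or '/' -> []."""
    return [seg for seg in path_info.split("/") if seg]


def segments_match(segments: List[str], pattern: List[Segment]) -> bool:
    """True when every segment matches its positional literal or regex."""
    if len(segments) != len(pattern):
        return False
    for seg, expected in zip(segments, pattern):
        if isinstance(expected, str):
            if seg != expected:
                return False
        elif not expected.fullmatch(seg):
            return False
    return True


def validate(asset_name: str, path_info: str) -> Optional[Tuple[int, str]]:
    """Return None to let the request through, or (status, body) to reject it.

    Like the asset.name check in the condition, only the 'pet' asset is validated.
    """
    if asset_name != "pet":
        return None
    segments = split_path_info(path_info)
    if any(segments_match(segments, p) for p in ALLOWED_PET_PATHS):
        return None
    return REJECT_STATUS, REJECT_BODY


if __name__ == "__main__":
    # Constructed sample paths covering each accepted shape and a few rejected ones.
    for p in ["/", "/42", "/42/uploadImage", "/findByStatus", "/abc", "/42/delete", "/4a2"]:
        print(f"{p!r:20} -> {validate('pet', p)}")
```

The allow-list is positional, so `/42/delete` is rejected even though `/42` is a valid prefix; that is the point of matching the whole path rather than checking segments independently.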


...

Restricting the Size of PUT/POST Request Content

The Pet Store API supports uploading images of the pet using a POST request, which opens up another avenue for misuse: overly large images. To reject requests with excessively large content immediately, the Request Size Limit policy can be installed. In this case, the default limit of 10MB is probably enough for most images.
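As an added example of what a size limit on PUT/POST content has to cover, the Python below enforces a limit at two points: on the declared Content-Length, so an oversized upload is rejected before its body is read, and on the bytes actually received, because a client can omit or understate Content-Length (for instance with chunked transfer encoding). This is illustrative code, not SnapLogic's policy implementation; the function names, the 413 status choice and the sample requests are assumptions for the example.

```python
"""Two-stage request size limit for PUT/POST bodies (added example, not SnapLogic code)."""
from typing import Dict, Iterable, Optional, Tuple

DEFAULT_LIMIT = 10 * 1024 * 1024  # the 10MB default mentioned in the text
LIMITED_METHODS = {"PUT", "POST"}
PAYLOAD_TOO_LARGE = 413


def check_declared_size(method: str, headers: Dict[str, str],
                        limit: int = DEFAULT_LIMIT) -> Optional[int]:
    """Return 413 if the declared size exceeds the limit, 400 if it is malformed, else None.

    Header names are matched case-insensitively. A missing Content-Length is not
    an error here; the body is then bounded while it is read instead.
    """
    if method.upper() not in LIMITED_METHODS:
        return None
    declared = next((v for k, v in headers.items() if k.lower() == "content-length"), None)
    if declared is None:
        return None
    if not declared.strip().isdigit():
        return 400
    return PAYLOAD_TOO_LARGE if int(declared) > limit else None


def read_body_limited(chunks: Iterable[bytes],
                      limit: int = DEFAULT_LIMIT) -> Tuple[Optional[int], bytes]:
    """Consume body chunks, stopping as soon as the running total would exceed the limit.

    Returns (None, body) when the whole body fit, or (413, b'') once the limit is
    crossed, without buffering the remainder of the stream.
    """
    received = bytearray()
    for chunk in chunks:
        if len(received) + len(chunk) > limit:
            return PAYLOAD_TOO_LARGE, b""
        received.extend(chunk)
    return None, bytes(received)


def handle_upload(method: str, headers: Dict[str, str], chunks: Iterable[bytes],
                  limit: int = DEFAULT_LIMIT) -> Tuple[int, int]:
    """Apply both checks; return (status, bytes accepted). 200 means the body was accepted."""
    status = check_declared_size(method, headers, limit)
    if status is not None:
        return status, 0
    status, body = read_body_limited(chunks, limit)
    if status is not None:
        return status, 0
    return 200, len(body)


if __name__ == "__main__":
    # Constructed sample requests with a 1 KiB limit so the behaviour is easy to see.
    small = handle_upload("POST", {"Content-Length": "512"}, [b"x" * 512], limit=1024)
    understated = handle_upload("POST", {"Content-Length": "10"}, [b"x" * 600, b"x" * 600], limit=1024)
    chunked = handle_upload("POST", {"Transfer-Encoding": "chunked"}, [b"x" * 1000, b"x" * 100], limit=1024)
    print(small, understated, chunked)
```

The declared-size check is what lets the policy reject immediately, as the text says; the streaming check is the backstop that makes the limit hold when the header cannot be trusted.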