wso2 API manager for authorsation and authentication of a web application

Question

I have a web app where front end layer has a angular based UI.It has both public pages and other private pages which are accessible to logged in users and it depends on roles of the logged in users as well My server based application is a java based rest service api .

How can i use wso2 for handle user authenticaiton and role based authorsation.i would like to have an additional layer of api security depending on the role of the user as well.

can someone explain the best architecture for this in wso2? if i use wso2 api manager , how can i handle login's of the user and how to relate api access with role of the logged in user?

thanks in advance

Answer 1

you can use wso2 appmanager to control the access of any web apps[1]. App manager supports role based access control as well as xacml policy based access control . In order to provide api level role based security you can use scopes[2] in wso2 api manager

[1] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization

[2] https://docs.wso2.com/display/APPM120/Web+Application+Resource+Authorization

Answer 2

Let me suggest another solution. I haven't tried this with APIM. But since APIM also has Identity features installed in it, this should work.

Use OpenID Connect for login. See here for a sample. This sample is for IS, but it should work for APIM too. Only endpoint URLs are different in APIM like this.

Token: https://localhost:8243/token 
Revoke: https://localhost:8243/revoke 
Authorize: https://localhost:8243/authorize 

There, when a user login, you get an ID_token which contains user claims. You can allow/deny page views depending on those data.

In above step, you create an SP and generate a client key-secret pair. You can set the same keys in APIM's application. Read this.

Then, as I mentioned here, you can use scopes to secure your APIs by roles.