3. Security and Validation

apiKey

Secures APIs by validating keys stored in either files or proxies.xml. Keys can be received from clients via HTTP headers or URL query parameters. Additional permission checks are possible through scope validation - scopes are loaded into an Exchange property and can be checked using the "hasScope()" SpEL function.

Can be used in:

serviceProxy, api, proxy, global, chainDef, for, stompProxy, if, registration, wsStompReassembler, internal, interceptor, chain, bean, transport and soapProxy

Syntax

<api port="2000">
  <openapi location="fruitshop-api-v2-openapi-3-security.yml" validateSecurity="yes"/>
  <apiKey required = "false">
    <headerExtractor name="X-Api-Key"/>
  </apiKey>
  <!--Swagger UI requires CORS but FruitShop does not use CORS, so we disable CORS.-->
  <headerFilter>
    <exclude>Origin</exclude>
  </headerFilter>
</api>

Attributes

Name	Required	Default	Description	Examples
required	false	true	Controls whether API key validation is enforced or optional. Optional will still load scopes and make them available for checking through SpEL function "hasScope()".	false

Child Elements

Elements	Description	Cardinality
keys	API key stores to validate keys against	0..*
apiKeyFileStore	API key stores to validate keys against	0..*
databaseApiKeyStore	API key stores to validate keys against	0..*
mongoDBApiKeyStore	API key stores to validate keys against	0..*
expressionExtractor	Extractors that define where and how to extract API keys from requestsDefault: <headerExtractor /> (Using default header "X-Api-Key")	0..*
queryParamExtractor	Extractors that define where and how to extract API keys from requestsDefault: <headerExtractor /> (Using default header "X-Api-Key")	0..*
headerExtractor	Extractors that define where and how to extract API keys from requestsDefault: <headerExtractor /> (Using default header "X-Api-Key")	0..*