3. Security and Validation

apiKey

Secures APIs by validating keys stored in either files or proxies.xml. Keys can be received from clients via HTTP headers or URL query parameters. Additional permission checks are possible through scope validation - scopes are loaded into an Exchange property and can be checked using the "hasScope()" SpEL function.

Can be used in:

serviceProxy, api, proxy, global, chainDef, for, choose, stompProxy, if, registration, wsStompReassembler, internal, interceptor, chain, bean, transport and soapProxy

Syntax

<api port="2000">
  <openapi location="fruitshop-api-v2-openapi-3-security.yml" validateSecurity="yes"/>
  <apiKey required = "false">
    <headerExtractor name="X-Api-Key"/>
  </apiKey>
  <!--Swagger UI requires CORS but FruitShop does not use CORS, so we disable CORS.-->
  <headerFilter>
    <exclude>Origin</exclude>
  </headerFilter>
</api>

Attributes

NameRequiredDefaultDescriptionExample
required false true
 Controls whether API key validation is enforced or optional. Optional will still load scopes and make them available for checking through SpEL function "hasScope()".
false

Child Elements

ElementsDescriptionCardinality
databaseApiKeyStore API key stores to validate keys against 0..*
mongoDBApiKeyStore API key stores to validate keys against 0..*
apiKeyFileStore API key stores to validate keys against 0..*
keys API key stores to validate keys against 0..*
queryParamExtractor Extractors that define where and how to extract API keys from requestsDefault: (Using default header "X-Api-Key") 0..*
expressionExtractor Extractors that define where and how to extract API keys from requestsDefault: (Using default header "X-Api-Key") 0..*
headerExtractor Extractors that define where and how to extract API keys from requestsDefault: (Using default header "X-Api-Key") 0..*