Layer7 API Management

We have a use case to fail an incoming websocket connection if the clients token is expired. We would like to return a 500 exception message with a security exception code which will prompt the user to relogin. Using the http error handling with stop processing seems to just drop the connection. How can we gracefully handle this use case?

Thanks

Toni,

Would you be able to post what your current policy looks like. Maybe one of our experts who have worked in these may be able to assist.

Thanks.

Hey Mohindra

Here is a sample policy configured on the "inbound Policy" component of the websocket:

==========

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
<wsp:All wsp:Usage="Required">
<L7p:CustomizeErrorResponse>
<L7p:Content stringValue="Security Exception: Error Code 5130001"/>
<L7p:ExtraHeaders nameValuePairArray="included"/>
</L7p:CustomizeErrorResponse>
<L7p:ComparisonAssertion>
<L7p:CaseSensitive booleanValue="false"/>
<L7p:Expression1 stringValue="${request.url.host}"/>
<L7p:Operator operatorNull="null"/>
<L7p:Predicates predicates="included">
<L7p:item dataType="included">
<L7p:Type variableDataType="string"/>
</L7p:item>
<L7p:item binary="included">
<L7p:CaseSensitive booleanValue="false"/>
<L7p:RightValue stringValue="casupporttest.com"/>
</L7p:item>
</L7p:Predicates>
</L7p:ComparisonAssertion>
</wsp:All>
</wsp:Policy>

=====================

It simply checks to see if the host is casupporttest.com before continuing processing. If this fails, the connection simply gets dropped and there is no response body noticed on the app with a reason for the failure.

Thanks

Hey

Just following up for any insights.

Thanks

Dear tonyogidi,

The response of "inbound policy" will be exactly sent to backend websocket server, not the requestor.

You may try "connection policy".

For gw9.2, "connection policy" is OOTB, for other version, you may need to open support ticket to require the tactical websocket assertion.

For more details about  "connection policy", please refer to,

Manage WebSocket Connections - CA API Gateway - 9.2 - CA Technologies Documentation 

Regards,

Mark

Hey Mark

The issue is that if the inbound policy fails due to a policy violation, the gateway closes the connection without sending a response to the mobile app. We want to be able to send an exception back so the mobile app can make intelligent decisions based on the reason for the failure.

Thanks

Dear tonyogidi,

Exception/error raised in connection policy will reject the connection.

You may try to validate the token in connection policy, and use customize error response assertion to return error.

Regards,

Mark