Is it possible to specify in the HTTP Routing assertion certain request headers to be forwarded to the endpoint using variables instead of hardcoded header names?
Background of this question: We have created an encapsulated assertion to be used as a template policy visible in the API Portal. Routing to the endpoint happens within the encapsulated assertion. However, the headers allowed to be forwarded must be configurable per API using this template.
Outside of having a static list of custom headers to send through or being able to send all headers that were received by the service, I'm not sure we have any other options unfortunately .
Depending on the different combinations of potential headers that will be sent to the backend, you could have a set of branches in policy, that determine which headers will eventually be sent to the back end and based on that, you can invoke the correct routing assertion that is prepared to route those headers?
I know it's not pretty, but i can't think of another way off hand.
If you would like to create an 'Idea' on this communities forum for this feature, i'll vote on it for you.
hope this helps,
Another thought would be to pass in a variable to the encapsulated assertion from the main policy called headers which has a common delimited list of headers and values such as Accept:application/json,Distance:30. In the encapsulated assertion take the variable and split it based on the comma then run through each one with 2 regular expressions and assign it to a header. I've attached a sample policy that outlines some of these thoughts. I've not been able to test this on how it would scale though.
Director, CA Support
Thanks for your feedback. If I understand your approach right it doesn't prevent unwanted headers being forwarded to the endpoint, which is our security requirement.
Is there a possibility to remove all headers from an incoming request? If yes we could do the following:
- Save all values of a defined set of variables
- Remove all incoming headers
- Set the defined variables with the original values
So only predefined headers would be allowed...
Very nice solution... i forgot about the 'Add Header' assertion.
The example I provided does only pass through certain headers as you need to identify in the main policy which headers to be sent through so the encapsulation assertion can handle them. The encapsulated assertion will only pass in what you specify as inputs. The other way to ensure that all headers are removed would be to use the Manage Transport Properties/Headers assertion with the option Remove for the operation, the value .* in the Property/Header name field with the Regular Expression checked next to it.
<?xml version="1.0" encoding="UTF-8"?><wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"> <wsp:All wsp:Usage="Required"> <L7p:AddHeader> <L7p:EvaluateNameAsExpression booleanValue="true"/> <L7p:HeaderName stringValue=".*"/> <L7p:HeaderValue stringValue=""/> <L7p:Operation operation="REMOVE"/> </L7p:AddHeader> </wsp:All></wsp:Policy>
Great, didn't know about the regex possibility. That's what we were looking for!