Wednesday, September 9, 2015

WSO2 ESB IP address whitelisting with Throttle mediator

The following configuration shows how to whitelist a set (or range) of IP addresses using the ESB Throttle mediator together with an embedded WS-Policy.

For instance, let's say you need to secure a specific ESB API resource by whitelisting a set of IPs.
  • Call the ESB Throttle mediator as soon as the request enters the API resource's inSequence, as shown below.
<?xml version="1.0" encoding="UTF-8"?>
<api xmlns="http://ws.apache.org/ns/synapse"
     name="ipWhitelistingSample"
     context="/whitelisting-ip"
     hostname="localhost">
   <resource methods="GET" uri-template="/access">
      <inSequence>
         <throttle id="A">
            <policy key="conf:/policy/policy.xml"/>
            <onReject>
               <log level="custom">
                  <property name="text" value="**Access Denied**"/>
               </log>
               <property name="HTTP_SC"
                         value="401"
                         scope="axis2"
                         type="STRING"
                         description="HTTP_SC_401"/>
               <property name="RESPONSE"
                         value="true"
                         scope="default"
                         type="STRING"
                         description="RESPONSE"/>
               <respond/>
            </onReject>
            <onAccept>
               <log level="custom">
                  <property name="text" value="**Access Granted**"/>
               </log>
               <payloadFactory media-type="xml">
                  <format>
                     <status>OK</status>
                  </format>
                  <args/>
               </payloadFactory>
               <respond/>
            </onAccept>
         </throttle>
      </inSequence>
      <outSequence/>
      <faultSequence/>
   </resource>
</api>
  • In the above example the WS-Policy is referenced from a registry resource (conf:/policy/policy.xml).
  • On accept you can call another sequence or write the work inline, as done here with the payloadFactory mediator.
  • On reject a response is sent back to the client with HTTP status 401 (Unauthorized).
  • The sample WS-Policy looks like this:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:throttle="http://www.wso2.org/products/wso2commons/throttle"
            wsu:Id="WSO2MediatorThrottlingPolicy">
    <throttle:MediatorThrottleAssertion>
        <wsp:Policy>
            <throttle:ID throttle:type="IP">192.168.10.10 - 192.168.10.20</throttle:ID>
            <wsp:Policy>
                <throttle:Allow/>
            </wsp:Policy>
        </wsp:Policy>
        <wsp:Policy>
            <throttle:ID throttle:type="IP">other</throttle:ID>
            <wsp:Policy>
                <throttle:Deny/>
            </wsp:Policy>
        </wsp:Policy>
    </throttle:MediatorThrottleAssertion>
</wsp:Policy>
  • According to the above configuration, the Throttle mediator only allows access from IP addresses within the range 192.168.10.10 to 192.168.10.20. Requests from any other IP are denied and do not pass through.
Note: Suppose you need to let through two specific IP addresses rather than every address in the range. In that case, define a separate "<wsp:Policy>" entry for each address with an "Allow" assertion, keeping the "other" entry set to "Deny".

Ex: 
<wsp:Policy>
    <throttle:ID throttle:type="IP">192.168.10.12</throttle:ID>
    <wsp:Policy>
             <throttle:Allow/>
    </wsp:Policy>
</wsp:Policy>
<wsp:Policy>
    <throttle:ID throttle:type="IP">192.168.10.18</throttle:ID>
    <wsp:Policy>
             <throttle:Allow/>
    </wsp:Policy>
</wsp:Policy>
<wsp:Policy>
    <throttle:ID throttle:type="IP">other</throttle:ID>
    <wsp:Policy>
             <throttle:Deny/>
    </wsp:Policy>
</wsp:Policy>
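To see how the two policies above behave for a given client address, here is an added example that is not part of the original post and not WSO2 code: it parses the MediatorThrottleAssertion entries of a policy of the form shown (a "lo - hi" range, single addresses, and the catch-all "other") and evaluates a client IP against them. It assumes first-match semantics in document order, inclusive range bounds, and a fail-closed default when no entry matches; those are assumptions about the mediator, not documented behaviour, and the two policies embedded in the block are constructed copies of the ones on this page.

```python
"""Offline evaluator for a WSO2 Throttle mediator IP policy.

Added example (not WSO2's implementation). Assumptions: entries are
evaluated in document order and the first match decides; "a - b"
ranges are inclusive; a policy with no matching entry denies.
"""
import ipaddress
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
THR = "http://www.wso2.org/products/wso2commons/throttle"

# Constructed copy of the range policy from the post.
RANGE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:throttle="{THR}">
  <throttle:MediatorThrottleAssertion>
    <wsp:Policy>
      <throttle:ID throttle:type="IP">192.168.10.10 - 192.168.10.20</throttle:ID>
      <wsp:Policy><throttle:Allow/></wsp:Policy>
    </wsp:Policy>
    <wsp:Policy>
      <throttle:ID throttle:type="IP">other</throttle:ID>
      <wsp:Policy><throttle:Deny/></wsp:Policy>
    </wsp:Policy>
  </throttle:MediatorThrottleAssertion>
</wsp:Policy>"""

# Constructed copy of the two-address variant from the note.
SINGLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:throttle="{THR}">
  <throttle:MediatorThrottleAssertion>
    <wsp:Policy>
      <throttle:ID throttle:type="IP">192.168.10.12</throttle:ID>
      <wsp:Policy><throttle:Allow/></wsp:Policy>
    </wsp:Policy>
    <wsp:Policy>
      <throttle:ID throttle:type="IP">192.168.10.18</throttle:ID>
      <wsp:Policy><throttle:Allow/></wsp:Policy>
    </wsp:Policy>
    <wsp:Policy>
      <throttle:ID throttle:type="IP">other</throttle:ID>
      <wsp:Policy><throttle:Deny/></wsp:Policy>
    </wsp:Policy>
  </throttle:MediatorThrottleAssertion>
</wsp:Policy>"""


def parse_policy(xml_text):
    """Return [(matcher, decision), ...] in document order.

    matcher is ("range", lo, hi), ("single", ip) or ("other",);
    decision is "allow" or "deny". Malformed entries raise ValueError
    so a broken policy is noticed at load time rather than silently
    allowing traffic.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.iterfind(f"{{{THR}}}MediatorThrottleAssertion/{{{WSP}}}Policy"):
        id_el = entry.find(f"{{{THR}}}ID")
        if id_el is None or id_el.get(f"{{{THR}}}type") != "IP":
            raise ValueError("policy entry without an IP-typed throttle:ID")
        text = (id_el.text or "").strip()
        inner = entry.find(f"{{{WSP}}}Policy")
        if inner is not None and inner.find(f"{{{THR}}}Allow") is not None:
            decision = "allow"
        elif inner is not None and inner.find(f"{{{THR}}}Deny") is not None:
            decision = "deny"
        else:
            raise ValueError(f"entry {text!r} has neither Allow nor Deny")
        if text == "other":
            matcher = ("other",)
        elif "-" in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range {text!r}")
            matcher = ("range", lo, hi)
        else:
            matcher = ("single", ipaddress.ip_address(text))
        rules.append((matcher, decision))
    return rules


def evaluate(rules, client_ip):
    """First matching rule decides; no match falls back to deny."""
    ip = ipaddress.ip_address(client_ip)
    for matcher, decision in rules:
        kind = matcher[0]
        if kind == "other":
            return decision
        # Never compare addresses of different IP versions.
        if matcher[1].version != ip.version:
            continue
        if kind == "range" and matcher[1] <= ip <= matcher[2]:
            return decision
        if kind == "single" and ip == matcher[1]:
            return decision
    return "deny"


if __name__ == "__main__":
    for name, text in (("range", RANGE_POLICY), ("single", SINGLE_POLICY)):
        rules = parse_policy(text)
        for addr in ("192.168.10.10", "192.168.10.12", "192.168.10.15", "192.168.10.21"):
            print(f"{name:6} {addr:15} -> {evaluate(rules, addr)}")
```

The parser rejects an entry that has neither Allow nor Deny and a range whose bounds are inverted or of mixed IP versions, so a typo in the registry resource fails loudly instead of degrading into an accidental allow. Whichever evaluator you use, the decision is only as good as the client address fed to it, so confirm which address the ESB sees for a request that has passed through a load balancer or proxy before relying on this policy.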
Further reading:
Happy Coding!!

2 comments:

  2. Hi @Amal Gunatilake
    Thanks for the nice post and whitelisting IP from WSO2 EI 6.5.0 works fine.
