Your policies are customizable rules or logic the Gateway executes during an API transaction. Policies generally fall into security, transformation, performance, routing, or monitoring and testing categories. They are added to flows to enforce security, reliability, and proper data transfer. Examples of policies include traffic shaping, authentication/authorization, rate limiting, and dynamic routing. You can use dozens of policies; see the comprehensive list below. Learn more about the Policy Studio's features.
Celigo's API Management offers two different packages: the Standard Plan and the Advanced Plan. Below is a list of all the policies available to Standard and Advanced Plan subscribers.
Policy name | Description | Category
---|---|---
API Key | You can use the | Security
Assign Attributes | You can use the | Transformation
Assign Content | You can use the assign-content policy to change or transform the request or response body's content. This policy is compatible with the Freemarker template engine, which allows you to apply complex transformations, such as transforming from XML to JSON and vice versa. You can access multiple objects from the template context by default — request and response bodies, dictionaries, context attributes, and more. | Transformation
Basic Authentication | You can use the To use the policy in an API, you need to configure: | Security
Cache | You can use the | Performance
Dynamic Routing | The | Others
Generate HTTP Signature | HTTP Signature is an authentication method that adds a new level of security. Use this policy to generate an HTTP Signature with a set of headers, a maximum validity duration, and some other settings. The "Signature" authentication scheme is based on the model that the client must authenticate itself with a digital signature produced by either a private asymmetric key (e.g., RSA) or a shared symmetric key (e.g., HMAC). | Security
Generate JWT | You use the | Security
Groovy | You can use the Groovy policy to run Groovy scripts at any stage of request processing through the gateway. | Others
HTML to JSON | You use the | Transformation
HTTP Callout | You can use the | Others
HTTP Signature | HTTP Signature is an authentication method that adds a new level of security. Under this policy, the consumer must send a signature computed with a secret key to identify the request and prove that it comes from that consumer. | Security
IP Filtering | You can use the Blacklist mode allows all IP addresses except the addresses included in the blacklist. The blacklist takes precedence, so if an IP address is included in both lists, the policy rejects the request. You can specify a host to be resolved and checked against the remote IP. | Security
JSON Threat Protection | You can use the | Security
JSON to JSON | You can use the | Transformation
JSON to XML | You can use the | Transformation
JSON Validation | You can use the | Others
JSON Web Signature | Before sending the API call to the target backend, you can use the | Security
JWT | You can use the JWT policy to validate the token signature and expiration date before sending the API call to the target backend. | Security
Keyless | This security policy does not block requests, as it considers them valid by default. | Security
Latency | You can use the latency policy to add latency to the request or the response. For example, if you configure the policy on the request with a latency of 100ms, the gateway waits 100ms before routing the request to the backend service. This policy is particularly useful in two scenarios: | Others
Metrics Reporter | This policy allows you to push the request metrics to a custom endpoint. Running this policy ensures the complete response is sent to the initial consumer. You can configure the payload sent to the custom endpoint by using the Freemarker template engine. | Others
Mock | You can use the mock policy to create mock responses when a consumer calls one of your services. This means you do not have to provide a functional backend when you create your API, giving you more time to think about your API contract. | Others
OAuth2 | Using token introspection, you can use the oauth2 policy to check access token validity during request processing. If the access token is valid, the request is allowed to proceed. If not, the process stops and rejects the request. The access token must be supplied in the Authorization HTTP request header. | Security
OpenID Connect UserInfo | Use the | Security
Override HTTP Method | You can use the | Transformation
Rate Limiting | There are three rate-limit policies: | Others
Regex Threat Protection | You can use the | Security
Request Content Limit | You can use the | Others
Resource Filtering | You can use the This policy is mainly used in plan configuration to limit subscriber access to specific resources. A typical usage would be to allow access to all paths | Others
REST to SOAP | You can use the | Transformation
Retry | You can use the retry policy to replay requests when experiencing backend connection issues or when the response meets a given condition. | Others
Role Based Access Control | You can use the The policy can be configured to either: | Security
SSL Enforcement | You can use the | Security
Traffic Shadowing | Traffic shadowing allows you to copy traffic to another service asynchronously. This policy duplicates requests and sends them to the target, an endpoint defined at the API level. The duplicated request can be enriched with additional headers. | Others
Transform Headers | You can use the | Transformation
Transform Query Parameters | You can use the | Transformation
URL Rewriting | You can use the | Transformation
Validate Request | You can use the request-validation policy to validate an incoming HTTP request according to defined rules. A rule is defined for an input value. This input value supports Expression Language expressions and is validated against constraint rules. For example, it can be used after the OpenID Connect UserInfo policy to validate who is making the request. | Others
XML to JSON | You can use the | Transformation
XML Threat Protection | You can use the | Security
XML Validation | You can use the | Others
XSLT Transformation | If your backend exposes XML content, you can use the XSLT policy, based on the Saxon library, to apply an XSL transformation to an incoming XML request body or to the response body. | Transformation
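As an added example (not Celigo's or the gateway's own code), here is a minimal HMAC-SHA256 variant of the header-signing scheme that the Generate HTTP Signature and HTTP Signature rows describe: the signer covers a chosen set of headers plus a created/expires window, and the verifier rejects requests that are expired, tampered with, or signed over too few headers. The Signature header layout follows the draft-cavage convention; the keyId, the shared secret, the lowercased header names, and the covered set are constructed for the demo.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo secret: a real gateway loads each consumer's shared key from its config.
SHARED_SECRET = b"demo-shared-secret"
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')

def signing_string(method, path, headers, covered, created, expires):
    """Join the covered pseudo-headers and real headers as 'name: value' lines."""
    pseudo = {"(request-target)": f"{method.lower()} {path}",
              "(created)": str(created), "(expires)": str(expires)}
    # A covered header that is absent raises KeyError, so it can never be signed as empty.
    return "\n".join(f"{n}: {pseudo[n] if n in pseudo else headers[n]}" for n in covered)

def hmac_sha256(secret, text):
    return hmac.new(secret, text.encode(), hashlib.sha256).digest()

def generate_signature(method, path, headers, covered, secret, validity, now):
    """Signer side: HMAC-SHA256 over the covered set, valid for `validity` seconds from `now`."""
    created, expires = int(now), int(now) + validity
    mac = hmac_sha256(secret, signing_string(method, path, headers, covered, created, expires))
    params = {"keyId": "consumer-1", "algorithm": "hmac-sha256", "created": created,
              "expires": expires, "headers": " ".join(covered),
              "signature": base64.b64encode(mac).decode()}
    return "Signature " + ",".join(f'{k}="{v}"' for k, v in params.items())

def verify_signature(method, path, headers, secret, now):
    """Verifier side: returns (accepted, reason); rejects expired, tampered or under-signed requests."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Signature "):
        return False, "missing Signature scheme"
    p = dict(PARAM_RE.findall(auth[len("Signature "):]))
    if p.get("algorithm") != "hmac-sha256":
        return False, "unsupported algorithm"
    covered = p.get("headers", "").split()
    if "(request-target)" not in covered or "(expires)" not in covered:
        return False, "request target and expiry must be covered by the signature"
    created, expires = int(p.get("created", 0)), int(p.get("expires", 0))
    if not created <= now < expires:
        return False, "signature expired or not yet valid"
    try:
        expected = hmac_sha256(secret, signing_string(method, path, headers, covered, created, expires))
    except KeyError as missing:
        return False, f"covered header {missing} is absent"
    if not hmac.compare_digest(expected, base64.b64decode(p.get("signature", ""))):
        return False, "signature mismatch"
    return True, "ok"
```

Requiring `(request-target)` and `(expires)` in the covered set is what stops a captured signature from being replayed indefinitely or against a different path.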
All the standard plan policies are available to APIM Advanced plan subscribers, along with these advanced policies.
Policy name | Description | Category
---|---|---
Assign Metrics | You can use the | Transformation
Data Logging Masking | You can use the | Others