Don't reveal SwaggerHub APIKey in requests from SwaggerHub Integration for Confluence
Could you please consider proxying any authenticated calls from the Confluence page to the SwaggerHub API back through the domain that you presumably serve the widget content from (https://confluence-plugin.swaggerhub.com)? I'm not sure what constraints exist with the Confluence plugin model, but hopefully this would allow you to manage all sensitive state (ApiKey storage) externally in a location we already trust, and form the appropriate authenticated requests to the SwaggerHub API from there. As things stand right now, the SwaggerHub API requests are observable using browser dev tools as the Confluence page renders. These requests include the chosen SwaggerHub ApiKey in the authorization header. This is a security concern for us as we have external parties and partners who we grant visibility to areas of our Confluence tenant so they can view documentation which includes api specifications. Once the ApiKey is compromised, the holder has far more than the readonly-access to specific API specifications that we intended. There are probably other ways to address this, but the proxy approach seemed the most pragmatic to me. We've worked around this issue in the past with other Confluence swagger plugins by only using exported specifications that are attached to the page. However, you are in a good position to allow the convenient referencing of the api specifications in their natural home in SwaggerHub, while keeping the communication paths secure.
SSL Certificate verification missing
Hi Community, I've been trying to get SoapUI 5.5. (OpenSource) to verify and reject my self-signed ssl server certificate for security reasons (self-signed, not trusted), just like other clients do. Where can I switch the behavior between test and live environment? I need the verification enabled. In my case soapui just accepts the connection and does not even notify about any security issues. I have searched the database but didn't find much information. Thanks in advance.
Missing a receive token call in the generated client
Hello, I have the following part for securityDefinition in my swagger 2.0 API definition: securityDefinitions: petstore_auth: type: "oauth2" tokenUrl: "http://petstore.swagger.io/oauth/dialog" flow: "password" scopes: write:pets: "modify pets in your account" read:pets: "read your pets" With this API definition I generate a C# API Client with the online Swagger Editor Tool. The generated client code does not include an API call to receive the token from the given Url "http://petstore.swagger.io/oauth/dialog". What am I missing here? Thanks in advance, DavidSOAPUI not signing/ security header empty
Hi, Ive been stressed out by this item. Ive followed through the following guide:soapui keystore + security guide, double checked everything (keystore status = OK) and created the corresponding "Outgoing WS-Security Configurations". Added Signature and Timestamp, both items fully configured. Later I added, to my Request, a Basic Auth (pre-emptive auth: Use global preference) and pointed "Outgoing WSS" to my created configuration. The service that I need to connect with is stating: "An error occurred when verifying security for the message." I do believe that the reason behind all of this is because Im not seeing a security or signature token anywhere (or they are empty). I even tried creating a Mock Service, in order to review the exact message that Im sending and its as follows (extracted from raw): <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:wcf="http://wcf.dian.colombia"> <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"/><wsa:Action>http://wcf.dian.colombia/IWcfDianCustomerServices/GetStatus</wsa:Action></soap:Header> <soap:Body> <wcf:GetStatus> <wcf:trackId>1d1</wcf:trackId> </wcf:GetStatus> </soap:Body> </soap:Envelope> As stated, this is almost empty. I reviewed other cases on site and they tended to go into two directions: * Incorrect or missing configuration: Im pretty sure Ive followed through every required step, I even checked multiple guides on this item. * Invalid JKS store: I tried with multiple certificates, even created one following a guide from smartbear for this purpose (right now, Im unsure which) and, as stated, all of them show Status = OK. Im terrible frustrated by this, which I do require for work, so if anyone could point me out on the correct direction... Ill really appreciate it. Thanks!
Securing the default page of OpenAPI documentation
Dear community, I am trying to generate OpenAPI documentation for my existing .net core Web API's. The Web API's are protected by AAD B2C (by OAuth 2.0 spec). But when implementing the open API documentation, the default documentation page popping up without any credential verififcaiton. Since my requirement is to make the default page that lists the titles and documentation as well need an authentication before displaying that page. I was thinking to have separate authorization filter for documentation path, but how to configure the handshaking part of OAuth is looking grey to me. Could someone help me on this? Regards, Shanmugam
