2.1.11 Method level overrides - Axway-API-Management-Plus/apim-cli GitHub Wiki

It is possible to control so called Method-Level-Overrides. This means you can make use of Inbound- and Outbound-Settings on a per Method-Level.

General information

To configure method level settings, you must use the operationId which is declared in your Swagger-Definition and reference it in the API-Config file as shown in the examples below.

Swagger OperationId

Method-Level settings can be used for InboundProfiles or OutboundProfiles.

API-Inbound overrides

In the example below the following is configured.

  1. A special Security-Profile named: API Key Security is declared
  2. A special CORS-Profile named: New CORS Profile is declared
  3. A specific Inbound-Profile for the operationId: findPetsByStatus is declared
  4. That Inbound-Profile is referencing the profiles API Key Security & New CORS Profile
{
   "name":"API with Method-Level inbound settings",
   "path":"/api/v1/some/stuff",
   "state":"published",
   "version":"1.0.7",
   "organization":"API Development",
   "inboundProfiles":{
      "findPetsByStatus":{
         "securityProfile":"API Key Security",
         "corsProfile":"New CORS Profile",
         "monitorAPI":true
      }
   },
   "securityProfiles":[
      {
         "name":"API Key Security",
         "isDefault":false,
         "devices":[
            {
               "name":"API Key",
               "type":"apiKey",
               "order":0,
               "properties":{
                  "apiKeyFieldName":"KeyId",
                  "takeFrom":"HEADER",
                  "removeCredentialsOnSuccess":"false"
               }
            }
         ]
      }
   ],
   "corsProfiles":[
      {
         "name":"New CORS Profile",
         "isDefault":false,
         "origins":[
            "*"
         ],
         "allowedHeaders":[
            "Authorization"
         ],
         "exposedHeaders":[
            "via"
         ],
         "supportCredentials":false,
         "maxAgeSeconds":0
      }
   ]
}

If you don't provide any default Inbound-Profile, the tool creates a PassThrough-Profile internally which is used by default for all other methods. That means in the example above all other methods, besides findPetsByStatusare exposed using PassThrough.
Don't declared more than one default profile as it will lead to an error.
Please make sure, that the Profile references are consistent. If you declare for instance are Security-Profile or CORS-Profile that doesn't exists in your API-Config you get one of the following error messages:
InboundProfile is referencing an unknown CorsProfile: '<yourProfileName>'
InboundProfile is referencing a unknown SecurityProfile: '<yourProfileName>'

The configuration from above results in the following when viewing it in API-Manager UI: API-Method Inbound

More information on how to configure Security-Profiles can be found here and for CORS please read here.

API-Outbound overrides

Outbound-Profiles are working in the same way as Inbound-Profiles. The example below is similar, but in this case, a custom default Outbound-Profile is declared, which should be used for all methods. In that case Swagger-Promote will not generate another Default-Profile.
However, the method with operationId getOrderById, which is configured with a special Outbound-Profile, will use HTTP-Basic to communicate with the Downstream-Application.

Additionally to that, some special parameters are declared which is used to control the API-Proxy. You can find more details & examples on the parameters section below.

{
   "name":"API with Method-Level outbound settings",
   "path":"/api/v1/some/stuff",
   "state":"unpublished",
   "version":"1.0.7",
   "organization":"API Development",
   "outboundProfiles":{
      "_default":{
         "authenticationProfile":"_default",
         "routeType":"proxy"
      },
      "getOrderById":{
         "authenticationProfile":"HTTP Basic",
         "parameters":[
            {
               "name":"additionalOutboundParam",
               "required":false,
               "type":"string",
               "paramType":"header",
               "value":"Test-Value",
               "exclude":false,
               "additional":true
            }
         ]
      }
   },
   "authenticationProfiles":[
      {
         "name":"HTTP Basic",
         "parameters":{
            "username":"usernameabc",
            "password":"password"
         },
         "type":"http_basic"
      }
   ]
}

The example above will result in the following API-Configuration override as shown in the API-Manager UI: API-Method Inbound

Please note: The section marked in Red is NOT supported.

For more information how to configure AuthenticationProfiles please read here.
More information on Outbound-Profiles for instance to use Custom-Policies, please read here

Outbound-Profile parameters

With the Outbound-Profile parameters you can declare multiple additional parameters to be injected at runtime by the API-Manager proxy. This is an additional example:

"parameters":[
   {
      "name":"additionalOutboundParam",
      "required":false,
      "type":"string",
      "paramType":"header",
      "value":"Test-Value",
      "exclude":false,
      "additional":true
   },
   {
      "name":"exmaple1",
      "required":true,
      "type":"double",
      "paramType":"query",
      "value":"${params.path.orderId}",
      "exclude":false,
      "additional":true
   }
]

The parameter section is not validated by Swagger-Promote and will be send as it's given to the API-Manager. Hence the recommendation is not to leave additional=true and exclude=false.

If you declare an Authentication-Profile that doesn't exists you get the following error message:
OutboundProfile is referencing na unknown AuthenticationProfile: '<yourProfileName>'