Lab 1.4 - Test Coarse-Grained Access

In this section, you will send sample API requests to the newly created api.acme.com virtual server to test its functionality.

Task 1 - Send a valid GET without JWT to retrieve user1’s attributes

  1. From the Jumpbox, open Postman
  2. Expand the API Protection Collection
  3. Select the request GET-Retrieve User Attributes-No JWT-Fail
  4. Click Send
  5. You receive a 403 Forbidden response status code since you do not have a valid JWT

Task 2 - Send a valid GET with JWT to retrieve user1’s attributes

  1. Select the request GET-Retrieve User Attributes-JWT-Pass
  2. Select the Authorization tab
  3. Click Get New Access Token
  4. Enter User1 for the Token Name and review the Postman Configuration. Nothing else should need to be modified
  5. Click Request Token
  6. Log in using Username: user1, Password: user1
  7. Scroll down to the token and click Use Token
  8. Notice the Access Token field is now populated
  9. Click Send
  10. You receive a 200 OK response status code with attributes for user1 in the body of the response

Task 3 - Send a valid GET with JWT to set user1’s employeeNumber

  1. Select the request GET-Set User Attributes-JWT-Pass
  2. Select the Authorization tab
  3. Select the previously created User1 token from the Available Tokens dropdown
  4. The Token field is now populated
  5. Click Send

Note

If you receive a 403 response status code, repeat steps 10-13 to request a new token. You can change the name of the token request prior to sending by setting the Token Name.

Note

You can delete expired tokens by clicking the Available Tokens dropdown, clicking Manage Tokens, and then clicking the trashcan next to the Token.

  6. You receive a 200 OK response status code with a response body that contains user1’s employeeNumber 123456

Task 4 - Send a valid GET with JWT to create a user

  1. Select the request GET-Create User-JWT-Pass
  2. Select the Authorization tab
  3. Select the previously created User1 token from the Available Tokens dropdown
  4. Click Send

Note

If you receive a 403 response status code, repeat steps 10-13 to request a new token. You can change the name of the token request prior to sending by setting the Token Name.

Note

You can delete expired tokens by clicking the Available Tokens dropdown, clicking Manage Tokens, and then clicking the trashcan next to the Token.

  5. You receive a 200 OK response status code with a response body that contains Bob Smith’s user attributes

Task 5 - Send an invalid GET request with JWT to set a nonexistent user’s attributes

  1. Select the request GET-Set Invalid Attributes-JWT-Fail
  2. Select the Authorization tab
  3. Select the previously created User1 token from the Available Tokens dropdown
  4. The Token field is now populated
  5. Click Send

Note

If you receive a 403 response status code, repeat steps 10-13 to request a new token. You can change the name of the token request prior to sending by setting the Token Name.

Note

You can delete expired tokens by clicking the Available Tokens dropdown, clicking Manage Tokens, and then clicking the trashcan next to the Token.

  6. You receive a 400 Bad Request response status code. The request successfully passed through the API Gateway, but the backend server failed to process it.

Task 6 - Send a POST request to a valid URI to set user1’s attributes

  1. Select the request POST-Set User Attributes-JWT-Fail
  2. Select the Authorization tab
  3. Select the previously created User1 token from the Available Tokens dropdown
  4. The Token field is now populated
  5. Click Send
  6. You receive a 403 Forbidden response status code. This is expected because the POST method was not specified in the API Protection Profile for the path /aduser/get.

Task 7 - Send a GET request to an invalid URI

  1. Select the request GET-Invalid URI-JWT-Fail
  2. Select the Authorization tab
  3. Select the previously created User1 token from the Available Tokens dropdown
  4. The Token field is now populated
  5. Click Send
  6. You receive a 403 Forbidden response status code. This is expected because the path //hacker//attack was not specified in the API Protection Profile.
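The decisions the seven tasks above exercise, modelled as an added example that is not part of the lab or of the product: a coarse-grained gateway policy (JWT present and unexpired, method and path listed in the profile) evaluated against the lab's own requests. The ALLOWED_ROUTES set, the expiry check and the unsigned test token are assumptions; the profile's other paths and its signature validation are not shown on this page.

```python
import base64
import json
import time

# Coarse-grained policy modelled on the lab's API Protection Profile: only the listed
# method/path pairs are admitted. /aduser/get is the one path the lab names (GET only).
ALLOWED_ROUTES = {("GET", "/aduser/get")}

def _decode_jwt_claims(token):
    """Return the JWT payload claims as a dict, or None if the token is malformed.
    Assumption: the real gateway also verifies the signature against the IdP's
    keys; this model only parses the claims it needs for the expiry check."""
    try:
        parts = token.split(".")
        if len(parts) != 3:
            return None
        payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return claims if isinstance(claims, dict) else None
    except (ValueError, UnicodeDecodeError):
        return None

def gateway_decision(method, path, headers, now=None):
    """Return 403 when the gateway rejects the request, or "forward" when it passes
    the coarse-grained checks and the backend decides (200 or 400, as in Tasks 2-5)."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 403                       # Task 1: no JWT at all
    claims = _decode_jwt_claims(auth[len("Bearer "):])
    if claims is None or claims.get("exp", 0) <= now:
        return 403                       # expired or malformed token (the lab's Note)
    if (method, path) not in ALLOWED_ROUTES:
        return 403                       # Tasks 6 and 7: method or path not in profile
    return "forward"

def make_token(exp, sub="user1"):
    """Build a constructed test JWT with the given exp claim (signature is a dummy)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64({'sub': sub, 'exp': exp})}.sig"

if __name__ == "__main__":
    now = time.time()
    good = {"Authorization": "Bearer " + make_token(now + 3600)}
    print(gateway_decision("GET", "/aduser/get", {}, now))         # 403
    print(gateway_decision("GET", "/aduser/get", good, now))       # forward
    print(gateway_decision("POST", "/aduser/get", good, now))      # 403
    print(gateway_decision("GET", "//hacker//attack", good, now))  # 403
```

Note that the nonexistent-user case of Task 5 is indistinguishable from Task 3 at this layer: both are forwarded, and only the backend returns the 400.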