Policy Validation and Dependencies
- Any policy (for example, Log Invocation) that can appear in an API multiple times is allowed to appear multiple times.
- For policies (for example, Require HTTP / HTTPS) that can appear only once in an API, API Gateway issues an error message.
- For policies (for example, Monitor SLA) that depend on another policy (for example, Identify & Authorize) in an API, API Gateway prompts you with a warning message to include the dependent policy.
When you save an API, API Gateway combines the policies from all of the global and direct policies that apply to the API (that is, at the API-level) and generates what is called the effective policy for the API. For example, let's say your REST API is within the scope of two policies: one policy that performs a logging task and another policy that performs a security task. When you save the REST API, API Gateway automatically combines the two policies into one effective policy. The effective policy, which contains both the logging task and the security task, is the policy that API Gateway actually uses to publish the REST API.
When API Gateway generates the effective policy, it validates the resulting policy to ensure that it contains no conflicting or incompatible policies.
If the policy contains conflicts or inconsistencies, API Gateway computes the effective API policy according to policy resolution rules. For example, an effective API policy can include only one Identify & Authorize policy. If the resulting policy list contains multiple Identify & Authorize policies, API Gateway shows the conflict by including a Conflict icon next to the name of the conflicting policies in the effective policy.
- Policy dependencies (that is, whether a policy must be used in conjunction with another particular policy).
- Conflicting or incompatible policies.
- Whether a policy can be included multiple times in a single API. If a policy cannot be included multiple times in a single API, API Gateway selects one (depending on the precedence of the policy at the enforcement level) for the effective policy and processes it at run time.
Policy Validation and Dependencies:
Policy | Applicable API Type | Dependent Policy | Mutually Exclusive Policy | Can include multiple times in an API? |
---|---|---|---|---|
Authorize User | REST, SOAP | Identify & Authorize | None. | No. API Gateway includes only one policy in the effective policy. |
Conditional Error Processing | REST, SOAP | None. | None. | Yes. API Gateway includes all Conditional Error Processing policies in the effective policy. |
Conditional Routing | REST, SOAP | None. | Straight Through Routing, Load Balancer Routing, Dynamic Routing, Content-based Routing | No. API Gateway includes only one policy in the effective policy. |
Content-based Routing | REST, SOAP | None. | Straight Through Routing, Load Balancer Routing, Dynamic Routing, Conditional Routing | No. API Gateway includes only one policy in the effective policy. |
Custom HTTP Header | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Data Masking (Error Handling) | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Data Masking (Response Processing) | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Data Masking (Request Processing) | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Dynamic Routing | REST, SOAP | None. | Straight Through Routing, Load Balancer Routing, Content-based Routing, Conditional Routing | No. API Gateway includes only one policy in the effective policy. |
Enable HTTP / HTTPS | REST, SOAP, GraphQL | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Enable JMS / AMQP | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Identify & Authorize | REST, SOAP, GraphQL | Inbound Auth - Message policy is required if Identification Type is configured as WS Security Username Token or WS Security X.509 Certificate or Kerberos Token for SOAP-based APIs. | None. | No. API Gateway includes only one policy in the effective policy. |
Inbound Auth - Message | SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Invoke webMethods IS (Response Processing) | REST, SOAP | None. | None. | Yes. API Gateway includes all Invoke webMethods IS policies in the effective policy. |
Invoke webMethods IS (Request Processing) | REST, SOAP | None. | None. | Yes. API Gateway includes all Invoke webMethods IS policies in the effective policy. |
JMS/AMQP REST Properties | REST | JMS/AMQP REST Routing | None. | No. API Gateway includes only one policy in the effective policy. |
JMS/AMQP SOAP Properties | SOAP | JMS/AMQP SOAP Routing | None. | No. API Gateway includes only one policy in the effective policy. |
JMS/AMQP REST Routing | REST | None. | Straight Through Routing, Dynamic Routing, Content-based Routing, Conditional Routing | No. API Gateway includes only one policy in the effective policy. |
JMS/AMQP REST Routing | SOAP | None. | Straight Through Routing, Dynamic Routing, Content-based Routing, Conditional Routing | No. API Gateway includes only one policy in the effective policy. |
Load Balancer Routing | REST, SOAP | None. | Straight Through Routing, Dynamic Routing, Content-based Routing, Conditional Routing | No. API Gateway includes only one policy in the effective policy. |
Log Invocation | REST, SOAP, GraphQL | None. | None. | Yes. API Gateway includes all Log Invocation policies in the effective policy. |
Monitor Performance | REST, SOAP | None. | None. | Yes. API Gateway includes all Monitor Performance policies in the effective policy. |
Monitor SLA | REST, SOAP | Identify & Authorize | None. | Yes. API Gateway includes all Monitor Service Level Agreement policies in the effective policy. |
Outbound Auth - Message | SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Outbound Auth - Transport | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Response Transformation | REST, SOAP | None. | None. | Yes. API Gateway includes all XSLT Transformation policies in the effective policy. |
Request Transformation | REST, SOAP | None. | None. | Yes. API Gateway includes all XSLT Transformation policies in the effective policy. |
Service Result Cache | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Set Media Type | REST | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Straight Through Routing | REST, SOAP, GraphQL | None. | Load Balancer Routing, Dynamic Routing, Content-based Routing, Conditional Routing | No. API Gateway includes only one policy in the effective policy. |
Traffic Optimization | REST, SOAP | Identify & Authorize | None. | Yes. API Gateway includes all Traffic Optimization policies in the effective policy. |
Validate API Specification (Response Processing) | REST, SOAP | None. | None. | No. API Gateway includes only one policy in the effective policy. |
Validate API Specification (Request Processing) | REST, SOAP, GraphQL | None. | None. | No. API Gateway includes only one policy in the effective policy. |
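
The three checks in the table (dependent policy, mutually exclusive policy, single-instance policy) can be run offline against a planned policy list before it is saved. The following Python sketch is an added example, not API Gateway code: the `RULES` subset is transcribed from the table above, while `audit`, the finding names, the sample list and the "highest precedence first" ordering are assumptions made for illustration.

```python
# Added example: rule subset transcribed from the table on this page.
ROUTING = {"Straight Through Routing", "Load Balancer Routing", "Dynamic Routing",
           "Content-based Routing", "Conditional Routing"}

# policy name -> (dependent policy, mutually exclusive policies, may repeat?)
RULES = {
    "Identify & Authorize": (None, set(), False),
    "Authorize User": ("Identify & Authorize", set(), False),
    "Monitor SLA": ("Identify & Authorize", set(), True),
    "Traffic Optimization": ("Identify & Authorize", set(), True),
    "Log Invocation": (None, set(), True),
    "Enable HTTP / HTTPS": (None, set(), False),
    **{r: (None, ROUTING - {r}, False) for r in ROUTING},
}

def audit(policies):
    """Check an ordered list of policy names against RULES.

    Assumption: the caller lists policies highest precedence first, so the
    first instance of a single-instance policy is the one that is kept.
    Returns (effective, findings); findings are (kind, policy, related).
    """
    effective, findings = [], []
    for name in policies:
        rule = RULES.get(name)
        if rule is None:  # policy not in the transcribed subset
            findings.append(("unknown", name, None))
            continue
        _, exclusive, may_repeat = rule
        if not may_repeat and name in effective:
            findings.append(("duplicate", name, name))
            continue
        # Mutually exclusive policies stay listed but are flagged as conflicts.
        for other in sorted(exclusive & set(effective)):
            findings.append(("conflict", name, other))
        effective.append(name)
    for name in dict.fromkeys(effective):  # each distinct policy once
        required = RULES[name][0]
        if required and required not in effective:
            findings.append(("missing-dependency", name, required))
    return effective, findings

# Constructed sample: global and API-level policies merged for one REST API.
SAMPLE = ["Log Invocation", "Enable HTTP / HTTPS", "Straight Through Routing",
          "Monitor SLA", "Log Invocation", "Enable HTTP / HTTPS", "Dynamic Routing"]

if __name__ == "__main__":
    effective, findings = audit(SAMPLE)
    print("effective:", effective)
    for finding in findings:
        print("finding:", finding)
```

A `missing-dependency` finding that names Identify & Authorize is the one to review first, because it means the merged policy list contains no Identify & Authorize policy at all.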