API Gateway 10.5 | Using API Gateway | Policies | Policy Validation and Dependencies
 
Policy Validation and Dependencies
When you enforce a policy to govern an API at run-time, API Gateway validates the policies to ensure that:
*Any policy (for example, Log Invocation) that can appear in an API multiple times is allowed to appear multiple times.
*For policies (for example, Require HTTP / HTTPS) that can appear only once in an API, API Gateway issues an error message.
*For policies (for example, Monitor Service Level Agreement) that are dependent and use another policy in conjunction (for example, Identify and Authorize Application) in an API, API Gateway prompts you with a warning message to include the dependent policy.
When you save an API, API Gateway combines the policies from all of the global and direct policies that apply to the API (that is, at the API-level) and generates what is called the effective policy for the API. For example, let's say your REST API is within the scope of two policies: one policy that performs a logging task and another policy that performs a security task. When you save the REST API, API Gateway automatically combines the two policies into one effective policy. The effective policy, which contains both the logging task and the security task, is the policy that API Gateway actually uses to publish the REST API.
When API Gateway generates the effective policy, it validates the resulting policy to ensure that it contains no conflicting or incompatible policies.
If the policy contains conflicts or inconsistencies, API Gateway computes the effective API policy according to policy resolution rules. For example, an effective API policy can include only one Identify and Authorize Application policy. If the resulting policy list contains multiple Identify and Authorize Application policies, API Gateway shows the conflict by including an including a Conflict () icon next to the name of the conflicting policies in the effective policy.
The following table shows:
*Policy dependencies (that is, whether a policy must be used in conjunction with another particular policy).
*Conflicting or incompatible policies.
*Whether a policy can be included multiple times in a single API. If a policy cannot be included multiple times in a single API, API Gateway selects one (depending on the precedence of the policy at the enforcement level) for the effective policy and processes at run-time.
Policy Validation and Dependencies
Policy
Applicable API Type
Dependent Policy
Mutually Exclusive Policy
Can include multiple times in an API?
Authorize User
REST
SOAP
Identify and Authorize Application
None.
No. API Gateway includes only one policy in the effective policy.
Conditional Error Processing
REST
SOAP
None.
None.
Yes. API Gateway includes all Conditional Error Processing policies in the effective policy.
Content-based Routing
REST
SOAP
None.
Straight Through Routing, Load Balancer Routing, Dynamic Routing, Context-based Routing
No. API Gateway includes only one policy in the effective policy.
Context-based Routing
REST
SOAP
None.
Straight Through Routing, Load Balancer Routing, Dynamic Routing, Content-based Routing
No. API Gateway includes only one policy in the effective policy.
Custom HTTP Header
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Data Masking
(Error Handling)
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Data Masking
(Response Processing)
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Data Masking
(Request Processing)
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Dynamic Routing
REST
SOAP
None.
Straight Through Routing, Load Balancer Routing, Content-based Routing, Context-based Routing
No. API Gateway includes only one policy in the effective policy.
Enable HTTP / HTTPS
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Enable JMS / AMQP
REST
SOAP
None
None
No. API Gateway includes only one policy in the effective policy.
Identify and Authorize Application
REST
SOAP
Inbound Authentication - Message policy is required if Identification Type is configured as WS Security Username Token or WS Security X.509 Certificate or Kerberos Token for SOAP-based APIs.
None.
No. API Gateway includes only one policy in the effective policy.
Inbound Authentication - Message
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Inbound Authentication - Transport
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Invoke webMethods IS
(Response Processing)
REST
SOAP
None.
None.
Yes. API Gateway includes all Invoke webMethods IS policies in the effective policy.
Invoke webMethods IS
(Request Processing)
REST
SOAP
None.
None.
Yes. API Gateway includes all Invoke webMethods IS policies in the effective policy.
JMS/AMQP Properties
REST
SOAP
JMS/AMQP Routing
None
No. API Gateway includes only one policy in the effective policy.
JMS/AMQP Routing
REST
SOAP
None
Straight Through Routing, Dynamic Routing, Content-based Routing, Context-based Routing
No. API Gateway includes only one policy in the effective policy.
Load Balancer Routing
REST
SOAP
None.
Straight Through Routing, Dynamic Routing, Content-based Routing, Context-based Routing
No. API Gateway includes only one policy in the effective policy.
Log Invocation
REST
SOAP
None.
None.
Yes. API Gateway includes all Log Invocation policies in the effective policy.
Monitor Service Performance
REST
SOAP
None.
None.
Yes. API Gateway includes all Monitor Service Performance policies in the effective policy.
Monitor Service Level Agreement
REST
SOAP
Identify and Authorize Application
None.
Yes. API Gateway includes all Monitor Service Level Agreement policies in the effective policy.
Outbound Authentication - Message
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Outbound Authentication - Transport
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Response Transformation
REST
SOAP
None.
None.
Yes. API Gateway includes all XSLT Transformation policies in the effective policy.
Request Transformation
REST
SOAP
None.
None.
Yes. API Gateway includes all XSLT Transformation policies in the effective policy.
Service Result Cache
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Set Media Type
REST
None.
None.
No. API Gateway includes only one policy in the effective policy.
Straight Through Routing
REST
SOAP
None.
Load Balancer Routing, Dynamic Routing, Content-based Routing, Context-based Routing
No. API Gateway includes only one policy in the effective policy.
Throttling Traffic Optimization
REST
SOAP
Identify and Authorize Application
None.
Yes. API Gateway includes all Throttling Traffic Optimization policies in the effective policy.
Validate API Specification
(Response Processing)
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.
Validate API Specification
(Request Processing)
REST
SOAP
None.
None.
No. API Gateway includes only one policy in the effective policy.