Wiremock API Security


Ramesa

Oct 7, 2017, 2:32:52 AM
to wiremock-user
We are planning to host the WireMock API on AWS Cloud. We want to make the API more secure, so I would like to know of any solution that secures the WireMock API so that only our team can access it; the API must also be secured over the internet. If any of your team has come across such a solution or has already implemented one, please share it with us so that we can leverage it.

Thanks in advance

Tom Akehurst

Oct 9, 2017, 4:55:11 AM
to wiremock-user
At present there isn't a way to add security to WireMock's admin API, other than by adding it via a reverse proxy server.

However, we've had a similar request to this a few times recently so I think we're going to prioritise working on it.

Here's what I have in mind, feedback appreciated on whether this will work for you:
  • Add a hook in the WireMockConfiguration object for adding an Authenticator implementation which will take a Request and provide a yes/no answer as to whether it's authenticated or not.
  • Include a default implementation of this for HTTP Basic authentication with a fixed username/password.
  • Add a constructor variant for the WireMock class (the client) to support passing credentials to the admin API.
  • Again, provide a default implementation for HTTP Basic.
Having hooks in both places would mean that you could e.g. integrate with your own OAuth2 server if you wanted to go beyond a fixed username/password.

What are your thoughts?
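
A minimal sketch of the server-side half of the design proposed above (a hook that gives a yes/no answer for a request, with an HTTP Basic default for a fixed username/password), added here as an example and not taken from the post or from WireMock's code base. `RequestAuthenticator`, `FixedBasicAuthenticator` and the sample credentials are hypothetical names and constructed values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class AdminAuthSketch {

    // Hypothetical hook: yes/no answer for a request, given its headers
    // (header names assumed to be lower-cased by the caller).
    interface RequestAuthenticator {
        boolean authenticate(Map<String, String> headers);
    }

    // HTTP Basic check against one fixed username/password pair.
    static final class FixedBasicAuthenticator implements RequestAuthenticator {
        private final byte[] expected;

        FixedBasicAuthenticator(String username, String password) {
            this.expected = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        }

        @Override
        public boolean authenticate(Map<String, String> headers) {
            String header = headers.get("authorization");
            // The scheme name is case-insensitive; missing or other schemes are rejected.
            if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
                return false;
            }
            byte[] presented;
            try {
                presented = Base64.getDecoder().decode(header.substring(6).trim());
            } catch (IllegalArgumentException malformed) {
                return false; // not valid Base64: fail closed
            }
            // Compare the whole "user:password" value without an early-exit comparison.
            return MessageDigest.isEqual(expected, presented);
        }
    }

    static String basicHeader(String user, String pass) {
        byte[] raw = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample credentials and requests.
        RequestAuthenticator auth = new FixedBasicAuthenticator("team", "s3cret:with-colon");
        System.out.println(auth.authenticate(Map.of("authorization", basicHeader("team", "s3cret:with-colon"))));
        System.out.println(auth.authenticate(Map.of("authorization", basicHeader("team", "wrong"))));
        System.out.println(auth.authenticate(Map.of("authorization", "Basic %%%not-base64")));
        System.out.println(auth.authenticate(Map.of()));
    }
}
```

HTTP Basic only Base64-encodes the credentials, so a check like this protects an internet-facing admin API only when the connection itself is HTTPS.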

Tom Akehurst

Oct 11, 2017, 9:27:40 AM
to wiremock-user

Cor en Tilly Westerman

Aug 12, 2020, 6:14:39 AM
to wiremock-user
Hi Tom,

Can this already be used in the latest stable version of wiremock-standalone running on Windows OS, to secure the __admin route of WireMock?

I see you implemented something, but I'm not sure how to use it.

Thanks in advance!

On Wednesday, October 11, 2017 at 15:27:40 UTC+2, Tom Akehurst wrote:

Tom Akehurst

Aug 13, 2020, 4:59:18 AM
to wiremock-user
Client authentication has been present in the build for a long time, so yes you should be able to use this to secure the admin API. Specific OS shouldn't matter.