Skip to content

Document Network Security Access Control (host validation and remote reference resolution)#11613

Open
IsuruGunarathne wants to merge 3 commits into
wso2:masterfrom
IsuruGunarathne:feature/host-validation-docs
Open

Document Network Security Access Control (host validation and remote reference resolution)#11613
IsuruGunarathne wants to merge 3 commits into
wso2:masterfrom
IsuruGunarathne:feature/host-validation-docs

Conversation

@IsuruGunarathne

Copy link
Copy Markdown

Purpose

Adds documentation for the Network Security Access Control feature (outbound host validation) in WSO2 API Manager, which lets administrators control the external hosts the product is permitted to connect to during API creation, validation, and import flows.

New page: en/docs/administer/network-security-access-control.md.

What it covers

  • Overview of outbound host validation and how it is enforced.
  • Platform-level (deployment.toml) and tenant-level (tenant-conf.json) configuration, and the precedence between them.
  • Host pattern matching, DNS / resolved-IP checks, and private-network blocking.
  • Configuration reference and example scenarios for allow / deny modes and empty host lists.
  • Enforcement on remote references embedded inside definitions:
    • OpenAPI/Swagger $ref URLs (OAS 2.0, 3.0, and 3.1).
    • Nested WSDL/XSD imports (WSDL 1.1 and 2.0) and SOAP-to-REST type resolution.
    • Backwards-compatibility behavior (enforcement requires a configured policy), the allow-mode www.w3.org requirement for WSDL 2.0, and the redirect limitation.

Related PR / credit

The host-validation baseline (overview, configuration, host matching, and example scenarios) was authored by @JanithaSampathBandara and originally proposed in #11476. That commit is included here under his authorship, and this PR extends it with the remote $ref and WSDL reference-resolution sections.

#11476 currently has merge conflicts. This PR consolidates that work together with the additional sections, so #11476 can be closed in favor of it.

Files

  • en/docs/administer/network-security-access-control.md (new page)
  • en/docs/administer/admin-overview.md (navigation entry)
  • en/mkdocs.yml (navigation entry)

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a9615159-486b-4895-a27e-cfefbf2e835f

📥 Commits

Reviewing files that changed from the base of the PR and between acd83ed and 717cee3.

📒 Files selected for processing (3)
  • en/docs/administer/admin-overview.md
  • en/docs/administer/network-security-access-control.md
  • en/mkdocs.yml

📝 Walkthrough

Summary

  • Added documentation for configuring and applying Network Security Access Control during API creation, validation, and import workflows.
  • Documented platform- and tenant-level settings, precedence, host matching, network restrictions, and remote reference handling.
  • Added the new page to the administrator documentation navigation.

Walkthrough

Adds a new “Network Security Access Control” administration page. The documentation covers platform and tenant configurations, precedence, hostname matching, DNS resolution, private-network blocking, empty host lists, configuration examples, and enforcement for remote OpenAPI and WSDL references. It also documents WSDL 2.0 and redirect limitations. The page is linked from the administration overview and MkDocs Governance navigation.

Suggested reviewers: chamilaadhi, tharikagithub

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers purpose and scope, but it omits many required template sections such as Goals, Approach, Release note, Documentation, tests, and security checks. Add the missing template sections with brief content or N/A where not applicable, especially Goals, Approach, Release note, Documentation, Automation tests, and Security checks.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the PR’s main change: new documentation for Network Security Access Control and related host/reference validation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants