Version 1.4 of Apiman is released!

Marc Savy
Co-founder & maintainer of Apiman. Founded Black Parrot Labs to support enterprise Apiman users.

I’m delighted to announce that Apiman 1.4 has been released (actually, 1.4.1.Final as of this blog post [1]).

The most important change in this release is that we’ve upgraded support for Elasticsearch from 1.x to 5.x. It may also support Elasticsearch 2.x, but this isn’t officially supported (let us know your experiences).

A significant number of changes across the ES platform were needed to bring this improvement, including in Apiman Gateway, Apiman Manager, Apiman Metrics, the test harnesses, and the ES distribution.

If you experience any issues, please report them to us via JIRA, GitHub, or the mailing list.


To upgrade, you can either use Apiman’s export-import feature or upgrade the indices by following Elasticsearch’s upgrade guides (likely trickier; I recommend export-import).

We also now launch and manage ES in a significantly different way than previously (as an external process), as the old method is no longer supported.

Policies can suppress/allow headers in connectors.

A new function has been added to IPolicyContext which enables policy authors to explicitly suppress or allow headers that may otherwise have different treatment by default.

IConnectorConfig getConnectorConfiguration();

Using IConnectorConfig, a policy author may explicitly override the connector’s default filtering of headers. The defaults may vary slightly by platform, but generally filter out headers such as X-Api-Key. The filtering is applied at the end of the policy chain, right before the connection is established.

This feature is useful to unblock certain headers that would otherwise be disallowed, or to block headers in such a way that the block applies even to headers set by subsequent policies.

Here’s an example, using the suppressRequestHeader method:

void doApply(ApiRequest request, IPolicyContext context, ...) {
    // Get connector config
    IConnectorConfig connectorConfig = context.getConnectorConfiguration();

    // Ban header. Connector will filter this out.
    connectorConfig.suppressRequestHeader("X-SECRET");

    // Continue down the policy chain.
    super.doApply(request, context, config, chain);
}

Even if another policy in the chain added an X-SECRET header, it would still be filtered out [2].
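The ordering described above can be seen in a small stand-alone model. This is an added example, not Apiman code: ConnectorConfigModel, Policy and run are hypothetical names, permitRequestHeader is an assumed name for the "allow" counterpart of suppressRequestHeader, and the case-insensitive matching and all header values are assumptions constructed for the illustration.

```java
import java.util.*;

// Simplified model of the behaviour described in the post; NOT Apiman's implementation.
public class ConnectorHeaderFilterDemo {

    /** Hypothetical stand-in for the connector configuration shared by the whole chain. */
    static class ConnectorConfigModel {
        // Assumption: header names are matched case-insensitively, as HTTP defines them.
        private final Set<String> suppressed = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);

        ConnectorConfigModel(String... defaults) { suppressed.addAll(Arrays.asList(defaults)); }
        void suppressRequestHeader(String name) { suppressed.add(name); }
        void permitRequestHeader(String name)   { suppressed.remove(name); } // assumed name

        /** Applied once, after every policy has run, right before connecting. */
        Map<String, String> filter(Map<String, String> headers) {
            Map<String, String> out = new LinkedHashMap<>();
            headers.forEach((k, v) -> { if (!suppressed.contains(k)) out.put(k, v); });
            return out;
        }
    }

    /** Hypothetical policy shape: may edit the headers and the connector config. */
    interface Policy { void apply(Map<String, String> headers, ConnectorConfigModel cfg); }

    /** Runs the chain, then returns the headers the back end would receive. */
    static Map<String, String> run(List<Policy> chain) {
        ConnectorConfigModel cfg = new ConnectorConfigModel("X-Api-Key"); // constructed default
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("X-Api-Key", "constructed-key");   // constructed sample request
        headers.put("Accept", "application/json");
        for (Policy p : chain) p.apply(headers, cfg);
        return cfg.filter(headers);
    }

    public static void main(String[] args) {
        Policy ban      = (h, c) -> c.suppressRequestHeader("X-SECRET");
        Policy addsLate = (h, c) -> h.put("x-secret", "constructed-value");
        Policy override = (h, c) -> c.permitRequestHeader("X-Secret");

        // Filtering happens at the end, so a header added by a later policy is still dropped.
        System.out.println(run(List.of(ban, addsLate)));
        // A later policy that explicitly permits the header undoes the earlier suppression.
        System.out.println(run(List.of(ban, addsLate, override)));
    }
}
```

When reviewing a policy chain, the second case is the one to check for: a suppression only holds if no later policy explicitly permits the same header.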

We hope to expand the functionality of IConnectorConfig in future to allow more control of the connector by policies than is possible presently.

Release Notes

  • APIMAN-1334 - Allow policies to suppress/allow headers in connector.

  • APIMAN-1266 - Error when adding plugin that has previously been deleted (Oracle 12C database)

  • APIMAN-1296 - The API Key policy plugin (apikey-policy) expects the requestHeader property to be all lowercase as of 1.3.1

  • APIMAN-1318 - Export/Import of a plugin with policies does not work because of its ID

  • APIMAN-1320 - Gateway API: Clients still inserted even when invalid

  • APIMAN-1321 - Elasticsearch data is deleted at tomcat shutdown

  • APIMAN-1324 - index_already_exists_exception when starting WF quickstart

  • APIMAN-1335 - ApiKeyPolicy from apikey-policy is throwing an NPE on null connectorConfig using the Vert.x gateway

  • APIMAN-1337 - SoapAuthorizationPolicy missing i18n messages

  • APIMAN-1323 - Rework test harness to cope better with out of order JSON

  • APIMAN-1325 - Upgrade Jest HTTP Client for ES

  • APIMAN-1326 - Upgrade Gateway to ES 5.x

  • APIMAN-1327 - Upgrade Manager to ES 5.x

  • APIMAN-1328 - Upgrade metrics to ES 5.x

  • APIMAN-1329 - Update test harness and tests to ES 5.x

  • APIMAN-1330 - Update QueryBuilders to ES 5.x

  • APIMAN-1331 - Switch to EmbeddedElastic instead of (actually) embedded

  • APIMAN-1332 - Update ES distro to include Elasticsearch distro zip

  • APIMAN-1333 - Handle EmbeddedElastic hanging process when JVM killed ungracefully.

1. We fixed a couple of bugs spotted in 1.4.0.Final by the community before the blog was written.
2. Unless it explicitly overrode your suppression!