Security

When using the REST API, your client application needs to act under the permissions and restrictions of a particular user. This way Jmix can link the API calls to a user and apply the regular Security Authorization capabilities of Jmix to the requests.

The REST API supports a variety of security mechanisms that are available via the Security Subsystem of Jmix. Additionally, it adds API-specific parts on top like OAuth2 for securing the interactions via the API.

Predefined Roles

REST: minimal access (rest-minimal): Allows users to interact with the application via the API.

CORS

For security reasons, browsers don’t allow Javascript network calls to resources outside the current origin. Cross-Origin Resource Sharing or CORS solves this restriction, as it lets you specify which cross-domain requests are allowed.

By default, all CORS requests to the REST API are allowed. To restrict the origins list you can define the jmix.rest.allowed-origins application property.

For further customizations of the CORS configuration, see Spring Security Documentation on CORS.