Security
When using the REST API, your client application needs to act under the permissions and restrictions of a particular user. This way Jmix can link the API calls to a user and apply the regular Security Authorization capabilities of Jmix to the requests.
The REST API supports a variety of security mechanisms that are available via the Security Subsystem of Jmix. Additionally, it adds API-specific parts on top like OAuth2 for securing the interactions via the API.
Predefined Roles
REST: minimal access (rest-minimal): Allows users to interact with the application via the API.
CORS
For security reasons, browsers don’t allow JavaScript network calls to resources outside the current origin. Cross-Origin Resource Sharing or CORS solves this restriction, as it lets you specify which cross-domain requests are allowed.
By default, all cross-origin requests to the REST API are allowed. To restrict the list of allowed origins, define the jmix.cors.allowed-origins application property (and, if needed, the other CORS properties).
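As an added illustration (not part of the original page), the permissive default beside a restricted configuration in application.properties. Only jmix.cors.allowed-origins is named on this page; the other two keys are assumed from Jmix's CORS property set, and the origin values are constructed sample values:

```properties
# Permissive (effectively the default): any origin may call the REST API.
# jmix.cors.allowed-origins=*

# Restricted: only the listed front-end origins may make cross-origin calls.
jmix.cors.allowed-origins=https://app.example.com,https://admin.example.com

# Assumed additional keys (verify against the Jmix CORS properties reference):
jmix.cors.allowed-methods=GET,POST,PUT,DELETE,OPTIONS
jmix.cors.allow-credentials=true
```

Keep the origin list to exact scheme+host(+port) values; a wildcard combined with credentials is rejected by Spring's CORS validation and would otherwise let any site make authenticated calls on the user's behalf.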
CORS settings are automatically applied to the following URLs:
- /rest/**
- /oauth/**
- URL patterns defined in the jmix.rest.authenticated-url-patterns property.
If you want to apply the CORS settings to another URL path, define the following bean (you can do it in the main application class):
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Declared in the main application class (or any @Configuration class).
@Bean
public WebSecurityConfigurerAdapter mySecurityConfigurerAdapter() {
    return new WebSecurityConfigurerAdapter() {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // This security filter chain applies only to the given path.
                .requestMatchers(requestMatchers ->
                        requestMatchers.antMatchers("/myapi/hello")
                )
                // Apply the application's CORS configuration to that path.
                .cors(Customizer.withDefaults())
                .authorizeRequests(authorize ->
                        authorize.anyRequest().permitAll()
                );
        }
    };
}
In order to replace the default CORS configuration provided by Jmix, register a bean named corsConfigurationSource in your project. In this case, the properties mentioned above will not work.
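The following is an added example (not code from the Jmix project or this page) of such a replacement bean, built with Spring's CorsConfiguration and UrlBasedCorsConfigurationSource. The class name, the origin values and the path patterns registered are assumptions for illustration; the bean name corsConfigurationSource is the one the page requires:

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class RestCorsConfiguration {

    // The bean name must be exactly "corsConfigurationSource" so that it
    // replaces the default one registered by Jmix.
    @Bean("corsConfigurationSource")
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration restConfig = new CorsConfiguration();

        // Explicit allow-list of trusted front-end origins (constructed sample values).
        // Do not use "*" here together with allowCredentials(true): Spring rejects
        // that combination, and it would otherwise let any site send the user's
        // cookies or token with a cross-origin request.
        restConfig.setAllowedOrigins(List.of(
                "https://app.example.com",
                "https://admin.example.com"));
        restConfig.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        restConfig.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        restConfig.setAllowCredentials(true);
        // Preflight responses may be cached by the browser for one hour.
        restConfig.setMaxAge(3600L);

        // Fail fast at startup if the configuration is internally inconsistent.
        restConfig.validateAllowCredentials();

        // Attach the configuration to the same URL patterns Jmix covers by default;
        // add further patterns here instead of opening a second filter chain.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/rest/**", restConfig);
        source.registerCorsConfiguration("/oauth/**", restConfig);
        return source;
    }
}
```

A quick check while developing: CorsConfiguration.checkOrigin("https://evil.example") returns null for an origin that is not on the list and the matching origin string for one that is, so a unit test can assert the allow-list without starting a browser.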
Refer to the Spring Security documentation for more information on CORS.