Protecting Resources
Resource server security is defined by the auto-configuration of the Authorization Server add-on. This configuration provides extension points that let you declare any URL pattern as protected, so that requests matching it are accepted only with a valid access token.
Defining Protected Resources
Suppose that you have the following REST controller:
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingController {

    // GET /greeting/hello
    @GetMapping("/greeting/hello")
    public String hello() {
        return "Hello!";
    }

    // POST /greeting/hi
    @PostMapping("/greeting/hi")
    public String hi() {
        return "Hi!";
    }
}
To protect the /greeting/** endpoints with the access token, define a bean that implements the io.jmix.core.security.AuthorizedUrlsProvider interface and returns a list of URL patterns from its getAuthenticatedUrlPatterns() method:
import io.jmix.core.security.AuthorizedUrlsProvider;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.List;

@Component
public class GreetingAuthorizedUrlsProvider implements AuthorizedUrlsProvider {

    // URL patterns that require a valid access token
    @Override
    public Collection<String> getAuthenticatedUrlPatterns() {
        return List.of("/greeting/**");
    }

    // URL patterns reachable without a token (none for this controller)
    @Override
    public Collection<String> getAnonymousUrlPatterns() {
        return List.of();
    }
}
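The protection is only as good as the patterns you return, so it is worth checking which request paths a provider actually covers before relying on it. The following is an added example, not code from the Jmix documentation or the add-on: it instantiates AuthorizedUrlsProvider directly (no Spring context) and classifies sample paths against its patterns. It assumes Ant-style pattern semantics as implemented by Spring's AntPathMatcher and assumes anonymous patterns take precedence over authenticated ones; the add-on's own matcher and precedence rules are not described on this page. The second provider, with the single-star pattern /greeting/*, is constructed here to show the difference between the two wildcards.

```java
import io.jmix.core.security.AuthorizedUrlsProvider;
import org.springframework.util.AntPathMatcher;

import java.util.Collection;
import java.util.List;

/**
 * Added example (not part of the Jmix docs): checks which request paths the
 * patterns of an AuthorizedUrlsProvider cover.
 * Assumption: Ant-style matching (Spring's AntPathMatcher); the add-on's
 * exact matcher is not stated on the page.
 */
public class UrlPatternCoverageCheck {

    enum Access { ANONYMOUS, AUTHENTICATED, UNMATCHED }

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Assumed precedence for this check: anonymous patterns are consulted first. */
    static Access classify(AuthorizedUrlsProvider provider, String path) {
        if (matchesAny(provider.getAnonymousUrlPatterns(), path)) {
            return Access.ANONYMOUS;
        }
        if (matchesAny(provider.getAuthenticatedUrlPatterns(), path)) {
            return Access.AUTHENTICATED;
        }
        return Access.UNMATCHED;
    }

    private static boolean matchesAny(Collection<String> patterns, String path) {
        return patterns.stream().anyMatch(pattern -> MATCHER.match(pattern, path));
    }

    /** Builds an in-memory provider with the given patterns (constructed for the example). */
    static AuthorizedUrlsProvider provider(List<String> authenticated, List<String> anonymous) {
        return new AuthorizedUrlsProvider() {
            @Override
            public Collection<String> getAuthenticatedUrlPatterns() { return authenticated; }

            @Override
            public Collection<String> getAnonymousUrlPatterns() { return anonymous; }
        };
    }

    public static void main(String[] args) {
        // Same pattern as the docs: everything under /greeting/ needs a token.
        AuthorizedUrlsProvider docsProvider = provider(List.of("/greeting/**"), List.of());
        // Constructed variant: a single '*' covers only one path segment.
        AuthorizedUrlsProvider singleStar = provider(List.of("/greeting/*"), List.of());

        List<String> samplePaths = List.of(
                "/greeting/hello",      // both patterns: AUTHENTICATED
                "/greeting/hi",         // both patterns: AUTHENTICATED
                "/greeting/v2/hello",   // nested segment: only /greeting/** covers it
                "/greetings/hello");    // different prefix: UNMATCHED by both

        for (String path : samplePaths) {
            System.out.printf("%-20s  /greeting/** -> %-13s  /greeting/* -> %s%n",
                    path, classify(docsProvider, path), classify(singleStar, path));
        }
    }
}
```

Run the class with the Jmix core and Spring jars on the classpath; a path reported as UNMATCHED is one that neither pattern list mentions, which is where a typo in a pattern would show up.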
Sending Access Token
After the above configuration is defined, all requests to /greeting/** endpoints will need an access token in the Authorization header. The header value must contain the word Bearer followed by the access token value. For example:
GET /greeting/hello HTTP/1.1
Host: server.example.com
Authorization: Bearer <ACCESS_TOKEN>
Protecting Generic REST Add-on Endpoints
When you add the Generic REST add-on to the application, all REST endpoints become automatically protected by the Authorization Server add-on. This means that to access REST endpoints you need to obtain an access token and pass it in the Authorization header of the HTTP request. The header value must contain the word Bearer followed by the access token value. For example:
GET /rest/entities/User HTTP/1.1
Host: server.example.com
Authorization: Bearer <ACCESS_TOKEN>