Access Control
Protecting API Using Access Tokens
Access to REST API endpoints may be protected with access tokens. The Authorization Server add-on may be used for obtaining access tokens. See the Authorization Server add-on documentation for details.
Anonymous Access
It is possible to expose certain parts of the REST API without authentication by using the anonymous access functionality of Jmix. In this case, the API request is performed as the anonymous user, which is configured by default in a Jmix application.
For every secured endpoint that is called without the Authorization header, the request is authenticated with the anonymous user session.
To whitelist specific endpoints for anonymous access, set a comma-separated list of URL patterns in the jmix.rest.anonymous-url-patterns application property. For example:
jmix.rest.anonymous-url-patterns = \
/rest/services/productService/getProductInformation,\
/rest/entities/Product,\
/rest/entities/Product/*
The last pattern in the example above is needed if you want to update or delete the Product entity, because in this case the URL has the id part.
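Added illustration, not part of the Jmix documentation: a small Python audit that reproduces Ant-style path matching (assumed here to be the semantics Jmix applies to these patterns, via Spring's path matchers) and reports which constructed endpoint paths the property value above would expose without a token, including the id-bearing URL that only the trailing /* pattern covers.

```python
import re

# Constructed input: the property value from this page with the backslash
# line continuations already joined into one comma-separated string.
ANONYMOUS_URL_PATTERNS = (
    "/rest/services/productService/getProductInformation,"
    "/rest/entities/Product,"
    "/rest/entities/Product/*"
)


def parse_patterns(value: str) -> list[str]:
    """Split the comma-separated property into individual URL patterns."""
    return [p.strip() for p in value.split(",") if p.strip()]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regex.

    Assumed semantics (Spring's AntPathMatcher): '*' matches within a single
    path segment, '/**' matches zero or more whole segments, '?' one character.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_anonymous(url: str, patterns: list[str]) -> bool:
    """True if the request path (query string ignored) matches a whitelisted pattern."""
    path = url.split("?", 1)[0]
    return any(ant_to_regex(p).match(path) for p in patterns)


def audit(urls: list[str], property_value: str) -> dict[str, bool]:
    """Report, per candidate endpoint, whether it is reachable without a token."""
    patterns = parse_patterns(property_value)
    return {u: is_anonymous(u, patterns) for u in urls}
```

A `/**` pattern matches every nested path below its prefix, so it exposes far more than the single-segment `*` used above; keep the whitelist to exact paths wherever the id part is not needed.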
Once this setting is in place, it is possible to interact with the ProductService without sending an Authorization header:
GET {{baseRestUrl}}/services/productService/getProductInformation?productId=123
# Authorization: not set
This request returns the successful response of the service:
{
    "name": "Apple iPhone",
    "productId": "123",
    "price": 499.99
}
If you want to provide anonymous access to some entity endpoints, make sure the anonymous user has rights to these entities. You can do it by creating a resource role and assigning it to the anonymous user in the DatabaseUserRepository.initAnonymousUser() method. For example:
import io.jmix.security.model.EntityAttributePolicyAction;
import io.jmix.security.model.EntityPolicyAction;
import io.jmix.security.role.annotation.EntityAttributePolicy;
import io.jmix.security.role.annotation.EntityPolicy;
import io.jmix.security.role.annotation.ResourceRole;

// Resource role granting the anonymous user access to Product through the REST API only (scope = "API").
@ResourceRole(name = "AnonymousRestRole", code = AnonymousRestRole.CODE, scope = "API")
public interface AnonymousRestRole {
    String CODE = "anonymous-rest-role";

    // Allow reading and modifying all Product attributes ...
    @EntityAttributePolicy(entityClass = Product.class,
            attributes = "*",
            action = EntityAttributePolicyAction.MODIFY)
    // ... and reading and updating Product instances (no CREATE or DELETE).
    @EntityPolicy(entityClass = Product.class,
            actions = {EntityPolicyAction.READ, EntityPolicyAction.UPDATE})
    void product();
}

import io.jmix.securitydata.user.AbstractDatabaseUserRepository;
import org.springframework.context.annotation.Primary;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Component;
import java.util.Collection;

@Primary
@Component("UserRepository")
public class DatabaseUserRepository extends AbstractDatabaseUserRepository<User> {
    // ...

    // Assign the resource role to the built-in anonymous user.
    @Override
    protected void initAnonymousUser(User anonymousUser) {
        Collection<GrantedAuthority> authorities = getGrantedAuthoritiesBuilder()
                .addResourceRole(AnonymousRestRole.CODE)
                .build();
        anonymousUser.setAuthorities(authorities);
    }
}
The anonymous access feature does not require the anonymous user to have the rest-minimal role.
Predefined Roles
REST: minimal access (rest-minimal): Allows users to interact with the application via the API.