Access Control

Protecting API Using Access Tokens

Access to REST API endpoints may be protected with access tokens. The Authorization Server add-on may be used for obtaining access tokens. See the Authorization Server add-on documentation for details.

Anonymous Access

It is possible to expose certain parts of the REST API without authentication by using the anonymous access functionality of Jmix. In this case, the API request is performed as the user anonymous, which is configured by default in a Jmix application.

For every secured endpoint that is called without the Authentication header, the user will be authenticated with the anonymous user session.

To whitelist specific endpoints for anonymous access, set a comma-separated list of URL patterns in the application property. For example: = \

The last pattern in the example above is needed if you want to update or delete the Product entity, because in this case the URL has the id part.

Once this setting is in place, it is possible to interact with the ProductService without sending an Authorization header:

GetProductInformation Request
GET {{baseRestUrl}}
# Authorization: not set

This request will respond in a successful response of the Service:

HTTP/1.1 200
  "name": "Apple iPhone",
  "productId": "123",
  "price": 499.99

If you want to provide anonymous access to some entities endpoints, make sure the anonymous user has rights to these entities. You can do it by creating a resource role and assigning it to the anonymous user in the DatabaseUserRepository.initAnonymousUser() method. For example:

@ResourceRole(name = "AnonymousRestRole", code = AnonymousRestRole.CODE, scope = "API")
public interface AnonymousRestRole {

    String CODE = "anonymous-rest-role";

    @EntityAttributePolicy(entityClass = Product.class,
        attributes = "*",
        action = EntityAttributePolicyAction.MODIFY)
    @EntityPolicy(entityClass = Product.class,
        actions = {EntityPolicyAction.READ, EntityPolicyAction.UPDATE})
    void product();
public class DatabaseUserRepository extends AbstractDatabaseUserRepository<User> {
    // ...

    protected void initAnonymousUser(User anonymousUser) {
        Collection<GrantedAuthority> authorities = getGrantedAuthoritiesBuilder()
The anonymous access feature does not require that anonymous user has the rest-minimal role.

Predefined Roles

REST: minimal access (rest-minimal): Allows users to interact with the application via the API.