When using the REST API, your client application needs to act under the permissions and restrictions of a particular user. This way Jmix can link the API calls to a user and apply the regular Security Authorization capabilities of Jmix to the requests.

The REST API supports a variety of security mechanisms that are available via the Security Subsystem of Jmix. Additionally, it adds API-specific parts on top like OAuth2 for securing the interactions via the API.

Predefined Roles

REST: minimal access (rest-minimal): Allows users to interact with the application via the API.


For security reasons, browsers don’t allow JavaScript network calls to resources outside the current origin. Cross-Origin Resource Sharing or CORS solves this restriction, as it lets you specify which cross-domain requests are allowed.

By default, all cross-origin requests to the REST API are allowed. To restrict the origins list you can define the jmix.cors.allowed-origins application property and other CORS properties.

CORS settings are automatically applied to the following URLs:

If you want to apply the CORS settings to another URL path, define the following bean (you can do it in the main application class):

public WebSecurityConfigurerAdapter mySecurityConfigurerAdapter() {
    return new WebSecurityConfigurerAdapter() {
        protected void configure(HttpSecurity http) throws Exception {
                    .requestMatchers(requestMatchers ->
                    .authorizeRequests(authorize ->

In order to replace the default CORS configuration provided by Jmix, register a bean with the corsConfigurationSource name in your project. In this case, the properties mentioned above will not work.

Refer to Spring Security Documentation for more information on CORS.