...
This page describes the security layers of the REST web app. There are two security layers:
- Authentication:
- Client-authentication:The database table
OAUTH_CLIENT_DETAILSdescribes the servers, which are allowed to make calls to the REST web app. (Typically this will be the selfcare web app and, when in development, the Swagger UI) - User-authentication: A username/password based security layer that upon each requests matches a token from the request against an in-memory map from token to logged in users.
- Client-authentication:The database table
- Authorization: A fine grained access rights control implemented in all resources that shall have limited access. This layer is customizable: The customer can register their own rules. The default rules are all based on "ownership": Account-ownership, BillingGroup-ownership and Subscription-ownership.
Authentication
Authorization
Fine-grained access control is about limiting the access to specific resources, or even to limit the access to code blocks within a single resource. The current version of the REST app uses our own framework for this. The framework defines two abstract classes, whose implementations stand in a one-to-one relationship with a resource (an @Path annotated method). The two classes reflect the kind of questions/checks needed in the code.
- AccessController: Implementations must implement a single method called
assertAccessible(AccessContext), which returns a boolean. This method is called before entering the resource. - AccessRestrictor: Implementations must implement a single method called restrict(List<?>). This is called before returning Lists of objects, and provided the customer with an opportunity to filter away restricted resources (such as Subscriptions, for which the caller does not have some sort of ownership over.