...
Date: | Author: | Version: | Changes: | Completed | Ext. | Int. | Is in Core | Jira Ref. | |||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0.1 | Doc. created |
| x |
| N/A | ||||||||
22 November 2018 | Emil Ion Ifrim | 0.2 | Brand Enabling | Yes | x | N/A | |||||||
15 January 2019 | SD | 0.3 | Download pdf-file |
Overview
This page describes the security layers of the REST web app. There are two security layers:
...
Brand Access
In order to obtain an access token, the client has to have configured the proper authorization. That is, in the OAUTH_CLIENT_DETAILS table, a client has to have defined proper values in AUTHORITIES column. Those authorities must have the following prefix: ACCESS_BRAND_ .After the prefix there should be the brand_key (uppercase) that the respective client has access to. The brand_key parameter should be sent as QUERY parameter in the request for the token.
Example of registered client:CLIENT_ID RESOURCE_IDS CLIENT_SECRET SCOPE AUTHORIZED_GRANT_TYPES WEB_SERVRE_REDIRECT_URI AUTHORITIES ACCESS_TOKEN_VALIDITY ADDITIONAL_INFORMATION AUTOAPROVE swagger-ui swagger-ui-secret read,write password,operator_password,client_credentials ACCESS_BRAND_BRAND_X 600
Example: given a brand key with a value of RATOR_X , the authority tag should be ACCESS_BRAND_RATOR_X .
If a client has access to multiple brands, those should be separated by , (e.g ACCESS_BRAND_RATOR_X, ACCESS_BRAND_RATOR_Y)Code Block title CURL example CURL example: curl -v -X POST -u myclientid:myclientsecret http://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=operator_password&username=#myusername&password=mypassword&brand_key=RATOR_X"
Fine-grained access control is about limiting the access to specific resources, or even to limit the access to code blocks within a single resource. The current version of the REST app uses our own framework for this. The framework defines two abstract classes, whose implementations stand in a one-to-one relationship with a resource (an @Path annotated method). The two classes reflect the kind of questions/checks needed in the code.
...
When the above parameter is in place an access token (Authorization: Bearer access_token) is required to be sent in the request. For public endpoints one can obtain a access token by using the "client_credentials" grant type.
Code Block | ||
---|---|---|
| ||
https://host:port/appcontext/oauth/token?grant_type=client_credentials&brand_key=a_valid_brand_key |
...
Info | ||
---|---|---|
| ||
To configure swagger to use this authentication scenario, an additional parameter has to be set in Properties.txt file: rest.swagger.auth.flow=clientoperator_credentialspassword |
Info | ||
---|---|---|
| ||
To configure swagger to allow testing endpoints when REST is deployed behind a proxy (e.g CI/CD and docker) an additional parameter has to be set in Properties.txt file: rest.swagger.api.context_path=/rator-rest-api/v1 #the valuehas to adjusted according to the proxy configuration |
...