...

| Date             | Author         | Version | Changes           | Completed | Ext. | Int. | Is in Core | Jira Ref. |
|------------------|----------------|---------|-------------------|-----------|------|------|------------|-----------|
|                  |                | 0.1     | Doc. created      |           | x    |      |            | N/A       |
| 22 November 2018 | Emil Ion Ifrim | 0.2     | Brand Enabling    | Yes       | x    |      |            | N/A       |
| 15 January 2019  | SD             | 0.3     | Download pdf-file |           |      |      |            |           |


Overview

This page describes the security layers of the REST web app. There are two security layers:

...

  1. Brand Access
    To obtain an access token, the client must be registered with the proper authorization: its row in the OAUTH_CLIENT_DETAILS table must carry the brand authorities in the AUTHORITIES column. Each such authority consists of the prefix ACCESS_BRAND_ followed by the brand_key (uppercase) of the brand the client is allowed to access. The brand_key is sent as a query parameter of the token request, and a token is only issued if the client holds the matching ACCESS_BRAND_ authority.

    Example of registered client (one row of OAUTH_CLIENT_DETAILS; empty cells are not set). The secret is shown in clear text here for illustration; in a real deployment it should be stored hashed.

    | CLIENT_ID  | RESOURCE_IDS | CLIENT_SECRET     | SCOPE      | AUTHORIZED_GRANT_TYPES                         | WEB_SERVER_REDIRECT_URI | AUTHORITIES          | ACCESS_TOKEN_VALIDITY | ADDITIONAL_INFORMATION | AUTOAPPROVE |
    |------------|--------------|-------------------|------------|------------------------------------------------|-------------------------|----------------------|-----------------------|------------------------|-------------|
    | swagger-ui |              | swagger-ui-secret | read,write | password,operator_password,client_credentials  |                         | ACCESS_BRAND_BRAND_X | 600                   |                        |             |



    Example: for a brand key with the value RATOR_X, the authority is ACCESS_BRAND_RATOR_X.
    A client with access to multiple brands lists one authority per brand, separated by commas (e.g. ACCESS_BRAND_RATOR_X, ACCESS_BRAND_RATOR_Y).

    Code Block
    titleCURL example
    curl -v -X POST -u myclientid:myclientsecret http://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=operator_password&username=myusername&password=mypassword&brand_key=RATOR_X"

    The client authenticates with HTTP Basic (-u client id and secret) while the operator's username and password travel in the request body, so outside local testing the token endpoint must be reached over https, not plain http.


  2. Fine-grained access control limits access to specific resources, or even to code blocks within a single resource. The current version of the REST app uses our own framework for this. The framework defines two abstract classes whose implementations stand in a one-to-one relationship with a resource (a @Path annotated method); the two classes reflect the kinds of question/check needed in the code.
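The brand-access layer (item 1 above) boils down to one decision at the token endpoint: does the authenticated client hold ACCESS_BRAND_<brand_key> in its AUTHORITIES column, and is the requested grant type one of its AUTHORIZED_GRANT_TYPES? The following is an added example, not the REST app's own code (the app is a Java application; this is a Python model of the same check over an in-memory sqlite copy of the OAUTH_CLIENT_DETAILS columns shown on the page). The second client row, the exact-case match of the brand key and the "reason" strings are assumptions of the example; client authentication (the -u part of the curl request) is taken as already done.

```python
"""Model of the ACCESS_BRAND_ authority check that gates token issuance.

Added example: not the REST app's code. It keeps the column names from the
page's OAUTH_CLIENT_DETAILS example and models the decision the token
endpoint has to make before issuing a token for a brand_key.
"""
import sqlite3

BRAND_AUTHORITY_PREFIX = "ACCESS_BRAND_"

SCHEMA = """
CREATE TABLE OAUTH_CLIENT_DETAILS (
    CLIENT_ID TEXT PRIMARY KEY,
    RESOURCE_IDS TEXT,
    CLIENT_SECRET TEXT,
    SCOPE TEXT,
    AUTHORIZED_GRANT_TYPES TEXT,
    WEB_SERVER_REDIRECT_URI TEXT,
    AUTHORITIES TEXT,
    ACCESS_TOKEN_VALIDITY INTEGER,
    ADDITIONAL_INFORMATION TEXT,
    AUTOAPPROVE TEXT
)
"""

# Constructed sample rows: the swagger-ui client from the page, plus a
# hypothetical client that is allowed two brands (comma-separated, as the
# page describes). Secrets are clear text only because this is a model.
SAMPLE_CLIENTS = [
    ("swagger-ui", None, "swagger-ui-secret", "read,write",
     "password,operator_password,client_credentials", None,
     "ACCESS_BRAND_BRAND_X", 600, None, None),
    ("multi-brand-client", None, "multi-brand-secret", "read",
     "client_credentials", None,
     "ACCESS_BRAND_RATOR_X, ACCESS_BRAND_RATOR_Y", 600, None, None),
]


def open_sample_db():
    """In-memory database holding the constructed client rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO OAUTH_CLIENT_DETAILS VALUES (?,?,?,?,?,?,?,?,?,?)",
        SAMPLE_CLIENTS)
    conn.commit()
    return conn


def split_csv(value):
    """Split a comma-separated column into a set of trimmed, non-empty tokens
    (so 'A, B' and 'A,B' are read the same way)."""
    return {t.strip() for t in (value or "").split(",") if t.strip()}


def brands_for_client(conn, client_id):
    """Brand keys the client may request tokens for, derived from AUTHORITIES."""
    row = conn.execute(
        "SELECT AUTHORITIES FROM OAUTH_CLIENT_DETAILS WHERE CLIENT_ID = ?",
        (client_id,)).fetchone()
    if row is None:
        return set()
    return {a[len(BRAND_AUTHORITY_PREFIX):]
            for a in split_csv(row[0]) if a.startswith(BRAND_AUTHORITY_PREFIX)}


def token_request_allowed(conn, client_id, grant_type, brand_key):
    """Decide whether a token request for brand_key may proceed.

    Returns (allowed, reason). The brand key is matched exactly, as sent;
    the page stores it uppercase, so the caller is expected to send it
    uppercase (assumption of this model). The authority is compared as a
    whole token, so ACCESS_BRAND_RATOR_X grants neither RATOR nor RATOR_X2.
    """
    row = conn.execute(
        "SELECT AUTHORIZED_GRANT_TYPES, AUTHORITIES "
        "FROM OAUTH_CLIENT_DETAILS WHERE CLIENT_ID = ?",
        (client_id,)).fetchone()
    if row is None:
        return False, "unknown client"
    if grant_type not in split_csv(row[0]):
        return False, "grant type not authorized for client"
    if not brand_key:
        return False, "brand_key missing"
    if BRAND_AUTHORITY_PREFIX + brand_key not in split_csv(row[1]):
        return False, "client has no authority for brand"
    return True, "ok"


if __name__ == "__main__":
    db = open_sample_db()
    for cid, grant, brand in [("swagger-ui", "client_credentials", "BRAND_X"),
                              ("swagger-ui", "client_credentials", "RATOR_X"),
                              ("multi-brand-client", "operator_password", "RATOR_Y")]:
        print(cid, grant, brand, token_request_allowed(db, cid, grant, brand))
```

The whole-token comparison is the point worth copying: a prefix or substring test on the AUTHORITIES string would let a client registered for RATOR_X obtain tokens for RATOR or for a brand whose key merely starts with RATOR_X.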

...

When the above parameter is in place, an access token (Authorization: Bearer <access_token>) has to be sent with the request. For public endpoints an access token can be obtained with the "client_credentials" grant type. Such a token identifies only the client, not a user, and the client still needs the ACCESS_BRAND_ authority for the brand_key it requests.

 


Code Block
titleAuthorization URL
https://host:port/appcontext/oauth/token?grant_type=client_credentials&brand_key=a_valid_brand_key

...

Info
titleSwagger

To configure Swagger to use this authentication scenario, an additional parameter has to be set in the Properties.txt file (this revision changes the value from client_credentials to operator_password):

rest.swagger.auth.flow=operator_password


Info
titleSwagger UI and proxy

To allow Swagger UI to call the endpoints when the REST app is deployed behind a proxy (e.g. CI/CD and docker), an additional parameter has to be set in the Properties.txt file:

rest.swagger.api.context_path=/rator-rest-api/v1   # the value has to be adjusted to the proxy configuration

...