Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Authentication is triggered by the Authorization layer. If a resource does not require Authorization, then it is considered open for access, unless brand access check is in place. The Authentication protocol used is OAUTH2  and the implementation used is from Spring Framework.

...

  1. Brand Access
    In order to obtain an access token, the client has to have configured the proper authorization. That is, in the OAUTH_CLIENT_DETAILS table, a client has to have defined proper values in AUTHORITIES column. Those authorities must have the following prefix: ACCESS_BRAND_ .After the prefix there should be the brand_key (uppercase) that the respective client has access to. The brand_key parameter should be sent as QUERY parameter in the request for the token.

    Example of registered client:

    CLIENT_IDRESOURCE_IDSCLIENT_SECRETSCOPEAUTHORIZED_GRANT_TYPESWEB_SERVRE_REDIRECT_URIAUTHORITIESACCESS_TOKEN_VALIDITYADDITIONAL_INFORMATIONAUTOAPROVE
    swagger-ui
    swagger-ui-secretread,writepassword,operator_password
    ACCESS_BRAND_BRAND_X600



    Example: given a brand key with a value of RATOR_X , the authority tag should be ACCESS_BRAND_RATOR_X .
    If a client has access to multiple brands, those should be separated by ,  (e.g ACCESS_BRAND_RATOR_X, ACCESS_BRAND_RATOR_Y)

    Code Block
    titleCURL example
    CURL example:  curl -v -X POST -u myclientid:myclientsecret http://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=operator_password&username=#myusername&password=mypassword&brand_key=RATOR_X"
    


  2. Fine-grained access control is about limiting the access to specific resources, or even to limit the access to code blocks within a single resource. The current version of the REST app uses our own framework for this. The framework defines two abstract classes, whose implementations stand in a one-to-one relationship with a resource (an @Path annotated method). The two classes reflect the kind of questions/checks needed in the code.

...

  1. the @RatorSecured annotation that can have few input attributes, in orderto define the assesed field or the Role of the logged in user.

Code Block
languagejava
titleAccess Configuration
// URL - /accounts/{account-id}/subscriptions
map.put(key(HttpMethod.GET,ResourcePathParent.ACCOUNTS, ResourcePath.ACCOUNTID_SUBSCRIPTIONS),new AccessControllerByOwnership(Ownership.SUB_OR_BG_OR_ACC_OWNER));
 
//URL - /accounts/{account-id}/documents
map.put(key(HttpMethod.POST,ResourcePathParent.ACCOUNTS,ResourcePath.ACCOUNTID_DOCUMENTS),new AccessControllerByOwnership(Ownership.ACC_OWNER));
 
//URL - /accounts/{account-id}/documents
map.put(key(HttpMethod.GET,ResourcePathParent.ACCOUNTS,ResourcePath.ACCOUNTID_DOCUMENTS),new AccessControllerByOwnership(Ownership.ACC_OWNER));
 
//URL - /accounts/{account-id}/billing-groups
map.put(key(HttpMethod.GET, ResourcePathParent.ACCOUNTS,ResourcePath.ACCOUNTID_BILLING_GROUPS),new AccessControllerByOwnership(Ownership.BG_OR_ACC_OWNER));

...

@RatorSecured(requiredRole = Role.OPERATOR , assertOn = "subscriptionId")
public Response updateNpFlow(@PathParam("subscription-id") SubscriptionId subscriptionId) {...}

@RatorSecured(requiredRole = Role.SUB_OWNER, assertOn = "userId")
public Collection<ContactPoint> getContactPointsForUser(@PathParam("user-id") UserId userId) {...}

@RatorSecured(requiredRole = Role.OPERATOR, restrictorFactory = OperatorAccessRestrictorFactory.class)
    public Collection<Product> getProducts(@Context RESTContext ctx) { ... } 

Brand Access Check

In case of a multi branded  environment it is possible to restrict access to the "public" endpoints by enabling the brand access check in the configuration file (Properties.txt). This is done by setting the following parameter:

...