Versions Compared

Old Version 18

changes.mady.by.user Julie Legendre

Saved on

compared with

New Version 19

changes.mady.by.user Julie Legendre

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.

Table of Contents

"Protecting" the endpoints

REST enpoints are a po

URI access security

URI security is checked by the 

Javadoc resource link
classNameinfo.magnolia.cms.security.URISecurityFilter
renderTypeasynchronous
. The filter checks whether the role(s) of the requesting user allow to the user to request a given path with given method.

...

URI access is checked for every endpoint.

JCR access security

JCR access security is a feature of the JCR standard (defined by JCR JSR-170 and JSR-283). JCR access is granted per workspace on path level. It can grant Read-only or Read/Write permission.

...

Info

JCR access security can be bypassed for the delivery endpoint for testing purposes.

Role-based security for commands

Command level security access is the lowest level of access you can configure by role for REST endpoints. 

...

Include Page
_What is a command
_What is a command

Note

You can make sweeping changes with commands, such as bypassing approval and deleting the whole site. Commands are therefore subject to special security restrictions. 

To enable the use of commands through REST:

  1. Open the security app and grant the rest-admin role a permission to issue requests to the commands endpoint.  Permission to the endpoint is denied by default. Add a new rule.
    Image Removed
  2. Whitelist any commands you want to expose to REST. The white list is managed in /modules/rest-services/rest-endpoints/commands/enabledCommands.

...

enableHeadingAttributesfalse
enableSortingfalse
classm5-configuration-tree
enableHighlightingfalse

...

Mgnl f
modules

...

Mgnl f
rest-services

...

Mgnl f
rest-endpoints

...

Mgnl n
commands

...

Mgnl n
enabledCommands

...

Mgnl n
activate

...

Mgnl n
access

...

Mgnl n
roles

...

Mgnl p
rest

...

rest-admin

...

Mgnl p
catalogName

...

website

...

Mgnl p
commandName

...

activate

...

Mgnl n
markAsDeleted

...

Mgnl n
backup

Properties:

...

required

Enabled commands node.

...

<command>

...

required

Arbitrary name for the command. Use any name you like.

...

access

...

required

Access node.

...

roles

...

required

Roles node.

...

<role>

required

...

is

...

a

...

catalogName

required

...

command

...

commandName

...

Command definition name.

Security for endpoints - summary

Endpoints always require URI access, they may also require JCR access or a specific role defined at a command level.

...

  • If the user is not granted access to the requested node, the the endpoint returns the HTTP response code 401, 403, 404 or 500 depending on the case.
  • If JCR security access is granted, the endpoint returns the HTTP response code 200 and a response body if appropriate.

If the endpoint triggers commands, the command definition grants access via specifically defined roles defined per command:


HTTP
method		URI security required

JCR access security


Specific role based security

delivery GET

/.rest/delivery/v1/{workspace}/{path}

Read-only access for a path on a workspace-
nodes GET

/.rest/nodes/v1/{workspace}/{path}

Read-only access for a path on a workspace-
PUT

/.rest/nodes/v1/{workspace}/{path}

Read/Write access for a path on a workspace-
POST

/.rest/nodes/v1/{workspace}/{path}

Read/Write access for a path on a workspace-
DELETE/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
properties GET/.rest/nodes/v1/{workspace}/{path}Read-only access for a path on a workspace-
PUT/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
POST/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
DELETE/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
commands POST/.rest/commands/v2/{catalogName}/{command}-required

xx



Enabling the commands endpoint

Note

You can make sweeping changes with commands, such as bypassing approval and deleting the whole site. Commands are therefore subject to special security restrictions. 

To enable the use of commands through REST:

  1. Open the security app and grant the rest-admin role a permission to issue requests to the commands endpoint.  Permission to the endpoint is denied by default. Add a new rule.
    Image Added
  2. Whitelist any commands you want to expose to REST. The white list is managed in /modules/rest-services/rest-endpoints/commands/enabledCommands.
Advanced Tables - Table Plus
enableHeadingAttributesfalse
enableSortingfalse
classm5-configuration-tree
enableHighlightingfalse


Node nameValue

Mgnl f
modules


Mgnl f
rest-services


Mgnl f
rest-endpoints


Mgnl n
commands


Mgnl n
enabledCommands


Mgnl n
activate


Mgnl n
access


Mgnl n
roles


Mgnl p
rest

rest-admin

Mgnl p
catalogName

website

Mgnl p
commandName

activate

Mgnl n
markAsDeleted


Mgnl n
backup



Properties:

enabledCommands

required

Enabled commands node.

<command>

required

Arbitrary name for the command. Use any name you like.

access

required

Access node.

roles

required

Roles node.

<role>

required

Role name. Grants the role permission to execute the command . Add the rest-admin role. The property name is arbitrary but the value must be a valid role name.

catalogName

required

Catalog where the command resides.

commandName

required

Command definition name.

REST roles

The REST module installs four default roles with the following permissions:

...