Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.


Security strategy

REST endpoints are a powerful tool but can also make your site very vulnerable. Make sure you understand how to implement a strong security strategy to safeguard your system.

URI access security

URI security is checked by the info.magnolia.cms.security.URISecurityFilter class. The filter checks whether the role(s) of the requesting user allow the user to request a given path with a given HTTP method.


Security for endpoints - summary

Endpoints always require URI access. They may also require JCR access to the requested workspace, or a specific role defined at the command level.


If the endpoint triggers commands, access is granted through roles that are defined specifically for each command in the command configuration:

Endpoint    HTTP method   URI security required                          JCR access security                          Specific role based security
delivery    GET           /.rest/delivery/v1/{workspace}/{path}          Read-only access for a path on a workspace   -
nodes       GET           /.rest/nodes/v1/{workspace}/{path}             Read-only access for a path on a workspace   -
nodes       PUT           /.rest/nodes/v1/{workspace}/{path}             Read/Write access for a path on a workspace  -
nodes       POST          /.rest/nodes/v1/{workspace}/{path}             Read/Write access for a path on a workspace  -
nodes       DELETE        /.rest/nodes/v1/{workspace}/{path}             Read/Write access for a path on a workspace  -
properties  GET           /.rest/nodes/v1/{workspace}/{path}             Read-only access for a path on a workspace   -
properties  PUT           /.rest/nodes/v1/{workspace}/{path}             Read/Write access for a path on a workspace  -
properties  POST          /.rest/nodes/v1/{workspace}/{path}             Read/Write access for a path on a workspace  -
properties  DELETE        /.rest/nodes/v1/{workspace}/{path}             Read/Write access for a path on a workspace  -
commands    POST          /.rest/commands/v2/{catalogName}/{command}     -                                            required


REST roles

The REST module installs four default roles with the following permissions:

  • rest-admin – The REST administrator role grants GET/POST permissions to all of Magnolia's REST APIs.
  • rest-editor – The REST editor role grants GET/POST permissions to the REST services APIs (nodes, properties) for a limited set of workspaces.
  • rest-anonymous – The REST anonymous consumer role grants GET permissions to Magnolia's content delivery REST API.
  • rest-backup – The REST backup role grants permission to execute the backup command on a running Magnolia instance.


The superuser account has the rest-admin role by default, so you can use superuser to test your requests. For production use, however, you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.

Custom REST roles

Magnolia recommends you create custom REST roles granting specific access for specific use cases.

Todo


To be further specified into:

  • REST roles used on the public instance, mainly to grant to the anonymous user
  • REST roles for the author context, for specific apps and the like ...

Enabling the commands endpoint

Node name                              Value

modules
  rest-services
    rest-endpoints
      commands
        enabledCommands
          activate
            access
              roles
                rest                   rest-admin
            catalogName                website
            commandName                activate
          markAsDeleted
          backup

Properties:

enabledCommands (required): Enabled commands node.

<command> (required): Arbitrary name for the command. Use any name you like.

access (required): Access node.

roles (required): Roles node.

<role> (required): Role name. Grants the role permission to execute the command. Add the rest-admin role. The property name is arbitrary, but the value must be a valid role name.

catalogName (required): Catalog where the command resides.

commandName (required): Command definition name.
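The layered checks described in the endpoint summary table and in the enabledCommands configuration above, as an added model written for this page (not Magnolia's own code). It evaluates a request against a constructed URI ACL, JCR ACL and enabledCommands tree; role names other than those on the page, the ACL shapes and the sample paths are assumptions.

```python
# Added example, not Magnolia code: model of the three checks a REST request passes.
# 1) URI access (URISecurityFilter), 2) JCR access to the workspace for content
# endpoints, 3) for /.rest/commands, a role listed under enabledCommands/<cmd>/access/roles.

# JCR access needed per endpoint and method, taken from the page's table.
JCR_NEEDED = {("delivery", "GET"): "read", ("nodes", "GET"): "read",
              ("properties", "GET"): "read"}
for _ep in ("nodes", "properties"):
    for _m in ("PUT", "POST", "DELETE"):
        JCR_NEEDED[(_ep, _m)] = "write"

# Constructed config mirroring the enabledCommands tree shown on the page.
ENABLED_COMMANDS = {
    "activate": {"roles": {"rest-admin"}, "catalogName": "website", "commandName": "activate"},
}

# Constructed role definitions: URI ACL entries (method or "*", path prefix) and a
# JCR ACL per workspace ("read" or "write"; write implies read).
ROLES = {
    "rest-admin": {"uri": {("*", "/.rest/")}, "jcr": {"website": "write", "dam": "write"}},
    "rest-editor": {"uri": {("GET", "/.rest/nodes/"), ("POST", "/.rest/nodes/")},
                    "jcr": {"website": "write"}},
    "rest-anonymous": {"uri": {("GET", "/.rest/delivery/")}, "jcr": {"website": "read"}},
}

def uri_allowed(user_roles, method, path):
    return any(m in ("*", method) and path.startswith(prefix)
               for r in user_roles for m, prefix in ROLES.get(r, {}).get("uri", ()))

def jcr_allowed(user_roles, workspace, needed):
    levels = {ROLES.get(r, {}).get("jcr", {}).get(workspace) for r in user_roles}
    return "write" in levels or needed in levels

def authorize(user_roles, method, path):
    """Return (allowed, reason) for a request like POST /.rest/commands/v2/website/activate."""
    if not uri_allowed(user_roles, method, path):
        return False, "URI access denied"
    parts = path.strip("/").split("/")  # [".rest", endpoint, version, workspace|catalog, ...]
    endpoint = parts[1] if len(parts) > 1 else ""
    if endpoint == "commands":
        enabled = [n for n, c in ENABLED_COMMANDS.items()
                   if [c["catalogName"], c["commandName"]] == parts[3:5]]
        if not enabled:
            return False, "command not enabled"
        if not ENABLED_COMMANDS[enabled[0]]["roles"] & set(user_roles):
            return False, "role not granted for command"
        return True, "command access granted"
    needed = JCR_NEEDED.get((endpoint, method))
    if needed is None:
        return False, "unknown endpoint or method"
    workspace = parts[3] if len(parts) > 3 else ""
    if not jcr_allowed(user_roles, workspace, needed):
        return False, "JCR %s access denied on %s" % (needed, workspace)
    return True, "access granted"
```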
