Magnolia 5.6 reached end of life on June 25, 2020. This branch is no longer supported, see End-of-life policy.
...
Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.
...
REST endpoints are a powerful tool, but they can also make your site very vulnerable. Make sure you understand how to implement a strong security strategy to safeguard your system.
URI security is checked by the
Endpoints always require URI access; they may also require JCR access or a specific role defined at the command level.
...
If an endpoint triggers commands, the command definition grants access via roles that are defined per command:
Endpoint | HTTP method | URI security required | JCR access security | Specific role-based security
---|---|---|---|---
delivery | GET | /.rest/delivery/v1/{workspace}/{path} | Read-only access for a path on a workspace | -
nodes | GET | /.rest/nodes/v1/{workspace}/{path} | Read-only access for a path on a workspace | -
nodes | PUT | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
nodes | POST | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
nodes | DELETE | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
properties | GET | /.rest/nodes/v1/{workspace}/{path} | Read-only access for a path on a workspace | -
properties | PUT | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
properties | POST | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
properties | DELETE | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
commands | POST | /.rest/commands/v2/{catalogName}/{command} | - | required
...
The REST module installs four default roles with the following permissions:
- rest-admin – The REST administrator role grants GET/POST permissions to all Magnolia's REST APIs.
- rest-editor – The REST editor role grants GET/POST permissions to the REST services APIs (nodes, properties) for a limited set of workspaces.
- rest-anonymous – The REST anonymous consumer role grants GET permissions to Magnolia's content delivery REST API.
- rest-backup – The REST backup role grants permission to execute the backup command from a running Magnolia instance.
The superuser account has the rest-admin role by default, so you can use superuser to test your requests. However, for production use you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.
Magnolia recommends you create custom REST roles granting specific access for specific use cases.
...
Properties:
Property | Required | Description
---|---|---
enabledCommands | required | Enabled commands node.
| required | Arbitrary name for the command. Use any name you like.
| required | Access node.
| required | Roles node.
| required | Role name. Grants the role permission to execute the command. Add the
| required | Catalog where the command resides.
| required | Command definition name.
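As an added illustration (not from the Magnolia documentation), the node tree below shows how the properties above fit together when one custom REST role is allowed to run one command, following the recommendation to use a dedicated role rather than rest-admin. The entry name `runBackup`, the role name `rest-backup-operator`, and the property names `catalog` and `command` are assumptions, as are the `backup` catalog and command names.

```yaml
# Added example, not part of the original page. Node/property names other than
# enabledCommands, access and roles are assumptions based on the property table.
enabledCommands:
  runBackup:                      # arbitrary name for this command entry
    access:
      roles:
        # Role name: only members of this role may execute the command.
        # A custom role is used instead of rest-admin to keep the grant narrow.
        rest-backup-operator: rest-backup-operator
    catalog: backup                # catalog where the command resides (assumed)
    command: backup                # command definition name (assumed)
```

Remember that the commands endpoint also requires URI access (see the table above), so the same role must additionally be granted access to the /.rest/commands/v2/ path in its ACL; the role grant here covers only the command-level check.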
...