Magnolia 5.6 reached end of life on June 25, 2020. This branch is no longer supported, see End-of-life policy.
There are three levels of control when REST requests are issued:
Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.
Table of Contents |
---|
Multiexcerpt | ||
---|---|---|
| ||
REST endpoints are a powerful tool but can also make your site very vulnerable. Make sure you understand how to implement a strong security strategy to safeguard your system. |
Web access security is checked by the
Javadoc resource link | ||||
---|---|---|---|---|
|
Web permissions are granted with as web access lists - they per role. They grant access to a path for Get or Get & Post. You can grant web access per role.
GET
for a given URI.GET
, PUT
, POST
and DELETE
for a given URI....
JCR access security is a feature of the JCR standard (defined by JCR JSR-170 and JSR-283). JCR access is granted per workspace on path level. It can grant Read-only or Read/Write permission. You can grant Grant JCR access lists per role.
When using endpoints dealing with JCR repositories (nodes
and properties
to read and write, delivery
to read only) the user must have an appropriate role that provides JCR permissions for the given method.
JCR access security is checked on every endpoint dealing which that reads or writes JCR data.
...
Role-based access to specific commands are configured in the rest-services
module: /modules/rest-services/rest-endpoints/commands/enabledCommands/
Include Page | ||||
---|---|---|---|---|
|
...
If the endpoint triggers commands, the command definition grants access via specifically defined roles defined per command:
HTTP method | Web access security required | JCR access security | Specific role based security | |
---|---|---|---|---|
delivery | GET | /.rest/delivery |
/ |
* | Read-only access for |
the delivery API path | - | |||
nodes | GET | /.rest/nodes/v1/{workspace}/{path} | Read-only access for a path on a workspace | - |
PUT | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | - | |
POST | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | - | |
DELETE | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | - | |
properties | GET | /.rest/nodes/v1/{workspace}/{path} | Read-only access for a path on a workspace | - |
PUT | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | - | |
POST | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | - | |
DELETE | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | - | |
commands | POST | /.rest/commands/v2/{catalogName}/{command} | - | required |
The REST module installs four default roles with the following permissions:
rest-admin
– The REST administrator role grants GET/POST permissions to all Magnolia's REST APIs.rest-editor
– The REST editor – The REST editor role grants GET/POST permissions to REST services APIs (nodes, properties), for a limited set of workspaces.rest-anonymous
– The REST anonymous consumer consumer role grants GET permissions to Magnolia's content delivery REST API.rest-backup
– – The REST backup role backup role grants permission to execute the backup
command from a running Magnolia instance.Multiexcerpt include | ||||||
---|---|---|---|---|---|---|
|
...
Magnolia recommends you create custom REST roles granting specific access for specific use cases.
...
Jira | ||||||||
---|---|---|---|---|---|---|---|---|
|
To be further specified into
The custom roles you create depend on your individual project requirements. In general, we recommend you:
...