Magnolia 5.6 reached end of life on June 25, 2020. This branch is no longer supported, see End-of-life policy.
There are three levels of control when REST requests are issued:
Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.
REST endpoints are a powerful tool but can also make your site very vulnerable. Make sure you understand how to implement a strong security strategy to safeguard your system.
Web access security is checked by the
JCR access security is checked on every endpoint that reads or writes JCR data.
Role-based access to specific commands is configured in the rest-services module under /modules/rest-services/rest-endpoints/commands/enabledCommands/.
If the endpoint triggers commands, the command definition grants access via roles defined specifically for each command:
Endpoint | HTTP method | Web access security required (URI) | JCR access security | Specific role-based security
---|---|---|---|---
delivery | GET | /.rest/delivery/* | Read-only access for the delivery API path | -
nodes | GET | /.rest/nodes/v1/{workspace}/{path} | Read-only access for a path on a workspace | -
nodes | PUT | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
nodes | POST | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
nodes | DELETE | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
properties | GET | /.rest/nodes/v1/{workspace}/{path} | Read-only access for a path on a workspace | -
properties | PUT | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
properties | POST | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
properties | DELETE | /.rest/nodes/v1/{workspace}/{path} | Read/Write access for a path on a workspace | -
commands | POST | /.rest/commands/v2/{catalogName}/{command} | - | required
The REST module installs four default roles with the following permissions:
rest-admin – The REST administrator role grants GET/POST permissions to all Magnolia's REST APIs.
rest-editor – The REST editor role grants GET/POST permissions to REST services APIs (nodes, properties), for a limited set of workspaces.
rest-anonymous – The REST anonymous consumer role grants GET permissions to Magnolia's content delivery REST API.
rest-backup – The REST backup role grants permission to execute the backup command from a running Magnolia instance.
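To make the three levels concrete, here is an added model (not Magnolia's own code) of how a request to the endpoints in the table above is checked against a role: web access (URI pattern plus HTTP method), then JCR access on the workspace, then the per-command role. The endpoint URIs, default role names and the backup command come from the page; the `Role` structure and the ACL contents given to each default role are assumptions for illustration.

```python
# Added illustration of the page's three-level REST authorization model.
# Not Magnolia's implementation: Role, its ACL shape and the sample ACL
# contents are assumed; endpoint URIs and role names are from the page.
from dataclasses import dataclass, field
from fnmatch import fnmatch

READ = "GET"  # the only read-only HTTP method in the endpoint table


@dataclass
class Role:
    name: str
    web_acl: dict = field(default_factory=dict)   # {uri_glob: {HTTP methods}}
    jcr_acl: dict = field(default_factory=dict)   # {workspace: "read" | "write"}
    commands: set = field(default_factory=set)    # commands this role may run


def web_allowed(role, method, uri):
    # Level 1: web access security, matched on URI pattern and HTTP method
    return any(fnmatch(uri, glob) and method in methods
               for glob, methods in role.web_acl.items())


def jcr_allowed(role, method, workspace):
    # Level 2: JCR access security; PUT/POST/DELETE need write, GET needs read
    level = role.jcr_acl.get(workspace)
    if level is None:
        return False
    return level == "write" or method == READ


def authorize(role, method, uri, workspace=None, command=None):
    """Return 'allowed' or the first level at which the request is denied."""
    if not web_allowed(role, method, uri):
        return "denied: web access"
    if workspace is not None and not jcr_allowed(role, method, workspace):
        return "denied: jcr access"
    if command is not None and command not in role.commands:
        return "denied: command role"
    return "allowed"


# Constructed roles modelled on the page's defaults (ACL contents assumed).
REST_EDITOR = Role("rest-editor",
                   web_acl={"/.rest/nodes/v1/website/*": {"GET", "PUT", "POST", "DELETE"}},
                   jcr_acl={"website": "write"})
REST_ANONYMOUS = Role("rest-anonymous",
                      web_acl={"/.rest/delivery/*": {"GET"}},
                      jcr_acl={"website": "read"})
REST_BACKUP = Role("rest-backup",
                   web_acl={"/.rest/commands/v2/*": {"POST"}},
                   commands={"backup"})
```

Each denial names the level that stopped the request, which is the order in which you should look when a REST call unexpectedly fails or, more importantly, unexpectedly succeeds.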
Magnolia recommends you create custom REST roles granting specific access for specific use cases.
There is no "one size fits all" recipe. Create the custom roles according to your needs. However, here are a few recommendations.
The custom roles you create depend on your individual project requirements. In general, we recommend you: