Versions Compared

Old Version 9

changes.mady.by.user Julie Legendre

Saved on

compared with

New Version Current

changes.mady.by.user Christoph Meier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There are three levels of control when REST requests are issued:

  • Web access
  • JCR access
  • Command-level access

Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.

URI access security

.

Table of Contents

Security strategy

Multiexcerpt
MultiExcerptNamegeneral-security-advice

REST endpoints are a powerful tool but can also make your site very vulnerable. Make sure you understand how to implement a strong security strategy to safeguard your system.

Web access security

Web access URI security is checked by the 

Javadoc resource link
classNameinfo.magnolia.cms.security.URISecurityFilter
renderTypeasynchronous
. The filter checks whether the role(s) of the requesting user allow to the user to request a given path with given method.

URI Web permissions are granted by Access Control Lists (ACL). An ACL grants as web access lists per role. They grant access to a path for Get or Get & Post. 

  • Get – Grants the HTTP method GET for a given URI.
  • Get & Post – Grants the HTTP methods GETPUTPOST and DELETE for a given URI.

URI Web access is checked for every endpoint.

JCR access security

JCR access security is a feature of the JCR standard (defined by JCR JSR-170 and JSR-283). JCR access is granted per workspace on path level. It can grant Read-only or Read/Write permission. Grant JCR access lists per role.

When using endpoints dealing with JCR repositories (nodes and properties to read and write, delivery to read only) the user must have an appropriate role that provides JCR permissions for the given method.

JCR access security is checked on every endpoint dealing which that reads or writes JCR data.Exception: It

Info

JCR access security can be bypassed for the delivery endpoint for testing purposes.

...

Role-based security

...

... requires further, nice hopefully well understandable bla bla ... :-|.

Summary

Info

Depending on the endpoint, its access requires always URI access, may require JCR access or may require a specific role defined defined on command level.

...

for commands

Command level security access only applies to the commands endpoint. 

Role-based access to specific commands are configured in the rest-services module: /modules/rest-services/rest-endpoints/commands/enabledCommands/ 

Include Page
_What is a command
_What is a command

Security for endpoints - summary

Endpoints always require URI access, they may also require JCR access or a specific role defined at a command level.

When you request a REST URL, URI security is checked first:

  • If the URI security check fails, the request is redirected to the login page

...

  • by default.
  • If the the URI security check is

...

  • passed, the

...

  • request is delegated to the

...

  • endpoint in question.

If the endpoint concerns with JCR access - , JCR access security is checked too. :

  • If the user is not granted access to the requested node,

...

  • the endpoint responds with an HTTP error.
  • If JCR security access is granted, the endpoint

...

  • responds with

...

  • an HTTP response code 200 and

...

  • a response body if appropriate.

If the endpoint triggers commands - , the command definition grants access via specifically defined roles defined per command.:


HTTP
method
URI
Web access security required

JCR access security


Specific role based security

delivery GET

/.rest/delivery/

v1/{workspace}/{path} read access for a path on a workspace

*

Read-only access for the delivery API path-
nodes GET

/.rest/nodes/v1/{workspace}/{path}

read
Read-only access for a path on a workspace-
PUT

/.rest/nodes/v1/{workspace}/{path}

read&write
Read/Write access for a path on a workspace-
POST

/.rest/nodes/v1/{workspace}/{path}

read&write
Read/Write access for a path on a workspace-
DELETE/.rest/nodes/v1/{workspace}/{path}
read&write
Read/Write access for a path on a workspace-
properties GET/.rest/nodes/v1/{workspace}/{path}
read
Read-only access for a path on a workspace-
PUT/.rest/nodes/v1/{workspace}/{path}
read&write
Read/Write access for a path on a workspace-
POST/.rest/nodes/v1/{workspace}/{path}
read&write
Read/Write access for a path on a workspace-
DELETE/.rest/nodes/v1/{workspace}/{path}
read&write
Read/Write access for a path on a workspace-
commands POST/.rest/commands/v2/{catalogName}/{command}-required

REST roles

The REST module installs four default roles with the following permissions:

  • rest-admin – The REST administrator role grants GET/POST permissions to all Magnolia's REST APIs.
  • rest-editor – The REST editor role grants GET/POST permissions to REST services APIs (nodes, properties), for a limited set of workspaces.
  • rest-anonymous – The REST anonymous consumer role grants GET permissions to Magnolia's content delivery REST API.
  • rest-backup – The REST backup role grants permission to execute the backup command from a running Magnolia instance.

Multiexcerpt include
MultiExcerptNamerest-role-permissions
nopaneltrue
PageWithExcerptDefault permissions

The superuser account has the rest-admin role by default so you can use superuser to test your requests. However, for production use, you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.

Custom REST roles

Magnolia recommends you create custom REST roles granting specific access for specific use cases.

Todo

Jira
serverMagnolia - Issue tracker
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId500b06a6-e204-3125-b989-2d75b973d05f
keyDOCU-1199

To be further specified into

  • rest roles used on the public instance - mainly to grant to anonymous user
  • rest roles for the author context for specific apps and whatnot ...

Enabling commands (optional)

...

Note

You can make sweeping changes with commands, such as bypassing approval and deleting the whole site. Commands are therefore subject to special security restrictions. 

To enable the use of commands through REST:

  1. Open the security app and grant the rest-admin role a permission to issue requests to the commands endpoint.  Permission to the endpoint is denied by default. Add a new rule.
    Image Removed
  2. Whitelist any commands you want to expose to REST. The white list is managed in /modules/rest-services/rest-endpoints/commands/enabledCommands.

...

enableHeadingAttributesfalse
enableSortingfalse
classm5-configuration-tree
enableHighlightingfalse

...

The custom roles you create depend on your individual project requirements. In general, we recommend you:

  • First deny everything, then specifically grant only what is required.
  • Avoid granting write permissions on JCR workspaces for anonymous users.
  • Create different roles for each use case

...

Mgnl f
modules

...

Mgnl f
rest-services

...

Mgnl f
rest-endpoints

...

Mgnl n
commands

...

Mgnl n
enabledCommands

...

Mgnl n
activate

...

Mgnl n
access

...

Mgnl n
roles

...

Mgnl p
rest

...

rest

...

Mgnl p
catalogName

...

website

...

Mgnl p
commandName

...

activate

...

Mgnl n
markAsDeleted

Properties:

...

required

Enabled commands node.

...

<command>

...

required

Arbitrary name for the command. Use any name you like.

...

access

...

required

Access node.

...

roles

...

required

Roles node.

...

<role>

...

required

Role name. Grants the role permission to execute the command . Add the default rest role. The property name is arbitrary but the value must be a valid role name.

...

catalogName

...

required

Catalog where the command resides.

...

commandName

required

...

  • .