Magnolia 5.6 reached end of life on June 25, 2020. This branch is no longer supported, see End-of-life policy.
Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.
Do, re mi ..
<START: note from chm>
URI access security
URI security is checkecked by the URISecurityFilter. The filter checks whether the role(s) of the requesting user allow to request the given path by the given method.
URI permissions are granted by ACLs. An ACL grants access to a path for get or get&post.
get => grants the HTTP method GET for a given URI.
get&post => grants the HTTP methods GET, PUT, POST and DELETE for a given URI.
URI access is checked for every endpoint.
JCR access security
JCR acces security is a feature of the JCR standard (defined by JCR JSR-170 and JSR-283). JCR access is granted per workspace on path level - it can grant the permision to read or to read&write.
When using endpoints dealing with JCR repositories - nodes and properties to read and write - delivery to read only - the given user must have an appropriate role which provides JCR permissions for the given method.
JCR access security is checked on every endpoint dealing which reads or writes JCR data. (Exception: It can be bypassed for the delivery endpoint for testing reasons.)
Specific role based security applied to commands
... requires further, nice hopefully well understandable bla bla ... :-|.
Summary
Depending on the endpoint - its access requires always URI access, may require JCR access or may require a specific role defined defined on command level.
When requesting a REST URL - first URI security is checked. If URI security check fails, the request is redirected to the login page per default. If the URI security is granted, the requested is delegated to the responsible endpoint.
If the endpoint concerns with JCR access - JCR access security is checked too. If the user is not granted access to the requested node, the endpoint returns with the the HTTP response code 401, 403, 404 or 500 depending on the case (to be checked or to be shortened). When JCR security access is granted, the endpoint returns with the HTTP response code 200 and may or may not return an response body.
If the endpoint triggers commands - the command definition grants access via specifically defined roles defined per command ... (oder so ähnlich ...).
| HTTP method | URI security required | JCR access security | Specific role based security | |
|---|---|---|---|---|
delivery | GET | /.rest/delivery/v1/{workspace}/{path} | read access for a path on a workspace | - |
nodes | GET | /.rest/nodes/v1/{workspace}/{path} | read access for a path on a workspace | - |
PUT | /.rest/nodes/v1/{workspace}/{path} | read&write access for a path on a workspace | - | |
POST | /.rest/nodes/v1/{workspace}/{path} | read&write access for a path on a workspace | - | |
DELETE | /.rest/nodes/v1/{workspace}/{path} | read&write access for a path on a workspace | - | |
properties | GET | /.rest/nodes/v1/{workspace}/{path} | read access for a path on a workspace | - |
PUT | /.rest/nodes/v1/{workspace}/{path} | read&write access for a path on a workspace | - | |
POST | /.rest/nodes/v1/{workspace}/{path} | read&write access for a path on a workspace | - | |
DELETE | /.rest/nodes/v1/{workspace}/{path} | read&write access for a path on a workspace | - | |
commands | POST | /.rest/commands/v2/{catalogName}/{command} | - | required |
<EOF: note from chm>
REST roles
The REST module installs four default roles with the following permissions:
Web access Permission Path Get & Post Configured access Applies to Name Path Commands Delete Activate Web access Permission Path Deny Deny Deny Get & Post Deny Get & Post Get & Post Web access Permission Path Deny Get Web access Permission Path Get & Post Configured access Applies to Name Path Command Backuprest-admin
/.rest/*/modules/rest-services/rest-endpoints/commands/enabledCommands/markAsDeleted/access/roles/modules/rest-services/rest-endpoints/commands/enabledCommands/activate/access/rolesrest-editor
/.rest*Get /.rest/delivery/*/.rest/commands*/.rest/nodes*/.rest/nodes/v1/website*/.rest/properties*/.rest/properties/v1/website*/.rest/cache/v1*rest-anonymous
/.rest*/.rest/delivery/*rest-backup
/.rest/commands/v2/backup/backup
/modules/rest-services/rest-endpoints/commands/enabledCommands/backup/access/roles
The superuser account has the rest-admin role by default so you can use superuser to test your requests. However, for production use you should create a custom REST role. The anonymous role is specifically denied access to the REST endpoints.
Custom REST roles
Magnolia recommends you create custom REST roles granting specific access for specific use cases.TODO:
DOCU-1199
-
Getting issue details...
STATUS
To be further specified intoanonymous user
Enabling commands (optional)
Commands are custom actions executed at pre-defined trigger points. Magnolia uses commands to activate content, send email, flush the cache, take backups, import and export data, and to do many other tasks. Commands can perform duties within the system or connect to external resources.
You can make sweeping changes with commands, such as bypassing approval and deleting the whole site. Commands are therefore subject to a special security restrictions.
To enable the use of commands through REST:
- Open the security app and grant the
rest-adminrole a permission to issue requests to thecommandsendpoint. Permission to the endpoint is denied by default. Add a new rule.
- Whitelist any commands you want to expose to REST. The white list is managed in
/modules/rest-services/rest-endpoints/commands/enabledCommands.
| Node name | Value |
|---|---|
rest | |
website | |
activate | |
Properties:
enabledCommands | required Enabled commands node. |
| required Arbitrary name for the command. Use any name you like. |
| required Access node. |
| required Roles node. |
| required Role name. Grants the role permission to execute the command . Add the default |
| required Catalog where the command resides. |
| required Command definition name. |
Overview
Content Tools