The security functionality for Oracle ATG Web Commerce platform REST Web Services allows security to be placed on multiple levels of granularity for Nucleus components.

The default configuration for Oracle ATG Web Commerce platform REST Web Services is to not allow access to any components. This means that you will need to configure security to be able to call methods or access properties on Nucleus components.

Security on Nucleus components can be configured globally for all components, at the component level for all properties and methods, at the property level, at the method level, and for entire Nucleus sub-trees. The REST security subsystem depends on the Oracle ATG Web Commerce security system and therefore uses ACLs that are similar to those used to configure security in other parts of an Oracle ATG Web Commerce server. The personas can be users, organizations, or roles. The valid rights that can be assigned to a persona are read, write, and execute. Read and write apply to Nucleus properties, and execute applies to Nucleus methods. To configure multiple personas, use a semicolon (;) character to separate each access control entry (persona/rights).
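As an added illustration (not Oracle's code), the following Python sketch lints an ACL value of the kind described above and applies the default-deny rule from the previous paragraph. The `persona:right,right` entry syntax, the sample persona names, and the helper names `parse_acl` and `is_allowed` are assumptions made for this example.

```python
# Added example: lint and evaluate a REST ACL value (simplified model, not ATG's engine).
VALID_RIGHTS = {"read", "write", "execute"}  # the three rights named in the text above


def parse_acl(acl):
    """Parse 'persona:right,right;persona:right' into {persona: {rights}}.

    Assumption: a colon separates persona from rights and commas separate rights.
    """
    entries = {}
    for ace in acl.split(";"):          # semicolon separates access control entries
        ace = ace.strip()
        if not ace:
            continue                    # tolerate a trailing semicolon
        persona, sep, rights = ace.rpartition(":")
        persona = persona.strip()
        if not sep or not persona:
            raise ValueError(f"entry has no persona: {ace!r}")
        granted = {r.strip() for r in rights.split(",") if r.strip()}
        if not granted:
            raise ValueError(f"entry grants no rights: {ace!r}")
        unknown = granted - VALID_RIGHTS
        if unknown:
            raise ValueError(f"unknown rights {sorted(unknown)} in {ace!r}")
        entries.setdefault(persona, set()).update(granted)
    return entries


def is_allowed(acl, personas, right):
    """Default deny: allow only if one of the caller's personas holds the right."""
    if right not in VALID_RIGHTS:
        raise ValueError(f"unknown right: {right!r}")
    entries = parse_acl(acl or "")      # no ACL configured means no access
    return any(right in entries.get(p, ()) for p in personas)


# Constructed sample ACL value; the persona names are illustrative only.
SAMPLE_ACL = "Profile$role$restUser:read,execute;Profile$role$restAdmin:read,write,execute"

if __name__ == "__main__":
    print(parse_acl(SAMPLE_ACL))
    print(is_allowed(SAMPLE_ACL, ["Profile$role$restUser"], "write"))
    print(is_allowed("", ["Profile$role$restUser"], "read"))
```

Running a check like this over ACL values before deployment catches misspelled rights and entries that grant write or execute more broadly than intended.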

The REST security configuration file is located at /atg/rest/security/restSecurityConfiguration.xml. To add your own security configuration, create a file at that location in the config directory of your module.

Note: The Oracle ATG Web Commerce platform REST Web Services module does not provide functionality for securing repository items. All Oracle ATG Web Commerce repository security is handled by the Oracle ATG Web Commerce secured repository system, which works in conjunction with the Oracle ATG Web Commerce Security System to provide fine-grained access control to repository item descriptors, individual repository items, and even individual properties. For more information, see the ATG Repository Guide.