The Legacy REST Web Services server uses the underlying security system of the Oracle ATG Web Commerce platform. HTTP clients that invoke Legacy REST Web Services functionality behave in a manner that is similar to human users logging into an Oracle ATG Web Commerce platform user interface and interacting with its functionality.

To understand the security system used by the Legacy REST Web Services server you must understand the system used by the Oracle ATG Web Commerce platform. See Managing Access Control in the ATG Platform Programming Guide.

Logging In and Session IDs

The Legacy REST Web Services server will only process requests if the HTTP client sending them has an active HTTP session. Clients must log in to the server before performing operations. The server will provide a session ID which the client must present with each Legacy REST Web Services request. See Logging In.

Nucleus Component Granularity

The security functionality for Legacy REST Web Services lets you apply security to Nucleus components at multiple levels of granularity.

By default, Legacy REST Web Services does not allow access to any components. You must therefore configure security before clients can call methods or access properties on Nucleus components.

Security on Nucleus components can be configured globally for all components, at the component level for all properties and methods, at the property level, at the method level, and for entire Nucleus sub-trees. The REST security subsystem depends on the Oracle ATG Web Commerce security system and therefore uses ACLs that are similar to those used to configure security in other parts of an Oracle ATG Web Commerce server. The personas can be users, organizations, or roles. The valid rights that can be assigned to a persona are read, write, and execute. Read and write refer to Nucleus properties, and execute refers to Nucleus methods. To configure multiple personas, use a semicolon (;) character to separate each access control entry (persona/rights).

The REST security configuration file is located at /atg/rest/security/restSecurityConfiguration.xml. To add your own security configuration create a file at that location in the config directory of your module.
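The following added example (not Oracle code) lints ACL strings before they are placed in the security configuration, flagging rights outside read, write, and execute and rights that do not match the level being secured. It assumes each access control entry is written as `persona:right,right`; the persona names are constructed placeholders.

```python
# Added example: lint ACL strings before they go into restSecurityConfiguration.xml.
# ASSUMPTION (not on the page): an entry is written "persona:right,right".
# From the page: ";" separates entries; rights are read, write, execute.
VALID_RIGHTS = {"read", "write", "execute"}
# From the page: read/write refer to properties, execute refers to methods.
APPLICABLE = {
    "global": VALID_RIGHTS,
    "component": VALID_RIGHTS,
    "property": {"read", "write"},
    "method": {"execute"},
}

def parse_acl(acl):
    """Return [(persona, {rights})] for a semicolon-separated ACL string."""
    entries = []
    for raw in acl.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing or doubled semicolon
        persona, sep, rights = raw.rpartition(":")
        if not sep or not persona.strip():
            raise ValueError(f"entry {raw!r} is not a persona/rights pair")
        entries.append((persona.strip(),
                        {r.strip().lower() for r in rights.split(",") if r.strip()}))
    return entries

def lint_acl(acl, level):
    """Return human-readable findings for one ACL at the given level."""
    findings = []
    for persona, rights in parse_acl(acl):
        if not rights:
            findings.append(f"{persona}: no rights listed")
        for right in sorted(rights - VALID_RIGHTS):
            findings.append(f"{persona}: unknown right {right!r}")
        for right in sorted((rights & VALID_RIGHTS) - APPLICABLE[level]):
            findings.append(f"{persona}: {right!r} does not apply to a {level}")
    return findings

if __name__ == "__main__":
    # Constructed sample ACLs; persona names are placeholders.
    for acl, level in [("role-a:read,write;user-b:execute", "property"),
                       ("role-a:read,writ", "component"),
                       ("role-a:execute;org-c:execute", "method")]:
        print(level, acl, "->", lint_acl(acl, level) or "ok")
```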

Note: The Legacy REST Web Services module does not provide functionality for securing repository items. All Oracle ATG Web Commerce repository security is handled by the Oracle ATG Web Commerce secured repository system, which works in conjunction with the Oracle ATG Web Commerce Security System to provide fine-grained access control to repository item descriptors, individual repository items, and even individual properties. For more information, see the ATG Repository Guide.


Copyright © 1997, 2013 Oracle and/or its affiliates. All rights reserved.