REST security is configured at two levels, through two property files:
B2CStore/Mobile/REST/config/atg/rest/registry/ActorChainRestRegistry.properties
B2CStore/Mobile/REST/config/atg/dynamo/servlet/dafpipeline/AccessControlServlet.properties
ActorChainRestRegistry.properties
This is the property file where actors and actor chains are registered. Only the actor chains explicitly listed in this file are externally accessible.
AccessControlServlet.properties
The AccessControlServlet servlet provides finer-grained control by mapping individual actor-chain URLs to access controllers, as in the following excerpt:
/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\
In the example above, the summary actor chain on the ProfileActor, which returns profile information such as name, birth date, etc., is mapped to LoggedInAccessController: the user must be logged in, otherwise the request is redirected to /rest/model/atg/userprofiling/SecurityStatusActor/authenticationRequired, which returns an authentication error message.
Note: The chain ProfileActor/logout-success is explicitly mapped to AllAccessController because its URL begins with ProfileActor/logout; without its own entry it would match the ProfileActor/logout mapping and inherit LoggedInAccessController, and a user who had just logged out could never reach it.
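To make the shadowing described in the note concrete, here is an added Python illustration (not Oracle ATG code) that parses the three mappings above and resolves request paths to a controller. It assumes, purely for illustration, that AccessControlServlet applies the mapping whose key is the longest prefix of the request path; the sample map text is constructed from the excerpt on this page.

```python
# Added illustration, not Oracle ATG code. Assumption: the servlet picks the
# mapping whose key is the longest prefix of the request path.

# Constructed from the three mappings on this page: properties-style text with
# backslash line continuations and comma-separated path=controller entries.
ACCESS_MAP_TEXT = r"""
/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\
"""


def parse_access_map(text):
    """Join continuation lines, split on commas, return {path: controller}."""
    joined = "".join(line.rstrip("\\") for line in text.splitlines())
    mapping = {}
    for entry in joined.split(","):
        entry = entry.strip()
        if not entry:
            continue
        path, controller = entry.split("=", 1)
        mapping[path.strip()] = controller.strip()
    return mapping


def resolve_controller(mapping, request_path):
    """Longest-prefix match (assumed rule); None means no mapping applies."""
    best = None
    for path, controller in mapping.items():
        if request_path.startswith(path) and (best is None or len(path) > len(best[0])):
            best = (path, controller)
    return best[1] if best else None


def controller_without_entry(mapping, request_path, dropped):
    """Resolve as if one mapping were missing, to show what the note warns about."""
    reduced = {p: c for p, c in mapping.items() if p != dropped}
    return resolve_controller(reduced, request_path)


if __name__ == "__main__":
    access_map = parse_access_map(ACCESS_MAP_TEXT)
    logout_success = "/rest/model/atg/userprofiling/ProfileActor/logout-success"
    print("with explicit entry:   ", resolve_controller(access_map, logout_success))
    print("without explicit entry:", controller_without_entry(access_map, logout_success, logout_success))
```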