REST security is configured at two levels:

ActorChainRestRegistry.properties

This is the property file where actors and actor chains are registered. Only the actor chains explicitly listed in this file are externally accessible.

AccessControlServlet.properties

The servlet AccessControlServlet is used to provide more security granularity.

/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\

In the previous example, a request for the summary actor chain on ProfileActor, which returns profile information such as name, birth date, etc., requires that the user be logged in. A user who is not logged in is redirected to /rest/model/atg/userprofiling/SecurityStatusActor/authenticationRequired, which displays an authentication error message.

Note: The chain ProfileActor/logout-success is explicitly set to AllAccessController since otherwise it would fall under the ProfileActor/logout LoggedInAccessController.
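
The overlap described in the Note can be checked mechanically when reviewing a mapping. The following is an added example, not Oracle's code: it parses the mapping shown above and assumes, based on the Note, that a request is governed by the longest configured path that is a prefix of it. The function names are hypothetical.

```python
# Added example: models the prefix behaviour described in the Note.
# ASSUMPTION: a request path is governed by the longest configured path that
# is a string prefix of it; the real servlet's matching rules may differ.

# The mapping value exactly as shown on this page.
MAPPING_TEXT = r"""
/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\
"""

def parse_mapping(text):
    """Join backslash-continued lines and split the 'path=controller' pairs."""
    joined = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    pairs = {}
    for item in joined.split(","):
        if item.strip():
            path, controller = item.strip().split("=", 1)
            pairs[path] = controller
    return pairs

def resolve(mapping, request_path):
    """Return the controller of the longest configured prefix, or None."""
    hits = [p for p in mapping if request_path.startswith(p)]
    return mapping[max(hits, key=len)] if hits else None

def prefix_overlaps(mapping):
    """List (shorter, longer) pairs where one configured path prefixes another."""
    return sorted((a, b) for a in mapping for b in mapping
                  if a != b and b.startswith(a))

def inherited_if_removed(mapping, path):
    """Controller that would govern `path` if its explicit entry were deleted."""
    rest = {p: c for p, c in mapping.items() if p != path}
    return resolve(rest, path)

if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_TEXT)
    for shorter, longer in prefix_overlaps(mapping):
        print(f"{longer} overlaps {shorter}")
        print(f"  explicit controller:  {mapping[longer]}")
        print(f"  without its entry:    {inherited_if_removed(mapping, longer)}")
```

Each reported pair is a chain whose effective controller depends on its own explicit entry being present, so those entries deserve attention whenever the mapping is edited.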


Copyright © 1997, 2013 Oracle and/or its affiliates. All rights reserved.