REST security is configured at two levels:
B2CStore/Mobile/REST/config/atg/rest/registry/ActorChainRestRegistry.properties
B2CStore/Mobile/REST/config/atg/dynamo/servlet/dafpipeline/AccessControlServlet.properties

ActorChainRestRegistry.properties
This is the property file where actors and actor chains are registered. Only the actor chains explicitly listed in this file are externally accessible.

AccessControlServlet.properties
The AccessControlServlet servlet provides finer-grained access control by mapping individual REST URLs to access controllers, for example:

/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\
In the previous example, a request for the summary actor chain on the ProfileActor, which returns profile information such as name, birth date, etc., requires that the user be logged in; otherwise the request is redirected to /rest/model/atg/userprofiling/SecurityStatusActor/authenticationRequired, which displays an authentication error message.

Note: The chain ProfileActor/logout-success is explicitly set to AllAccessController because otherwise it would fall under the LoggedInAccessController mapping of ProfileActor/logout.
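The fall-through described in the note is easy to get wrong when auditing a mapping by eye, so the following added example (not ATG's own code, and not from the original page) parses a constructed fragment in the shape of the AccessControlServlet mapping above and resolves request paths to controllers. It assumes, as the note implies, that a mapping entry also covers any longer path it is a prefix of, with the longest matching entry winning; the property key is omitted because the page does not show it.

```python
"""Model of how AccessControlServlet-style URL mappings resolve to controllers.

Added example. Assumption: an entry matches a request path if it equals the
path or is a prefix of it, and the longest matching entry wins. This models
the fall-through the note describes; it is not ATG's actual implementation.
"""
from typing import Dict, List, Optional

# Constructed sample fragment (value part only, as on the page): one
# "path=controller" pair per line, comma-separated, backslash continuations.
MAPPING_TEXT = r"""/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
/rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController"""

LOGGED_IN = "/atg/rest/userprofiling/LoggedInAccessController"
ALL_ACCESS = "/atg/rest/userprofiling/AllAccessController"


def parse_mapping(text: str) -> Dict[str, str]:
    """Join backslash-continued lines, split on commas, return path -> controller."""
    joined = "".join(line.rstrip().rstrip("\\") for line in text.splitlines())
    mapping: Dict[str, str] = {}
    for entry in joined.split(","):
        entry = entry.strip()
        if not entry:
            continue
        path, _, controller = entry.partition("=")
        mapping[path.strip()] = controller.strip()
    return mapping


def resolve(mapping: Dict[str, str], request_path: str) -> Optional[str]:
    """Return the controller for request_path using longest-prefix matching
    (assumed behaviour), or None when no entry covers the path."""
    best_key: Optional[str] = None
    for key in mapping:
        if request_path == key or request_path.startswith(key):
            if best_key is None or len(key) > len(best_key):
                best_key = key
    return mapping[best_key] if best_key is not None else None


def audit(mapping: Dict[str, str], paths: List[str]) -> Dict[str, Optional[str]]:
    """Report which controller each chain of interest actually resolves to."""
    return {p: resolve(mapping, p) for p in paths}


if __name__ == "__main__":
    full = parse_mapping(MAPPING_TEXT)
    # "Weak" variant: the explicit logout-success entry left out.
    weak = {k: v for k, v in full.items() if not k.endswith("/logout-success")}
    target = "/rest/model/atg/userprofiling/ProfileActor/logout-success"
    print("with explicit entry:   ", resolve(full, target))
    print("without explicit entry:", resolve(weak, target))
```

Running the block shows logout-success resolving to AllAccessController only when its own entry is present; with that entry removed it inherits the LoggedInAccessController of ProfileActor/logout, which is exactly the case the note guards against. The audit helper is the form a practitioner would run over the real mapping to list each chain's effective controller.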