REST security is configured using two levels:

ActorChainRestRegistry.properties

This is the property file where actors and actor chains are registered. Only the actor chains explicitly listed in this file are externally accessible.

AccessControlServlet.properties

The servlet AccessControlServlet is used to provide more security granularity, for example:

/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\

In the previous example, a request for the summary actor chain on the ProfileActor, which returns profile information such as name, birth date, etc., requires that the user be logged in. A user who is not logged in is redirected to /rest/model/atg/userprofiling/SecurityStatusActor/authenticationRequired, which displays an authentication error message.

Note: The chain ProfileActor/logout-success is explicitly set to AllAccessController because otherwise it would fall under the ProfileActor/logout LoggedInAccessController.
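
The note above implies that paths are matched by prefix. The following added example (not Oracle's code) models that behavior to audit a mapping for entries that fall under a shorter entry. It assumes that the longest matching configured path wins; parse_mapping, resolve and shadowed_entries are hypothetical helper names, and SAMPLE is constructed from the three entries shown above.

```python
# Added example: a model of the prefix matching the note describes.
# Assumption: the longest configured path that prefixes the request wins.

# Constructed sample: the three entries from the excerpt above.
SAMPLE = r"""
/rest/model/atg/userprofiling/ProfileActor/summary=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout=/atg/rest/userprofiling/LoggedInAccessController,\
  /rest/model/atg/userprofiling/ProfileActor/logout-success=/atg/rest/userprofiling/AllAccessController,\
"""

def parse_mapping(text):
    """Join backslash-continued lines, then split 'path=controller' pairs."""
    joined = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    mapping = {}
    for entry in joined.split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate the trailing ',' left by the excerpt
        path, sep, controller = entry.partition("=")
        if not sep or not path.startswith("/"):
            raise ValueError(f"malformed entry: {entry!r}")
        mapping[path.strip()] = controller.strip()
    return mapping

def resolve(mapping, request_path):
    """Return (matched_path, controller) for the longest prefix, else None."""
    matches = [p for p in mapping if request_path.startswith(p)]
    if not matches:
        return None  # no configured controller applies to this path
    best = max(matches, key=len)
    return best, mapping[best]

def shadowed_entries(mapping):
    """Pairs (path, shorter_path) where an entry also falls under another."""
    return sorted((p, q) for p in mapping for q in mapping
                  if p != q and p.startswith(q))

if __name__ == "__main__":
    base = "/rest/model/atg/userprofiling/ProfileActor/"
    m = parse_mapping(SAMPLE)
    print("with explicit entry:   ", resolve(m, base + "logout-success"))
    del m[base + "logout-success"]  # simulate omitting the explicit entry
    print("without explicit entry:", resolve(m, base + "logout-success"))
```

Running shadowed_entries over a full mapping lists every path that depends on an explicit entry to avoid inheriting the controller of a shorter path.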


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved.