To secure the REST calls for user segments, the REST module includes a component, /atg/rest/security/RequestCredentialAccessController, that enables and enforces access control for these calls. Out of the box, the RequestCredentialAccessController component’s enabled property is set to true. If you need to disable security for the REST calls, you can set this value to false, although this is not a configuration that Oracle recommends.
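The following audit check is an added example, not Oracle's code: it scans unpacked configuration layers for overrides that turn the access controller off. It assumes the component is configured by a properties file at `atg/rest/security/RequestCredentialAccessController.properties` in each layer; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the Nucleus component /atg/rest/security/RequestCredentialAccessController
# is configured by a properties file at this relative path inside each config layer.
COMPONENT_FILE = os.path.join("atg", "rest", "security",
                              "RequestCredentialAccessController.properties")
# Java-properties style "enabled=value" or "enabled:value", whitespace tolerated.
ENABLED_RE = re.compile(r"^\s*enabled\s*[=:]\s*(\S+)\s*$")

def read_enabled(path):
    """Return the last 'enabled' value set in the file (lowercased), or None."""
    value = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            if line.lstrip().startswith(("#", "!")):  # properties-file comments
                continue
            m = ENABLED_RE.match(line)
            if m:
                value = m.group(1).lower()
    return value

def find_disabled_overrides(root):
    """List config files under root that set enabled to anything but true."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if full.endswith(os.sep + COMPONENT_FILE):
                value = read_enabled(full)
                if value is not None and value != "true":
                    findings.append((os.path.relpath(full, root), value))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: two config layers, one of which disables the check."""
    for layer, body in (("base", "enabled=true\n"),
                        ("localconfig", "# constructed override\nenabled = false\n")):
        target = os.path.join(root, layer, COMPONENT_FILE)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel_path, value in find_disabled_overrides(tmp):
            print(f"access control disabled: {rel_path} (enabled={value})")
```

Configuration packaged inside JAR files is not covered by this scan; only directories on disk are walked.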

To determine if a user segment request should be fulfilled, the RequestCredentialAccessController component compares the security credential passed in an HTTP header of the request with the credentials stored in a credential store map. If a matching credential exists in the credential store map, the request is fulfilled. If no match exists, access to the user segment data is denied. To support this functionality, the RequestCredentialAccessController component includes the properties listed below, in addition to the enabled property. Note that these properties must not be changed or user segment security will cease to work:


Copyright © 1997, 2016 Oracle and/or its affiliates. All rights reserved.