In order to make the REST calls for user segments secure, the REST module includes a component, /atg/rest/security/RequestCredentialAccessController, that enables and enforces access control for these calls. Out of the box, the RequestCredentialAccessController component’s enabled property is set to true. If you need to disable security for the REST calls, you can set this value to false, although this is not a configuration that Oracle recommends.
To determine if a user segment request should be fulfilled, the RequestCredentialAccessController component compares the security credential passed in an HTTP header of the request with the credentials stored in a credential store map. If a matching credential exists in the credential store map, the request is fulfilled. If no match exists, access to the user segment data is denied. To support this functionality, the RequestCredentialAccessController component includes the properties listed below, in addition to the enabled property. Note that these properties must not be changed or user segment security will cease to work:
credentialStoreMap: The credential store map under which valid REST security credentials are stored. User segment server requests must include a credential that matches a credential stored in this map in order to be fulfilled. The default value for this property is requestCredentialMap and must not be changed.
fieldName: The name of the HTTP header that contains the credential for user segment server REST requests. This setting defaults to Request-Credential, which is the field that the Workbench uses to pass the credential header, and it must not be changed.
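
The check described above, modeled in Python as an added example; it is not Oracle's implementation or part of the original documentation. The class name, the alias-to-credential shape of the store, the constant-time comparison and the sample credential are assumptions made for illustration.

```python
import hmac

FIELD_NAME = "Request-Credential"  # default header name given on the page


class RequestCredentialCheck:
    """Simplified model of the documented behaviour (hypothetical class)."""

    def __init__(self, credential_store, enabled=True, field_name=FIELD_NAME):
        # Assumed shape: alias -> credential string.
        self.credential_store = dict(credential_store)
        self.enabled = enabled
        self.field_name = field_name

    def _presented(self, headers):
        # HTTP header names are case-insensitive, so match on lowercase.
        wanted = self.field_name.lower()
        for name, value in headers.items():
            if name.lower() == wanted:
                return value.strip()
        return None

    def allow(self, headers):
        if not self.enabled:
            # enabled=false: no access control, every request is fulfilled.
            return True
        presented = self._presented(headers)
        if not presented:
            return False  # missing or empty header: deny (fail closed)
        matched = False
        for stored in self.credential_store.values():
            # Constant-time compare; scan every entry so timing does not
            # reveal which stored credential (if any) matched.
            if hmac.compare_digest(presented.encode(), stored.encode()):
                matched = True
        return matched


# Constructed sample data, not real credentials.
STORE = {"workbench": "s3gment-cred-EXAMPLE"}

if __name__ == "__main__":
    check = RequestCredentialCheck(STORE)
    for hdrs in ({"Request-Credential": "s3gment-cred-EXAMPLE"},
                 {"Request-Credential": "wrong"},
                 {}):
        print(hdrs, "->", "fulfilled" if check.allow(hdrs) else "denied")
```

With the controller disabled, the last two requests would also be fulfilled, which is why the default setting of true is the recommended one.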