Endpoint security is enforced through access control and access checkers. Once you have configured and set up access checkers, you can indicate access levels for endpoints.

Access controllers use URLs to define the type of access an endpoint has. The type value, which is defined in accessControllers.xml, is used by the AccessControlService to map access to the access checker Nucleus component, which is used to perform the access check.

The following is an example of the AccessControlService that defines accessCheckers:

accessCheckers=\
        allowAll=AllowAllAccessChecker,\
        denyAll=DenyAllAccessChecker,\
        combineOr=CombineOrAccessChecker,\
        combineAnd=CombineAndAccessChecker,\
        loggedIn=LoggedInAccessChecker,\
        transientOrLoggedIn=TransientOrLoggedInAccessChecker,\
        https=HttpsAccessChecker

Access checkers identify if access to an endpoint is allowed. There are several access checkers that are available by default. These include:

You can create custom access checkers by implementing the atg.service.jaxrs.security.AccessChecker interface and configuring an access checker as necessary. You can also create access checkers from existing ATG MVC REST atg.userprofiling.AccessController implementations. For example, a logged in access checker that uses the ATG MVC REST /atg/userprofiling/LoggedInAccessController might look like this:

$class=atg.service.jaxrs.security.AccessControllerAccessChecker
$classloader=/atg/dynamo/service/jaxrs/JerseyClassLoaderService

accessController=/atg/userprofiling/LoggedInAccessController

Access checkers can be combined to create more complex access checkers using the combineOr and the combineAnd types. For example, this could be added to the accessControllers.xml file:

<access-controllers>
  <!-- logged in or deny all -->
  <access-controller id="logged-in-or-deny-all" type="combineOr"
      values="logged-in, deny-all"/>
  <!-- logged in and https (id changed so that it is unique) -->
  <access-controller id="logged-in-and-https" type="combineAnd"
      values="logged-in, https"/>
</access-controllers>
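
The following is an added example, not Oracle's code: an offline lint that cross-checks an accessControllers.xml file against the accessCheckers map before deployment, flagging duplicate ids, type values that no access checker is registered for, and combined controllers that name an undefined id. It assumes each entry in values is the id of another access-controller element; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from a real deployment).
ACCESS_CHECKERS = """accessCheckers=\\
        allowAll=AllowAllAccessChecker,\\
        combineOr=CombineOrAccessChecker,\\
        combineAnd=CombineAndAccessChecker,\\
        loggedIn=LoggedInAccessChecker,\\
        https=HttpsAccessChecker
"""
ACCESS_CONTROLLERS = """<access-controllers>
  <access-controller id="logged-in" type="loggedIn"/>
  <access-controller id="https" type="https"/>
  <access-controller id="strict" type="combineAnd" values="logged-in, https"/>
  <access-controller id="strict" type="combineOr" values="logged-in, deny-all"/>
  <access-controller id="open" type="alowAll"/>
</access-controllers>
"""

def parse_checker_types(properties_text):
    """Return the type names (map keys) of the accessCheckers property."""
    # Join the backslash-continued lines into one logical property line.
    joined = "".join(line.strip().rstrip("\\") for line in properties_text.splitlines())
    _, _, value = joined.partition("=")
    return {entry.split("=", 1)[0].strip() for entry in value.split(",") if entry.strip()}

def lint(properties_text, xml_text):
    """Return a sorted list of findings for the access-controller definitions."""
    types = parse_checker_types(properties_text)
    controllers = ET.fromstring(xml_text).findall("access-controller")
    ids = [c.get("id") for c in controllers]
    findings = []
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"duplicate id: {dup}")
    for c in controllers:
        if c.get("type") not in types:
            findings.append(f"{c.get('id')}: unknown type {c.get('type')}")
        # Assumption: each entry in values names another access-controller id.
        for ref in filter(None, (v.strip() for v in (c.get("values") or "").split(","))):
            if ref not in ids:
                findings.append(f"{c.get('id')}: unresolved reference {ref}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint(ACCESS_CHECKERS, ACCESS_CONTROLLERS):
        print(finding)
```

Running a check like this in the build catches a controller that would otherwise silently resolve to a different rule than the one its author intended.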

Copyright © 1997, 2017 Oracle and/or its affiliates. All rights reserved.