Endpoint security is implemented through access controllers and access checkers. Once you have configured the access checkers, you can set the access level required for each endpoint.
Access controllers use URLs to define the type of access an endpoint has. The type value, which is defined in accessControllers.xml, is used by the AccessControlService to map that type to the access checker Nucleus component that actually performs the access check.
The following is an example of the AccessControlService configuration that defines accessCheckers:
accessCheckers=\
  allowAll=AllowAllAccessChecker,\
  denyAll=DenyAllAccessChecker,\
  combineOr=CombineOrAccessChecker,\
  combineAnd=CombineAndAccessChecker,\
  loggedIn=LoggedInAccessChecker,\
  transientOrLoggedIn=TransientOrLoggedInAccessChecker,\
  https=HttpsAccessChecker
Access checkers decide whether access to an endpoint is allowed. Several access checkers are available by default:
allow-all – This checker allows all access to an endpoint.
deny-all – This checker denies all access to an endpoint.
logged-in – This checker verifies that a user is logged in before allowing access to an endpoint, by checking for a valid OAuth token.
https – This checker verifies that the request was made over a secure connection before allowing access to an endpoint.
combinedAndAccessChecker – This checker combines multiple access checkers using an AND operator; every combined checker must allow access.
combinedOrAccessChecker – This checker combines multiple access checkers using an OR operator; any one combined checker allowing access is sufficient.
accessControllerAccessChecker – This checker delegates to access controllers that were created for use with ATG MVC REST calls to verify that access should be granted to an endpoint.
You can create custom access checkers by implementing the atg.service.jaxrs.security.AccessChecker interface and configuring the access checker as a Nucleus component. You can also create access checkers from existing ATG MVC REST atg.userprofiling.AccessController implementations. For example, a logged-in access checker that wraps the ATG MVC REST /atg/userprofiling/LoggedInAccessController might look like this:
$class=atg.service.jaxrs.security.AccessControllerAccessChecker
$classloader=/atg/dynamo/service/jaxrs/JerseyClassLoaderService
accessController=/atg/userprofiling/LoggedInAccessController
Access checkers can be combined into more complex access checkers using the combineOr and combineAnd types. For example, the following could be added to the accessControllers.xml file:
<access-controllers>
  <!-- logged-in or deny-all: passes when either referenced checker allows access -->
  <access-controller id="logged-in-or-deny-all" type="combineOr" values="logged-in, deny-all"/>
  <!-- logged-in and https: passes only when both referenced checkers allow access
       (the id is distinct from the entry above; ids must be unique) -->
  <access-controller id="logged-in-and-https" type="combineAnd" values="logged-in, https"/>
</access-controllers>
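To make the combineOr/combineAnd semantics concrete, here is an added, stand-alone Python model (not ATG code and not the ATG API) that parses an accessControllers.xml fragment like the one above and evaluates a combined checker against a request context. The leaf checkers (allowAll, denyAll, loggedIn, https) are modelled as simple predicates, the `logged_in`/`https` context keys are assumptions, and the validation rules (unique ids, known types, no dangling or empty references, no cycles) are the checks a reviewer would want on such a file, not rules the page states.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the accessControllers.xml fragment on this page,
# with the leaf controllers that the combined entries reference defined explicitly.
SAMPLE_XML = """<access-controllers>
  <access-controller id="logged-in" type="loggedIn"/>
  <access-controller id="deny-all" type="denyAll"/>
  <access-controller id="https" type="https"/>
  <access-controller id="logged-in-or-deny-all" type="combineOr" values="logged-in, deny-all"/>
  <access-controller id="logged-in-and-https" type="combineAnd" values="logged-in, https"/>
</access-controllers>"""

# Model of the default non-combining checkers: each decides on the request context
# (assumed context keys: logged_in, https).
LEAF_CHECKERS = {
    "allowAll": lambda ctx: True,
    "denyAll": lambda ctx: False,
    "loggedIn": lambda ctx: bool(ctx.get("logged_in", False)),
    "https": lambda ctx: bool(ctx.get("https", False)),
}
COMBINERS = ("combineOr", "combineAnd")

def load_controllers(xml_text):
    """Parse the XML into {id: (type, [referenced ids])}, rejecting duplicate ids,
    unknown types, combiners with no values, and references to undefined ids."""
    controllers = {}
    for el in ET.fromstring(xml_text).findall("access-controller"):
        cid, ctype = el.get("id"), el.get("type")
        if cid in controllers:
            raise ValueError(f"duplicate access-controller id: {cid}")
        if ctype not in LEAF_CHECKERS and ctype not in COMBINERS:
            raise ValueError(f"unknown type {ctype!r} for {cid}")
        refs = [v.strip() for v in (el.get("values") or "").split(",") if v.strip()]
        if ctype in COMBINERS and not refs:
            # all() of nothing is True, so an empty combineAnd would silently allow everyone
            raise ValueError(f"{cid} has type {ctype} but no values")
        controllers[cid] = (ctype, refs)
    for cid, (_, refs) in controllers.items():
        for ref in refs:
            if ref not in controllers:
                raise ValueError(f"{cid} references undefined access-controller {ref!r}")
    return controllers

def check_access(controllers, cid, ctx, _seen=()):
    """Evaluate controller `cid` for a request context; combineOr needs any referenced
    controller to allow, combineAnd needs all of them."""
    if cid in _seen:
        raise ValueError(f"cyclic access-controller reference at {cid}")
    ctype, refs = controllers[cid]
    if ctype in LEAF_CHECKERS:
        return LEAF_CHECKERS[ctype](ctx)
    results = (check_access(controllers, r, ctx, _seen + (cid,)) for r in refs)
    return any(results) if ctype == "combineOr" else all(results)
```

Evaluating logged-in-and-https for a logged-in user over plain HTTP returns False, while logged-in-or-deny-all behaves exactly like logged-in on its own, since deny-all never contributes an allow.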