Endpoint access control
With API 3.11.0 is possible restrict access to any endpoint.
In order for a user to get access to a given API Endpoint, the user must belong to a SecurityRole that has a SecurityPermission for the API Endpoint.
The endpoint access control is done also against the objects requested using the fields JSON in the HTTP Header. So for instance if the endpoint Vessel.GET is present and the user does not belong to a SecurityRole that has a SecurityPermission for the Vessel.GET endpoint, requesting the Voyage resource specifying the following JSON in the fields parameter will get unauthorized (HTTP 401):
{
"vessel":{
"vesselName":"*",
"auxEngine":"*"
}
}
If the same user requests with the following JSON, it will get access because vesselName attribute is part of the minimal view of Vessel resource:
{
"vessel":{
"vesselName":"*"
}
}
.
The same access control is performed when a WebhookSubscription is requested. If the user tries to subscribe for an object that has an Endpoint in the system, the subscription will be created only if the user can access to the Endpoint, otherwise Bad request (HTTP 400) exception will be thrown.
To create a new Endpoint it has to be used the endpoint /ws/rest/Endpoint posting a JSON like this:
{
"resourceName": "Vessel",
"path": ".",
"httpMethodType": "GET"
}
To create a new SecurityPermission it has to be used the endpoint /ws/rest/SecurityPermission posting a JSON like this:
{
"endpoint": 335928937,
"permissionName": "Bank.GET",
"permissionType": 335343886
}
To create a new SecurityRole. Post the following JSON to /ws/rest/SecurityRole:
{
"roleName":"testRole"
}
To add a SecurityPermission to a SecurityRole. Post the following JSON to /ws/rest/SecurityRole:
{
"securityPermissions": [
{
"key":335928939
}
]
}
To add a SecurityRole to a User. Post the following JSON to /ws/rest/SecurityRole:
{
"securityRoles": [
{
"key":335927922
}
]
}