Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:
Loginapp >> REST Settings >> Request Authentication and Request Authorization.
- Request Authentication: Defines how users or REST clients are authenticated (e.g. Basic Auth, client certificates, or OAuth tokens).
- Access Controller: Defines what services are accessible by the authenticated user or REST client.
- The following Access Controller plugins are available:
  - "Resource Access Controller": role-based access policy based on REST resource paths (e.g. rules like "IF $user has role 'admin' THEN allow POST on path /protected/xxx")
  - "Enabling All Access Controller": disables authorization altogether; every authenticated user or REST client may call every service. Only authentication is still enforced.
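As an added illustration of the two Access Controller behaviours above (this is example code, not Airlock's own implementation; the rule syntax, the `Principal` and `Rule` classes, the deny-by-default choice and the sample policy are this example's assumptions), the following Python evaluator applies rules of the form "IF caller has role R THEN allow METHOD on PATH" and canonicalises the request path before matching so that encoded or traversing variants cannot slip past a path rule:

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import unquote


@dataclass(frozen=True)
class Principal:
    """The authenticated caller as seen by the access controller (roles come from authentication)."""
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Rule:
    """IF caller has `role` THEN allow `methods` on paths matching `path_pattern`.

    Pattern syntax is this example's own: `*` matches one path segment, `**` the rest of the path.
    """
    role: str
    methods: frozenset
    path_pattern: str


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def normalize_path(raw: str) -> str:
    """Canonicalise the request path before matching: strip the query string,
    percent-decode once, then collapse //, ./ and ../ segments."""
    path = raw.split("?", 1)[0]   # the query string is not part of the resource path
    path = unquote(path)          # decode %2e%2e etc. before normalisation, not after
    return posixpath.normpath("/" + path.lstrip("/"))


class ResourceAccessController:
    """Deny-by-default (this example's assumption): a request is allowed only if some
    rule matches the method, the normalised path and a role the caller holds."""

    def __init__(self, rules: Iterable[Rule]):
        self._rules = [(r, _pattern_to_regex(r.path_pattern)) for r in rules]

    def matching_rule(self, caller: Principal, method: str, raw_path: str) -> Optional[Rule]:
        path = normalize_path(raw_path)
        method = method.upper()
        for rule, regex in self._rules:
            if method in rule.methods and rule.role in caller.roles and regex.match(path):
                return rule
        return None

    def is_allowed(self, caller: Principal, method: str, raw_path: str) -> bool:
        return self.matching_rule(caller, method, raw_path) is not None


class EnablingAllAccessController:
    """Authorization disabled: every authenticated caller may call every service."""

    def is_allowed(self, caller: Principal, method: str, raw_path: str) -> bool:
        return caller is not None


# Constructed sample policy and callers (not taken from any real Airlock configuration).
RULES = [
    Rule("admin", frozenset({"POST", "PUT", "DELETE"}), "/protected/**"),
    Rule("user", frozenset({"GET"}), "/protected/orders/*"),
    Rule("user", frozenset({"GET"}), "/public/**"),
]
ADMIN = Principal("alice", frozenset({"admin", "user"}))
USER = Principal("bob", frozenset({"user"}))

if __name__ == "__main__":
    rac = ResourceAccessController(RULES)
    for who, m, p in [(ADMIN, "POST", "/protected/orders"),
                      (USER, "POST", "/protected/orders"),
                      (USER, "GET", "/protected/orders/42"),
                      (USER, "GET", "/public/%2e%2e/protected/orders/42/export")]:
        print(who.name, m, p, "->", "allow" if rac.is_allowed(who, m, p) else "deny")
```

The last sample request is the one worth checking in any path-based policy: without decoding and normalising first, `/public/%2e%2e/protected/orders/42/export` would match the permissive `/public/**` rule even though the backend serves it as a protected resource. Whatever product evaluates the rules, confirm how it canonicalises paths (percent-decoding, `..`, repeated slashes, trailing slashes) before relying on path prefixes for authorization.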
You may use the one-shot authentication flow of the Airlock Gateway (WAF) to secure the protected API upfront.
- This has the following security advantages:
  - Authentication enforcement and coarse-grained access control are done on the Airlock Gateway (WAF), before a request reaches the API
  - The API may be strictly enforced using the "API enforcement" feature of the Airlock Gateway (WAF)
To do so, proceed as follows: