Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:
Loginapp >> Session-less REST Endpoints >> Request Authentication and Request Authorization.
- Request Authentication: Defines how users or REST clients are authenticated (e.g. Basic Auth, client certificates, or OAuth tokens).
- Access Controller: Defines what services are accessible by the authenticated user or REST client.
- The following plugins are available:
  - "Resource Access Controller": role-based access policy based on REST resource paths and HTTP methods (e.g. rules like "IF $user has role 'admin' THEN allow POST on path /protected/xxx"). Requests that match no rule are denied.
  - "Enabling All Access Controller": disables authorization, i.e. every successfully authenticated user or REST client may call every protected service. Authentication is still enforced; use this plugin only where access control is done elsewhere (for example on the Airlock Gateway).
You may use the Airlock Gateway's one-shot authentication flow to secure the protected API upfront.
- This has the following security advantages:
  - Authentication enforcement and coarse-grained access control are done on the Airlock Gateway, before a request reaches the IAM REST API.
  - The API may be strictly enforced using the Airlock Gateway's "API enforcement" feature.
To do so, proceed as follows:
- Set up the one-shot authentication flow according to HTTP request authentication (One-Shot flow).
- Use an identity propagator to transport the verified user identity to the IAM REST API.
- Use a request authentication plugin to authenticate the propagated identity. The IAM REST API must accept the propagated identity only from the Airlock Gateway; otherwise a client that can reach the API directly could present a forged identity.
- On the Airlock Gateway, create a separate mapping for the protected APIs (as described in Airlock Gateway for Airlock IAM configuration).
- Enable API Enforcement.
- Restrict access to specific roles.
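The following added example simulates the chain described above (gateway-verified identity propagated to the API, API-side authentication of the propagated identity, then role- and path-based access control with default deny, plus the "allow all" mode). It is illustrative code written for this page, not Airlock Gateway or Airlock IAM code: the header names, the HMAC-signed identity format, the rule representation and the sample policy are all assumptions, and Airlock's real identity propagators and plugin syntax differ.

```python
"""Added example (not Airlock code): gateway-propagated identity and resource access rules."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: gateway and API share a secret that protects the propagated identity.
# Constructed for this example; a real deployment keeps it in configuration, not source.
GATEWAY_SECRET = b"constructed-demo-secret"
IDENTITY_HEADER = "X-Gateway-Identity"    # hypothetical header names
SIGNATURE_HEADER = "X-Gateway-Signature"


@dataclass(frozen=True)
class Rule:
    """IF $user has `role` THEN allow `methods` on paths under `path_prefix`."""
    role: str
    methods: frozenset
    path_prefix: str


def gateway_propagate(user, roles):
    """Gateway side: after one-shot authentication succeeded, emit the verified identity
    as a JSON header plus an HMAC-SHA256 signature over it."""
    body = json.dumps({"user": user, "roles": roles}, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(GATEWAY_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {IDENTITY_HEADER: body, SIGNATURE_HEADER: sig}


def authenticate_propagated_identity(headers):
    """API side (request authentication plugin): trust the identity only if the
    signature proves it came from the gateway. Returns the identity dict or None."""
    body = headers.get(IDENTITY_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if body is None or sig is None:
        return None
    expected = hmac.new(GATEWAY_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    try:
        ident = json.loads(body)
    except ValueError:
        return None
    if not isinstance(ident, dict) or not isinstance(ident.get("user"), str) \
            or not isinstance(ident.get("roles"), list):
        return None
    return ident


def path_matches(path, prefix):
    """Match on a path-segment boundary so /protected/users does not cover /protected/usersx."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def resource_access_allowed(ident, method, path, rules):
    """Resource access controller: default deny, any matching rule allows."""
    roles = set(ident["roles"])
    return any(r.role in roles and method in r.methods and path_matches(path, r.path_prefix)
               for r in rules)


def authorize_request(headers, method, path, rules, allow_all=False):
    """Return an HTTP status: 401 (missing/forged identity), 403 (no rule allows), 200 (allowed)."""
    ident = authenticate_propagated_identity(headers)
    if ident is None:
        return 401
    if allow_all:   # "enabling all access controller": authenticated callers may call anything
        return 200
    return 200 if resource_access_allowed(ident, method, path, rules) else 403


# Constructed sample policy.
RULES = (
    Rule("admin", frozenset({"GET", "POST", "DELETE"}), "/protected/users"),
    Rule("user", frozenset({"GET"}), "/protected/users"),
)


def demo():
    """Run the sample scenarios and return their resulting statuses."""
    admin = gateway_propagate("alice", ["admin"])
    user = gateway_propagate("bob", ["user"])
    # A caller rewrites its own role to "admin" but cannot re-sign the header.
    tampered = dict(user)
    tampered[IDENTITY_HEADER] = tampered[IDENTITY_HEADER].replace('"user"', '"admin"', 1)
    return {
        "admin_post": authorize_request(admin, "POST", "/protected/users/42", RULES),
        "user_get": authorize_request(user, "GET", "/protected/users", RULES),
        "user_post": authorize_request(user, "POST", "/protected/users", RULES),
        "user_sibling_path": authorize_request(user, "GET", "/protected/usersx", RULES),
        "tampered_roles": authorize_request(tampered, "POST", "/protected/users", RULES),
        "no_identity": authorize_request({}, "GET", "/protected/users", RULES),
        "allow_all_user_post": authorize_request(user, "POST", "/protected/users", RULES, allow_all=True),
        "allow_all_no_identity": authorize_request({}, "GET", "/protected/users", RULES, allow_all=True),
    }


if __name__ == "__main__":
    print(demo())
```

The two points worth carrying over to a real deployment are the default-deny rule evaluation and that the "allow all" mode still returns 401 for requests without a valid propagated identity: disabling authorization does not disable authentication.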