Protecting Resources

The resource server security is configured by the auto-configuration of the Authorization Server add-on. This configuration provides extension points that let you declare any URL pattern as protected.

Defining Protected Resources

Suppose that you have the following REST controller:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class GreetingController {

    // GET /greeting/hello
    @GetMapping("/greeting/hello")
    public String hello() {
        return "Hello!";
    }

    // POST /greeting/hi
    @PostMapping("/greeting/hi")
    public String hi() {
        return "Hi!";
    }
}

To protect the /greeting/** endpoints with an access token, define a bean that implements the io.jmix.core.security.AuthorizedUrlsProvider interface and returns the URL patterns from its getAuthenticatedUrlPatterns() method:

import io.jmix.core.security.AuthorizedUrlsProvider;
import org.springframework.stereotype.Component;

import java.util.Collection;
import java.util.List;

@Component
public class GreetingAuthorizedUrlsProvider implements AuthorizedUrlsProvider {

    // Patterns that require a valid access token
    @Override
    public Collection<String> getAuthenticatedUrlPatterns() {
        return List.of("/greeting/**");
    }

    // Patterns that may be accessed without a token (none here)
    @Override
    public Collection<String> getAnonymousUrlPatterns() {
        return List.of();
    }
}

Sending Access Token

Once this configuration is in place, every request to a /greeting/** endpoint must carry an access token in the Authorization header. The header value is the word Bearer followed by a space and the access token value. For example:

GET /greeting/hello HTTP/1.1
Host: server.example.com
Authorization: Bearer <ACCESS_TOKEN>
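A practitioner will want to confirm that the pattern above actually takes effect, not just that the bean compiles. The following Spring Boot test is an added example, not code from the Jmix documentation or the Authorization Server add-on. It assumes the GreetingController and GreetingAuthorizedUrlsProvider shown above are on the classpath, that the test module has spring-boot-starter-test available, and that the add-on uses Spring Security's standard bearer-token entry point (which answers an unauthenticated request with 401 and a WWW-Authenticate: Bearer header). The class name GreetingProtectionTest and the token value "not-a-real-token" are constructed for this example.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Added example: verifies that /greeting/** is rejected without a valid Bearer token.
// Assumes the controller and AuthorizedUrlsProvider from the page are in the application context.
@SpringBootTest
@AutoConfigureMockMvc
class GreetingProtectionTest {

    @Autowired
    MockMvc mockMvc;

    // No Authorization header at all: the resource server must answer 401,
    // and (with Spring Security's bearer entry point) advertise the Bearer scheme.
    @Test
    void helloWithoutTokenIsRejected() throws Exception {
        mockMvc.perform(get("/greeting/hello"))
                .andExpect(status().isUnauthorized())
                .andExpect(header().exists("WWW-Authenticate"));
    }

    // A syntactically present but invalid token must also be rejected with 401,
    // never silently treated as anonymous access. Token value is constructed.
    @Test
    void malformedBearerTokenIsRejected() throws Exception {
        mockMvc.perform(get("/greeting/hello")
                        .header("Authorization", "Bearer not-a-real-token"))
                .andExpect(status().isUnauthorized());
    }

    // Control case: a path outside /greeting/** that the application does not
    // serve at all should not be reported as 401 by the greeting rule. If this
    // test fails with 401, the pattern is broader than intended (e.g. "/**").
    @Test
    void unrelatedPathIsNotCoveredByGreetingPattern() throws Exception {
        mockMvc.perform(get("/not-greeting/ping"))
                .andExpect(result -> {
                    int status = result.getResponse().getStatus();
                    if (status == 401) {
                        throw new AssertionError("/greeting/** rule leaked to an unrelated path");
                    }
                });
    }
}
```

Run it with the project's usual test task (for example ./gradlew test). The third test is deliberately loose about the exact status of an unmapped path; its only purpose is to catch a pattern that protects more than the documentation promised, which is the usual way an over-broad provider goes unnoticed until other endpoints start failing.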

Protecting Generic REST Add-on Endpoints

When you add the Generic REST add-on to the application, all of its REST endpoints are automatically protected by the Authorization Server add-on. To call them you must obtain an access token and pass it in the Authorization header of the HTTP request, again as the word Bearer followed by a space and the access token value. For example:

GET /rest/entities/User HTTP/1.1
Host: server.example.com
Authorization: Bearer <ACCESS_TOKEN>