Protecting Resources

The resource server security is defined in the auto-configuration of the Authorization Server add-on. This configuration provides extension points that can be used to define any URL pattern as protected. See the Token Based Authentication section for details on how to configure protected resources.

Sending Access Token

Once protected URL patterns are configured as described above, every request to a /greeting/** endpoint must carry an access token in the Authorization header. The header value consists of the scheme name Bearer followed by a space and the access token value. For example:

GET /greeting/hello HTTP/1.1
Host: server.example.com
Authorization: Bearer <ACCESS_TOKEN>

Protecting Generic REST API Endpoints

When you simply add the REST API add-on to your application, REST endpoints will not be protected by default.

To enable token-based authentication for them, define the following application property:

jmix.resource-server.authenticated-url-patterns = /rest/**

To call a protected REST endpoint, obtain an access token and pass it in the Authorization header of the HTTP request. The header value consists of the scheme name Bearer followed by a space and the access token value. For example:

GET /rest/entities/User HTTP/1.1
Host: server.example.com
Authorization: Bearer <ACCESS_TOKEN>
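The following is an added example, not Jmix code, that shows what a resource server does with the two things both sections above describe: matching the request path against protected URL patterns such as /rest/** and /greeting/**, and reading the Bearer token from the Authorization header. It also shows the 401 responses a client sees when the token is missing, malformed, or unknown, following RFC 6750. The pattern list, the realm name and the token store are constructed placeholders; a real server validates the token against the Authorization Server (JWT signature or introspection) instead of a dictionary lookup.

```python
"""Added example: how a resource server gates requests on Bearer tokens.
Stand-alone illustration, not part of Jmix or Spring Security."""
import re

# Constructed: the patterns the documentation uses as examples.
PROTECTED_PATTERNS = ["/rest/**", "/greeting/**"]

# Constructed stand-in for real token validation (JWT check or token
# introspection against the Authorization Server). Not a real token.
VALID_TOKENS = {"constructed-token-abc123": "admin"}

REALM = "example"  # assumed realm name for the WWW-Authenticate challenge

# RFC 6750 b64token syntax: the only characters allowed in a bearer token value.
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (as used by Spring) to a regex.
    '**' matches zero or more whole path segments; '*' matches within a segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")   # '/rest/**' also matches '/rest' itself
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_protected(path):
    """True when the request path falls under one of the protected patterns."""
    path = path.split("?", 1)[0]  # the query string never takes part in matching
    return any(ant_to_regex(p).match(path) for p in PROTECTED_PATTERNS)


def bearer_credentials(headers):
    """Classify the Authorization header.
    Returns ("none", None) when no Bearer credential is present (including an
    unsupported scheme), ("malformed", None) when the Bearer scheme is used with
    a syntactically invalid token, or ("token", value) otherwise."""
    value = next((v for n, v in headers.items() if n.lower() == "authorization"), None)
    if value is None:
        return "none", None
    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() != "bearer":   # scheme name is case-insensitive
        return "none", None
    if len(parts) != 2 or not _B64TOKEN.match(parts[1].strip()):
        return "malformed", None
    return "token", parts[1].strip()


def parse_request(raw):
    """Minimal parser for a raw HTTP/1.1 request head (request line plus headers)."""
    lines = raw.strip("\r\n").split("\n")
    method, target, _version = lines[0].strip().split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return method, target, headers


def authorize(raw_request):
    """Decide whether the request may proceed.
    Returns (status, www_authenticate) where www_authenticate is None on success."""
    _method, target, headers = parse_request(raw_request)
    if not is_protected(target):
        return 200, None
    kind, token = bearer_credentials(headers)
    if kind == "none":
        # No usable credentials: challenge without an error code (RFC 6750 §3.1).
        return 401, 'Bearer realm="%s"' % REALM
    if kind == "malformed":
        return 401, 'Bearer realm="%s", error="invalid_request"' % REALM
    if token not in VALID_TOKENS:
        return 401, 'Bearer realm="%s", error="invalid_token"' % REALM
    return 200, None


# Constructed sample request mirroring the documentation's example.
OK_REQUEST = (
    "GET /rest/entities/User HTTP/1.1\n"
    "Host: server.example.com\n"
    "Authorization: Bearer constructed-token-abc123\n"
)

if __name__ == "__main__":
    print(authorize(OK_REQUEST))                                   # (200, None)
    print(authorize("GET /rest/entities/User HTTP/1.1\nHost: h\n"))  # 401, bare challenge
```

The distinction between the three 401 challenges matters operationally: a bare challenge tells a client it simply has to authenticate, while invalid_request and invalid_token point at a client bug or an expired or revoked token, which is also what you want to distinguish in access logs when looking for misbehaving clients.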