Chapter nine REST Service security

If REST The service is accessing confidential data , You should use authentication for services . If you need to provide different levels of access for different users , Also specify the permissions required by the endpoint .

by REST Service settings authentication

It can be done to IRIS REST The service uses any of the following forms of authentication ：

• HTTP Authentication header — This is a REST The recommended form of authentication for the service .
• Web Session authentication — The user name and password are URL Specify after the question mark in .
• OAuth 2.0 Authentication - Please refer to the following sections .

REST Applications and OAuth 2.0

To pass the OAuth 2.0 Yes REST Application for authentication , Please do all the following ：

• Will include REST The resource server of the application is configured as OAuth 2.0 Resource server .
• Allow for %Service.CSP Delegate authentication .
• Ensure that Web Applications （ be used for REST Applications ） Configured to use delegated authentication .
• stay %SYS Create a namespace named ZAUTHENTICATE Routine for . A sample routine is provided REST.ZAUTHENTICATE.mac, You can copy and modify it . This routine is GitHub (https://github.com/intersystems/Samples-Security) On Samples-Security Part of the example . May, in accordance with the “ Download for IRIS An example of ” Download the entire example according to the instructions in , But in GitHub It may be more convenient to open a routine on and copy its contents .

In routine , modify applicationName And make other changes as needed .

Specify the use of REST Permissions required by the service

To specify the permissions required to execute code or access data , Technology uses role-based access control (RBAC).

If you need to provide different levels of access for different users , Please do the following to specify permissions ：

• Modify the specification class to specify the use REST Service or REST Permissions required for a specific endpoint in the service ; Then recompile . Permissions are permissions combined with resource names （ For example, read or write ）.
• Use the management portal ：
  • Define the resources referenced in the specification class .
  • Define roles that provide permission sets . for example , Roles can provide read access to endpoints or write access to different endpoints . A role can contain multiple groups of permissions .
  • Place users in all roles required for their tasks .

Besides , have access to %CSP.REST Class SECURITYRESOURCE Parameters to execute authorization .

Specify permissions

It can be for the whole REST Service specified permission list , You can also specify a permission list for each endpoint . So ：

1. To specify the permissions required to access the service , Please edit OpenAPI XData block . about info object , Add a name x-ISC_RequiredResource New properties of , Its value is a comma separated list of defined resources and their access patterns (resource:mode), This is a visit REST Necessary for any endpoint of the service .

An example is shown below ：

  "swagger":"2.0",
  "info":{
    
    "version":"1.0.0",
    "title":"Swagger Petstore",
    "description":"A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification",
    "termsOfService":"http://swagger.io/terms/",
    "x-ISC_RequiredResource":["resource1:read","resource2:read","resource3:read"],
    "contact":{
    
      "name":"Swagger API Team"
    },
...

2. To specify the permissions required to access a specific endpoint , Please put x-ISC_RequiredResource Property is added to the operand that defines the endpoint , As shown in the following example ：

      "post":{
    
        "description":"Creates a new pet in the store. Duplicates are allowed",
        "operationId":"addPet",
        "x-ISC_RequiredResource":["resource1:read","resource2:read","resource3:read"],
        "produces":[
          "application/json"
        ],
        ...

3. Compile the specification class . This operation regenerates the scheduling class .

Use SECURITYRESOURC Parameters

As an additional authorization tool , Assignment %CSP.REST Subclass's class has SECURITYRESOURCE Parameters . SECURITYRESOURCE The value of is either the resource and its permissions , Or just resources （ under these circumstances , The relevant permission is to use ）. The system checks whether the user is right with SECURITYRESOURCE The associated resource has the required permissions .

Be careful ： If the scheduling class is SECURITYRESOURCE Specified a value , also CSPSystem The user does not have sufficient permissions , Then this may cause unexpected... When the login attempt fails HTTP Error code . To prevent this from happening , It is recommended that you grant permission to the specified resource CSPSystem user .