Almost all the registered operations and chains are automatically exposed through a REST interface to be invoked from remote clients. The UI-specific operations are not exposed through REST since they require a Web User Interface to work.
For security reasons, you may want to prevent some operations to be accessed remotely. Or you may want to allow only certain users to be able to invoke them. The REST Operation filters provide an extension point where you can register such security rules on what operations are exposed and for which users.
Here is an example on how to write such an extension:
The above code is contributing two REST bindings - one for the atomic operation Document.Delete which is completely disabled (by using the
disable parameter) and the second one is defining a security rule for the operation chain named
You notice the usage of the
chain attribute which must be set to true every time a binding refer to an operation chain and not to an atomic operation.
The second binding installs a guard that allows only requests made by an
administrator user or by users from the
member group AND the request should be made over a secured channel like HTTPS.
Here is the complete of attributes and elements you can use in the extension:
- name - the operation or operation chain main that should be protected.
- chain - true if the name refer to an operation chain, false otherwise (the default is false)
- disabled - whether or not to completely disable the operation from Rest access. The default is false. If you put this flag on true then all the other security rules will be ignored.
- administrator - possible values are "true" or "false". The default is false. If set to true the operation is allowed if the user is an administrator.
- groups - a comma separated list of groups that the user should be member of. If both administrator and groups are specified the user must eb either from a group either an administrator.
- secure - "true" or "false". Default is false. If true the request must be done through a secured channel like HTTPS. If this guard is used the connection must be secured - so that even if the groups guard matched the operation is not accessible if the connection is not secured.