Almost all registered operations and automation chains are exposed through a REST interface to be invoked by remote clients. The UI-specific operations are not exposed through REST since they require a web user interface to work.
For security reasons, you may want to prevent some operations from being accessed remotely, or only allow certain users to be able to invoke them.
The REST operation filters provide an extension point where you can register such security rules on what operations are exposed and for which users.
Here is an example of such an extension point:
<extension target="org.nuxeo.ecm.automation.server.AutomationServer" point="bindings">
<binding name="Document.Delete" disabled="true"/>
<binding name="audit" chain="true">
<administrator>true</administrator>
<secure>true</secure>
<groups>members</groups>
</binding>
</extension>
The above code is contributing two REST bindings - one for the atomic operation Document.Delete
which is completely disabled (by using the disabled
parameter) and the second one is defining a security rule for the automation chain named audit
.
The chain
attribute must be set to true
every time a binding refers to an automation chain and not to an atomic operation.
The second binding installs a guard that allows only requests made by an administrator
user or by users from the member
group AND the request should be made over a secured channel like HTTPS.
Here is the complete list of attributes and elements you can use in the extension:
Attribute / Element | Description | Default Value |
---|---|---|
name |
The name of the operation or automation chain that should be protected. | |
chain |
true if the name refers to an automation chain, false otherwise |
false |
disabled |
Whether or not to completely disable the operation from REST access. If set to true then all the other security rules will be ignored.
|
false |
administrator |
If set to true the operation is allowed if the user is an administrator. |
false |
groups |
A comma separated list of groups of which the user should be member. If both administrator and groups are specified the user must be either from a group or an administrator.
|
|
secure |
If true the request must be done through a secured channel like HTTPS. Even if the user is in the specific group the operation is not accessible if the connection is not secured. |
false |