Filtering Exposed Operations

Updated: July 17, 2023

Almost all the registered operations and chains are automatically exposed through a REST interface to be invoked from remote clients. The UI-specific operations are not exposed through REST since they require a web user interface to work.

For security reasons, you may want to prevent some operations from being accessed remotely. Or you may want to allow only certain users to be able to invoke them.

The REST operation filters provide an extension point where you can register such security rules on what operations are exposed and for which users.

Here is an example on how to write such an extension:

<extension target="org.nuxeo.ecm.automation.server.AutomationServer" point="bindings">
  <binding name="Document.Delete" disabled="true"/>
  <binding name="audit" chain="true">

The above code is contributing two REST bindings - one for the atomic operation Document.Delete which is completely disabled (by using the disable parameter) and the second one is defining a security rule for the automation chain named audit. You can notice the usage of the chain attribute which must be set to true every time a binding refers to an automation chain and not to an atomic operation.

The second binding installs a guard that allows only requests made by an administrator user or by users from the member group AND the request should be made over a secured channel like HTTPS.

Here is the complete of attributes and elements you can use in the extension:

  • name : The operation or automation chain name that should be protected.
  • chain : "true" if the name refers to an automation chain, "false" otherwise (the default is "false").
  • disabled : Whether or not to completely disable the operation from REST access. The default is "false". If you put this flag on "true" then all the other security rules will be ignored.
  • administrator : Possible values are "true" or "false". The default is "false". If set to "true" the operation is allowed if the user is an administrator.
  • groups : A comma separated list of groups that the user should be member of. If both administrator and groups are specified the user must be either from a group or an administrator.
  • secure : "true" or "false". Default is "false". If "true" the request must be done through a secured channel like HTTPS. If this guard is used the connection must be secured, so that even if the groups guard is matched the operation is not accessible if the connection is not secured.