Nuxeo Server

Filtering Exposed Operations

Updated: March 18, 2024

Almost all registered operations and automation chains are exposed through a REST interface to be invoked by remote clients. The UI-specific operations are not exposed through REST since they require a web user interface to work.

For security reasons, you may want to prevent some operations from being accessed remotely, or only allow certain users to be able to invoke them.

The REST operation filters provide an extension point where you can register such security rules on what operations are exposed and for which users.

Here is an example of such an extension point:

<extension target="org.nuxeo.ecm.automation.server.AutomationServer" point="bindings">
  <binding name="Document.Delete" disabled="true"/>
  <binding name="audit" chain="true">
    <administrator>true</administrator>
    <secure>true</secure>
    <groups>members</groups>
  </binding>
</extension>

The above code is contributing two REST bindings - one for the atomic operation Document.Delete which is completely disabled (by using the disabled parameter) and the second one is defining a security rule for the automation chain named audit.

The chain attribute must be set to true every time a binding refers to an automation chain and not to an atomic operation.

The second binding installs a guard that allows only requests made by an administrator user or by users from the member group AND the request should be made over a secured channel like HTTPS.

Here is the complete list of attributes and elements you can use in the extension:

Attribute / Element Description Default Value
name The name of the operation or automation chain that should be protected.
chain true if the name refers to an automation chain, false otherwise false
disabled Whether or not to completely disable the operation from REST access. If set to true then all the other security rules will be ignored. false
administrator If set to true the operation is allowed if the user is an administrator. false
groups A comma separated list of groups of which the user should be member. If both administrator and groups are specified the user must be either from a group or an administrator.
secure If true the request must be done through a secured channel like HTTPS. Even if the user is in the specific group the operation is not accessible if the connection is not secured. false