Info

Unless otherwise specified, all DSpace v7 REST API methods/endpoints default to ANONYMOUS access. This page details how to access-restrict specific endpoints/methods by simply adding @PreAuthorize annotations to those methods.

The authorization checks in the new REST API are based on Spring Security authorization annotations. Currently we only make use of the @PreAuthorize annotation. This means Spring will evaluate the expression within the annotation before executing the annotated method. Spring Security relies on Spring AOP proxies to do this, which means that inner-class method calls (a method calling another method of the same bean directly) are not evaluated by Spring Security, unless you autowire a self-reference; see this StackOverflow discussion.

If the evaluation of the expression fails or returns false, Spring will not execute the method and will return a 40x response. If the user is authenticated, this will be a 403 Forbidden response. If the user is not authenticated, this will be a 401 Unauthorized response. This is configured using the DSpace401AuthenticationEntryPoint class.
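The following is an added illustration, not DSpace's own code, of the two points above: a @PreAuthorize-guarded method, the self-invocation pitfall (and the autowired self-reference that avoids it), and an AuthenticationEntryPoint that answers unauthenticated callers with 401. The package, class names, the `ADMIN` authority string and the realm header value are all assumptions chosen for the example; DSpace's real entry point is the DSpace401AuthenticationEntryPoint class mentioned above.

```java
// Added example (not DSpace code). Package and class names are assumptions.
package example.rest;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Service whose methods are guarded by Spring Security method annotations. */
@Service
public class ItemAdminService {

    // Self-reference resolved through the AOP proxy, so internal calls are
    // still intercepted. Without it, a direct call to deleteItem() from
    // inside this class bypasses the proxy and therefore the @PreAuthorize check.
    @Autowired
    @Lazy
    private ItemAdminService self;

    /** Only an authenticated user holding the ADMIN authority may call this. */
    @PreAuthorize("hasAuthority('ADMIN')")
    public void deleteItem(String itemId) {
        // ... delete the item (body omitted for the example)
    }

    /** No annotation: falls back to the default, i.e. anonymous access. */
    public String describeItem(String itemId) {
        return "item " + itemId;
    }

    /**
     * WRONG: direct inner-class call. Spring never sees this invocation, so the
     * ADMIN check on deleteItem() is silently skipped.
     */
    public void purgeUnchecked(String itemId) {
        deleteItem(itemId);
    }

    /**
     * RIGHT: route the call through the proxied self-reference so the
     * @PreAuthorize expression is evaluated before deleteItem() runs.
     */
    public void purgeChecked(String itemId) {
        self.deleteItem(itemId);
    }
}

/**
 * Entry point invoked when an UNauthenticated caller hits a protected method:
 * it produces 401 Unauthorized. An authenticated caller who fails the
 * expression is instead handled by the AccessDeniedHandler and gets 403.
 */
@Component
class Example401EntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        // Realm value is a constructed placeholder.
        response.setHeader("WWW-Authenticate", "Bearer realm=\"example-rest-api\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
    }
}
```

Two things outside this file are needed for it to behave as described: method security must be switched on in a configuration class (`@EnableGlobalMethodSecurity(prePostEnabled = true)` in Spring Security 5), and the entry point must be registered on the HTTP security configuration (`http.exceptionHandling().authenticationEntryPoint(...)`). When reviewing a new endpoint, check not only that the annotation is present but also that every path to the annotated method crosses the proxy boundary; `purgeUnchecked` above is the pattern to look for.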

...