Replies: 2 comments 1 reply
-
Currently the authorization logic is executed if and only if there is at least one authentication mechanism. We will modify this behavior in RESTHeart 6.2 to execute authorization logic if the request handling service is secured (i.e. its definition specifies the attribute This will allow configuring no auth mechanism while still authorizing requests (for instance, based on remote IP address). To reproduce the current behavior the authorizer
-
Done in commit 23bd408, will be part of RESTHeart 6.2. @dev-indb You can try it now using snapshot builds.
-
I wrote a custom `Authorizer` plugin for RESTHeart 5.1.5 version but method `isAllowed` is never called when I try to work directly in my IDE and RESTHeart project source code.
I can see the plugin is correctly registered in log file.
`fileAclAuthorizer` is enabled in the conf file and the attribute `enabledByDefault` is equal to `true` of `@registerPlugin` annotation.
I found a log entry with this message: "No Authentication Mechanisms defined"
I enabled tokenBasicAuthMechanism and the plugin works correctly.
In my plugin, I return `false` to `isAuthenticationRequired`.
That's why the plugin code is not processed by the handler.
This means that the authorizer code is processed if and only if there is at least one authentication mechanism.
That sounds good to me.
Maybe an `isAuthorizationRequired` method could load the security context too?
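Added example, not part of the thread and not RESTHeart project code: a sketch of the kind of authorizer discussed above, one that requires no authentication and decides on the remote IP address. The plugin name, the allow-list values, the package names and the use of `request.getExchange().getSourceAddress()` are assumptions; per the thread, on 5.1.5 `isAllowed` is only reached when at least one authentication mechanism is enabled, and from 6.2 when the service is secured.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.Set;

import org.restheart.exchange.Request;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.Authorizer;

@RegisterPlugin(
        name = "remoteIpAuthorizer", // hypothetical plugin name
        description = "allows requests only from allow-listed source addresses",
        enabledByDefault = true)
public class RemoteIpAuthorizer implements Authorizer {

    // Constructed sample allow-list; in a real deployment load it from the plugin configuration.
    private static final Set<String> ALLOWED =
            Set.of("127.0.0.1", "0:0:0:0:0:0:0:1", "10.0.0.15");

    @Override
    public boolean isAllowed(Request request) {
        // Decide on the TCP peer address, not on a client-supplied header such as
        // X-Forwarded-For, which any caller can set. Behind a reverse proxy the peer
        // is the proxy itself, so the allow-list must then be enforced at the proxy.
        InetSocketAddress peer = request.getExchange().getSourceAddress();
        if (peer == null) {
            return false; // no peer information: deny by default
        }
        InetAddress address = peer.getAddress();
        if (address == null) {
            return false; // unresolved address: deny by default
        }
        return ALLOWED.contains(address.getHostAddress());
    }

    @Override
    public boolean isAuthenticationRequired(Request request) {
        // No credentials are needed; the decision rests entirely on isAllowed().
        return false;
    }
}
```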