Security Rules - Dynamic URLs

Security Rules

Security rules are used to build the Spring SecurityFilterChain that filters incoming requests. By default, MOTECH blocks access to every resource unless you are logged in, so accessing any URL redirects to the login page. If an endpoint needs a different configuration, you must add a new rule or edit an existing one.

Each rule contains the following parameters:

Display name (parameter name): description. Values: allowed values.

Active (active): enables or disables the rule. Values: true, false.
URL Pattern (pattern): the URL pattern the security rule applies to; ? matches one character, * matches zero or more characters, ** matches zero or more 'directories' in a path. Values: any pattern.
Protocol (protocol): the protocol used for communication. Values: HTTP or HTTPS.
HTTP Method (methodsRequired): the HTTP methods that may access the endpoint. Values: ANY, GET, POST, HEAD, OPTIONS, PUT, DELETE, TRACE.
Rest (rest): whether the endpoint takes part in the form login process or is a REST endpoint that does not create a session for the client. Values: true, false.
Priority (priority): a rule with a higher priority is checked first. Values: a priority value.
Supported Schema (supportedSchemes): the authentication that is required. Values: NO_SECURITY, or one or more of USERNAME_PASSWORD, BASIC, OPEN_ID.
User access (userAccess): the users that have access. Values: a list of user names.
Permission Access (permissionAccess): the user must hold at least one of the listed permissions to access the URL. Values: a list of permission names.
(Not present in GUI) (origin): the module or user the rule originated from. Rules with the SYSTEM_PLATFORM origin are cleared at server start so that the server always reloads them. Values: any.
(Not present in GUI) (version): the version of the module or platform in which the rule was created. Values: any.

Priority

You can specify the order of processing with the priority parameter. Rules with a greater priority are checked first, so when rules conflict, the one with the higher priority overrides the ones with lower priority. In that case it is worth using more specific URL patterns; this works well for a hierarchical URL layout.

User access and permission access

When you combine permission access and user access in one rule, be aware that the two options are evaluated separately. For example, if you grant User access to sampleUser and Permission access to the viewSecurity permission, the endpoint is accessible to sampleUser and to every other user who holds the viewSecurity permission.

Supported Schema, Rest and @PreAuthorize

If resources are protected with the @PreAuthorize annotation, remember that the NO_SECURITY schema will not work, because access to those resources is granted only to users with the respective roles. With the other schemas the user still has to hold the appropriate roles. The value of the rest option also matters: if it is true, only the NO_SECURITY and BASIC schemas are supported.

Configuration via GUI

Attention

Before saving the configuration, check that the settings are correct: you can lock yourself out of changing them, or open up access to the whole system. If you have lost access to the system because of an incorrect security rule configuration, read the section on regaining access.

To edit these settings via the GUI, your user account must have the viewSecurity and updateSecurity permissions. To open the configuration, select the 'Manage dynamic URLs' option under the Security tab in the Admin panel. You should see a list of all security rules. When you start editing or adding a security rule, the form expands and shows the options described earlier. To activate the current configuration you must save your changes.

Configuration screen for security rules

Configuration via files

You can add rules to your module using configuration files. To do this, create a file named securityRules.json, place it in the module's resources directory and build the module. MOTECH discovers security rule configuration files automatically when the module starts.

Sample file:

[
    {
        "active": true,
        "pattern": "/**/myModuleApi/someResources/**",
        "supportedSchemes": [
            "NO_SECURITY"
        ],
        "protocol": "HTTP",
        "priority": 2,
        "rest": true,
        "origin": "SYSTEM_MODULE_MY_MODULE",
        "version": "0.25",
        "methodsRequired": [
            "GET",
            "POST"
        ]
    },
    {
        "active": true,
        "pattern": "/**/myModuleApi/otherResources/**",
        "supportedSchemes": [
            "BASIC"
        ],
        "protocol": "HTTP",
        "userAccess": [
            "userName"
        ],
        "priority": 3,
        "rest": true,
        "origin": "SYSTEM_MODULE_MY_MODULE",
        "version": "0.25",
        "methodsRequired": [
            "ANY"
        ]
    }
]
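
The following model, added here as an example and not MOTECH's own code, shows how rules in the shape of the sample file above are resolved: highest priority first, with the ? / * / ** pattern syntax, the separate evaluation of userAccess and permissionAccess, and a check for schemes that a rest=true rule cannot use. The rule data, the user names and the functions (ant_to_regex, find_rule, is_allowed, unsupported_rest_schemes) are constructed for this example, and the pattern matching is an approximation of Spring's Ant-style matcher.

```python
import re
# Constructed rules in the shape of securityRules.json (example data, not MOTECH's own code).
RULES = [
    {"active": True, "priority": 2, "rest": True, "pattern": "/**/myModuleApi/someResources/**",
     "supportedSchemes": ["NO_SECURITY"], "methodsRequired": ["GET", "POST"]},
    {"active": True, "priority": 3, "rest": True, "pattern": "/**/myModuleApi/otherResources/**",
     "supportedSchemes": ["BASIC"], "methodsRequired": ["ANY"],
     "userAccess": ["sampleUser"], "permissionAccess": ["viewSecurity"]},
    {"active": True, "priority": 1, "rest": False, "pattern": "/**",  # stands in for the platform default
     "supportedSchemes": ["USERNAME_PASSWORD"], "methodsRequired": ["ANY"]},
]

# ? = one non-slash char, * = zero or more non-slash chars, /**/ = zero or more directories,
# and a trailing /** also matches the bare prefix (the /**/ token must be tried before /**)
ANT_TOKENS = [("/**/", "/(?:.*/)?"), ("/**", "(?:/.*)?"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]")]

def ant_to_regex(pattern):
    out, i = [], 0
    while i < len(pattern):
        for token, fragment in ANT_TOKENS:
            if pattern.startswith(token, i):
                out.append(fragment)
                i += len(token)
                break
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def find_rule(rules, path, method):
    # Highest priority first; the first active rule whose pattern and method both match wins
    for rule in sorted(rules, key=lambda r: r["priority"], reverse=True):
        methods = rule.get("methodsRequired", ["ANY"])
        if rule.get("active") and ("ANY" in methods or method in methods) \
                and ant_to_regex(rule["pattern"]).match(path):
            return rule
    return None

def is_allowed(rule, user=None, permissions=()):
    # userAccess and permissionAccess are checked separately: a listed user gets in, and so does
    # any other user holding at least one listed permission; user=None means not logged in
    if rule is None:
        return False
    users, perms = rule.get("userAccess", []), rule.get("permissionAccess", [])
    if not users and not perms:  # unrestricted: NO_SECURITY is open, other schemes need a login
        return "NO_SECURITY" in rule["supportedSchemes"] or user is not None
    return user in users or any(p in perms for p in permissions)

def unsupported_rest_schemes(rule):
    # A rest=true rule can only use NO_SECURITY or BASIC; anything else it lists will not work
    return [s for s in rule["supportedSchemes"] if s not in ("NO_SECURITY", "BASIC")] if rule.get("rest") else []
```

A request that matches a rule's pattern but not its methodsRequired falls through to the next rule by priority, which is why the DELETE case below ends up on the catch-all rule.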

Regaining access

To regain access to MOTECH, restart it. When the server starts, the default platform rules are always reloaded, which may be enough to regain access. If that does not work, try dropping the database table that holds the security rules, or delete only the rules that block access.