Questions about securing the API

avi.fatal · November 21, 2018, 3:21pm

Hi,
In my public API i need to register users with customer role, add rows in other related entities. (CustomerEntity, WebsiteInfoEntity and such…)

How is that supposed to happen?
Do I need to handle the above entirely with the anonymous user?
I assume that from this point and on, I will work with his user and password?
But what happened during the registration?

What’s the best practice here?
Thanks

artamonov · November 26, 2018, 10:30am

Hi,

If you want to perform some actions on behalf of system you can use a middleware service and perform all operations under system session. Anonymous should not be used since usually anonymous is restricted user for anonymous access, e.g. login window or REST-API calls.

Create a custom middleware service RegistrationService with your register() method.
Use com.haulmont.cuba.security.app.Authentication bean and its withSystemUser method:

@Inject
protected Authentication authentication;
...
authentication.withSystemUser(() -> {
    // register user here, create entities and so on
});

Call your middleware service from LoginWindow or from REST-API endpoint. Probably, in case of public REST-API you will need additional captcha check in Spring MVC controller to prevent spam.

avi.fatal · November 28, 2018, 9:25am

But, in my website, when I calling RegistrationService.register() I need to identify someone or else I will get an exception on trying to invoke a service without a session.

Or what you are saying is that RegistrationService.register() should be unsecured and inside I will impersonate as system user? if so, why not doing that also when logging in?

Thanks