Replies: 2 comments 1 reply
-
Currently the authorization logic is executed if and only if there is at least one authentication mechanism. We will modify this behavior in RESTHeart 6.2 to execute authorization logic if the request handling service is secured (i.e. its definition specifies the attribute This will allow configuring no auth mechanism while still authorizing requests (for instance, based on remote IP address). To reproduce the current behavior the authorizer
-
Done in commit 23bd408, will be part of RESTHeart 6.2. @dev-indb You can try it now using snapshot builds.
-
I wrote a custom `Authorizer` plugin for RESTHeart version 5.1.5, but the method `isAllowed` is never called when I try to work directly in my IDE with the RESTHeart project source code.

I can see the plugin is correctly registered in the log file.

`fileAclAuthorizer` is enabled in the conf file and the attribute `enabledByDefault` of the `@registerPlugin` annotation is equal to `true`.

I found a log entry with this message: "No Authentication Mechanisms defined"

I enabled tokenBasicAuthMechanism and the plugin works correctly.

In my plugin, I return `false` to `isAuthenticationRequired`.

That's why the plugin code is not processed by the handler.

This means that the authorizer code is processed if and only if there is at least one authentication mechanism.

That sounds good to me.

Maybe an `isAuthorizationRequired` method could load the security context too?