unboundedpress/restheart/etc/security.yml.template

## RESTHeart simple security configuration file.
---
## Configuration for file based Identity Manager
users:
  - userid: username
    password: password
    roles: [users, admins]

## Configuration for db based Identity Manager
## bcrypt-hashed-password: true to authenticate against bcrypt hashed passwords
## https://github.com/svenkubiak/jBCrypt
dbim:
  - db: userbase
    coll: accounts
    prop-name-id: _id
    prop-name-password: password
    prop-name-roles: roles
    bcrypt-hashed-password: false
    create-user: false
    create-user-document: '{"_id": "admin", "password": "secret", "roles": ["admins"]}'
    cache-enabled: false
    cache-size: 1000
    cache-ttl: 60000
    cache-expire-policy: AFTER_WRITE

## Config for AD Identity Manager
#adim:
#    - domainControllers: ldap://eastdc.example.com
#      principalNameSuffixes: corp.example.com,example.com

## Configuration for file based Access Manager

## Look at undertow documentation for information about predictates syntax
## http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#predicates-attributes-and-handlers
## The special role $unauthenticated allows to give permissions without requiring authentication
permissions:
  # Users with role 'admins' can do anything
  - role: admins
    predicate: path-prefix[path="/"]

  # Not authenticated user can only GET any resource under the /publicdb URI
  - role: $unauthenticated
    predicate: path-prefix[path="/"] and method[value="GET"]

  # Users with role 'users' can GET any collection or document resource (excluding dbs)
  - role: users
    predicate: regex[pattern="/.*/.*", value="%R", full-match=true] and method[value="GET"]

  # Users with role 'users' can do anything on the collection /publicdb/{username}
  - role: users
    predicate: path-template[value="/publicdb/{username}"] and equals[%u, "${username}"]

  # Users with role 'users' can do anything on documents of the collection /publicdb/{username}
  - role: users
    predicate: path-template[value="/publicdb/{username}/{doc}"] and equals[%u, "${username}"]
# Same than previous one, but using regex predicate
# Users with role 'users' can do anything on documents of the collection /publicdb/{username}
#    - role: users
#      predicate: regex[pattern="/publicdb/(.*?)/.*", value="%R", full-match=true] and equals[%u, "${1}"]
initial commit 6 years ago			`## RESTHeart simple security configuration file.`
			`---`
			`## Configuration for file based Identity Manager`
			`users:`
			`- userid: username`
			`password: password`
			`roles: [users, admins]`

			`## Configuration for db based Identity Manager`
			`## bcrypt-hashed-password: true to authenticate against bcrypt hashed passwords`
			`## https://github.com/svenkubiak/jBCrypt`
			`dbim:`
			`- db: userbase`
			`coll: accounts`
			`prop-name-id: _id`
			`prop-name-password: password`
			`prop-name-roles: roles`
			`bcrypt-hashed-password: false`
			`create-user: false`
			`create-user-document: '{"_id": "admin", "password": "secret", "roles": ["admins"]}'`
			`cache-enabled: false`
			`cache-size: 1000`
			`cache-ttl: 60000`
			`cache-expire-policy: AFTER_WRITE`

			`## Config for AD Identity Manager`
			`#adim:`
			`# - domainControllers: ldap://eastdc.example.com`
			`# principalNameSuffixes: corp.example.com,example.com`

			`## Configuration for file based Access Manager`

			`## Look at undertow documentation for information about predictates syntax`
			`## http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#predicates-attributes-and-handlers`
			`## The special role $unauthenticated allows to give permissions without requiring authentication`
			`permissions:`
			`# Users with role 'admins' can do anything`
			`- role: admins`
			`predicate: path-prefix[path="/"]`

			`# Not authenticated user can only GET any resource under the /publicdb URI`
			`- role: $unauthenticated`
			`predicate: path-prefix[path="/"] and method[value="GET"]`

			`# Users with role 'users' can GET any collection or document resource (excluding dbs)`
			`- role: users`
			`predicate: regex[pattern="/./.", value="%R", full-match=true] and method[value="GET"]`

			`# Users with role 'users' can do anything on the collection /publicdb/{username}`
			`- role: users`
			`predicate: path-template[value="/publicdb/{username}"] and equals[%u, "${username}"]`

			`# Users with role 'users' can do anything on documents of the collection /publicdb/{username}`
			`- role: users`
			`predicate: path-template[value="/publicdb/{username}/{doc}"] and equals[%u, "${username}"]`
			`# Same than previous one, but using regex predicate`
			`# Users with role 'users' can do anything on documents of the collection /publicdb/{username}`
			`# - role: users`
			`# predicate: regex[pattern="/publicdb/(.?)/.", value="%R", full-match=true] and equals[%u, "${1}"]`