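## RESTHeart simple security configuration file.
##
## NOTE(review): every credential in this file (username/password below,
## admin/secret in create-user-document) is a shipped sample value. Replace
## them before the service is reachable by anyone but the operator, and keep
## this file readable only by the RESTHeart process: the file based Identity
## Manager stores passwords here in clear text.
---
## Configuration for file based Identity Manager
users:
  - userid: username
    password: password
    roles: [users, admins]

## Configuration for db based Identity Manager
## bcrypt-hashed-password: true to authenticate against bcrypt hashed passwords
## https://github.com/svenkubiak/jBCrypt
dbim:
  - db: userbase
    coll: accounts
    prop-name-id: _id
    prop-name-password: password
    prop-name-roles: roles
    # false compares the stored password field as clear text; for anything
    # beyond local testing set this to true and store bcrypt hashes in the
    # accounts collection instead of plain passwords.
    bcrypt-hashed-password: false
    create-user: false
    # Only relevant when create-user is true. The password in this document is
    # a clear-text sample ("secret") and must be changed.
    create-user-document: '{"_id": "admin", "password": "secret", "roles": ["admins"]}'
    # Account lookup cache. NOTE(review): while an entry is cached, a password
    # or role change in the db is presumably not seen until the entry expires
    # (cache-ttl, apparently in milliseconds) - confirm before enabling this
    # where prompt revocation matters.
    cache-enabled: false
    cache-size: 1000
    cache-ttl: 60000
    cache-expire-policy: AFTER_WRITE

## Config for AD Identity Manager
## NOTE(review): the sample uses a plain ldap:// URL; unless the client
## upgrades the connection, bind credentials travel unencrypted to the domain
## controller. Prefer ldaps:// if the AD Identity Manager supports it.
#adim:
#  - domainControllers: ldap://eastdc.example.com
#    principalNameSuffixes: corp.example.com,example.com

## Configuration for file based Access Manager

## Look at undertow documentation for information about predicates syntax
## http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#predicates-attributes-and-handlers
## The special role $unauthenticated allows to give permissions without requiring authentication
permissions:
  # Users with role 'admins' can do anything
  - role: admins
    predicate: path-prefix[path="/"]

  # Not authenticated user can only GET any resource under the /publicdb URI
  # NOTE(review): this entry previously used path-prefix[path="/"], which
  # granted anonymous clients read access to every db and collection and
  # contradicted the comment above; the prefix is now limited to /publicdb/.
  - role: $unauthenticated
    predicate: path-prefix[path="/publicdb/"] and method[value="GET"]

  # Users with role 'users' can GET any collection or document resource (excluding dbs)
  - role: users
    predicate: regex[pattern="/.*/.*", value="%R", full-match=true] and method[value="GET"]

  # Users with role 'users' can do anything on the collection /publicdb/{username}
  # (the collection name must equal the authenticated user id, %u)
  - role: users
    predicate: path-template[value="/publicdb/{username}"] and equals[%u, "${username}"]

  # Users with role 'users' can do anything on documents of the collection /publicdb/{username}
  - role: users
    predicate: path-template[value="/publicdb/{username}/{doc}"] and equals[%u, "${username}"]

  # Same than previous one, but using regex predicate
  # Users with role 'users' can do anything on documents of the collection /publicdb/{username}
  # - role: users
  #   predicate: regex[pattern="/publicdb/(.*?)/.*", value="%R", full-match=true] and equals[%u, "${1}"]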