## RESTHeart simple security configuration file.
---
## Configuration for file based Identity Manager
users:
  - userid: username
    password: password
    roles: [users, admins]

## Configuration for db based Identity Manager
## bcrypt-hashed-password: true to authenticate against bcrypt hashed passwords
## https://github.com/svenkubiak/jBCrypt
dbim:
  - db: userbase
    coll: accounts
    prop-name-id: _id
    prop-name-password: password
    prop-name-roles: roles
    bcrypt-hashed-password: false
    create-user: false
    create-user-document: '{"_id": "admin", "password": "secret", "roles": ["admins"]}'
    cache-enabled: false
    cache-size: 1000
    cache-ttl: 60000
    cache-expire-policy: AFTER_WRITE

## Config for AD Identity Manager
#adim:
#    - domainControllers: ldap://eastdc.example.com
#      principalNameSuffixes: corp.example.com,example.com

## Configuration for file based Access Manager

## Look at undertow documentation for information about predictates syntax
## http://undertow.io/undertow-docs/undertow-docs-1.3.0/index.html#predicates-attributes-and-handlers
## The special role $unauthenticated allows to give permissions without requiring authentication
permissions:
  # Users with role 'admins' can do anything
  - role: admins
    predicate: path-prefix[path="/"]

  # Not authenticated user can only GET any resource under the /publicdb URI
  - role: $unauthenticated
    predicate: path-prefix[path="/"] and method[value="GET"]

  # Users with role 'users' can GET any collection or document resource (excluding dbs)
  - role: users
    predicate: regex[pattern="/.*/.*", value="%R", full-match=true] and method[value="GET"]

  # Users with role 'users' can do anything on the collection /publicdb/{username}
  - role: users
    predicate: path-template[value="/publicdb/{username}"] and equals[%u, "${username}"]

  # Users with role 'users' can do anything on documents of the collection /publicdb/{username}
  - role: users
    predicate: path-template[value="/publicdb/{username}/{doc}"] and equals[%u, "${username}"]
# Same than previous one, but using regex predicate
# Users with role 'users' can do anything on documents of the collection /publicdb/{username}
#    - role: users
#      predicate: regex[pattern="/publicdb/(.*?)/.*", value="%R", full-match=true] and equals[%u, "${1}"]