Handling security
You handle security in GWS high-level REST via scopes.
Security is configured following the OpenAPI specification recommendations: scopes implemented with OAuth and Bearer token authentication. OAuth lets the user access protected content on the resource server without sharing their credentials; instead, access is granted by access tokens forwarded to the GWS REST service.
To implement security the Genero Application Server delegate service must be running. For more information, see the How to implement delegation and Genero Identity Provider (GIP) pages in the Genero Application Server User Guide.
If there is no access token, or there is no delegate service providing the verification, the security function is not executed. Security is executed if, and only if, the request contains a scope definition and its value matches what is in the WSScope attribute.
- When testing your service in standalone mode without a GAS, the WSScope is not checked. However, when behind a GAS, the appropriate scope is required and you will need to deploy and secure the service with the Genero Identity Provider (GIP).
- Alternatively, if you need to integrate Genero REST services security into your own environment, you can also write your own delegate service to validate any kind of token, extract the scope from it, and forward it to the REST service.
Handling security errors
Access token errors are automatically handled by the GWS engine. You do not need to do anything in your code. If the client request does not have the correct access token, the service will return HTTP 403.
Publishing scopes
When you generate the service description, the scope you declared in the WSScope attribute (the user or group member detail) is published in the "security" section for that function in the OpenAPI specification file. If you declare scopes with a modular variable with the WSInfo and WSScope attributes, the "security" tag at the end of the specification file contains the security details.
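As an added example (not taken from the Genero documentation), the module below secures two REST functions with separate scopes so that a token scoped for reading cannot reach the write operation; the accountType record, the paths and the scope strings "accounts.read" and "accounts.write" are assumed, while WSGet, WSPost, WSPath, WSParam, WSDescription and WSScope are the GWS high-level REST attributes.

```4gl
IMPORT com

-- Constructed resource type; the field names are assumed.
PUBLIC TYPE accountType RECORD
    id INTEGER,
    owner STRING,
    balance DECIMAL(12,2)
END RECORD

-- Read access. Behind a GAS with the delegate service running, a
-- request whose token scope does not match "accounts.read" gets
-- HTTP 403 from the GWS engine and this body never runs. In
-- standalone mode (no GAS) the WSScope attribute is not checked.
PUBLIC FUNCTION getAccount(id INTEGER ATTRIBUTE(WSParam))
    ATTRIBUTES(WSGet,
               WSPath = "/accounts/{id}",
               WSDescription = "Return one account by id",
               WSScope = "accounts.read")
    RETURNS (accountType)
    DEFINE acc accountType
    LET acc.id = id
    LET acc.owner = "sample owner"   -- constructed value
    LET acc.balance = 0.00
    RETURN acc
END FUNCTION

-- Write access uses a distinct, more privileged scope, published
-- in the "security" section of this function's OpenAPI entry.
PUBLIC FUNCTION createAccount(acc accountType)
    ATTRIBUTES(WSPost,
               WSPath = "/accounts",
               WSDescription = "Create an account",
               WSScope = "accounts.write")
    RETURNS (INTEGER)
    -- Persistence omitted; echo the id of the created resource.
    RETURN acc.id
END FUNCTION
```

Generating the service description for this module produces one "security" entry per function, each listing only the scope declared on that function.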