/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2011-2012 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

// A configuration for allowed HTTP requests. Each entry in the configuration contains a pattern
// to match against the incoming request ID and, in the event of a match, the associated roles,
// methods, and actions that are allowed for requests on that particular pattern.
//
// pattern:         A pattern to match against an incoming request's resource ID
// roles:           A comma separated list of allowed roles
// methods:         A comma separated list of allowed methods
// actions:         A comma separated list of allowed actions
// customAuthz:     A custom function for additional authorization logic/checks (optional)
// excludePatterns: A comma separated list of patterns to exclude from the pattern match (optional)
//
// A single '*' character indicates all possible values. With patterns ending in "/*", the "*"
// acts as a wild card to indicate the pattern accepts all resource IDs "below" the specified
// pattern (prefix). For example the pattern "managed/*" would match "managed/user" or anything
// starting with "managed/". Note: it would not match "managed", which would need to have its
// own entry in the config.
/*jslint vars:true*/

// Access-control rules for incoming HTTP requests. Each entry is matched against the
// request's resource ID; the meaning of pattern/roles/methods/actions/customAuthz/
// excludePatterns is given in the header comment above. Per that header a "*" in
// "roles" matches every role, so such entries are effectively open to any caller that
// reaches this layer -- NOTE(review): confirm against the authentication filter whether
// anonymous callers can reach them.
var httpAccessConfig = {
    "configs" : [
        // Login info is only readable by authenticated (openidm-authorized) callers.
        {
            "pattern" : "info/login",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*"
        },
        // Anyone can read from these endpoints
        {
            "pattern" : "info/ping",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "endpoint/dbTypes",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "endpoint/loadContent/*",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        // NOTE(review): the next two rules expose a create method and a query action to
        // every role. Unless the endpoint scripts enforce their own authorization,
        // consider restricting them to a named role.
        {
            "pattern" : "endpoint/createSchema",
            "roles" : "*",
            "methods" : "create",
            "actions" : "*"
        },
        {
            "pattern" : "endpoint/executeQuery",
            "roles" : "*",
            "methods" : "action",
            "actions" : "query"
        },
        // Token retrieval. "getToken" presumably constrains only the action method while
        // read is permitted without an action filter -- verify with the endpoint handler.
        {
            "pattern" : "endpoint/oidc",
            "roles" : "*",
            "methods" : "action,read",
            "actions" : "getToken"
        },
        // Favorites: authenticated users may query the collection and update entries below
        // the prefix. NOTE(review): the "/*" rule grants update on every ID under
        // endpoint/favorites/, so any per-user scoping must happen inside the endpoint.
        {
            "pattern" : "endpoint/favorites",
            "roles" : "openidm-authorized",
            "methods" : "query",
            "actions" : "*"
        },
        {
            "pattern" : "endpoint/favorites/*",
            "roles" : "openidm-authorized",
            "methods" : "update",
            "actions" : "*"
        },
        // openidm-admin can request nearly anything (some exceptions being a few system endpoints)
        // "system/*" is excluded from this catch-all and governed by the two rules that follow.
        // disallowQueryExpression() is not defined in this view of the file; custom
        // authorization functions belong at the bottom of the file.
        {
            "pattern" : "*",
            "roles" : "openidm-admin",
            "methods" : "*", // default to all methods allowed
            "actions" : "*", // default to all actions allowed
            "customAuthz" : "disallowQueryExpression()",
            "excludePatterns": "system/*"
        },
        // additional rules for openidm-admin that selectively enable certain parts of system/
        {
            "pattern" : "system/*",
            "roles" : "openidm-admin",
            "methods" : "create,read,update,delete,patch,query", // restrictions on 'action'
            "actions" : "", // empty: this rule grants no actions; 'action' is deliberately absent from methods
            "customAuthz" : "disallowQueryExpression()"
        },
        // Note that these actions are available directly on system as well
        // Only this explicit list of actions is permitted on system/* for openidm-admin.
        {
            "pattern" : "system/*",
            "roles" : "openidm-admin",
            "methods" : "action",
            "actions" : "test,testConfig,createconfiguration,liveSync"
        }
    ]
};

// Additional custom authorization functions go here