Protecting the ruleset testing user interface
The testing page (/run) is not a runtime API and is not protected by default. If you want to add security to that user interface, you must explicitly grant the access to user roles.
Before you begin
The ruleset testing feature is available only for the REST API. For information about the testing feature, see Testing a ruleset for REST execution
About this task
You can protect the testing page by adding the
<security-constraint> block
in the web.xml deployment descriptor file. You must grant access to all three
default roles (resAdministrators, resMonitors, and
resDeployers) that are predefined in Rule Execution Server.Note: The Swagger UI
interface (/swagger) is not protected by default either, so you can apply the same procedure to it
in case you need to protect it.
Procedure
See the following
<security-constraint> block in the
web.xml deployment descriptor file: <security-constraint>
<web-resource-collection>
<web-resource-name>Decision Service Testing UI</web-resource-name>
<url-pattern>/run</url-pattern>
<url-pattern>/swagger</url-pattern>
</web-resource-collection>
</web-resource-collection>
<auth-constraint>
<role-name>resAdministrators</role-name>
<role-name>resMonitors</role-name>
<role-name>resDeployers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Default</realm-name>
</login-config>Important:
CONFIDENTIAL in the transport-guarantee tag
means that the use of HTTPS is required. When HTTP is used, it is redirected to HTTPS.For more information about each subelement in the preceding example, see Specifying Security Constraints
.
To invoke the decision service APIs with other user roles, you must add new roles.