Example Two: Protecting an Application with a Resource
In this part of the example, we protect the web application with a resource. Only users that are members of roles granting them permissions on the resource are able to access HomePage.cls.
Before beginning, complete the following preliminary steps:
Add a user (user name is JSmith, password is JSmith) to InterSystems IRIS. Read Creating a User for instructions.
Add a new resource (SecurityTutorialResource). Assign the resource no public permissions. Read Creating a Resource for instructions.
Create a new role (SecurityTutorialRole). Add the SecurityTutorialResource:USE privilege to the role. Read Creating a Role for instructions.
After completing the above preliminary steps, do the following:
Edit the CSP Application definition for the /csp/user application. In the dropdown box labeled Resource required to run the application, select SecurityTutorialResource. Verify that the Enabled box is checked. Click Save.
In your REST client, execute the GET request again. Use Basic authentication and JSmith/JSmith as the Username/Password. You will see a not authorized error.
Next, add JSmith to the SecurityTutorialRole role. For instructions, read Adding a User to a Role.
This is not yet enough for our GET to succeed using JSmith's credentials. At this point, the credentials provide privileges on the application, but they provide no privileges on the USER database where the SecurityTutorial.AuthenticationExample code resides. If you execute the GET again, it will still fail with a not authorized status.
There are several ways that we could provide the necessary privileges. We could, for example, add privileges on the %DB_USER resource to the SecurityTutorialRole. Or, we could add JSmith to the %DB_USER role. This role exists already by default in the system and would give JSmith both Read and Write privileges on the USER database. Yet another approach involves Application Roles, which will be explained next in the tutorial.
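The following Python sketch is an added illustration, not InterSystems IRIS code and not part of the original tutorial. It models the two checks described above as a simplified role and resource evaluation, and runs the configurations from this section through it. The function names, the single-letter permission codes, and the assumption that Read on %DB_USER is what running the code requires are all choices made for this example.

```python
# Simplified model of the checks described above (added example, not IRIS code).
APP_RESOURCE = "SecurityTutorialResource"  # resource required to run /csp/user
DB_RESOURCE = "%DB_USER"                   # resource protecting the USER database

# Role definitions from this section: role -> {resource: permissions}
ROLES = {
    "SecurityTutorialRole": {APP_RESOURCE: "U"},
    "%DB_USER": {DB_RESOURCE: "RW"},  # default role: Read and Write on USER
}
# First option in the text: add a %DB_USER privilege to SecurityTutorialRole.
WIDENED = {**ROLES, "SecurityTutorialRole": {APP_RESOURCE: "U", DB_RESOURCE: "R"}}


def privileges(user_roles, role_defs, public=None):
    """Union of public permissions and those granted by the user's roles."""
    granted = {res: set(perms) for res, perms in (public or {}).items()}
    for role in user_roles:
        for resource, perms in role_defs.get(role, {}).items():
            granted.setdefault(resource, set()).update(perms)
    return granted


def authorize_get(user_roles, role_defs, public=None):
    """Return (allowed, reason) for the GET against the protected application."""
    granted = privileges(user_roles, role_defs, public)
    # Check 1: USE on the resource required to run the application.
    if "U" not in granted.get(APP_RESOURCE, set()):
        return False, "no USE on " + APP_RESOURCE
    # Check 2: Read on the database holding the code (assumed requirement).
    if "R" not in granted.get(DB_RESOURCE, set()):
        return False, "no Read on " + DB_RESOURCE
    return True, "authorized"


def scenarios():
    """The states JSmith passes through in this section, in order."""
    return {
        "JSmith, no roles": authorize_get([], ROLES),
        "JSmith in SecurityTutorialRole": authorize_get(["SecurityTutorialRole"], ROLES),
        "role widened with %DB_USER:R": authorize_get(["SecurityTutorialRole"], WIDENED),
        "JSmith also in %DB_USER role": authorize_get(["SecurityTutorialRole", "%DB_USER"], ROLES),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:32} -> {'OK' if ok else 'not authorized'} ({reason})")
```

In this model, both fixes let the GET succeed, but adding JSmith to the %DB_USER role also grants Write on the USER database, while widening SecurityTutorialRole grants only the Read that the request needs.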