Enabling partial authentication and cookie-based authentication for REST services

You can enable partial authentication for new or existing REST services. Partial authentication enables persistent sessions for shoppers, so that they can be remembered.

Partial authentication is enabled by default in the wc-rest-security.xml file through the partialAuthentication element, which is set per resource. For example:

<security>
   <partialAuthentication resource="store/{storeId}/wishlist" method="POST" enabled="true"/>
</security>
Each resource listed with partialAuthentication enabled="true" is allowed to consume the partial authentication token or the partial authentication cookie; the default value is false. When a service is called, the service URL is matched against the resource patterns, starting with the longest pattern, which is the same behavior as the sslConfig nodes in the file.

You can create your own wc-rest-security.xml file in the Rest.war/WEB-INF/config/com.ibm.commerce.rest-ext directory to add an SSL requirement for new or existing REST services.
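The longest-pattern matching described above is easy to get wrong when several sslConfig and partialAuthentication entries overlap, so here is an added, stand-alone model of how such a file is evaluated for a request. It is not WebSphere Commerce code, and it assumes (the page does not say) that a {storeId}-style placeholder matches exactly one path segment, that resource patterns are matched as URL prefixes, and that the longest matching pattern wins for both element types. The sample file is constructed and uses only the elements and attributes the page documents.

```python
"""Model of how a wc-rest-security.xml file is applied to a REST request.

Added illustration, not WebSphere Commerce code. Assumptions not stated on
the page: a "{name}" placeholder matches exactly one path segment, patterns
are prefixes of the request URL, and the longest matching pattern wins.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample file: SSL is switched off for the store subtree in
# general, but the wishlist resource, which also accepts the partial
# authentication cookie, requires SSL (longest matching pattern wins).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<security>
  <sslConfig resource="store/{storeId}" enabled="false"/>
  <sslConfig resource="store/{storeId}/wishlist" enabled="true"/>
  <partialAuthentication resource="store/{storeId}/wishlist" method="POST" enabled="true"/>
</security>
"""


def _pattern_to_regex(resource: str) -> re.Pattern:
    """Turn 'store/{storeId}/wishlist' into a prefix regex with one segment per placeholder."""
    parts = re.split(r"(\{[^}]+\})", resource.strip("/"))
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(r"^" + body + r"(?:/|$)")


def _lookup(root: ET.Element, tag: str, url: str, method: str) -> Optional[bool]:
    """Return the enabled value of the longest matching <tag> element, or None if none matches."""
    path = url.strip("/")
    best_len, best = -1, None
    for el in root.iter(tag):
        resource = el.get("resource", "")
        el_method = el.get("method")  # optional: absent means every method
        if el_method is not None and el_method.upper() != method.upper():
            continue
        if _pattern_to_regex(resource).match(path) and len(resource) > best_len:
            best_len, best = len(resource), el
    if best is None:
        return None
    return best.get("enabled", "false").lower() == "true"


def ssl_required(config_xml: str, url: str, method: str) -> bool:
    """Page rule: when no sslConfig is defined for a resource, SSL is disabled by default."""
    return bool(_lookup(ET.fromstring(config_xml), "sslConfig", url, method))


def partial_auth_allowed(config_xml: str, url: str, method: str) -> bool:
    """Page rule: the partialAuthentication default is false."""
    return bool(_lookup(ET.fromstring(config_xml), "partialAuthentication", url, method))


if __name__ == "__main__":
    for url, method in (("store/10001/cart", "GET"),
                        ("store/10001/wishlist", "POST"),
                        ("store/10001/wishlist", "GET")):
        print(url, method,
              "ssl=%s" % ssl_required(SAMPLE_CONFIG, url, method),
              "partialAuth=%s" % partial_auth_allowed(SAMPLE_CONFIG, url, method))
```

Pairing an sslConfig entry with every partialAuthentication entry, as the sample does, keeps the persistent cookie from being presented to that resource over plain HTTP; the file format itself does not enforce that pairing.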

Procedure

  • To enable partial authentication for REST services:
    1. Enable persistent sessions for WebSphere Commerce.
    2. Enable partial authentication on the REST services you want to use:
      1. Create a wc-rest-security.xml file in the following directory, if it does not already exist:
        • Rest.war/WEB-INF/config/com.ibm.commerce.rest-ext
      2. Add the URL prefix of the resource to the file. The method attribute is optional; if it is not specified, the element applies to all methods.
        For example:
        
        <?xml version="1.0" encoding="UTF-8"?>
        <security>
          <!-- Define if SSL is enabled for a resource and its methods. -->
          <!-- When not defined, SSL is disabled for the resource by default. -->
          <!-- An optional "method" attribute may be set for each sslConfig element with value to be GET, POST, PUT, or DELETE. -->
          <sslConfig resource="store/{storeId}/myresource" enabled="true"/>
        </security>
        
      3. Ensure that each resource is listed as partialAuthentication=true to allow it to consume the partial authentication token or the partial authentication cookie.
      4. Save your changes and close the file.
      5. Restart your WebSphere Commerce server.
    3. No changes are required for applications that already consume the WC_PERSISTENT cookie.
  • To enable cookie-based authentication for REST services:
    1. Modify the REST configuration properties in the catalog component configuration file (wc-component.xml) to enable support for cookie authorization.

      For more information on the list of REST properties contained in the file, see REST configuration properties in the component configuration file (wc-component.xml).

      To enable cookie-based authentication by modifying the file, see Changing REST configuration properties in the component configuration file (wc-component.xml).

    2. You can then introduce REST calls in the web application, provided that all login operations from the web application set the session cookies appropriately.
      Note: Do not make REST calls to loginidentity to change between generic, guest or authenticated users. These calls would log out the cookie-based session.