Transport protocols in the storefront

REST service requests can be sent over HTTP or HTTPS. Depending on the service being used, one protocol might be required over the other.

HTTPS versus HTTP

Some REST services must be sent securely over SSL (Secure Sockets Layer). When a REST service requires HTTPS, the request must be sent over HTTPS. The Rest.war/WEB-INF/config/com.ibm.commerce.rest/wc-rest-security.xml file defines the following REST services that require SSL, where the resource URLs defined in this file are used to match the request URL:

<sslConfig resource="store/{storeId}/cart/@self/checkout" enabled="true"/>
<sslConfig resource="store/{storeId}/cart/@self/precheckout" enabled="true"/>
<sslConfig resource="store/{storeId}/cart/@self/payment_instruction" enabled="true"/>
<sslConfig resource="store/{storeId}/cart/@self/shipping_info" enabled="true"/>
<sslConfig resource="store/{storeId}/guestidentity" enabled="true"/>
<sslConfig resource="store/{storeId}/loginidentity" enabled="true"/>
<sslConfig resource="store/{storeId}/ltpaidentity" enabled="true"/>
<sslConfig resource="store/{storeId}/order" enabled="true"/>
<sslConfig resource="store/{storeId}/person" enabled="true"/>
<sslConfig resource="store/{storeId}/wishlist" enabled="true"/>

Partial authentication is enabled by default in the wc-rest-security.xml file, indicated by the partialAuthentication flag. For example:

<security>
   <partialAuthentication resource="store/{storeId}/wishlist" method="POST" enabled="true"/>
</security>

Each resource listed as partialAuthentication=true is allowed to consume the partial authentication stored in the WC_PERSISTENT cookie. This configuration is used only if cookie consumption is allowed on the REST API. The default value is false. When a service is called, the service URL is matched against the resource patterns, starting with the longest pattern, which is the same behavior as the sslConfig nodes in the file.
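
The longest-pattern-first matching described above can be used to audit traffic against the file. The following Python sketch is an added example, not IBM code: it loads sslConfig entries, matches request paths longest pattern first, and flags plaintext requests to SSL-only resources. It assumes that {storeId} matches one path segment, that a pattern also covers sub-paths beneath it, that unlisted resources do not require HTTPS, and that paths are relative to the REST context root; the sample configuration and requests are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the entries quoted above. The <security>
# wrapper and the enabled="false" cart entry are assumptions for illustration.
SAMPLE_CONFIG = """
<security>
  <sslConfig resource="store/{storeId}/cart/@self/checkout" enabled="true"/>
  <sslConfig resource="store/{storeId}/cart" enabled="false"/>
  <sslConfig resource="store/{storeId}/person" enabled="true"/>
</security>
"""

def to_regex(resource):
    """Compile a resource pattern; {name} matches one path segment (assumption)."""
    parts = [r"[^/]+" if re.fullmatch(r"\{\w+\}", seg) else re.escape(seg)
             for seg in resource.strip("/").split("/")]
    # Assumption: a pattern also covers sub-paths beneath it.
    return re.compile("/".join(parts) + r"(?:/.*)?")

def load_ssl_rules(xml_text):
    """Return (resource, compiled pattern, enabled) tuples, longest resource first."""
    rules = [(n.get("resource"), to_regex(n.get("resource")), n.get("enabled") == "true")
             for n in ET.fromstring(xml_text).iter("sslConfig")]
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)

def requires_https(rules, path):
    """True if the longest matching sslConfig pattern is enabled; False if none match."""
    path = path.split("?", 1)[0].strip("/")
    for _resource, pattern, enabled in rules:
        if pattern.fullmatch(path):
            return enabled
    return False

def find_plaintext_violations(rules, requests):
    """Return the (scheme, path) pairs sent over http to an SSL-only resource."""
    return [(s, p) for s, p in requests if s == "http" and requires_https(rules, p)]

if __name__ == "__main__":
    rules = load_ssl_rules(SAMPLE_CONFIG)
    # Constructed requests, paths relative to the REST context root (assumption).
    observed = [
        ("http", "store/10001/cart/@self/checkout"),
        ("https", "store/10001/person/@self"),
        ("http", "store/10001/cart/@self"),
        ("http", "store/10001/productview/byId/1"),
    ]
    for scheme, path in find_plaintext_violations(rules, observed):
        print(f"plaintext request to SSL-only resource: {scheme}://.../{path}")
```

In the sample, the checkout request matches the longer checkout pattern before the shorter cart pattern is tried, which is why ordering by pattern length changes the result.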

HTTP method overrides

You must use a POST request with an HTTP method override header if your web server allows only the following methods:
  • GET
  • POST
and does not allow the following methods:
  • PUT
  • DELETE

For PUT methods, set the X-HTTP-Method-Override header to PUT:

X-HTTP-Method-Override: PUT

For DELETE methods, set the X-HTTP-Method-Override header to DELETE:

X-HTTP-Method-Override: DELETE