Securing REST services using Secure Sockets Layer (SSL)

Requests to some REST services must be sent securely over Secure Sockets Layer (SSL). You can add an SSL requirement for new or existing REST services.

The Rest.war/WEB-INF/config/com.ibm.commerce.rest/wc-rest-security.xml file defines all the REST services that require SSL. In this file, resource URL prefixes are specified and all the requests that match the URL prefixes must be sent over HTTPS. Otherwise, an error response is generated.

Partial authentication is enabled by default in the wc-rest-security.xml file, indicated by the partialAuthentication flag. For example:

<security>
   <partialAuthentication resource="store/{storeId}/wishlist" method="POST" enabled="true"/>
</security>
Each resource listed as partialAuthentication=true (a partialAuthentication element with enabled="true", as in the example) is allowed to consume the partial authentication stored in the WC_PERSISTENT cookie. This configuration is used only if cookie consumption is allowed on the REST API. The default value for a resource is false. When a service is called, the service URL is matched against the resource patterns, starting with the longest pattern; this is the same matching behavior as the sslConfig nodes in the file.

You can create your own wc-rest-security.xml file in the Rest.war/WEB-INF/config/com.ibm.commerce.rest-ext directory to add an SSL requirement for new or existing REST services.

Procedure

  1. Create a wc-rest-security.xml file in the following directory, if it does not already exist:
    • Rest.war/WEB-INF/config/com.ibm.commerce.rest-ext
  2. Add the URL prefix to the file. The method attribute is optional. If it is not specified, the entry applies to all methods.
    For example:
    
    <?xml version="1.0" encoding="UTF-8"?>
    <security>
      <!-- Define if SSL is enabled for a resource and its methods. -->
      <!-- When not defined, SSL is disabled for the resource by default. -->
      <!-- An optional "method" attribute may be set for each sslConfig element with value GET, POST, PUT, or DELETE. -->
      <sslConfig resource="store/{storeId}/myresource" enabled="true"/>
    </security>
    
  3. If you want to enable partial authentication, ensure that each resource is listed as partialAuthentication=true to allow it to consume the partial authentication token or the partial authentication cookie.
  4. Save your changes and close the file.
  5. Restart your HCL Commerce server.
  6. If you want to enable SSL Acceleration, ensure that you change the SSLAcceleratorOption and inSSLPort properties in the Foundation component configuration file (Search EAR). For more information about the property values, see REST configuration properties in the component configuration file (wc-component.xml). For more information about updating the REST configuration, see Changing REST configuration properties in the component configuration file (wc-component.xml).
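The matching rules described above (URL prefix patterns with {storeId}-style placeholders, longest pattern first, an optional method attribute that otherwise applies to all methods) can be checked against a sample file before a server restart. The following script is an added illustration, not product code: it reads a constructed wc-rest-security.xml fragment and reports whether a request over a given scheme would be rejected by the sslConfig rules or allowed to use partial authentication.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a wc-rest-security.xml; not the file shipped with the product.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<security>
  <sslConfig resource="store/{storeId}/myresource" enabled="true"/>
  <sslConfig resource="store/{storeId}/myresource/public" method="GET" enabled="false"/>
  <partialAuthentication resource="store/{storeId}/wishlist" method="POST" enabled="true"/>
</security>"""


def load_rules(xml_text, tag):
    """Return (regex, resource, method, enabled) for every <tag> element,
    sorted longest resource pattern first, which is the documented match order."""
    rules = []
    for el in ET.fromstring(xml_text.encode()).iter(tag):
        resource = el.get("resource", "").strip("/")
        # A {placeholder} segment matches exactly one path segment; the resource
        # is a URL prefix, so the request path may continue after it.
        parts = [r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
                 for p in resource.split("/")]
        regex = re.compile("^" + "/".join(parts) + "(?:/|$)")
        method = (el.get("method") or "").upper() or None   # None = all methods
        rules.append((regex, resource, method, el.get("enabled") == "true"))
    rules.sort(key=lambda r: len(r[1]), reverse=True)
    return rules


def first_match(rules, path, method):
    """Return (resource, enabled) for the first rule that matches, or None."""
    path = path.strip("/")
    for regex, resource, rule_method, enabled in rules:
        if regex.match(path) and rule_method in (None, method.upper()):
            return resource, enabled
    return None


def check_request(xml_text, scheme, path, method):
    """'error' when the matched resource requires SSL but the request is not
    HTTPS; 'ok' otherwise. Unlisted resources do not require SSL."""
    hit = first_match(load_rules(xml_text, "sslConfig"), path, method)
    if hit is not None and hit[1] and scheme.lower() != "https":
        return "error"
    return "ok"


def allows_partial_auth(xml_text, path, method):
    """True when the request may consume the partial authentication cookie."""
    hit = first_match(load_rules(xml_text, "partialAuthentication"), path, method)
    return hit is not None and hit[1]
```

Note that the longer, method-specific rule for /public wins for GET only; a POST to the same path falls through to the shorter prefix rule and still requires HTTPS.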