How to make endpoint secure?


I have created one separate module and implemented some services and a controller. Those endpoints are not secure yet; everyone can call them. I just want to make them secure so only authorized users can call them. Is there any way that already exists in OpenMRS that helps me make my endpoints secure? Please help me figure this out.

@narukumar you can make your endpoints secure by making sure the right users have access to them through authentication and authorization using openmrs AOP.


@narukumar you can use the Authorized annotation at your service layer as done by the openmrs services. Here is an example.


@dkayiwa thank you for your response. I am already using the Authorized annotation but it’s not working. Is there any document so I could get to know more about it? I have applied @Authorized on one of my service layer methods, but I can still access my controller without passing a jsessionId in cookies or Basic Auth in the header.

Looking forward to hearing from you. Thank you.

Is the controller able to access the service layer without authentication?

@dkayiwa Yes, the controller is able to access the service layer without authentication.

Can you publish your module’s source on github?

Hey @dkayiwa Please visit my module’s source code, and you can see my service layer here.

Hey @gcliff Thank you for your reply.

Your suggestion is regarding AOP, not API security.

@narukumar AOP allows the programmer to express cross-cutting concerns in stand-alone modules called aspects. Aspects can contain advice (code joined to specified points in the program) and inter-type declarations (structural members added to other classes), e.g. a module can include advice that performs a security check before accessing API data through authorization and authentication.

A few comments:

  • For the @Authorized annotation to work, you need to provide some privilege to actually check for, e.g., @Authorized(PrivilegeConstants.GET_OBS).
  • In your REST controller, you are injecting UnassignedPrescriptionServiceImpl directly instead of injecting the interface, but the @Authorized annotations are only on the interface. You should be autowiring UnassignedPrescriptionService instead.
  • You probably want your controller to extend org.openmrs.module.webservices.rest.web.v1_0.controller.BaseRestController.

hello @ibacher I have done all the changes but still the endpoint is not secure; I am able to call it without passing authentication. Just to let you know, I have inserted one table in the openmrs database. Do I need to make a new privilege constant?

Are all your changes committed?

@dkayiwa yes, but I am not sure about the "PrivilegeConstants". How do they work for authorization, and should I make a new constant?

After adding the @Authorized annotation to your service interface method, the OpenMRS platform will automatically take care of the rest. As for the privilege constant, it is all up to you. For instance, you can use something like this: @Authorized("Create Prescriptions") for the createUnassignedPrescription() method.
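Putting the thread's three fixes together (a named privilege on the interface method, the controller autowiring the interface rather than the Impl, and extending BaseRestController), as an added example that is not code from the module's repository. The UnassignedPrescription class, the DAO, the package names and the Spring mapping are assumptions, and the service is assumed to be registered as a module service in moduleApplicationContext.xml so that OpenMRS attaches its authorization advice to the interface proxy.

```java
// --- UnassignedPrescriptionService.java (interface) ---
// @Authorized belongs here: OpenMRS's AOP advice wraps the interface proxy,
// so annotations on the Impl class alone are never seen.
import org.openmrs.annotation.Authorized;
import org.openmrs.api.OpenmrsService;

public interface UnassignedPrescriptionService extends OpenmrsService {

    // Assumed privilege name; it must also exist as a privilege in the database
    // (e.g. declared in config.xml) and be granted to the caller's role.
    @Authorized("Create Prescriptions")
    UnassignedPrescription createUnassignedPrescription(UnassignedPrescription prescription);
}

// --- UnassignedPrescriptionServiceImpl.java ---
// No security annotations needed here; the check happens before this code runs.
import org.openmrs.api.impl.BaseOpenmrsService;

public class UnassignedPrescriptionServiceImpl extends BaseOpenmrsService
        implements UnassignedPrescriptionService {

    private UnassignedPrescriptionDao dao; // hypothetical DAO, injected via moduleApplicationContext.xml

    public void setDao(UnassignedPrescriptionDao dao) { this.dao = dao; }

    @Override
    public UnassignedPrescription createUnassignedPrescription(UnassignedPrescription prescription) {
        return dao.saveUnassignedPrescription(prescription);
    }
}

// --- UnassignedPrescriptionController.java ---
import org.openmrs.module.webservices.rest.web.RestConstants;
import org.openmrs.module.webservices.rest.web.v1_0.controller.BaseRestController;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@Controller
@RequestMapping("/rest/" + RestConstants.VERSION_1 + "/unassignedprescription")
public class UnassignedPrescriptionController extends BaseRestController {

    // Interface type, not UnassignedPrescriptionServiceImpl: injecting the Impl
    // bypasses the proxy and therefore bypasses the privilege check entirely.
    @Autowired
    private UnassignedPrescriptionService service;

    @RequestMapping(method = RequestMethod.POST)
    @ResponseBody
    public Object create(@RequestBody UnassignedPrescription prescription) {
        // An unauthenticated caller, or one lacking "Create Prescriptions",
        // gets an APIAuthenticationException here, which the REST module maps to 401/403.
        return service.createUnassignedPrescription(prescription);
    }
}
```

A quick check that the wiring is right: call the endpoint once without credentials and once as a user whose role lacks the privilege; both must be rejected before any row is written.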