
Api and Authorization

Jan Tomášek edited this page Sep 26, 2024 · 5 revisions
  • The API is accessible at host:port/api. The port may be configured in the application.yml file.

Authorization

  • The requests require JWT authorization:
    • Authorization token is obtained in the response header of a successful login request.
    • Authorization header format: 'Authorization:Bearer authorization-token'

Swagger Documentation

  • The Swagger documentation is accessible at: host:port/swagger-ui.html

  • Use the login method from user-api to obtain the authorization token. The login method uses basic authorization: fill Authorization:Basic base64(username:password) into the Swagger Authorization header field of the login endpoint. After that, copy the JWT token from the response header and use it for JWT authorization in the Swagger Authorization fields of other requests.

  • The Swagger download link offered for downloading an object during an object retrieval request is broken. Use another tool, e.g. Postman or cURL, to call the object retrieval endpoints. Because the request needs an authorization header, it is not possible to call the endpoint just by pasting the URL into the address bar.
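
The login and retrieval flow described above, scripted outside Swagger as an added example (not ARCLib's own code). The login path, object path, HTTP method of the login call and the name of the response header carrying the token are assumptions passed in as parameters; take the real values from the Swagger page.

```python
# Added example, not ARCLib code. login_path, the object path and token_header are
# assumptions: take the real values from the Swagger page (user-api login method).
import base64
import shutil
import urllib.request
from urllib.parse import urlsplit

def _check_transport(url):
    # Basic credentials and JWTs are replayable, so refuse cleartext except loopback.
    parts = urlsplit(url)
    if parts.scheme != "https" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
        raise ValueError("refusing to send credentials over a non-TLS URL: " + url)
    return url

def login_request(base_url, login_path, username, password, method="POST"):
    # Authorization: Basic base64(username:password), as the login endpoint expects.
    basic = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(_check_transport(base_url + login_path), method=method,
                                  headers={"Authorization": "Basic " + basic})

def token_from_headers(headers, token_header="Authorization"):
    # Accept "Bearer <jwt>" or a bare "<jwt>" in the chosen response header.
    value = (headers.get(token_header) or "").strip()
    if value.lower().startswith("bearer "):
        value = value[7:].strip()
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):  # compact JWT: three non-empty segments
        raise ValueError(f"no JWT found in response header {token_header!r}")
    return value

def bearer_request(base_url, path, token):
    # Every call after login carries the token in the Authorization header.
    return urllib.request.Request(_check_transport(base_url + path),
                                  headers={"Authorization": "Bearer " + token})

def fetch_object(base_url, login_path, object_path, username, password, dest):
    # Log in, then stream the object to disk (retrieved objects can be large).
    login = login_request(base_url, login_path, username, password)
    with urllib.request.urlopen(login, timeout=30) as resp:
        token = token_from_headers(resp.headers)
    download = bearer_request(base_url, object_path, token)
    with urllib.request.urlopen(download, timeout=300) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest
```

The token stays in a request header and is never placed in a URL or printed, so it does not end up in proxy logs or shell history.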

Roles

A role is essentially an editable named group of permissions used to link permissions with users. Every user can have multiple roles. ARCLib comes with 5 default roles: superadmin, admin, analyst, archivist and deletion acknowledgement. See the Authorization sheet for the mapping of GUI sections, API endpoints and required permissions and roles.

Adding new user

A new ARCLib user can be added in two ways:

Login first (only if LDAP authentication is enabled):

  1. The responsible person creates an LDAP account on an LDAP server connected to ARCLib*
  2. The user logs in (with the username/password obtained from the LDAP admin) and sees a message that he/she has to wait for an ARCLib admin to assign him/her permissions
  3. All ARCLib users with the SUPER_ADMIN_PRIVILEGE permission are notified by email
  4. Any of the notified users finds the new user in the ARCLib GUI and assigns him/her roles

Create user first:

  1. A new user is created by a user with the appropriate permission in the User section of the ARCLib GUI. The creating user can also assign roles to the created user straight away.
  2. The user logs in

If LDAP authentication is enabled:

  • The domain name must match the pattern of the organisation running the ARCLib instance. The pattern is configured in the LDAP section of the application.yml file.
  • In the "Create user first" case, the username filled in when creating the user must match the username/id under which the user is looked up in LDAP; see the LDAP section of the application.yml file.
