You can configure access to service endpoints in two ways:

  • Configure whether authenticated access to services is required by default, using fusion.security.serviceAuthenticationRequired.

  • Configure whether authenticated access is required for specific endpoint patterns. List these patterns under fusion.security.authenticatedEndpoints, with authenticated set to either true or false.

Default access is configured for all endpoint patterns returned by getEndpointPatterns() of the ILfnServiceTypeConfiguration implementations registered as Spring beans in the ApplicationContext. The default therefore applies to all service types that LuciadFusion knows about. It is not applied to custom service endpoints.

The following examples illustrate how to configure specific use cases. In each case we will modify the fusion.security section that can be found in application-fusion.development.yml and application-fusion.production-template.yml.

Our starting point is a configuration with anonymous access allowed for all services.

fusion.security:
  enabled: true
  # Configures all service endpoints to allow anonymous access using Platform's authentication system
  serviceAuthenticationRequired: false

Enabling authenticated access for a service of a certain type

To require authenticated access for all services of a specific type, we add the endpoint patterns that match that type to authenticatedEndpoints, with authenticated set to true. If we require authenticated access for the WMS service type (the endpointPattern ${fusion.ogc.wms.basePath}/**), this results in the following configuration:

# Enables access control
fusion.security:
  enabled: true
  # Configures all service endpoints to allow anonymous access using Platform's authentication system
  serviceAuthenticationRequired: false
  # Overrides the default configuration, by requiring authenticated access for the /wms/** endpoint pattern
  authenticatedEndpoints:
      - endpointPattern: "${fusion.ogc.wms.basePath}/**"
        authenticated: true

Enabling authenticated access for all services

To require authenticated access for all services, we set the serviceAuthenticationRequired property to true. This results in the following configuration.

fusion.security:
  enabled: true
  # Configures all service endpoints to require authentication using Platform's authentication system
  serviceAuthenticationRequired: true

Enabling anonymous access for all services of a specific type

To enable anonymous access for all services of a specific type, we add the endpoint patterns that match that type to authenticatedEndpoints, with authenticated set to false. If we add anonymous access for the WMS service type (the endpointPattern ${fusion.ogc.wms.basePath}/**), this results in the following configuration:

# Enables access control
fusion.security:
  enabled: true
  # Configures all service endpoints to require authentication using Platform's authentication system
  serviceAuthenticationRequired: true
  # Overrides the default configuration, by enabling anonymous access for the /wms/** endpoint pattern
  authenticatedEndpoints:
      - endpointPattern: "${fusion.ogc.wms.basePath}/**"
        authenticated: false

Enabling anonymous access for services of a specific type and with a specific name

To enable anonymous access for all services of a specific type whose name starts with a certain value, we add an endpoint pattern that matches those endpoints to authenticatedEndpoints, with authenticated set to false. To enable anonymous access for WMS services with a name that starts with public, we add a new endpointPattern at the start. This results in the following configuration:

# Enables access control
fusion.security:
  enabled: true
  serviceAuthenticationRequired: true
  # Overrides the default configuration, by enabling anonymous access for the /wms/public*/** endpoint pattern
  authenticatedEndpoints:
      - endpointPattern: "${fusion.ogc.wms.basePath}/public*/**"
        authenticated: false

With access control enabled, you need to grant permissions to the LFN_ANONYMOUS role for the Data resources to which the anonymous users must have access. See Access Control in LuciadFusion for more information.
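To review which endpoint patterns a fusion.security section leaves open to anonymous users, the following added example (not part of LuciadFusion) summarizes an already parsed section. The function names, the sample mappings and the /internal/** pattern are constructed for illustration, and treating the quoted strings "true" and "false" as booleans is an assumption.

```python
# Added example: audits a parsed fusion.security mapping (keys as shown on this page).
# Assumption: quoted "true"/"false" strings are treated as booleans.

def as_bool(value):
    """Normalise YAML booleans and 'true'/'false' strings; None if unset or other."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None

def audit(security):
    """Summarise which endpoint patterns the section leaves open to anonymous users."""
    report = {
        "enabled": as_bool(security.get("enabled")),
        "default_requires_auth": as_bool(security.get("serviceAuthenticationRequired")),
        "anonymous": [],       # patterns with authenticated: false
        "authenticated": [],   # patterns with authenticated: true
        "invalid": [],         # incomplete overrides that need manual review
    }
    for entry in security.get("authenticatedEndpoints") or []:
        pattern = entry.get("endpointPattern")
        flag = as_bool(entry.get("authenticated"))
        if not pattern or flag is None:
            report["invalid"].append(entry)
        elif flag:
            report["authenticated"].append(pattern)
        else:
            report["anonymous"].append(pattern)
    return report

# Constructed samples mirroring the page's examples, as a YAML parser would return them.
OPEN_DEFAULT = {
    "enabled": True,
    "serviceAuthenticationRequired": False,
    "authenticatedEndpoints": [
        {"endpointPattern": "${fusion.ogc.wms.basePath}/**", "authenticated": True},
    ],
}
CLOSED_DEFAULT = {
    "enabled": True,
    "serviceAuthenticationRequired": True,
    "authenticatedEndpoints": [
        {"endpointPattern": "${fusion.ogc.wms.basePath}/public*/**", "authenticated": "false"},
        {"endpointPattern": "${fusion.ogc.wms.basePath}/internal/**"},  # flag missing
    ],
}

if __name__ == "__main__":
    for name, cfg in (("open default", OPEN_DEFAULT), ("closed default", CLOSED_DEFAULT)):
        print(name, audit(cfg))
```

Every pattern reported under anonymous is one where the LFN_ANONYMOUS role also needs permissions on the Data resources, and custom service endpoints are outside the default that this report reflects.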