You can configure access to service endpoints in several ways:

  • Configure whether authenticated access to services is required by default, using fusion.security.serviceAuthenticationRequired in the LuciadFusion configuration files.

  • Configure whether authenticated access is required for specific endpoint patterns. You can list these patterns under fusion.security.authenticatedEndpoints, with authenticated set to either true or false.

  • Configure whether authenticated access is required on a service-by-service basis, using the service detail panel in the LuciadFusion Studio web application or the PUT /api/services/{serviceId} endpoint.

Your default access configuration applies to all endpoint patterns returned by getEndpointPatterns() of the ILfnServiceTypeConfiguration implementations registered as Spring beans in the ApplicationContext. This means that the default configuration is applicable to all built-in LuciadFusion service types. The default doesn’t apply to custom service endpoints.

The examples in this article illustrate how to configure specific use cases. To resolve most cases, you change the fusion.security section in the application-fusion.development.yml and application-fusion.production-template.yml configuration files. To configure access control for one specific service, you must use other means.

The examples start from a configuration with anonymous access allowed for all services:

fusion.security:
  enabled: true
  # Configures all service endpoints to allow anonymous access using Platform's authentication system
  serviceAuthenticationRequired: false

Enabling authenticated access for all services

To require authenticated access for all services, set the serviceAuthenticationRequired property to true:

Require authenticated access for all services
fusion.security:
  enabled: true
  # Configures all service endpoints to require authentication using Platform's authentication system
  serviceAuthenticationRequired: true

Enabling authenticated access for a service of a certain type

To require authenticated access for all services of a specific type, add the endpoint patterns that match the specific type under authenticatedEndpoints, and set authenticated to true.

For example, to require authenticated access for the WMS service type, add the endpointPattern ${fusion.ogc.wms.basePath}/**, and set authenticated to true:

Example: require authenticated access for the WMS service type
# Enables access control
fusion.security:
  enabled: true
  # Configures all service endpoints to allow anonymous access using Platform's authentication system
  serviceAuthenticationRequired: false
  # Overrides the default configuration, by requiring authenticated access for the /wms/** endpoint pattern
  authenticatedEndpoints:
      - endpointPattern: "${fusion.ogc.wms.basePath}/**"
        authenticated: true

Enabling anonymous access for all services of a specific type

To enable anonymous access for all services of a specific type, add the endpoint pattern that matches that type under authenticatedEndpoints, and set authenticated to false.

For example, to enable anonymous access for the WMS service type, add the endpointPattern ${fusion.ogc.wms.basePath}/**, and set authenticated to false:

Example: enable anonymous access for the WMS service type
# Enables access control
fusion.security:
  enabled: true
  # Configures all service endpoints to require authentication using Platform's authentication system
  serviceAuthenticationRequired: true
  # Overrides the default configuration, by enabling anonymous access for the /wms/** endpoint pattern
  authenticatedEndpoints:
      - endpointPattern: "${fusion.ogc.wms.basePath}/**"
        authenticated: false

Enabling anonymous access for services of a specific type and with a specific name

To enable anonymous access for all services of a specific type and with a name that starts with a certain value, add an endpoint pattern that matches that type and name to authenticatedEndpoints and set authenticated to false.

For example, to enable anonymous access for a WMS service that has a name starting with public, add a new endpointPattern at the start of authenticatedEndpoints, and set authenticated to false:

Example: enable anonymous access for a WMS service with a name starting with public
# Enables access control
fusion.security:
  enabled: true
  serviceAuthenticationRequired: true
  # Overrides the default configuration, by enabling anonymous access for the /wms/public*/** endpoint pattern
  authenticatedEndpoints:
      - endpointPattern: "${fusion.ogc.wms.basePath}/public*/**"
        authenticated: false

With access control enabled, you need to grant permissions to the LFN_ANONYMOUS role for the Data resources to which the anonymous users must have access. See Access Control in LuciadFusion for more information.

Configuring access control on a service-by-service basis

To set the access mode for individual services, use the service detail panel in the LuciadFusion Studio web application, or the PUT /api/services/{serviceId} endpoint in the LuciadFusion API. You can choose between these options:

  • Authentication Required (Authenticated): Authentication is required for users accessing this service.

  • Authentication Optional (Anonymous): Authentication is not required for users accessing this service.

  • Default (Default): The access mode is determined by the settings in the external configuration files.

The access mode set for an individual service takes precedence over the settings in the external configuration files.
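
The layering described on this page (per-service mode, then endpoint patterns, then the default) can be checked offline before a configuration is deployed. The script below is an added example, not LuciadFusion code. It assumes Ant-style pattern matching, that the first matching entry in authenticatedEndpoints decides, that ${fusion.ogc.wms.basePath} resolves to /wms, and that the constructed sample paths all belong to built-in service types.

```python
import re

# Constructed sample: the page's fusion.security keys as a dict, with the
# "public*" exception listed first. "/wms" as base path is an assumption.
PROPS = {"fusion.ogc.wms.basePath": "/wms"}
SECURITY = {
    "enabled": True,
    "serviceAuthenticationRequired": False,
    "authenticatedEndpoints": [
        {"endpointPattern": "${fusion.ogc.wms.basePath}/public*/**", "authenticated": False},
        {"endpointPattern": "${fusion.ogc.wms.basePath}/**", "authenticated": True},
    ],
}

def ant_to_regex(pattern):
    """'*' stays inside one path segment; '/**' spans zero or more segments."""
    pattern = re.sub(r"\$\{([^}]+)\}", lambda m: PROPS[m.group(1)], pattern)
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out, i = out + "(/.*)?", i + 3
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def effective_mode(path, security, service_mode="Default"):
    """Resolve the access mode for one request path."""
    # 1. A per-service setting other than Default overrides the files.
    if service_mode in ("Authenticated", "Anonymous"):
        return service_mode.lower()
    # 2. Assumption: the first matching endpoint pattern decides.
    for rule in security.get("authenticatedEndpoints", []):
        if ant_to_regex(rule["endpointPattern"]).match(path):
            return "authenticated" if rule["authenticated"] else "anonymous"
    # 3. Otherwise the serviceAuthenticationRequired default applies.
    return "authenticated" if security["serviceAuthenticationRequired"] else "anonymous"

def anonymous_paths(paths, security):
    """Audit helper: which of the given paths are reachable without login?"""
    return [p for p in paths if effective_mode(p, security) == "anonymous"]

if __name__ == "__main__":
    for p in ("/wms/public_roads", "/wms/internal_ops", "/other/layer"):
        print(p, "->", effective_mode(p, SECURITY))
```

Running anonymous_paths over the endpoints you expect to be protected gives a quick review list of everything that would be reachable without login under these assumptions.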