On the configuration page {API name} -> {service name} -> Authorization, single methods for the service can be put under authentication:

In this page you can specify which HTTP methods to put under authentication, for your entity and collection service.

If I understand this correctly, the checked methods should then require authorization and the other ones not.

I have two services in my application: User and Address. The problem is: Whether I activate the authorization for one of them or not, or even if the authorization is deactivated for all methods of all services -- from the moment when I choose the auth type for my API, every request requires authentication and returns the status code 401 if no credentials are sent.

What can be wrong here? How to put only some methods under authentication?


UPDATE

The relevant configs:

/config/autoload/global.php

return array(
    // ...
    'zf-mvc-auth' => array(
        'authentication' => array(
            'map' => array(
                'AddressBookAPI\\V1' => 'demo',
            ),
        ),
    ),
);

/config/autoload/local.php

return array(
    // ...
    'zf-mvc-auth' => array(
        'authentication' => array(
            'adapters' => array(
                'demo' => array(
                    'adapter' => 'ZF\\MvcAuth\\Authentication\\HttpAdapter',
                    'options' => array(
                        'accept_schemes' => array(
                            0 => 'basic',
                        ),
                        'realm' => 'demo',
                        'htpasswd' => 'data/users.htpasswd',
                    ),
                ),
            ),
        ),
    ),
);

/module/AddressBookAPI/config/module.config.php

return array(
    // ...
    'zf-mvc-auth' => array(
        'authorization' => array(
            'AddressBookAPI\\V1\\Rest\\User\\Controller' => array(
                'collection' => array(
                    'GET' => false,
                    'POST' => false,
                    'PUT' => false,
                    'PATCH' => false,
                    'DELETE' => false,
                ),
                'entity' => array(
                    'GET' => true,
                    'POST' => false,
                    'PUT' => false,
                    'PATCH' => false,
                    'DELETE' => false,
                ),
            ),
            'AddressBookAPI\\V1\\Rest\\Address\\Controller' => array(
                'collection' => array(
                    'GET' => false,
                    'POST' => false,
                    'PUT' => false,
                    'PATCH' => false,
                    'DELETE' => false,
                ),
                'entity' => array(
                    'GET' => false,
                    'POST' => false,
                    'PUT' => false,
                    'PATCH' => false,
                    'DELETE' => false,
                ),
            ),
        ),
    ),
);
automatix
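
An added example, not part of the original question and not Apigility code: one way to check the behaviour described above is to flatten the posted `zf-mvc-auth.authorization` flags into an expected matrix and compare it with the status codes returned to requests sent without credentials. The function names and the observed status codes are hypothetical; the flags are a constructed copy of the posted config.

```php
<?php
// Added example. Flags are a constructed copy of the config in the question; in a project,
// read them from the array returned by module/AddressBookAPI/config/module.config.php.
$open = array_fill_keys(['GET', 'POST', 'PUT', 'PATCH', 'DELETE'], false);
$authorization = [
    'AddressBookAPI\\V1\\Rest\\User\\Controller' => [
        'collection' => $open,
        'entity'     => ['GET' => true] + $open, // only GET on the entity is protected
    ],
    'AddressBookAPI\\V1\\Rest\\Address\\Controller' => [
        'collection' => $open,
        'entity'     => $open,
    ],
];
// Flatten the nested config into "controller|type|METHOD" => requires-auth flag.
function expectedAuthMatrix(array $authorization): array {
    $matrix = [];
    foreach ($authorization as $controller => $types) {
        foreach ($types as $type => $methods) {
            foreach ($methods as $method => $requiresAuth) {
                $matrix["$controller|$type|$method"] = (bool) $requiresAuth;
            }
        }
    }
    return $matrix;
}
// Compare status codes seen on credential-less requests with what the config declares.
function findMismatches(array $matrix, array $observed): array {
    $problems = [];
    foreach ($observed as $key => $status) {
        if (!isset($matrix[$key])) {
            $problems[$key] = 'not covered by the authorization config';
        } elseif ($matrix[$key] && $status !== 401) {
            $problems[$key] = "protected method answered $status without credentials";
        } elseif (!$matrix[$key] && $status === 401) {
            $problems[$key] = 'public method answered 401';
        }
    }
    return $problems;
}
// Hypothetical observations matching the behaviour described in the question.
$observed = [
    'AddressBookAPI\\V1\\Rest\\User\\Controller|entity|GET'        => 401,
    'AddressBookAPI\\V1\\Rest\\User\\Controller|collection|GET'    => 401,
    'AddressBookAPI\\V1\\Rest\\Address\\Controller|collection|GET' => 401,
];
print_r(findMismatches(expectedAuthMatrix($authorization), $observed));
```

The same comparison also reports the opposite case, a method flagged `true` that answers anything other than 401 to an anonymous request, which is the one to treat as a finding.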

1 Answer

I strongly believe that this is some kind of bug on your side, because in my API everything works exactly as you think it should work.

Vini
  • Thank you for your feedback! Hm, OK. Absolutely no idea, what I'm doing wrong... Do you have your project with the correctly working auth somewhere in open access (GitHub repo or something like this)? – automatix May 14 '15 at 15:28
  • Nope and I can't share it - work assignment. But I can provide some apigility autogenerated configs, just tell me which one you want. Also try updating your composer packages, there were some bugs related to oauth in recent versions. – Vini May 14 '15 at 16:04
  • OK, sure. Well, there are only two relevant config segments (at least for the basic authentication). I've just updated my question and posted all the relevant configs. Do you see any significant differences to yours? If you want to post your configs, please feel free to do this. Thanks. – automatix May 14 '15 at 16:55
  • `global.php` `return array( 'router' => array( 'routes' => array( 'oauth' => array( 'options' => array( 'spec' => '%oauth%', 'regex' => '(?P(/oauth))', ), 'type' => 'regex', ), ), ), 'zf-mvc-auth' => array( 'authentication' => array( 'map' => array(), ), ), );` but I think problem may be here in `local.php` because I use `'adapter' => 'ZF\\MvcAuth\\Authentication\\OAuth2Adapter'` – Vini May 15 '15 at 07:42
  • Thank you for posting your configs! I'm wondering that the `zf-mvc-auth.authentication.map` is empty. Or have you simply removed its value to keep the message short? Anyway, the only difference I see between our configs is that we use different auth adapters. Have you tried it out with basic auth? – automatix May 16 '15 at 11:40
  • It wasn't empty at first (at local) but then I had some problems with path to configs, and after changing them and setting up oauth on development from scratch it just disappeared. It works fine though, so dunno about that. Nope, only thing I did with it was going from sqlite to mysql. – Vini May 17 '15 at 13:04
  • Hey, sorry for misleading you - I just checked `global.php` again and map is there `'map' => array( 'dms\\V1' => 'dms', ),` – Vini May 27 '15 at 08:45