
Bamboo Plugin REST module access control


I have created a plugin in Bamboo with one module in it.

atlassian-plugin.xml:

<rest key="REST API Key" path="/plugin/myplugin/api" version="1.0">
    <description>Rest API for plugin</description>
</rest>

Now I have a class with one method in it:

@Path("/config/user")
@Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
public class UserService {    
    @PUT
    @Path("/add")
    public Response addUser(User user){
        return Response.ok().build();
    }
}

This particular endpoint mybamboo.host:6990/rest/plugin/myplugin/api/config/user/add can be accessed by any user who has access to that particular instance of Bamboo.

Now my question is: is it possible to restrict access to this endpoint to Bamboo administrators only, rather than all users?

I know that this is possible with WebWork action classes by extending BambooActionSupport and implementing the GlobalAdminSecurityAware interface. But is there a similar way to accomplish this kind of access control in a REST module?


Solution

  • By default all REST resources require at least basic authentication; see the Atlassian REST API Design Guidelines.

    In addition, you can inject com.atlassian.sal.api.user.UserManager into your REST service and apply logic as follows:

    String username = userManager.getRemoteUsername();
    if (userManager.isAdmin(username) || userManager.isSystemAdmin(username)) {
        // ... administrator-only logic
    } else if (isUserInGroup(...)) {
        // ... logic for members of a specific group
    }
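
The check from the answer above, applied to the question's `UserService` so that non-administrators are rejected before any work is done. This is an added example, not code from the original question or answer; the constructor injection, the `requireAdmin` helper and the choice of 401/403 status codes are assumptions, and `User` is the question's own class.

```java
import com.atlassian.sal.api.user.UserManager;

import javax.ws.rs.Consumes;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/config/user")
@Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
public class UserService {
    private final UserManager userManager;

    // Assumption: the SAL UserManager is imported into the plugin
    // and handed to the resource through its constructor.
    public UserService(UserManager userManager) {
        this.userManager = userManager;
    }

    @PUT
    @Path("/add")
    public Response addUser(User user) {
        Response denied = requireAdmin();
        if (denied != null) {
            return denied; // stop before touching the request body
        }
        // ... administrator-only logic goes here
        return Response.ok().build();
    }

    // Hypothetical helper: returns null when the caller is an administrator,
    // otherwise the error response to send back.
    private Response requireAdmin() {
        String username = userManager.getRemoteUsername();
        if (username == null) {
            // No authenticated user on this request.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        if (userManager.isAdmin(username) || userManager.isSystemAdmin(username)) {
            return null;
        }
        // Authenticated, but not an administrator.
        return Response.status(Response.Status.FORBIDDEN).build();
    }
}
```

Every method added to the resource has to call the helper itself; a method that omits the call is reachable by any authenticated user, as in the question.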