> On Feb 8, 2016, at 4:08 PM, Chris Pike <[email protected]> wrote:
> 
> We have a REST service that will get called to retrieve the active roles for
> a user. We need to restrict who can make this call.

How is that user credential being passed in currently? As an HTTP header or via
a session attribute inside the payload? If the former, you may restrict access
using this policy:
https://github.com/apache/directory-fortress-enmasse/blob/master/src/main/resources/FortressRestServerPolicy.xml.

I am not opposed to adding the security checks to the accessmgr methods.  We 
could make it a configurable option.

Shawn
