Securing Content REST API with api key

Hi all, I'm exposing the Content REST API via a preview (hst:type = preview) so I can also access unpublished content from an external service. And logically I want to secure this API, as it's not supposed to be available to the public.

Is there a way to protect the Content REST API with an API key (that consumers have to specify in an x-api-key request header)?

By Content REST API I mean the generic REST API that comes out of the box. The preview endpoints of this API that I want to secure with an API key are, for example:

  • /site/preview/api/documents
  • /site/preview/api/documents/{id}

By default we use basic authentication (the user needs to be a CMS user). To change it to something else you can read this document:

Another option is to use Spring Security.
(see also HST Spring Security Support Documentation – Introduction )

Forgot to say, for the default basic authentication check:

mainly the RolesAllowed annotation, e.g.:

 @RolesAllowed(value={"author", "editor"})

@machak Thanks again for the reply.

I've updated my question and added that it's regarding the generic Content REST API that comes out of the box (instead of a custom JAX-RS service).

From the documentation (see link below) I understood that it’s possible to enable basic authentication. However I was wondering if there’s a way to add an api key check to specific endpoints.

Regarding basic authentication, according to the documentation it's possible to enable basic authentication (see link below). However, the documentation also says that by default form-based authentication is configured on the delivery tier. My questions in this regard are:

  1. When I enable basic authentication does it mean that all secured delivery tier services will get basic authentication (like the site preview)?
  2. Can’t each service be configured to use a different AuthenticationProvider?
  3. Is it possible to have a user that can access the API endpoints (through basic authentication), but has no or minimum permissions in the CMS?

Enable authentication: Add a preview channel and limit access - Bloomreach Experience - Open Source CMS

Configure Basic Authentication: Configure the Delivery Tier to Use Basic Authentication - Bloomreach Experience - Open Source CMS
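For readers who want to see what the x-api-key check asked about in the question would look like in code, here is an added example (it is not code from this thread, from Bloomreach, or from the HST project). It is a plain servlet filter, which is independent of how the HST preview mount authenticates users; it assumes the preview API is served under /preview/api/* as in the question, that the expected key is supplied in an environment variable named CONTENT_API_KEY, and that the filter is registered in web.xml. Whether such a filter can replace, rather than sit in front of, the delivery tier's own basic or form authentication is not answered on this page.

```java
// Hypothetical package name; not part of HST or any Bloomreach artifact.
package com.example.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Requires a valid x-api-key header on every request it is mapped to.
 *
 * Example web.xml registration (assumed path, matching the question):
 *
 *   <filter>
 *     <filter-name>ApiKeyFilter</filter-name>
 *     <filter-class>com.example.security.ApiKeyFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ApiKeyFilter</filter-name>
 *     <url-pattern>/preview/api/*</url-pattern>
 *   </filter-mapping>
 */
public class ApiKeyFilter implements Filter {

    private static final String HEADER = "x-api-key";
    private byte[] expectedKey;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // The key comes from the environment so it is never committed with the code.
        // CONTENT_API_KEY is an assumed variable name.
        String key = System.getenv("CONTENT_API_KEY");
        if (key == null || key.length() < 32) {
            throw new ServletException("CONTENT_API_KEY must be set and at least 32 characters long");
        }
        expectedKey = key.getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String presented = request.getHeader(HEADER);
        if (presented == null || !isValid(presented)) {
            // Same status for missing and wrong keys, and never echo the presented value.
            response.setHeader("WWW-Authenticate", "ApiKey realm=\"content-api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * MessageDigest.isEqual compares in constant time for equal-length inputs,
     * so response timing does not reveal how many leading bytes matched.
     */
    boolean isValid(String presented) {
        byte[] candidate = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedKey, candidate);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

A consumer then calls the endpoint with, for example, `curl -H "x-api-key: $CONTENT_API_KEY" https://host/site/preview/api/documents`. Because the key is a bearer secret, the endpoint must only be reachable over TLS, and the key should be rotated by changing the environment variable and restarting rather than by editing code.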