Sets the security level required to access a method defined in an API object.
'['SecurityLevel(None|Authorization|Authentication)']'
View Syntax conventions
Where:
None
Indicates that the method is an open entry point. This means that no login or additional permissions are required to access the method. Any end user can invoke the method without restrictions.
Authorization
The system checks if the end user has the appropriate permissions before allowing the method to execute. So, end user must be logged in and have the necessary permissions to perform the operation.
Authentication
Requires the end user to be authenticated before the method can be used. The end user must be logged in to access the method, but they do not need to have additional specific permissions.
When an API object has the set the Enable Integrated Security property to True and Integrated Security Level property set to Authentication or Authorization, all methods require some level of security for access. However, some cases may require an open entry point method, with no OAuth login or token required. To achieve this, the SecurityLevel attribute is used to define the specific security level for each method.
Suppose you have an API object called APICustomer that provides services related to customers of an application. This object has the following methods defined:
- ListCustomers: Lists all registered customers in the database.
- Insert: Adds a new customer to the database.
- Update: Updates the information of an existing customer.
- Delete: Deletes a customer from the database.
- GetByKey: Gets the information of a specific customer by its ID.
In addition, the following is configured:
Then the Service Source of the APICustomer looks like the one below:
APICustomer{
[SecurityLevel(Authorization)]
[SecurityPermission("Read_Permission")]
ListCustomers(out:&SDTCustomers)
=> CustomerList(&SDTCustomers);
[RestMethod(POST)]
[SecurityLevel(Authorization)]
[SecurityPermission("Write_Permission")]
Insert(in:&CustomerId, in:&CustomerName, in:&CustomerLastName, out:&Messages)
=> CustomerInsert(&CustomerId, &CustomerName, &CustomerLastName, &Messages);
[RestMethod(PUT)]
[SecurityLevel(Authorization)]
[SecurityPermission("Write_Permission")]
Update(in:&CustomerId, in:&CustomerName, in:&CustomerLastName, out:&Messages)
=> CustomerUpdate(&CustomerId, &CustomerName, &CustomerLastName, &Messages);
[RestMethod(DELETE)]
[SecurityLevel(Authorization)]
[SecurityPermission("Write_Permission")]
Delete(in:&CustomerId, out:&Messages)
=> CustomerDelete(&CustomerId, &Messages);
[SecurityLevel(None)]
GetByKey(in:&CustomerId, out:&Customer, out:&Messages)
=> CustomerGetByKey(&CustomerId, &Customer);
}
In this case:
- ListCustomers method requires the Read_Permission to be executed. Only authenticated users with this permission will be able to list all customers.
- The Insert, Update, and Delete methods require Authorization and the Write_Permission to be executed. Only authenticated users with this permission will be able to add, update or delete customers.
- The "GetByKey method does not require authentication and does not have a specific permission associated with it. This means that it can be accessed by any user, even without authentication.
Since GeneXus 18 Upgrade 6.
SecurityPermission annotation
API object - Troubleshooting