Skip to main content

How to create a custom REST service in an Atoti Server Extension

note

You can find all the necessary information on Spring REST services in the Spring documentation.

Prerequisites

This guide assumes you have already created a Maven project with atoti-server-extension-parent as described in the Atoti Server Extension reference.

In this guide, we show the steps required to create a custom REST service in an Atoti Server Extension.

1. Create a custom REST service

Since Atoti Server Extension is a Spring Boot application, you can create a custom REST service by creating a Spring @RestController class.

/** A REST controller that exposes cube information. */
@RestController
@RequestMapping("/app-extension")
@RequiredArgsConstructor
public class AtotiServerExtensionRestController {
  /** These Beans are available with the atoti-server-runtime-extension module. */
  private final IActivePivotManager activePivotManager;
  private final IDatastore datastore;
  @GetMapping("/cubes")
  public ResponseEntity<String> getCubes() {
    final String cubes = String.join(",", activePivotManager.getActivePivots().keySet());
    return ResponseEntity.of(Optional.of(cubes));
  }
}

2. Secure the REST service

Important

All custom REST endpoints must have a security configuration, even if you want to allow unauthenticated access. Without security configuration, your endpoints will not be accessible and will return a 403 Forbidden error.

You need to create a security configuration that defines which users can access your custom endpoints. This is done by creating a SecurityFilterChain bean, you can find more information on Atoti endpoint security here.

@EnableWebSecurity
@Configuration
public class SecurityConfig {
  /** Configures the security for the custom REST service. */
  @Bean
  @Order(20)
  @Lazy(false)
  public SecurityFilterChain customRestServiceSecurity(
      final HttpSecurity http, final MachineToMachineSecurityDsl dsl) throws Exception {
    http.with(dsl, d -> d.setScope(Set.of(MachineToMachineSecurityDsl.Scope.SECURITY)));
    http.securityMatcher("/app-extension/**")
        .authorizeHttpRequests(
            request -> request.requestMatchers("/app-extension/cubes").hasRole("ADMIN"));
    return http.build();
  }

Key points about the security configuration:

  • The @Order annotation determines when this security filter chain is evaluated. Lower values have higher priority. Use a value between the standard Atoti filter chains (e.g., 20).
  • The @Lazy(false) annotation ensures the security configuration is loaded at application startup.
  • Use http.securityMatcher("/your-path/**") to specify which endpoints this configuration applies to.
  • Use http.authorizeHttpRequests() to define authorization rules:
    • .hasRole("ADMIN") - requires the user to have the ADMIN role
    • .permitAll() - allows unauthenticated access
    • .authenticated() - requires any authenticated user
  • The MachineToMachineSecurityDsl.Scope.SECURITY scope applies authentication and authorization filters.

3. Register the REST service and security configuration

To register your custom REST service and its security configuration, you need to import both in your @AutoConfiguration class see.

/* Autoconfiguration for the Atoti Server Extension. */
@AutoConfiguration
@Import({AtotiServerExtensionRestController.class, SecurityConfig.class})
public class AtotiServerExtensionAutoConfiguration {}