OpenWGA 7.7 - OpenWGA Concepts and Features
Enabling REST support
By default, the REST web service is completely disabled on every OpenWGA server. If you wish to use it, head to the OpenWGA admin client and open the menu "Configuration" > "Basic Settings".
There, in the section "Optional network services", you will find the option "OpenWGA Web Services REST service", which can be enabled in edit mode.
Enable this option and save to turn on the REST web service in general.
Then you need to enable REST support for each app that you want to be queryable via REST:
- In the web app's configuration in the OpenWGA admin client, click the "Edit" button
- In the section "Publishing settings", click "Show/hide more options"
- Under "Optional publishing parameters", find the option "REST services: Enabled APIs" and add it by clicking on it
This setting already shows that OpenWGA supports multiple REST APIs, which you can enable or disable individually.
A brief overview of these APIs, which are described in detail later:
- The CMS API works on the pure "content management" level and can do all operations that a website author is also capable of doing, like creating and publishing pages, creating draft copies, editing items and metadata, and the like.
- The HDBModel API can be used for data-driven applications which use the HDBModel framework. It therefore also works on the HDBModel level and allows you to create/read/edit/delete hierarchical data documents just like the HDBModel functionality does.
- The Query API allows you to define database queries on the server side that are executed via REST, with their results served the same way.
- The Custom API allows you to define a completely custom REST API via TMLScript.
Some security considerations:
By exposing an app via the REST service, you most likely expose more data about that app than you would via the website.
OpenWGA authorisation and its restrictions remain fully in control over REST, but REST also allows access to every bit of data that the user is allowed to see under their user rights. A website, by contrast, only exposes the data that it explicitly publishes.
Apps that are exposed via OpenWGA's cms/hdbmodel/query APIs should therefore rely strictly and solely on their authorisation via ACL and permission fields to enforce security. They cannot rely on what is actually published via any web interface, because the data may still be retrievable via REST.
The custom REST API, on the other hand, gives you the tools to actively filter the data again, choosing what you want to publish and hiding the rest. This is the way to expose apps via REST that cannot rely on OpenWGA authorisation alone.
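
The following added example (not OpenWGA code and not taken from the OpenWGA documentation) models the exposure gap described above in plain JavaScript: it lists the items an authorised user could read through a generic data API that the website never renders, and shows an allow-list projection of the kind a custom API could apply. The document structure, the `readers` field and all function names are assumptions made for this illustration.

```javascript
// Constructed sample data: each document has items and a "readers"
// permission field; an empty list means no reader restriction.
const docs = [
  { key: "news-1", readers: [], items: { title: "Launch", body: "Text", internalNote: "budget pending" } },
  { key: "hr-7", readers: ["hr"], items: { title: "Salaries", body: "Text" } },
  { key: "evt-3", readers: [], items: { title: "Meetup", body: "Text", contactEmail: "owner@example.org" } },
];

// Items the website templates actually render (assumption for this model).
const publishedItems = new Set(["title", "body"]);

// Authorisation check: readable if unrestricted or the user holds a listed group.
function canRead(user, doc) {
  return doc.readers.length === 0 || doc.readers.some(g => user.groups.includes(g));
}

// What a generic data API returns: every item of every readable document.
function restView(user) {
  return docs.filter(d => canRead(user, d)).map(d => ({ key: d.key, items: { ...d.items } }));
}

// Per document: items reachable via REST that the website never publishes.
function exposureDelta(user) {
  const delta = {};
  for (const d of restView(user)) {
    const extra = Object.keys(d.items).filter(name => !publishedItems.has(name));
    if (extra.length > 0) delta[d.key] = extra;
  }
  return delta;
}

// Custom-API style response: allow-list projection on top of authorisation.
function customView(user, allowed = publishedItems) {
  return restView(user).map(d => ({
    key: d.key,
    items: Object.fromEntries(Object.entries(d.items).filter(([name]) => allowed.has(name))),
  }));
}

const anonymous = { name: "anonymous", groups: [] };
console.log("Extra exposure for anonymous:", exposureDelta(anonymous));
console.log("Filtered view:", JSON.stringify(customView(anonymous)));
```

Any item that appears in the delta for a low-privileged user has to be protected by ACL or permission fields before the cms/hdbmodel/query APIs are enabled, or served only through a filtered custom API.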