
Authorizers check if the authenticated client can execute the request according to the security policy.

RESTHeart provides two implementations of Authorizer:

Multiple Authorizers can be enabled; an Authorizer can be either a VETOER or an ALLOWER.

A request is allowed when no VETOER denies it and at least one ALLOWER allows it.
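
The combination rule above, modelled as an added example (not RESTHeart's own code): `Req`, `Auth`, `decide` and the two sample policies are hypothetical stand-ins for the real request and plugin types. The last case shows a consequence of the rule: with only VETOERs enabled, every request is denied.

```java
import java.util.List;
import java.util.function.Predicate;

public class AuthorizerChainDemo {
    enum Type { ALLOWER, VETOER }

    // Hypothetical stand-ins for this example, not RESTHeart classes.
    record Req(String method, String path, boolean authenticated) {}
    record Auth(String name, Type type, Predicate<Req> rule) {}

    // Allowed only when no VETOER denies AND at least one ALLOWER allows.
    static boolean decide(List<Auth> enabled, Req req) {
        boolean vetoed = enabled.stream()
                .filter(a -> a.type() == Type.VETOER)
                .anyMatch(a -> !a.rule().test(req));
        boolean allowed = enabled.stream()
                .filter(a -> a.type() == Type.ALLOWER)
                .anyMatch(a -> a.rule().test(req));
        return !vetoed && allowed;
    }

    static void show(String label, List<Auth> enabled, Req req) {
        System.out.printf("%-30s %s%n", label, decide(enabled, req) ? "ALLOW" : "DENY");
    }

    public static void main(String[] args) {
        // Constructed policies: an ACL-style ALLOWER and a read-only VETOER.
        Auth ordersAcl = new Auth("ordersAcl", Type.ALLOWER,
                r -> r.authenticated() && r.path().startsWith("/orders"));
        Auth readOnly = new Auth("readOnly", Type.VETOER,
                r -> r.method().equals("GET"));

        // Constructed requests.
        Req get = new Req("GET", "/orders/1", true);
        Req delete = new Req("DELETE", "/orders/1", true);
        Req anon = new Req("GET", "/orders/1", false);

        List<Auth> both = List.of(ordersAcl, readOnly);
        show("GET, both enabled", both, get);              // ALLOWER matches, no veto
        show("DELETE, both enabled", both, delete);        // ALLOWER matches, VETOER denies
        show("anonymous GET, both enabled", both, anon);   // no veto, but no ALLOWER matches
        show("GET, VETOER only", List.of(readOnly), get);  // no ALLOWER is enabled at all
    }
}
```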


The Authorizer implementation class must implement the org.restheart.plugins.security.Authorizer interface.

public interface Authorizer extends ConfigurablePlugin {
    /**
     * @param request
     * @return true if the request is allowed
     */
    boolean isAllowed(final Request request);

    /**
     * @param request
     * @return true if an unauthenticated user won't be allowed
     */
    boolean isAuthenticationRequired(final Request request);
}


The Authorizer class must be annotated with @RegisterPlugin:

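@RegisterPlugin(
        name = "myAuthorizer", // assumed name; it is also the key of the plugin's configuration section
        description = "my custom authorizer",
        authorizerType = ALLOWER)
public class MyAuthorizer implements Authorizer {
    // isAllowed() and isAuthenticationRequired() implementations go here
}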



The Authorizer can receive parameters from the configuration file using the @Inject("config") annotation:

@Inject("config")
private Map<String, Object> config;

@OnInit
public void init() throws ConfigurationException {
    // get configuration arguments
    int number = argValue(this.config, "number");
    String string = argValue(this.config, "string");
}

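The parameters are defined in the configuration using the name of the authorizer as defined by the @RegisterPlugin annotation:

# the top-level key is the plugin name from @RegisterPlugin (myAuthorizer is assumed here)
myAuthorizer:
    number: 10
    string: a string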