By default the repository is accessible directly over HTTP, because anything attached to the router is reachable under the default authorization policy. Avoid direct HTTP access to the repository in production: if you do not need it, deny it in the authorization policy to reduce the attack surface.
Similarly, deny direct HTTP access to system objects in production, particularly access to action. As a rule of thumb, do not expose anything that is not used in production. The main public interfaces over HTTP are /openidm/managed/ and /openidm/config/. Other URIs are triggered indirectly, or are for internal consumption.
OpenIDM supports native query expressions on the JDBC repository, and it is possible to enable these over HTTP, for example:

$ curl --header "X-OpenIDM-Username: openidm-admin" \
       --header "X-OpenIDM-Password: openidm-admin" \
       "http://localhost:8080/openidm/managed/user?_queryExpression=select+*+from+managedobjects"
By default, direct HTTP access to native queries is disallowed, and it should remain so in production systems. To enable native queries on the JDBC repository over HTTP, specifically for testing or development purposes, remove the following custom authorization call from the router authorization script (openidm/script/router-authz.js):
"customAuthz" : "disallowQueryExpression()"
Remember to remove the comma at the end of the preceding line as well.
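To make the effect of that custom authorization call concrete, here is an added example (not OpenIDM's own code, and not the real router-authz.js) that models a router access policy as a small table of URI patterns, each with an optional custom check in the spirit of "customAuthz" : "disallowQueryExpression()". The function names, the request shape and the policy entries are assumptions for illustration; the point is that a request carrying _queryExpression is rejected before it reaches the repository, and that anything not explicitly listed (such as system objects) is denied by default.

```javascript
// Added example, not OpenIDM code: a simplified model of a router
// authorization policy. Request shape and function names are assumptions.

// Custom check modelled on the script's disallowQueryExpression() call:
// native query expressions (raw SQL against the JDBC repository) must
// never be accepted over HTTP, whatever the caller's credentials.
function disallowQueryExpression(request) {
  const params = request.params || {};
  return !Object.prototype.hasOwnProperty.call(params, '_queryExpression');
}

// Constructed access policy: only the public interfaces are listed.
// There is deliberately no entry for system/... objects, so direct HTTP
// access to them falls through to the default-deny at the end of isAllowed.
const accessPolicy = [
  {
    pattern: /^managed\//,
    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
    customAuthz: disallowQueryExpression,
  },
  {
    pattern: /^config\//,
    methods: ['GET', 'PUT'],
    customAuthz: null,
  },
];

// Decide whether a request may pass the router. The first matching entry
// wins; a matching entry whose custom check fails denies the request.
function isAllowed(request) {
  for (const entry of accessPolicy) {
    if (!entry.pattern.test(request.resourceName)) continue;
    if (!entry.methods.includes(request.method)) continue;
    if (entry.customAuthz && !entry.customAuthz(request)) return false;
    return true;
  }
  return false; // default deny: anything not explicitly listed is rejected
}

// Constructed sample requests, mirroring the curl call above and the
// kinds of access the text says to deny in production.
const sampleRequests = [
  { resourceName: 'managed/user', method: 'GET', params: { _queryId: 'query-all-ids' } },
  { resourceName: 'managed/user', method: 'GET', params: { _queryExpression: 'select * from managedobjects' } },
  { resourceName: 'system/ldap/account', method: 'GET', params: {} },
  { resourceName: 'config/audit', method: 'GET', params: {} },
];

for (const req of sampleRequests) {
  console.log(`${req.method} ${req.resourceName} -> ${isAllowed(req) ? 'allowed' : 'denied'}`);
}
```

Removing the customAuthz entry, as the text describes for development, is equivalent to setting it to null in the managed/ entry above: the _queryExpression request then passes, which is exactly why the call must stay in place in production.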
See the chapter on Managing Authentication, Authorization & RBAC for an example showing how to protect sensitive URLs.