张海华

Reputation: 3

About access control in hyperledger composer to implement a business network

I am trying to use Composer to develop a blockchain web app. I wrote the ".acl" file to implement access control, and I also issued different IDs to different participants; then I started the REST server.

The next thing I want to ask is: how does the REST server identify my identity?

For example, one kind of participant is named "trader", and I specify that "trader" cannot access function "A" in the chaincode, but the REST server still generates the API for "A". Then I write a simple HTML file and send a POST request to localhost:3000, and I can invoke this function directly. I don't even know which identity I am accessing this interface with.

I am confused about this; can someone help me?

Upvotes: 0

Views: 226

Answers (1)

Mundi

Reputation: 80273

Remember how you started the REST server? You had to specify a business network card, and likely it was the card for the admin with all reading and writing rights. Also most likely, you disabled authentication with passport.

With these two elements, of course you can always do anything just by calling any available API function.

You can refer to the passport authentication instructions for composer-rest-server to implement your authentication scheme.

You should code the rules for what is allowed for certain groups (such as "patients", "doctors", "payers") in the ACL permission files. Refer to the section "Granting Network Access Control" in https://hyperledger.github.io/composer/latest/reference/acl_language, which contains some pretty similar examples.

Illicit API calls would then simply fail if attempted by the wrong entity.

Upvotes: 2
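To make the answer concrete, here is an added permissions file in the Composer ACL language that denies the "trader" participant the transaction "A" while leaving an admin participant unrestricted. It is an illustration written for this thread, not code from the question, the answer, or the Hyperledger Composer project; the namespace org.example.trading, the participant types Trader and Admin, and the transaction type A are assumed names that do not appear on the page.

```acl
/*
 * Added example for this thread; not from the original question or answer.
 * org.example.trading, Trader, Admin and A are assumed names for illustration.
 *
 * Composer evaluates rules top to bottom and applies the first rule that
 * matches the participant, operation and resource. A request that matches
 * no rule at all is denied, so the DENY rule only needs to come before the
 * broader ALLOW rule for the same participant.
 */

rule TraderCannotSubmitA {
    description: "Traders may not submit transaction A (submitting is a CREATE)"
    participant: "org.example.trading.Trader"
    operation: CREATE
    resource: "org.example.trading.A"
    action: DENY
}

rule TraderOtherResources {
    description: "Traders may otherwise work with resources in the namespace"
    participant: "org.example.trading.Trader"
    operation: ALL
    resource: "org.example.trading.*"
    action: ALLOW
}

rule AdminFullAccess {
    description: "Admins may do anything in the namespace, including submit A"
    participant: "org.example.trading.Admin"
    operation: ALL
    resource: "org.example.trading.*"
    action: ALLOW
}

rule ParticipantsCanConnect {
    description: "Any participant with an issued identity may connect to the network"
    participant: "ANY"
    operation: READ
    resource: "org.hyperledger.composer.system.Network"
    action: ALLOW
}

rule NetworkAdminUser {
    description: "Business network administrators keep full access"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

rule SystemACL {
    description: "Participants may access the system resources they need"
    participant: "org.hyperledger.composer.system.Participant"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
```

The rules only bite when each request arrives under the caller's own identity. If composer-rest-server is started with a single card and no authentication, every HTTP request is executed as that card's participant, which is why the POST in the question succeeds. Starting the server with authentication and multi-user mode enabled (the `-a true` and `-m true` options of composer-rest-server, with a Passport strategy configured through the COMPOSER_PROVIDERS environment variable) makes each authenticated web user bind their own business network card to their wallet, so a trader's POST to the transaction A endpoint is evaluated against TraderCannotSubmitA and is rejected, while the same POST from an Admin card goes through.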
