Page tree
Skip to end of metadata
Go to start of metadata


Documentation on authentication and authorization


In the standard "development" build of the tool, default user/password security is used.  The allowed user and roles are indicated in the file and these "fake" users can log in with the same username and password.  For example,


Here, the default security service defines a number of viewer, user, and admin application role users.  To log in as, say "admin1", the same username and password woudl be used.

IMS Authentication

In the IHTSDO deployment of the tool uses "IMS" security (backed by Atlassian Crowd).  Users are allowed to access the application if they have either "refset-user" or "refset-administator" roles in crowd.  Without one of these roles, a user is considered a "viewer" and will have access to the "Directory" tab and functionality.

Upon attempt to login to the Refset Management & Translation Tool, a check is made against IMS to determine if the user is logged in.  If so, the login controller requests an authToken from the server which is used to validate future service-layer calls for that user. 

If a user is granted new roles, they should log out and re-log in to the application


When a user authenticates (e.g. via the security service "authenticate" call), an authToken is provided

All API calls in the system take an authToken parameter as an "Authorization" header param.  

The system checks this token against a list of currently validated (and not timed-out) tokens and provides the REST API call with information about the user and their application role.  With that information the user's project role can also be checked and the individual authorization level for that call can be validated.  

Thus a logged-in (authenticated) user can still be rejected for not having privileges to access a certain call.  In particular this applies to things like write-based calls against projects on which the user does not have any role.  The methods "authorizeProject" and "authorizeApp" are used as convenience methods for performing this authorization role.




  • n/a


  • No labels