How do authentication and permissions work when using the CMIS API?
Can I restrict the documents available through CMIS requests based on user permissions? How does authentication work when using CMIS?
Permissions: with CMIS, as with all other Nuxeo APIs, access to documents obeys the user's permissions. This means that you will not be able to see or search documents to which you don't have Read access granted, and won't be able to create, modify or delete documents to which you don't have Write access.
Authentication: this is the process through which you state and prove which user you actually are. Authentication depends on the protocol employed by your CMIS connection. Nuxeo 5.4.2 supports the standard AtomPub (REST) and SOAP (Web Services) bindings and the authentication methods standardized by CMIS for them:
- For AtomPub, you authenticate through HTTP Basic Auth.
- For SOAP, you authenticate through the Web Services Security (WSS) UsernameToken.
In both cases, using HTTPS is recommended as otherwise the credentials could be eavesdropped.
You can read more about CMIS in Nuxeo here.
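As an added illustration of the AtomPub case described above (it is example code, not Nuxeo's own client, and the page does not show any code), the following stand-alone Python script sends a CMIS query the way the AtomPub binding expects: a CMIS query document POSTed to the repository's query collection with an HTTP Basic `Authorization` header, and the resulting Atom feed parsed on the way back. It refuses to send the credentials over plain HTTP unless explicitly allowed, because Basic Auth only base64-encodes them. The query collection URL, the user name and password, and the Atom feed it replays are all constructed placeholders, not values from the page; a real run would hand `urllib.request.urlopen` the URL published in the server's AtomPub service document. Note that the client does no permission filtering of its own: the feed the server returns already contains only the documents the authenticated user holds Read on.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

ATOM_NS = "http://www.w3.org/2005/Atom"
CMIS_NS = "http://docs.oasis-open.org/ns/cmis/core/200908/"


def basic_auth_header(username, password):
    """Build the HTTP Basic 'Authorization' value used by the AtomPub binding.
    This is base64, not encryption: anyone who can read the request can read it."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def require_https(url, allow_plain_http=False):
    """Refuse to ship Basic credentials over plain HTTP unless the caller
    explicitly opts in (for example a local development instance)."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https" or (scheme == "http" and allow_plain_http):
        return url
    raise ValueError(f"refusing to send credentials over '{scheme or 'unknown'}' scheme: {url}")


def cmis_query_document(statement):
    """Serialise a CMIS 1.0 AtomPub query document to POST to the query collection."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cmis:query xmlns:cmis="{CMIS_NS}">'
        f"<cmis:statement>{escape(statement)}</cmis:statement>"
        "<cmis:searchAllVersions>false</cmis:searchAllVersions>"
        "</cmis:query>"
    ).encode("utf-8")


def parse_query_feed(feed_bytes):
    """Return the atom:title of every entry in a CMIS AtomPub query result feed.
    The server has already applied the caller's Read permissions, so every
    entry here is one the authenticated user is allowed to see."""
    root = ET.fromstring(feed_bytes)
    return [entry.findtext(f"{{{ATOM_NS}}}title") for entry in root.findall(f"{{{ATOM_NS}}}entry")]


def run_query(query_url, username, password, statement,
              opener=urllib.request.urlopen, allow_plain_http=False):
    """POST a CMIS query with HTTP Basic Auth and return the titles it yields.
    'opener' defaults to urlopen; tests pass a replay stub instead."""
    url = require_https(query_url, allow_plain_http)
    req = urllib.request.Request(url, data=cmis_query_document(statement), method="POST")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Content-Type", "application/cmisquery+xml")
    req.add_header("Accept", "application/atom+xml")
    with opener(req) as resp:
        return parse_query_feed(resp.read())


# Constructed sample response (not a real Nuxeo feed): two entries the
# hypothetical user 'alice' is allowed to read.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:cmisra="http://docs.oasis-open.org/ns/cmis/restatom/200908/">
  <title>Query results (constructed sample)</title>
  <entry><title>Quarterly report</title></entry>
  <entry><title>Meeting notes</title></entry>
</feed>
"""


def make_replay_opener(feed_bytes):
    """Offline stand-in for urlopen: records each outgoing Request and replays
    the canned feed, so the full code path runs without a server."""
    seen = []

    class _Response:
        def read(self):
            return feed_bytes

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def opener(req):
        seen.append(req)
        return _Response()

    return opener, seen


if __name__ == "__main__":
    # Placeholder URL; the real query collection URL comes from the server's service document.
    opener, seen = make_replay_opener(SAMPLE_FEED)
    titles = run_query("https://nuxeo.example.invalid/nuxeo/atom/cmis/default/query",
                       "alice", "s3cret", "SELECT cmis:name FROM cmis:document", opener=opener)
    print(titles)
```

To go against a live server, drop the `opener=` argument and pass the query collection URL from the repository's AtomPub service document; the HTTPS check then protects the credentials in the same way.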
Authentication is done through the CMIS API using a Web Service Security user token. If the user used for that purpose is correctly configured and has the right ACL in the Nuxeo server, only the documents accessible to him will be accessible from the CMIS client using his user token.