The security metadata for an endpoint lets you describe a set of requirements that must be passed in order for the business logic to execute. Requirements are executed in collections. If any requirement in the collection passes the entire collection passes. A collection of requirements can be defined at the following locations:
Collections short circuit for failures. If the end point collection fails, the route and input entity collections will not execute. Requirements within a collection short circuit on success, since one requirement passing means the entire collection passes.
Most security requirements are implemented as database functions but there are a few code based requirements too. A security block is a JSON object whose properties are a descriptive name for the requirement. The property name will be used in error messages if the requirement fails to pass. The property values are JSON objects that describe additional metadata needed to configure or execute the requirement. The structure of these property values will vary across requirements of different types. The only common property that all requirements share is the 'type' property, which gives the framework enough information to instantiate the objects necessary to execute the requirement.
The security framework is flexible enough to allow for requirements of any type to be created but that is not covered in these pages.
Be very aware of the data you are exposing through services. Your services site is always going to be accessible regardless of how you are securing your front end pages. Putting your pages behind a CMS does not protect you. It is trivial for users to open the network tab on the browser, see what requests are being made, and make manual calls to mine for additional data. Let's assume you want to expose an endpoint to retrieve information from persons. Consider the following questions: