Elastic Path Commerce Development

Security Configuration Guide

Cortex uses authentication tokens and Apache Shiro to manage access to Cortex resources.

After a customer logs in, the client application uses the end-user credentials to request an authentication token from Cortex. The authentication token allows access to different resources depending on the user's role. For information on how Cortex uses authentication tokens to allow customers to access its resources, see Cortex Authentication.

Apache Shiro, a role-based access control (RBAC) framework, handles roles and permissions on the Cortex side. Shiro provides a dynamic security model in which roles and permissions can be configured at run time. Each of your Cortex API resources has an assigned set of permissions that controls which resource operations a given user is authorized to perform. For information on how Cortex uses Apache Shiro to manage roles and permissions, see Cortex Authorization.