Webapi2 Access Filters
You can set webapi2 access filters under the Security settings. The webapi2 access filter is set at server level; you cannot set user- or domain-specific security filters. With this filter you specify rules for accessing webapi2 methods.
The example above denies the webapi2 method utils/login for any IP address. It denies every version of the utils/login method, because the filter matches all versions (utils/login/*). Instead of ip any you can also use a specific IP address or an IP address range.
You can limit access for all users from one specific IP - method utils/echo/1 can be called only 10 times in a 5-second range. You can set the expiration range in milliseconds (ms), seconds (s), minutes (m) or hours (h).
NOTE: When using a throttle filter, every call has its own timer - in the example above, if you call method echo 5 times in the first second and 6 times in the fourth second, the last call will be denied (because the limit is 10). Every other call in the range of 5 seconds would be denied too. But you can repeat 3 calls in the sixth second, as the timer for the first 3 calls would already have run out.
You can also deny a specific user from calling a specific method - in the example above you deny the user with ID s2_0_2 from calling method utils/echo/1.
You don't need to use the exact method version; instead you can use a wildcard to match the method name with all existing versions - the example above is the same as the previous example with a version (utils/echo/1).
All possible combinations for webapi2 access filter are:
[ip any OR ip <specific ip> OR ip <ip range>]
    filter deny_method <method name>;
    filter deny_user <user ID>;
    throttle user;expires <range>s;max number <maximum attempts>;
    throttle method;expires <range>s;max number <maximum attempts>;
[method <method name with method version> OR method <method name with wildcard>]
    filter deny_user <user ID>;
    throttle ip;expires <range>s;max number <maximum attempts>;
    throttle user;expires <range>s;max number <maximum attempts>;
The syntax is the same within each group of filters (the same for throttle, the same for filter).
|Filters that define access to webapi2
||server:s-999_0_0:webapi2_access_filter=[<empty>, <filter string>]||ICP 4.0.0|
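The per-call timer behaviour described in the throttle NOTE, modelled as a sliding window and replayed over the note's own scenario (limit 10, range 5 seconds). This is an added example, not the server's own code: the names `Throttle`, `parse_range_ms` and `replay`, the duration token format, the sample IP and timestamps, and the rule that a denied call starts no timer are all assumptions.

```python
from collections import deque

# Units the page lists for the expiration range, in milliseconds.
UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}


def parse_range_ms(text):
    """Convert '5s', '500ms', '2m' or '1h' to milliseconds (token format assumed)."""
    for unit in ("ms", "s", "m", "h"):  # test 'ms' before 's' and 'm'
        number = text[: -len(unit)]
        if text.endswith(unit) and number.isdigit():
            return int(number) * UNIT_MS[unit]
    raise ValueError(f"unsupported range: {text!r}")


class Throttle:
    """Sliding-window model: every accepted call starts its own expiry timer."""

    def __init__(self, max_number, expires):
        self.max_number = max_number
        self.window_ms = parse_range_ms(expires)
        self.timers = {}  # key (IP, user ID or method) -> deque of expiry times

    def allow(self, key, now_ms):
        q = self.timers.setdefault(key, deque())
        while q and q[0] <= now_ms:  # drop timers that have run out
            q.popleft()
        if len(q) >= self.max_number:
            return False  # assumption: a denied call starts no timer
        q.append(now_ms + self.window_ms)
        return True


def replay(calls_ms, max_number=10, expires="5s", key="192.0.2.10"):
    """Feed constructed call times (ms) for one key through a fresh throttle."""
    throttle = Throttle(max_number, expires)
    return [throttle.allow(key, ts) for ts in calls_ms]


# Constructed timeline in ms: 5 calls in the first second, 6 in the fourth,
# 1 more inside the range, then 4 attempts in the sixth second.
TIMELINE = ([0, 200, 400, 600, 800] + [3000, 3100, 3200, 3300, 3400, 3500]
            + [4500] + [5500, 5510, 5520, 5530])

if __name__ == "__main__":
    for ts, ok in zip(TIMELINE, replay(TIMELINE)):
        print(f"{ts:>5} ms  {'allowed' if ok else 'denied'}")
```

Because each timer expires individually, capacity returns one call at a time rather than all at once when a fixed interval ends, which is why only 3 of the 4 attempts in the sixth second succeed.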