Comparing Data Access Strategies for Public APIs (Sign-up, Forgot Password)

Support
#1

Hello,
I am developing public-facing features such as user sign-up and password reset functionalities. To achieve this, I need to allow anonymous users to interact with the backend to create or modify data. I have identified several possible approaches for data access, and I would like to seek clarity on which method is considered the most secure and appropriate according to Jmix best practices.

  1. SystemAuthenticator + DataManager + SpecificPolicy
    My understanding is that this is a layered approach. First, a SpecificPolicy (e.g., resources = "public.sign-up") is assigned to the AnonymousRole to grant entry-point access to the specific REST controller method. Second, within the controller method, the entire business logic (involving DataManager calls) is wrapped in a systemAuthenticator.runWithSystem(...) block to execute it with system-level privileges.
  2. Using DataManager.unconstrained()
    This approach involves injecting the standard DataManager and then calling the .unconstrained() method to bypass security constraints for a specific operation. However, it seems this still requires an authenticated user context to begin with, which is absent in a public API call.
  3. Using the UnconstrainedDataManager bean
    This involves directly injecting the UnconstrainedDataManager. I understand this is a legacy approach and is generally discouraged, but I would like to confirm its security implications compared to the other methods.

My Questions Is:

  • Security Comparison: Which of these approaches provides the highest level of security for public APIs? What are the specific risks associated with each method?
  • Role of SpecificPolicy: When using SystemAuthenticator, is the primary role of SpecificPolicy simply to allow the HTTP request to reach the controller method, while the actual data operations are secured by the system-level execution context?
  • Recommended Practice: For features like user sign-up and password reset, what is the officially recommended Jmix pattern?

Thank you in advance for your guidance.

Please help Jmix team and community members to answer your questions:

  • Provide your Jmix framework and Studio versions. Use Welcome screen in Studio to copy versions.
  • If possible, attach a zip-archive with a sample project or provide a link to a GitHub repository with a minimal, reproducible example. Use Gradle → Zip Project action in Jmix tool window to make an archive.
  • Format source code in your posts by wrapping it in triple backquotes (```).