CUBA Security Between Tiers

Hi CUBA team,

I’m wanting to understand a bit more the application security and whether or not something like OAUTH2 is being used at all between the client and middleware tiers of CUBA. I don’t see any references to this on the platform guidance other than pertaining to the REST API V2.

Could you please explain how communication between the tiers of CUBA are secured? Is it OAUTH2 similar to the REST API or are credentials being passed?


Hi Ryan,

Yes, a token-based authentication is used between client blocks and the middleware. It is described here:

The UserSession object is created on Middleware during LoginService.login() method execution after the user is authenticated using a name and a password. The object is then cached in the Middleware block and returned to the client tier. When running in cluster, the session object is replicated to all cluster members. The client tier also stores the session object after receiving it, associating it with the active user in one way or another (for example, storing it in HTTP session). Further on, all Middleware invocations on behalf of this user are accompanied by passing the session identifier (of UUID type). This process does not need any special support in the application code, as the session identifier is passed automatically, regardless of the signature of invoked methods.

So the UserSession identifier plays the role of the authentication token. Credentials are being only to the LoginService.login() method.