REST API anonymous access only for a registration user API

Hi Team,

We are passing oauth token to access all the REST API(custom controllers) after the user logs in.
we have set = false

But we want to access one custom controller to create the users/Register users from the application(custom web application/mobile app). So what do we pass as a oauthtoken value or how do we access this API

My making a call from javascript function to call this register user API as below

var url = restAPIUrl +'user/registerUser';
		url: url,
		headers: {
            'Authorization': 'Bearer ' + oauthToken,
            'Content-Type': 'application/json'
        dataType: 'json',
        data: userData,
        success: function (data) {

I have just completed an extension module for CUBA that allows for service methods to be declared as anonymous, even when GlobalConfig.getRestAnonymousEnabled() is false.

It is not exactly what asked here, but you can use this functionality to create a service that wraps your anonymous functionality, and let the client call that method.

an example of rest-services.xml file using this extension:

<?xml version="1.0" encoding="UTF-8"?>
<services xmlns="">
    <service name="extsec_UserProfileService">
        <method name="getProfile"/>
        <method name="updateProfile">
            <param name="user"/>
    <service name="extsec_UserManagementService">
        <method name="checkUserExist" allowAnonymous="true">
            <param name="loginOrEmail"/>
        <method name="sendResetPasswordLink" allowAnonymous="true">
            <param name="loginOrEmail"/>
        <method name="checkResetPasswordToken" allowAnonymous="true">
            <param name="token"/>
        <method name="changePasswordWithToken" allowAnonymous="true">
            <param name="token"/>
            <param name="password"/>
        <method name="deleteResetPasswordToken" allowAnonymous="true">
            <param name="token"/>

allowAnonymous=“true” kicks in even when rest anonymous access is globally set to false, and allow clients to call only the needed methods without an Authorization token.

I included this code in my not yet published security component, that I hope to publish soon on GH…
If you think it could be useful in your scenario, let me know and I’ll try to post it in a gist.


I want to add that the anonymous access in REST api is pretty useless (read: UNSECURE), unless we can list WHICH methods are allowed without an Authorization header…

It’s too dangerous to just enable anonymous access, and then every service method is readily available for everyone!

I developed an extended UserManagementService, that exposes several methods to let the users of my SPA client to reset their passwords, by sending them an email with a reset link.

Some methods should be available anonymously, while others after authentication.

I need a way to list which methods of my service will be available anonymously, and only that methods (and nothing else) will be allowed without an Authorization token.


Thanks so much Paolo,
I just followed the service method invocation by following the steps you suggested.
Below is my service

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<services xmlns="[url=">]">[/url]; 
    <service name="fot_UserDetailsService"> 
        <method name="createUser" allowAnonymous="true"> 
            <param name="userDetails"/> 
        <method name="getUserDetailsByVerificationToken"> 
            <param name="token"/> 

My URL for service call
Passing POST request parameters are passed in the request body as below
“userDetails” : {
“error”: “unauthorized”,
“error_description”: “An Authentication object was not found in the SecurityContext”
But it is not working says “An Authentication object was not found in the SecurityContext”.
I have attached the screens for more details .
Is this feature allowAnonymous=“true” for services is available? is it not yet published from cuba ?

Only If I pass the token it works.




Hi Shanur,
sorry if it was not clear from my comment above, but that allowAnonymous attribute is a custom extension I made for REST api framework in my ext-security custom app component.

That component is not yet published on github, but it is complete now, apart from extensive documentation :wink:

The component includes:

  • new user profile screen and REST apis to let the logged in user change their personal details (edit User entity)
  • add a “forgot password” functionality both in the login screen and via REST apis (to let an external SPA client implement this function)
  • extend the REST api framework to let some service methods be called anonymously (allowAnonymous)

incidentally, the component extends the User entity with some needed attributes (in my own projects), like phone numbers, but it is not mandatory to use it.

I’ll let you know as soon as I publish it on GH.


Thanks Paolo,

We need these features urgently in our current project.

Could tell the dates when you have plan of publishing.
After these changes are published how do we integrate/make use of these changes? Will they come as a update in Cuba studio?


it is a custom application component, that everyone can create for sharing common functionality to others, or inside own company.
See and
I’m not in any way affiliated with core CUBA team, but if they’ll find the code useful, maybe they could accept a PR to integrate such modifications in the framework itself.
I’m working to separate the forgot password and anonymous service methods functionalities in a separate component, for better separation of concerns.
I’ll let you know when published.
IMPORTANT NOTICE: and please note that this component is strictly tied with low-level framework infrastructure, so it will work ONLY with current version of CUBA (6.6.4) and NOT with earlier or later versions…

I published the component on github and bintray. The installation and usage instructions are in the readme of the repo:
If you find any issue while using the component, please file an issue on github.

@pfurini Any updates on this ?

@sameer.ansaree sorry, I can’t understand which updates you’re referring to…