REST Service Configuration

The RestService configuration is contained in the RestConfigurationSection section. To register this section, add the following section registration:

  <add type="SanteDB.Server.Core.Configuration.RestConfigurationSection, SanteDB.Server.Core" />

Each REST-based service in the host uses a service in the REST controller host (listed as service sections). The basic architecture of the REST service layer is illustrated below.

  • Service: A service represents a logical service which is provided on the REST-based API. A service can be FHIR or METADATA, etc. Typically a single daemon service will bind itself to a single REST service.

  • Service Behavior: A service behavior is a behavior which is applied across all endpoints within the service. This can be, for example, authorization behaviors or policy behaviors.

  • Endpoint: An endpoint is a specific listening location for the REST-based service. The endpoint is bound to a listening address and a contract. A contract expresses a particular series of operations and paths on the endpoint base address. A contract can be (for example) v1, v2 or v3 of an API service.

  • Endpoint Behavior: An endpoint behavior is a behavior applied only to the endpoint. Endpoint behaviors include message inspectors, serializers, compression behaviors, CORS behaviors, etc.

An example of a simple FHIR API configuration is illustrated below.

<service name="FHIR">
        <add type="SanteDB.Server.Core.Rest.Security.TokenAuthorizationAccessBehavior, SanteDB.Server.Core, Version="/>
      <endpoint address="" contract="SanteDB.Messaging.FHIR.Rest.IFhirServiceContract, SanteDB.Messaging.FHIR, Version=">
          <add type="SanteDB.Rest.Common.Behavior.MessageLoggingEndpointBehavior, SanteDB.Rest.Common, Version="/>


The following services are bound to the REST API in the default SanteDB installation.

Service Name

Business Intelligence Service

OpenAPI (Swagger) Metadata Exchange

Service Behaviors

Token Authorization Access

The TokenAuthorizationAccess behavior is configured using the SanteDB.Server.Core.Rest.Security.TokenAuthorizationAccessBehavior. This service validates bearer tokens with the current ISessionManager service and allows the establishment of a principal.

<service name="name">
    <add type="SanteDB.Rest.Common.Security.TokenAuthorizationAccessBehavior, SanteDB.Rest.Common"/>

Basic Authentication Access Behavior

The BasicAuthenticationAccessBehavior behavior is configured using the SanteDB.Rest.Common.Security.BasicAuthorizationAccessBehavior and allows the use of HTTP BASIC authentication to establish principals.

<service name="name">
    <add type="SanteDB.Rest.Common.Security.BasicAuthorizationAccessBehavior, SanteDB.Rest.Common"/>

Client Authorization Access Behavior

The ClientAuthorizationAccessBehavior allows services to authenticate client credentials using basic authorization. This establishes an ApplicationPrincipal as the primary principal.

<service name="name">
    <add type="SanteDB.Authentication.OAuth2.Wcf.ClientAuthorizationAccessBehavior, SanteDB.Authentication.OAuth"/>

Endpoint Behaviors

The endpoint behaviors listed here control the behavior of individual endpoints on the SanteDB core service.

Message Logging Behavior

The message logging endpoint behavior will log all inbound messages to the primary trace source log.

<endpoint address="address" contract="contract">
          <add type="SanteDB.Rest.Common.Behavior.MessageLoggingEndpointBehavior, SanteDB.Rest.Common"/>

Message Compression Behavior

The message compression endpoint behavior enables message compression on the server and allows clients to send Accept-Encoding headers naming the gzip, bzip2, deflate or lzma algorithm.

<endpoint address="address" contract="contract">
          <add type="SanteDB.Rest.Common.Behavior.MessageCompressionBehavior, SanteDB.Rest.Common"/>

CORS Behavior

The CORS endpoint behavior allows cross-origin requests to be executed on a specific endpoint. The CORS behavior accepts a configuration which dictates the CORS policies for the service.

<endpoint address="address" contract="contract">
          <add type="SanteDB.Rest.Common.Behavior.CorsEndpointBehavior, SanteDB.Rest.Common, Version=">
                <resource name="*" domain="*">

Accept Language Behavior

The accept language behavior allows the SanteDB instance to modify the current localization string for errors and responses on the CDR pipeline. The handler uses the following language preferences, in this order:

  1. The language of the user's session

  2. The value of the Accept-Language header

  3. The value of the X-Sdb-Language header (used when clients cannot set Accept-Language)

Security Policy Behavior

The security policy behavior enables cross-site scripting (XSS) protection and Content Security Policy (CSP) headers on the endpoint.

<endpoint address="address" contract="contract">
          <add type="SanteDB.Rest.Common.Behavior.SecurityPolicyHeadersBehavior, SanteDB.Rest.Common"/>
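
As an added example (not part of the SanteDB documentation or code base), the Python script below audits a REST configuration for three conditions that the behaviors on this page make checkable: a service with no authorization access behavior, a CORS resource with `domain="*"`, and an endpoint that logs all inbound messages. The sample XML is constructed from the element and type names shown above; its nesting, addresses and contract values are assumptions, and the checks walk descendants so wrapper elements in a real file do not affect them.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element and type names come from the snippets on this page;
# the nesting, addresses and contract values are placeholders, not a real SanteDB file.
SAMPLE = """<section>
  <service name="FHIR">
    <add type="SanteDB.Rest.Common.Security.TokenAuthorizationAccessBehavior, SanteDB.Rest.Common"/>
    <endpoint address="http://127.0.0.1:8080/fhir" contract="contract">
      <add type="SanteDB.Rest.Common.Behavior.MessageLoggingEndpointBehavior, SanteDB.Rest.Common"/>
      <add type="SanteDB.Rest.Common.Behavior.CorsEndpointBehavior, SanteDB.Rest.Common">
        <resource name="*" domain="*"/>
      </add>
    </endpoint>
  </service>
  <service name="METADATA">
    <endpoint address="http://127.0.0.1:8080/metadata" contract="contract">
      <add type="SanteDB.Rest.Common.Behavior.SecurityPolicyHeadersBehavior, SanteDB.Rest.Common"/>
    </endpoint>
  </service>
</section>"""

def short_name(add):
    """Class name without namespace or assembly, e.g. CorsEndpointBehavior."""
    return add.get("type", "").split(",")[0].rsplit(".", 1)[-1]

def audit(xml_text):
    """Return (service name, finding) pairs for settings that deserve review."""
    findings = []
    root = ET.fromstring(xml_text)
    for svc in root.iter("service"):
        name = svc.get("name")
        # Behaviors nested under an endpoint are endpoint behaviors; the rest are service-level.
        endpoint_adds = {id(a) for ep in svc.iter("endpoint") for a in ep.iter("add")}
        service_level = [short_name(a) for a in svc.iter("add") if id(a) not in endpoint_adds]
        if not any(n.endswith("AuthorizationAccessBehavior") for n in service_level):
            findings.append((name, "no-authorization-behavior"))
        for ep in svc.iter("endpoint"):
            for add in ep.iter("add"):
                kind = short_name(add)
                wildcard = any(r.get("domain") == "*" for r in add.iter("resource"))
                if kind == "CorsEndpointBehavior" and wildcard:
                    findings.append((name, "cors-wildcard-domain"))
                if kind == "MessageLoggingEndpointBehavior":
                    findings.append((name, "logs-all-inbound-messages"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

A service flagged `no-authorization-behavior` may be intentionally open (a metadata service, for instance); the finding marks it for review and is not an error in itself.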
