用户提供的RESTful安全资源
[英]RESTful secure resources by user
问题描述
I am building a SpringBoot RESTful api with OAuth2 as security component. 
我正在使用OAuth2作为安全组件构建SpringBoot RESTful api。
I am wondering how to protect my resources, but thinking more as business logic. 我想知道如何保护我的资源,但更多地考虑作为业务逻辑。 For example, if I have a list of courses /rest/v1/courses , and this courses have a Supervisor and suppose that I logged as ROLE_SUPERVISOR (no admin access) and I make a call to /rest/v1/courses and as business logic I can only see the courses where I am supervisor. 例如,如果我有课程列表/rest/v1/courses ,并且此课程有Supervisor并且假设我以ROLE_SUPERVISOR(没有管理员访问权限)的身份登录,并且我以/rest/v1/courses身份进行通话,逻辑上,我只能看到我担任主管的课程。
1) Should I make a /rest/v1/courses?supervisor_id=2 . 1)我应该参加/rest/v1/courses?supervisor_id=2 Classic filter, it would be ok if I where an Admin, but anyone who is logged in, could see other data if trace the url and change the id. 经典过滤器,如果我在哪里有管理员,但登录的任何人都可以看到其他数据(如果跟踪url并更改id),则可以。
2) Should I make a /rest/v1/courses and get the supervisor_id from the successful login? 2)我应该做一个/rest/v1/courses ,并获得supervisor_id从成功登录? So I have to check every request against the login data. 因此,我必须对照登录数据检查每个请求。 I think this is the more secure approach, but it's sound a little tedious, and I could forget to perform security checks in any controller method. 我认为这是一种更安全的方法,但是听起来有些乏味,而且我可能会忘记以任何控制器方法执行安全性检查。
3) Maybe there is a more generic solution and I couldn't find or think? 3)也许有一个更通用的解决方案,我找不到或认为吗?
Thank you, and sorry for my english. 谢谢,对不起我的英语。
1 个解决方案
解决方案1
0 2016-07-20 16:13:40
RESTful APIs are stateless. RESTful API是无状态的。 Therefore with every request you must validate the request's credentials, either immediately with a token or by checking with your OAuth service. 因此,对于每个请求,您必须立即使用令牌或通过检查OAuth服务来验证请求的凭据。 If the supervisor_id is linked to the credentials (eg token value xyz implies supervisor_id = 2 ), and this ID determines access, then adding it as a request parameters is unnecessary. 如果supervisor_id已链接到凭据(例如,令牌值xyz暗含supervisor_id = 2 ),并且此ID确定了访问权限,则无需将其添加为请求参数。 You would always be validating this parameter against the credentials anyway. 无论如何,您始终会根据凭据验证此参数。
Now if "supervisor 2" can request information regarding "supervisor 1", then yes, you would want the ID as another request parameter. 现在,如果“主管2”可以请求有关“主管1”的信息,那么可以,您希望将ID作为另一个请求参数。 You will still need to check credentials to know "supervisor 2" is making the request and validate what they are allowed to query. 您仍然需要检查凭据,以了解“主管2”正在发出请求并验证允许查询的内容。
So I have to check every request against the login data.
Basically anything identifying the requestor should be part of your authentication mechanism, separate from your specific API business logic. 基本上,任何标识请求者的内容都应与您的特定API业务逻辑分开,成为身份验证机制的一部分。 You'll find in many frameworks a workflow that processes authentication before URL routing. 您会在许多框架中找到一个工作流程,该工作流程在URL路由之前处理身份验证。 This includes providing your controllers with user information. 这包括向您的控制器提供用户信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.