
Authorization in RESTful APIs

I am working on a RESTful API and am unable to find a solution to my problem.

I have a GET request to get a resource by ID, and I have implemented basic authentication.

Now if somebody changes the ID in the GET request, he can access the resources of other users as well.

How can I restrict a user to seeing only his own resources? Do I have to create some security filter for every type of resource?

Any link to best practices to prevent this kind of issue will be appreciated!

The short answer is: yes, you need to develop something that checks, for each resource, whether the user is actually allowed to access that resource.

If the user is not allowed, you return a 403 Forbidden HTTP error.

If the user has access, then the request should carry some authorization-related field such as an access token. With it you can verify which user is requesting the data, and if they're allowed, you continue with the GET as usual. A filter would fit perfectly for this.

Check the Authorization header here: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields .
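The per-resource check the answer describes, as an added example that is not from the original post: a GET-by-id handler that only authenticates (so any logged-in user can read any id) next to one wrapped in a reusable ownership filter that returns 403 for ids the user does not own. The resource store, user names and the owner-or-admin policy are constructed assumptions standing in for a real database and identity layer.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class Resource:
    id: int
    owner: str
    body: str

# Constructed sample data in place of a database and user directory.
RESOURCES = {1: Resource(1, "alice", "alice's notes"),
             2: Resource(2, "bob", "bob's notes")}
ADMINS = {"carol"}

Response = Tuple[int, Optional[str]]  # (HTTP status, body)

def get_resource_unchecked(user: Optional[str], resource_id: int) -> Response:
    """Authentication only: once logged in, any user can read any id
    simply by changing it in the URL (the problem the question describes)."""
    if user is None:
        return 401, None
    res = RESOURCES.get(resource_id)
    return (404, None) if res is None else (200, res.body)

def authorize(user: str, res: Resource) -> bool:
    """Object-level policy (assumed): the owner or an admin may read it."""
    return res.owner == user or user in ADMINS

def owner_check(handler: Callable[[str, Resource], Response]) -> Callable:
    """Reusable filter: authenticate, load the object, apply the policy,
    and only then hand the resource to the actual handler. Apply it to
    every per-id endpoint instead of re-writing the check each time."""
    def wrapped(user: Optional[str], resource_id: int) -> Response:
        if user is None:
            return 401, None          # no credentials / token at all
        res = RESOURCES.get(resource_id)
        if res is None:
            return 404, None
        if not authorize(user, res):
            return 403, None          # authenticated, but not allowed this id
        return handler(user, res)
    return wrapped

@owner_check
def get_resource(user: str, res: Resource) -> Response:
    return 200, res.body
```

Some APIs answer 404 rather than 403 in the filter so that valid ids of other users cannot be enumerated; either way the decision is made per object, after the identity from the token is known.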
