
How to implement field level access control for REST service based on the caller?

I have a requirement to restrict attributes in the REST response by the caller. Consider the response in JSON format.

Ex: For a given REST endpoint, the default response is like

 {
    "id" : "111",
    "name" : "John",
    "age" : "30"
 }

For the "caller 1" the response should be like

 {
    "id" : "111",
    "name" : "John",
    "age" : "null"
 }

For the "caller 2" the response should be like

{
    "id" : "111",
    "name" : "null",
    "age" : "30"
}

In the above response JSONs, "null" means such attributes are not exposed to such callers.

I am looking for a way to control the REST response by caller.

The implementation on the server side is heavily dependent on the underlying server technology stack (REST API, DB, user's role layer, etc.). In some configurations you define the data authorization in the DB layer, while in others on the REST layer. Implementing field-level authorization is a tricky one, as not all frameworks provide this granularity.

One framework that does offer such granularity is Jello Framework (I am the author). One of Jello's key features is its inline Authorization Model, where you can assign different access levels to data elements at any resolution (Namespaces, Entities, Fields, Actions) and specify who is authorized to access the data via the REST API.

For example - Let's say you want to expose the 'age' field only to the record owner and the site administrator. In Jello, it will look something like this:

public class Person extends JelloEntity {
   @Expose @KeyElement 
   Integer  id;

   @Expose 
   String name;

   @Expose({Role.OWNER, Role.ADMIN}) 
   Integer age;
}

I had a similar requirement in the past where permissions were granular at the field level.

I implemented REST response writers for each entity. I pass a list of the fields of that entity to which the calling user has access. Using the list, in the response writer, I output only those fields to which the user has access.

I output a map/list structure from the entity. Jackson then marshals the structure into JSON.
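The approach described in this answer (resolve the caller to a set of permitted field names, then let the serializer emit only those fields) can be done with plain Jackson without a hand-written writer per entity. The following is an added example and not the answerer's code or Jello's: the roles (`OWNER`, `ADMIN`, `SUPPORT`, `ANONYMOUS`), the `PERSON_POLICY` table, the `personFilter` id and the `Person` class are all assumptions chosen for the illustration. It uses Jackson's `@JsonFilter` together with `SimpleBeanPropertyFilter.filterOutAllExcept`, so the filtering happens on the server at serialization time rather than being left to the client, and a field with no policy entry is hidden by default.

```java
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ser.FilterProvider;
import com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter;
import com.fasterxml.jackson.databind.ser.impl.SimpleFilterProvider;

import java.util.Collections;
import java.util.EnumSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class FieldLevelAccessDemo {

    // Hypothetical roles for this example; OWNER is a per-record relationship,
    // not a global grant, so it is computed in effectiveRoles() below.
    enum Role { OWNER, ADMIN, SUPPORT, ANONYMOUS }

    // Field-level policy (assumed for the example): which roles may see each
    // attribute of Person. Any field absent from this map is never emitted.
    static final Map<String, Set<Role>> PERSON_POLICY = Map.of(
        "id",   EnumSet.allOf(Role.class),
        "name", EnumSet.of(Role.OWNER, Role.ADMIN, Role.SUPPORT),
        "age",  EnumSet.of(Role.OWNER, Role.ADMIN)
    );

    // The entity. The filter id ties the class to the per-request
    // FilterProvider built in serializeFor().
    @JsonFilter("personFilter")
    public static class Person {
        public final String id;
        public final String name;
        public final Integer age;

        Person(String id, String name, Integer age) {
            this.id = id;
            this.name = name;
            this.age = age;
        }
    }

    // Ownership must be decided against the record being returned, not taken
    // from the caller's static role list, or every user would be OWNER of
    // every record.
    static Set<Role> effectiveRoles(String callerId, Set<Role> granted, Person record) {
        Set<Role> roles = EnumSet.noneOf(Role.class);
        roles.addAll(granted);
        if (callerId != null && callerId.equals(record.id)) {
            roles.add(Role.OWNER);
        }
        return roles;
    }

    // Map the caller's roles to the set of field names they may see.
    // Deny by default: a field is allowed only if the policy lists at least
    // one role the caller actually holds.
    static Set<String> allowedFields(Map<String, Set<Role>> policy, Set<Role> callerRoles) {
        Set<String> allowed = new LinkedHashSet<>();
        for (Map.Entry<String, Set<Role>> e : policy.entrySet()) {
            if (!Collections.disjoint(e.getValue(), callerRoles)) {
                allowed.add(e.getKey());
            }
        }
        return allowed;
    }

    // Serialize with a filter that drops every property not in the allowed set.
    // Dropping the property (rather than writing null) avoids telling the
    // caller that a hidden attribute exists.
    static String serializeFor(Person p, String callerId, Set<Role> granted)
            throws JsonProcessingException {
        Set<Role> roles = effectiveRoles(callerId, granted, p);
        Set<String> allowed = allowedFields(PERSON_POLICY, roles);
        FilterProvider filters = new SimpleFilterProvider()
            .addFilter("personFilter", SimpleBeanPropertyFilter.filterOutAllExcept(allowed));
        return new ObjectMapper().writer(filters).writeValueAsString(p);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample record matching the question's example.
        Person john = new Person("111", "John", 30);

        // The record owner (caller id equals record id) sees everything.
        System.out.println(serializeFor(john, "111", EnumSet.of(Role.ANONYMOUS)));
        // An administrator sees everything regardless of ownership.
        System.out.println(serializeFor(john, "999", EnumSet.of(Role.ADMIN)));
        // Support staff see name but not age.
        System.out.println(serializeFor(john, "999", EnumSet.of(Role.SUPPORT)));
        // An unrelated caller sees only the id.
        System.out.println(serializeFor(john, "999", EnumSet.of(Role.ANONYMOUS)));
    }
}
```

If the API contract requires the key to be present with a `null` value, as in the question's examples, replace the filter with a writer that copies the entity into a `Map` and sets disallowed keys to `null`; but be aware that this leaks the attribute's existence, and that the filter must be applied for every endpoint and every nested object that exposes the entity, including list and search responses, or the restriction is bypassed through a different route.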
