
RESTful secure resources by user

I am building a SpringBoot RESTful api with OAuth2 as security component.

I am wondering how to protect my resources, but thinking more in terms of business logic. For example, if I have a list of courses at /rest/v1/courses, and these courses have a Supervisor, and suppose that I am logged in as ROLE_SUPERVISOR (no admin access) and I make a call to /rest/v1/courses, then as business logic I can only see the courses where I am supervisor.

1) Should I make a /rest/v1/courses?supervisor_id=2 ? A classic filter; it would be ok if I were an Admin, but anyone who is logged in could see other data if they trace the URL and change the id.

2) Should I make a /rest/v1/courses and get the supervisor_id from the successful login? So I have to check every request against the login data. I think this is the more secure approach, but it sounds a little tedious, and I could forget to perform security checks in any controller method.

3) Maybe there is a more generic solution that I couldn't find or think of?

Thank you, and sorry for my English.

RESTful APIs are stateless. Therefore with every request you must validate the request's credentials, either immediately with a token or by checking with your OAuth service. If the supervisor_id is linked to the credentials (e.g. token value xyz implies supervisor_id = 2), and this ID determines access, then adding it as a request parameter is unnecessary. You would always be validating this parameter against the credentials anyway.

Now if "supervisor 2" can request information regarding "supervisor 1", then yes, you would want the ID as another request parameter. You will still need to check credentials to know "supervisor 2" is making the request and validate what they are allowed to query.

> So I have to check every request against the login data. I think this is the more secure approach, but it sounds a little tedious, and I could forget to perform security checks in any controller method.

Basically anything identifying the requestor should be part of your authentication mechanism, separate from your specific API business logic. You'll find in many frameworks a workflow that processes authentication before URL routing. This includes providing your controllers with user information.
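As an added illustration of the answer's last point (this is example code written for this page, not code from the question's project or from Spring), here is a Spring Boot resource-server controller that takes the supervisor id from the validated token rather than from the URL. It assumes spring-boot-starter-oauth2-resource-server with JWT tokens, a claim named supervisor_id in the token, and a Course entity with a CourseRepository; all of those names are assumptions, and method security (@EnableMethodSecurity in Spring Security 6, or @EnableGlobalMethodSecurity(prePostEnabled = true) in 5.x) is assumed to be enabled on the application class.

```java
import java.util.List;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Assumed entity for the example: a course owned by one supervisor.
@Entity
class Course {
    @Id
    private Long id;
    private Long supervisorId;

    public Long getId() { return id; }
    public Long getSupervisorId() { return supervisorId; }
}

// Assumed repository. Putting the "by supervisor" filter here means a
// controller cannot forget it: the only way to list courses is scoped.
interface CourseRepository extends JpaRepository<Course, Long> {
    List<Course> findBySupervisorId(Long supervisorId);
}

@RestController
@RequestMapping("/rest/v1/courses")
public class CourseController {

    private final CourseRepository courses;

    public CourseController(CourseRepository courses) {
        this.courses = courses;
    }

    // Reads the supervisor id out of the already-validated JWT. The framework
    // has authenticated the request before routing reached this method, so the
    // id is trusted and the caller cannot substitute another one via the URL.
    private static Long supervisorIdOf(Jwt jwt) {
        Number claim = jwt.getClaim("supervisor_id"); // assumed claim name
        if (claim == null) {
            throw new IllegalStateException("token carries no supervisor_id claim");
        }
        return claim.longValue();
    }

    // Option 2 from the question: GET /rest/v1/courses returns only the
    // caller's own courses; there is no id parameter to tamper with.
    @GetMapping
    public List<Course> myCourses(@AuthenticationPrincipal Jwt jwt) {
        return courses.findBySupervisorId(supervisorIdOf(jwt));
    }

    // Option 1 from the question, but only for admins: the explicit
    // supervisor_id filter is gated by role, so a plain supervisor gets 403
    // instead of another supervisor's data.
    @GetMapping(params = "supervisor_id")
    @PreAuthorize("hasRole('ADMIN')")
    public List<Course> coursesOf(@RequestParam("supervisor_id") Long supervisorId) {
        return courses.findBySupervisorId(supervisorId);
    }

    // Single-resource access: the ownership check is declared on the method,
    // comparing the loaded course against the caller's token claim, so the
    // rule is visible and enforced even if the query itself is not scoped.
    @GetMapping("/{id}")
    @PostAuthorize("hasRole('ADMIN') or returnObject.supervisorId == principal.claims['supervisor_id']")
    public Course course(@PathVariable Long id) {
        return courses.findById(id).orElseThrow();
    }
}
```

The design choice here is to make the scoped query the default path and to attach the ownership rule to the method with @PreAuthorize/@PostAuthorize, so the check lives next to the endpoint it protects rather than being re-implemented by hand in each handler body; a code reviewer can then spot an unannotated endpoint at a glance.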
