
Role Based Authorization REST API

I'm building a REST API (using Jersey for REST and Spring for DI, AOP and JdbcTemplate) for an OMS (Order Management System) in which several users with different roles will have access to the resources it contains.

Let's say for simplicity we have three roles: Customer, Manager, Admin.

Customers will only have access to their own orders. Managers will have access to all orders. Admins will have access to all orders and will also have some extra capabilities.

So what can I do here:
1. Create a separate API for each role
2. A single API for all roles

A single API for all roles, of course, and depending on the security you use you will authorize your requests and give permission to pages depending on the role of the user trying to access them.

In most cases when we are talking about RESTful APIs you are sending credentials once from the client to the server (mostly on login; it depends on the system). Then the server gives you back a cookie or a token which contains information about roles, mail or whatever you put in it, which depends on your security again. Now in the client, depending on that role you just got from the server, you will specify which pages the user can access.

With Spring you can use the spring-mvc and spring-security libraries, which allow you to make clear and simple permission rules for the API:

@PreAuthorize("hasRole('ADMIN')") 
public void doAdminAction();

Docs here
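Below is an added example that is not part of the question or either answer. It takes the second answer's @PreAuthorize rule and extends it to the full requirement in the question (one API for all three roles, where a Customer may only see their own orders), and it enforces the rules on the server rather than relying on the client-side page gating described in the first answer. It assumes Spring Security 6 (@EnableMethodSecurity; on Spring Security 5 use @EnableGlobalMethodSecurity(prePostEnabled = true)), and the names Order, OrderRepository and OrderService are hypothetical. The annotations sit on a Spring-managed service bean, because Spring's method security is proxy-based and only applies to beans Spring creates; a Jersey resource class should delegate to this bean so the same rules apply no matter which resource calls it.

```java
// Added example, not code from the original page. Assumes Spring Security 6.
// Order, OrderRepository and OrderService are hypothetical names.
package com.example.oms;

import java.util.List;
import java.util.Optional;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize / @PostAuthorize for Spring beans (AOP proxies).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

// Hypothetical order model. customerId holds the principal name of the owner,
// which is what authentication.name resolves to in the SpEL rules below.
class Order {
    private final long id;
    private final String customerId;

    Order(long id, String customerId) {
        this.id = id;
        this.customerId = customerId;
    }

    public long getId() { return id; }
    public String getCustomerId() { return customerId; }
}

// Hypothetical DAO; in the question's stack this would be JdbcTemplate-backed.
interface OrderRepository {
    Optional<Order> findById(long id);
    List<Order> findAll();
    List<Order> findByCustomerId(String customerId);
    void delete(long id);
}

@Service
class OrderService {
    private final OrderRepository orders;

    OrderService(OrderRepository orders) {
        this.orders = orders;
    }

    // Role check before the call, ownership check after it: a CUSTOMER only
    // receives the order if its customerId matches the authenticated principal.
    // This object-level check is what turns "access to their order" into a rule
    // the server enforces; the role alone cannot express it.
    @PreAuthorize("hasAnyRole('CUSTOMER', 'MANAGER', 'ADMIN')")
    @PostAuthorize("hasAnyRole('MANAGER', 'ADMIN') or returnObject.customerId == authentication.name")
    public Order getOrder(long id) {
        return orders.findById(id)
                .orElseThrow(() -> new IllegalArgumentException("no such order: " + id));
    }

    // Managers and admins list everything; customers get only their own orders.
    // The customer branch filters by the authenticated principal, never by a
    // client-supplied id, so a customer cannot enumerate other customers' orders.
    @PreAuthorize("hasAnyRole('CUSTOMER', 'MANAGER', 'ADMIN')")
    public List<Order> listOrders() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean seesAll = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch(a -> a.equals("ROLE_MANAGER") || a.equals("ROLE_ADMIN"));
        return seesAll ? orders.findAll() : orders.findByCustomerId(auth.getName());
    }

    // The "extra capability" reserved for ADMIN, as in the answer's doAdminAction().
    @PreAuthorize("hasRole('ADMIN')")
    public void deleteOrder(long id) {
        orders.delete(id);
    }
}
```

Two details worth checking when wiring this up: hasRole('ADMIN') matches a granted authority named ROLE_ADMIN (Spring Security adds the ROLE_ prefix for you), so the roles placed in the token or session must use that form; and the @PostAuthorize rule runs after the repository call, which is fine for a read but means the ownership check for write operations should be done before the write, for example by loading the order with getOrder() first.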

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM