Hello,
> I have a JAX-RS based system. I want to protect a user from accessing the data that belongs to another user.
> i.e. say User1 has account A1 and User2 has A2. The account resource could be like /account/{accountid}
> Now User1 should not be able to access account/A2, and whenever such an attempt is made, a 403 should be thrown.
Understood.
> Is there any generic way to solve this problem of duplicate code other than checking in each resource "if the resource belongs to the Principal User"?
Add an annotation on the methods that you expose that does the checking by analysing the cookie content/munged bit of a URI/etc.
> Can I achieve this using OAuth? Please give me some links if you have any example code or article.
OAuth is about "on behalf of" authorisation. You have a much more fundamental problem of authentication here, and an even more fundamental concern around how best to modularise your code. Don't go looking for another headache just yet :-)
Jim
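
One way to build the annotation-based check suggested in the reply, added here as an example and not code from either poster. It assumes JAX-RS 2.0 or later (`javax.ws.rs`), a container that has already authenticated the caller and populated the `SecurityContext`, and two hypothetical names: the `@OwnedAccount` annotation and the `AccountOwnership` lookup.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.NameBinding;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

// Hypothetical marker annotation: place it on every resource method
// (or class) whose path contains {accountid}.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface OwnedAccount {}

// Hypothetical lookup of the account ids a user owns, backed by your own store.
interface AccountOwnership {
    Set<String> accountsOf(String userName);
}

// Name-bound filter: runs after resource matching, only for @OwnedAccount
// methods, so the ownership check lives in one place instead of each resource.
@OwnedAccount
@Priority(Priorities.AUTHORIZATION)
class OwnedAccountFilter implements ContainerRequestFilter {
    private final AccountOwnership ownership;

    OwnedAccountFilter(AccountOwnership ownership) {
        this.ownership = ownership;
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        Principal user = ctx.getSecurityContext().getUserPrincipal();
        String accountId = ctx.getUriInfo().getPathParameters().getFirst("accountid");
        // Fail closed: no authenticated user, no id in the path, or not the owner.
        boolean allowed = user != null && accountId != null
                && ownership.accountsOf(user.getName()).contains(accountId);
        if (!allowed) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Register an instance of `OwnedAccountFilter` with the JAX-RS application and annotate the `/account/{accountid}` methods with `@OwnedAccount`. Methods that lack the annotation are not checked, so a test that enumerates resource methods taking `accountid` and asserts the annotation is present catches omissions.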