Viktor Koltcov, 2015-02-26 10:34:25

How to control user access to REST resources?

In a Java EE application there are users (User); each user can create documents (Document).

Documents are accessed via JAX-RS.

Before the user can access the documents he needs to log in, after which he can make requests like example.com/documents and example.com/document/15. He should only get access to his own documents, and an error if he tries to get/delete/change someone else's document.

How to organize user login and check if a document belongs to a user when deleting/updating documents?

Victor Potapov, 2015-02-26
@Vityarik

Usually these things are done with tokens, i.e. on the first request the client is identified in the system and receives a unique token (number / string / hash), and all subsequent messages are sent with this token; its rights and capabilities are determined based on it.
If possible, I would look towards spring-ws and spring-security. They are more or less successful in trying to provide a convenient API for all this, and work almost out of the box. But I doubt the feasibility.

jumb0jet, 2015-02-26
@jumb0jet

For example, you can create a createdBy or owner field to store the user who created the document. And when you try to access someone else's document, return status 403.
In order to transfer user data, you can either use a cookie or pass username / password in each request.

Vyacheslav, 2015-07-24
@vkulakov

User login to the system should be done through a ready-made framework. I am using Apache Shiro. It's definitely not worth writing something of your own for authorization.
Checking if a document belongs to a user can be done through the user ID (PK in the database, for example): when creating a document, write the user ID to the document, and when changing/deleting the document, compare the current user ID and the user ID stored in the document. When using Shiro, getting the current user is not a problem.
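The ownership check described in the two answers above (owner field stored on the document, compared with the current user on every read/update/delete, 403 otherwise), as an added JAX-RS example that is not code from any of the posters. It assumes JAX-RS 2.x (`javax.ws.rs`), that login has already been handled by the container or framework so that `SecurityContext` carries the authenticated principal, and a hypothetical in-memory `STORE` standing in for the database.

```java
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

@Path("/documents")
public class DocumentResource {

    // Hypothetical entity: ownerId is the "createdBy"/"owner" field from the answers.
    public static class Document {
        public final long id;
        public final String ownerId;
        public String body;
        public Document(long id, String ownerId, String body) {
            this.id = id; this.ownerId = ownerId; this.body = body;
        }
    }

    // Constructed in-memory store in place of a real database table.
    static final Map<Long, Document> STORE = new ConcurrentHashMap<>();

    @Context
    private SecurityContext security;   // filled in by the container after login

    // Single choke point: every mutating or reading method goes through here,
    // so the ownership check cannot be forgotten on one endpoint.
    private Document loadOwned(long id) {
        if (security.getUserPrincipal() == null) {
            throw new NotAuthorizedException("Bearer");          // 401: not logged in
        }
        Document doc = STORE.get(id);
        if (doc == null) throw new NotFoundException();           // 404
        String current = security.getUserPrincipal().getName();
        if (!doc.ownerId.equals(current)) throw new ForbiddenException(); // 403
        return doc;
    }

    @GET @Path("/{id}")
    public Document get(@PathParam("id") long id) { return loadOwned(id); }

    @PUT @Path("/{id}") @Consumes("text/plain")
    public Document update(@PathParam("id") long id, String body) {
        Document doc = loadOwned(id);
        doc.body = body;
        return doc;
    }

    @DELETE @Path("/{id}")
    public Response delete(@PathParam("id") long id) {
        loadOwned(id);                  // throws before anything is removed
        STORE.remove(id);
        return Response.noContent().build();
    }
}
```

Returning 404 instead of 403 for another user's document is a defensible variant, since it does not reveal which ids exist; the important part is that the comparison happens on every path, not only on GET.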
