Martin

Reputation: 2785

JAX-RS and resource ownership restrictions

There are many good resources and literature on how to set up a JAX-RS API. However, I have yet to find any resource that properly describes how to do security restrictions towards specific resources and methods. For example, given a resource PictureResource, only the uploader of the picture (and an admin) should be able to delete or change properties related to the picture, while anyone should be able to view the picture. The admin restriction is fine as it can be solved by roles, however the uploader would depend on the context of the call. A token identifying the user would then describe who is making the call. This can be solved through a ContainerRequestFilter.

import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

@Path("pictures/{pictureId}")
public class PictureResource {

    @GET
    public Response getPicture(@PathParam("pictureId") final int pictureId) {
        // Get the picture, available for all users.
        return Response.ok().build();
    }

    @DELETE
    public Response deletePicture(@PathParam("pictureId") final int pictureId) {
        // Delete the picture, only available for the uploader of the picture and admins.
        return Response.noContent().build();
    }

    // ...
}

What would be the JAX-RS way of solving this issue? I'm assuming this can be solved by annotations, but it is rather vague to me how to do this. Would another approach be to dynamically assign the user a pictureOwnerRole depending on the context of the call?

Upvotes: 1

Views: 183

Answers (1)

Ahkilleux

Reputation: 31

The problem is discrete resource access control. You need a standard way to describe the resource being accessed in terms of ownership. Who owns the resource, and who has been granted scoped authority over it.

The problem is that this is very domain specific. Resource grouping and ownership requires the ability to look up a resource instance or associated metadata and determine ownership/access requirements.

I don't know of any security frameworks that provide a standard framework or annotation for this.

You could place pictures into a directory structure and use directory access control to determine what users have what access to the resources.

Something like @Secured("ownerDecider=PictureInspector.class") would be how I would approach it. The AccessDecisionVoter or AfterInvocationProvider in Spring Security could then use the provided strategy for discerning ownership, and restrict access accordingly.

Upvotes: 2
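As an added example (not code from the question or the answer), here is the annotation-plus-decider approach the answer sketches, built with plain JAX-RS 2 instead of Spring Security, together with the ContainerRequestFilter the question mentions: a hypothetical `@OwnerOnly` annotation is bound by a `DynamicFeature` to a filter that reads the authenticated principal from the `SecurityContext`, takes the `pictureId` path parameter, and asks a pluggable ownership strategy whether the caller is the uploader. The `OwnershipDecider` interface, `PictureOwnershipDecider`, the `admin` role name and the uploader map are assumptions and constructed sample data.

```java
import java.lang.annotation.*;
import java.security.Principal;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.FeatureContext;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Marks a resource method that only the addressed resource's owner (or an admin) may call. */
@Retention(RetentionPolicy.RUNTIME)
@interface OwnerOnly {
    Class<? extends OwnershipDecider> decider(); // domain-specific ownership strategy (assumed name)
}

interface OwnershipDecider {
    boolean isOwner(String resourceId, Principal user);
}
/** Constructed stand-in for a picture repository lookup: pictureId -> uploader name. */
class PictureOwnershipDecider implements OwnershipDecider {
    private static final Map<String, String> UPLOADERS = Map.of("1", "alice", "2", "bob");
    public boolean isOwner(String pictureId, Principal user) {
        return user != null && user.getName().equals(UPLOADERS.get(pictureId));
    }
}

/** Attaches the ownership filter to every resource method carrying @OwnerOnly. */
@Provider
class OwnerOnlyFeature implements DynamicFeature {
    public void configure(ResourceInfo info, FeatureContext ctx) {
        OwnerOnly ann = info.getResourceMethod().getAnnotation(OwnerOnly.class);
        if (ann == null) return;
        try { ctx.register(new OwnerOnlyFilter(ann.decider().getDeclaredConstructor().newInstance())); }
        catch (ReflectiveOperationException e) { throw new IllegalStateException(e); }
    }
}

/** AUTHORIZATION priority: runs after the authentication filter has populated the SecurityContext. */
@Priority(Priorities.AUTHORIZATION)
class OwnerOnlyFilter implements ContainerRequestFilter {
    private final OwnershipDecider decider;
    OwnerOnlyFilter(OwnershipDecider decider) { this.decider = decider; }
    public void filter(ContainerRequestContext req) {
        Principal user = req.getSecurityContext().getUserPrincipal();
        String pictureId = req.getUriInfo().getPathParameters().getFirst("pictureId");
        if (user != null && (req.getSecurityContext().isUserInRole("admin") || decider.isOwner(pictureId, user))) return;
        req.abortWith(Response.status(Response.Status.FORBIDDEN).build()); // neither admin nor uploader
    }
}
```

Annotating `deletePicture` with `@OwnerOnly(decider = PictureOwnershipDecider.class)` and leaving `getPicture` unannotated gives the asked-for split: anyone can view, only the uploader or an admin can delete. The decision is made per request from the authenticated principal, so no role has to be assigned dynamically.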
