FinalFind

Reputation: 131

REST API Allow access to a URL only for the Owner of the Resource

I am currently designing a REST API for a social networking application.

I am trying to decide how I can go about locking access to a specific resource for each user. For example, I have the following URLs:

https://social-network.com/api/user?id=2/someUpdateOrPostOp 
(or https://social-network.com/api/user/id=2/someUpdateOrPostOp)
https://social-network.com/api/user?id=3/someUpdateOrPostOp

What I need, of course, is for a user with id=2 not to be able to change their id to 3 in the URL and perform an operation on the data of the user with id 3.

Note: I am using JAX-RS with Tomcat and the Client consuming the API is an Android device.

What is the technique I need to research to achieve this? I feel like I am missing something with all this.

Thanks for any help you can offer, this is confusing me greatly!

Upvotes: 1

Views: 650

Answers (1)

David Brossard

Reputation: 13832

You need two things:

  1. logic that confirms the identity of the caller, i.e. you know the caller is Alice. That can happen through OAuth, OpenID Connect or other protocols. You could use more basic authentication, e.g. HTTP Basic Auth, but that leads to the password anti-pattern whereby you share your password with the API.
  2. logic that given the user, determines what that user can do. This is referred to as authorization or access control. Given you are in JAX-RS, you could use a message interceptor to look at the user ID and then look at the requested object or the parameters of the call and then decide to deny access if the authenticated user doesn't correspond to the requested profile. You could even use externalized authorization with XACML. Given your simple use case, though, that would be too much.

You can read more on JAX-RS interceptors here.

Upvotes: 1
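As an added illustration of the interceptor approach described in the answer (example code, not the answer author's own): a JAX-RS `ContainerRequestFilter` bound to a hypothetical `@OwnerOnly` annotation. It assumes an earlier authentication filter has already set a `SecurityContext` whose principal name is the caller's numeric user id, and that resources are routed as `/api/user/{id}/...` so the requested owner is the `{id}` path parameter.

```java
import java.io.IOException;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.NameBinding;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Hypothetical marker annotation: only resource methods carrying it are
// routed through the ownership filter below.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@interface OwnerOnly {}

@Provider
@OwnerOnly
@Priority(Priorities.AUTHORIZATION) // runs after AUTHENTICATION-priority filters
public class OwnerOnlyFilter implements ContainerRequestFilter {
    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // Assumption: the authentication filter populated the SecurityContext
        // and the principal's name is the caller's user id (e.g. "2").
        Principal caller = ctx.getSecurityContext().getUserPrincipal();
        if (caller == null) {
            // No authenticated caller: refuse before even reading the id.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // The {id} segment of /api/user/{id}/..., as the client sent it.
        String requestedId = ctx.getUriInfo().getPathParameters().getFirst("id");
        // Exact string comparison fails closed: a missing id or any variant
        // spelling ("02", "2 ") is denied rather than normalised.
        if (requestedId == null || !requestedId.equals(caller.getName())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

// Resource that opts in: id=3 can only be updated by the caller whose
// principal name is "3", regardless of what id appears in the URL.
@Path("/user/{id}")
class UserResource {
    @POST @Path("/profile") @OwnerOnly
    public Response updateProfile(@PathParam("id") String id, String body) {
        return Response.ok().build(); // update the profile of user `id` here
    }
}
```

Because the check lives in a filter keyed on the authenticated principal rather than in each resource method, a forgotten comparison in one endpoint does not silently reopen the hole; the resource only needs the annotation.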
