eclideria

Reputation: 141

Role based Rest-API using JWT

I'm implementing a simple Rest-API in java with jax-rs. I use JWT and a ContainerRequestFilter to verify that the user is logged-in.

Now I want to be able to handle different roles. Is it ok to store the user roles in the JWT (claim) and fully trust it to give access or not to an endpoint?

If not, what's the best way to achieve this?

Thanks for the help

Upvotes: 0

Views: 519

Answers (1)

MvdD

Reputation: 23436

Is it ok to store the user roles in the JWT (claim) and fully trust it to give access or not to an endpoint?

Yes, that should be fine. As long as you make sure the JWT token is properly signed, you can be assured that no one can make changes to the token and assign themselves high-privilege roles.

Upvotes: 3
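Added example, not part of the question or the answer above: a self-contained sketch of the check the answer relies on. Before the roles claim is trusted, the filter verifies the HS256 signature with the server-side key, pins the algorithm so the token cannot pick "none", and checks expiry; only then is the role compared against what the endpoint requires. The asker's stack is Java/JAX-RS; the same decision logic belongs in the ContainerRequestFilter, and Python is used here only so the block runs with nothing but the standard library. The key, the claim name `roles`, the subject and role names, and the two negative-test helpers are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): in a real service this is the server-side secret
# shared by the issuer and the verifier, or a public key for RS256/ES256.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(subject: str, roles: list, secret: bytes, ttl_seconds: int = 3600) -> str:
    """What the login endpoint does: issue an HS256 JWT carrying the roles as a claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "exp": int(time.time()) + ttl_seconds}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(payload).encode()))
    return signing_input + "." + _b64url_encode(_sign(signing_input, secret))


def verify_token(token: str, secret: bytes, now: float = None) -> dict:
    """Return the claims only if algorithm, signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides it, never the token (rejects "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _sign(header_b64 + "." + payload_b64, secret)
    # Constant-time comparison, so a mismatch leaks nothing about the expected MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(payload, dict) or "exp" not in payload or payload["exp"] <= now:
        raise ValueError("expired")
    return payload


def authorize(token: str, secret: bytes, required_role: str, now: float = None) -> tuple:
    """The filter's decision: (status, reason). 401 = token not trusted, 403 = trusted but lacks the role."""
    try:
        claims = verify_token(token, secret, now)
    except ValueError as exc:
        return 401, str(exc)
    roles = claims.get("roles")
    if not isinstance(roles, list) or required_role not in roles:
        return 403, "forbidden"
    return 200, claims["sub"]


def tampered_token(token: str, new_payload: dict) -> str:
    """Negative-test helper: a token whose payload was edited but whose signature was not re-made."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _b64url_encode(json.dumps(new_payload).encode()) + "." + sig_b64


def unsigned_token(new_payload: dict) -> str:
    """Negative-test helper: an "alg": "none" token with an empty signature segment."""
    header_b64 = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header_b64 + "." + _b64url_encode(json.dumps(new_payload).encode()) + "."


if __name__ == "__main__":
    token = issue_token("alice", ["user"], SECRET)
    print(authorize(token, SECRET, "user"))    # (200, 'alice')
    print(authorize(token, SECRET, "admin"))   # (403, 'forbidden')
    edited = tampered_token(token, {"sub": "alice", "roles": ["admin"], "exp": 4102444800})
    print(authorize(edited, SECRET, "admin"))  # (401, 'bad signature')
    print(authorize(unsigned_token({"sub": "alice", "roles": ["admin"], "exp": 4102444800}),
                    SECRET, "admin"))          # (401, 'unexpected alg')
```

The two negative helpers exist to show why the answer's condition "properly signed" carries the whole argument: an edited roles claim fails the signature check, and a token that declares its own algorithm is refused before any claim is read. Separating 401 (untrusted token) from 403 (trusted token, wrong role) keeps the filter's log lines meaningful when either case shows up.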
