Reputation: 27
Jersey rest framework - authorization - some doubts
I read about jersey framework for rest service on this page http://howtodoinjava.com/jersey/jersey-restful-client-api-authentication-example/|
And I don't understand one thing. For instance, when we have
@Path("/users")
public class JerseyService
{
@RolesAllowed("USER")
public String doLogin(@QueryParam("username") String uname,
@QueryParam("password") String result)
It means that user with role user can modify (by this method) ALL the users? Not only himself in the database? I am writing android app and I can imagine situation where someone is using for instance Advanced REST client. He logs on the service and modifying queries in appropriate way and strongly mess my database. For instance write some points to other user or something similar. How can I shut out this situation?
Upvotes: 0
Views: 79
Answers (1)
Reputation: 17721
Jersey (and similar Spring Security) operate on Resource Types and Roles.
So, if you permit Role "USER" to operate on resource "Users", you can't block specific user from editing other users with Jersey only.
What you can do is use SecurityContext to get current user, and block dangerous operations if his credentials are different from user being changed.
Here's a good example on SecurityContext:
https://simplapi.wordpress.com/2015/09/19/jersey-jax-rs-securitycontext-in-action/
Upvotes: 1
Related Questions
- REST Design of User-based access using Jersey
- How to authenticate users in Jersey
- Implement basic Authentication for rest api using Jersey 2
- User authentication on a Jersey REST service
- REST authorization with Jersey and session management
- Guidelines for RESTful Jersey User access
- How to approach this authentication mechanism in Jersey
- Jersey client calling RESTful service
- Authorization and Authentication using Jersey and Spring
- Authentication and authorization for RESTfull API (java jersery)