Almas Abdrazak

Reputation: 3612

How to secure rest api using permissions

I'm developing a REST API service using Spring Boot. To check permissions I use a token as follows: save a key/value pair to memcache in the login request; the key is the token (a string of length 50) and the value is your id. To have access to any REST request, my REST controller gets this token as a GET parameter (the same logic for POST, PUT, ...), then I get the id of the user (from memcache) and check whether this user has permission for the specific resource. For example, "carwashs/2 PUT": the car wash has an FK to a company, the user also has an FK to a company, and if these FKs are the same you have access to update the car wash. I'm looking for another approach to secure my REST API using Spring Security because the current method is not safe (I see the token in the URL and use GET parameters in all HTTP requests). But in the examples given in the official docs it seems that Spring Security only works with a permissions enum and a login page.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // In-memory test users: one inMemoryAuthentication() call, users chained with and()
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
      auth.inMemoryAuthentication()
        .withUser("anon").password("123456").roles("USER").and()
        .withUser("admin").password("123456").roles("ADMIN").and()
        .withUser("userr").password("123456").roles("DBA");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
      // URL-level rules only; roles("ADMIN") above stores ROLE_ADMIN, which hasRole('ROLE_ADMIN') matches
      http.authorizeRequests()
        .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
        .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")
        .and().formLogin();
    }
}

How to check permission to specific car wash using this approach?

Upvotes: 1

Views: 3109

Answers (1)

CanFil

Reputation: 325

You can use common built-in expressions from Spring Security like

http.authorizeRequests().antMatchers("/dump/**").hasAuthority("ROLE_ADMIN") // matcher first, then the rule for it

or you can use method security expressions with annotations like

@PreAuthorize("#id == principal.companyId") // principal must be a UserDetails that exposes getCompanyId()

And you can also look here:

https://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html

Upvotes: 2
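As an added example (not code from the question or the answer), here is how the "same company FK" rule for "carwashs/{id} PUT" can be moved out of the controller and into a `@PreAuthorize` guard that calls a bean from SpEL; it assumes a `CarWashRepository`, a `CarWash` entity with a `companyId` FK and a custom `CompanyUser` principal, all of which are stand-ins rather than the asker's real classes. The stateless token authentication filter that would replace the URL parameter is out of scope here; the example only shows the ownership check.

```java
import java.util.Objects;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Turns on @PreAuthorize for service methods; lives next to the question's SecurityConfig. */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig { }

/** Principal that carries the user's company FK, so SpEL can read principal.companyId. */
class CompanyUser extends User {
    private final Long companyId;
    CompanyUser(String username, String password, Long companyId) {
        super(username, password, AuthorityUtils.createAuthorityList("ROLE_USER"));
        this.companyId = companyId;
    }
    public Long getCompanyId() { return companyId; }
}

/** Assumed stand-ins for the real CarWash entity and its repository. */
class CarWash { Long id; Long companyId; }          // companyId is the FK from the question
interface CarWashRepository { CarWash findOne(Long id); }

/** Bean referenced from SpEL as @carWashAuth: does the caller's company own this car wash? */
@Component("carWashAuth")
class CarWashAuthorizer {
    private final CarWashRepository repo;
    CarWashAuthorizer(CarWashRepository repo) { this.repo = repo; } // constructor injection, Spring 4.3+
    public boolean ownsCarWash(Long carWashId, Object principal) {
        if (!(principal instanceof CompanyUser)) return false;   // anonymous or unexpected principal type
        CarWash carWash = repo.findOne(carWashId);
        if (carWash == null) return false;                       // unknown id: deny rather than leak existence
        return Objects.equals(carWash.companyId, ((CompanyUser) principal).getCompanyId());
    }
}

@Service
class CarWashService {
    /** Guard for "carwashs/{id} PUT": same company FK on both sides, otherwise 403. #id needs -parameters or @P. */
    @PreAuthorize("isAuthenticated() and @carWashAuth.ownsCarWash(#id, principal)")
    public void update(Long id, CarWash changes) {
        // ... persist the changes; the annotation above has already run the ownership check ...
    }
}
```

Because the check runs in the service layer, every entry point that reaches `update()` (REST, scheduled job, another service) is covered, not only the one controller that remembered to compare the FKs.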
