In the context of exposing user resources (user data) through RESTful services, I want the data of one user to be inaccessible to another user if the second user is not the owner of that data. Instead of reinventing some complex model to map each user identity to its data (a programmatic solution), are there any best practices, design patterns or any kind of model that I can apply to this problem? With user profiles I assure that one kind of user can't access the data of another kind of user, but I can't be sure that a user of the same profile will not access another user's data.
[I wrote an answer about different kinds of security models](http://stackoverflow.com/a/3177578/377270) for another question; it doesn't specifically address REST, but I hope it can give you some ideas of what security model specifically you're looking for. – sarnold Jun 21 '12 at 22:43
1 Answer
You'll either need to authenticate the user and then associate the user with the data (which you're calling complex/programmatic) or you simply make the data unreadable to everyone except the user who creates it. Like the user encrypts all data with a private key and then it is stored on your server. This is a little different, because anyone can access the data, they just can't make much sense of it.
I don't recommend the second approach, as you'll have no ability to use the profile data (birthdates, interests, whatever you might have in that profile), and also, everyone can see the encrypted data.
But your idea that this is reinventing something complex is paradoxical: if it's so complex, why reinvent it when there are a ton of plugin-based authentication schemes that you can use? Is security in this case an afterthought? If so, it shouldn't be. If you are assuring this, it should be a high priority to deliver it.

Yes @mike, but I don't remember having worked with profiles that aren't system profiles (or business profiles). – chech0x Jun 22 '12 at 21:57
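The first approach in the answer above (authenticate the user, then associate the user with the data) can be kept small by scoping every lookup to the authenticated user. The sketch below is an added example, not code from the question or the answer; `Principal`, `OwnedStore`, `handle_get` and the `/documents/<id>` route are hypothetical names, and the two users are constructed sample data sharing one profile.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: str   # set by the authentication layer, never by request parameters
    profile: str   # role-style profile, e.g. "customer"

@dataclass
class Document:
    doc_id: int
    owner_id: str
    body: str

class OwnedStore:
    """Repository whose every read and write is scoped to the caller's user_id."""
    def __init__(self):
        self._docs = {}
        self._next_id = 1

    def create(self, who, body):
        doc = Document(self._next_id, who.user_id, body)  # owner comes from the principal
        self._docs[doc.doc_id] = doc
        self._next_id += 1
        return doc

    def get(self, who, doc_id):
        doc = self._docs.get(doc_id)
        # Same result for "missing" and "not yours", so ids cannot be probed.
        return doc if doc is not None and doc.owner_id == who.user_id else None

    def list_for(self, who):
        return [d for d in self._docs.values() if d.owner_id == who.user_id]

def handle_get(store, who, path):
    """Hypothetical handler for GET /documents/<id>; returns (status, body)."""
    if who is None:
        return 401, "authentication required"
    try:
        doc_id = int(path.rsplit("/", 1)[1])
    except (IndexError, ValueError):
        return 400, "bad document id"
    doc = store.get(who, doc_id)
    return (200, doc.body) if doc else (404, "not found")

# Constructed sample data: two users that share the same profile.
STORE = OwnedStore()
ALICE = Principal("alice", "customer")
BOB = Principal("bob", "customer")
ALICE_DOC = STORE.create(ALICE, "alice's address")
BOB_DOC = STORE.create(BOB, "bob's address")
```

Because the store never exposes an unscoped read, a handler cannot forget the ownership check; the profile only decides which endpoints a user may call, while `owner_id` decides which rows they see.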