
I work for a mid-size financial company and we are trying to adopt an API-driven architecture. We are developing APIs from the ground up using a JEE container and the JAX-RS API (e.g. Jersey). I'll simplify and say that we have a website where you can manage your financial accounts and personal information. So, for simplicity, say I have an API:

/bank/accounts
/bank/accounts/{guid}
/customers/{guid}/

I have two potential types of users that can hit these services: the customer themselves and/or a customer service representative. I'm wondering if anyone would like to share insight into the best way to secure such services. Do you even have the same services serve both types of users?

In particular, how do you ensure that the data being requested can be returned to the user requesting it?

I think RolesAllowed works great if the check is as simple as "does this user have access to call the API?". How do you ensure that user 1 can't see user 2's data? Is there a best practice? What are others doing?

I did happen to come across this which does address what I'm thinking. This was answered in 2009, so I'm wondering if there are other alternatives 6 years later.

JAX-RS access control

    If you are not against bringing Spring into the fold, Spring Security is pretty much the industry standard for doing what you are talking about. It can be as simple as mapping Roles to URL patterns to control who can access what. While the library has changed a bit since 2009, the core concepts are still the same, and it is still the most popular solution. – rmlan Feb 09 '16 at 14:06
  • http://stackoverflow.com/a/26778123/1426227 May it be useful for you? – cassiomolin Feb 09 '16 at 14:17
  • I highly recommend implementing a CSRF token to prevent [CSRF attacks](http://www.acunetix.com/websitesecurity/csrf-attacks) – hzitoun Feb 09 '16 at 15:02
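The gap the question describes, a role gate that says "may this role call the API" but not "may this caller see this record", is usually closed with a second, object-level check inside the resource. Added example, not code from the question or from any commenter: a JAX-RS resource for `/customers/{guid}` that keeps `@RolesAllowed` for the coarse check and adds an ownership check against the `SecurityContext`. It assumes the container enforces `@RolesAllowed` (in Jersey via `RolesAllowedDynamicFeature`), that the roles are named `customer` and `csr`, and that a customer's authenticated principal name is their own guid; the customer data is constructed in-memory sample data.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.*;

/** Object-level authorization: may this caller see this particular record? */
final class AccessPolicy {
    static final String ROLE_CUSTOMER = "customer";
    static final String ROLE_CSR = "csr";

    // Assumed mapping: for customers, the container-authenticated principal name is
    // the customer's own guid. A CSR may read any customer; a customer only their own;
    // everyone else (including an unauthenticated caller) is denied.
    static boolean mayReadCustomer(SecurityContext sc, String requestedGuid) {
        if (sc.isUserInRole(ROLE_CSR)) {
            return true;
        }
        Principal p = sc.getUserPrincipal();
        return p != null
            && sc.isUserInRole(ROLE_CUSTOMER)
            && p.getName().equals(requestedGuid);
    }
}

@Path("/customers")
public class CustomerResource {
    // Constructed in-memory data standing in for the real customer store.
    private static final Map<String, String> CUSTOMERS = new HashMap<>();
    static {
        CUSTOMERS.put("c-1111", "{\"guid\":\"c-1111\",\"name\":\"Alice\"}");
        CUSTOMERS.put("c-2222", "{\"guid\":\"c-2222\",\"name\":\"Bob\"}");
    }
    @GET
    @Path("/{guid}")
    @Produces(MediaType.APPLICATION_JSON)
    @RolesAllowed({AccessPolicy.ROLE_CUSTOMER, AccessPolicy.ROLE_CSR}) // coarse role check
    public Response getCustomer(@PathParam("guid") String guid, @Context SecurityContext sc) {
        // Fine-grained check: the role gate above does not stop customer 1 reading customer 2
        if (!AccessPolicy.mayReadCustomer(sc, guid)) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        String json = CUSTOMERS.get(guid);
        return json == null
            ? Response.status(Response.Status.NOT_FOUND).build()
            : Response.ok(json).build();
    }
}
```

The same policy has to be applied on `/bank/accounts/{guid}` too, where the account guid is not the customer guid, so the resource must first look up the account's owning customer and compare that to the principal. Doing the ownership check before the data lookup means a customer probing another customer's guid gets the same 403 whether or not the record exists.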

0 Answers