
I have a question about security for my simple REST API application. I implemented a security check on every attempt to read/update data from/in the database (this is a simple HttpSession session = request.getSession(true); and a check whether this is a new session or an old one and whether it equals the session id from the cookies).

But the thing is - even if this is a valid user with a valid session - I have a URL which makes a user ignore another user:

http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2

I could change the 2 user ids (the last 2 numbers) and send the same request to make another system user ignore somebody else, for example: http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/3/4

How can I solve this problem? I googled a lot (for example - RESTful Authentication and related articles, including security questions). But what is the easiest way to solve this problem? I'm quite a beginner, so I'll be happy to find the simplest solution.

Thank you!

Aleksey Kiselev
  • Just in case, I also read the http://stackoverflow.com/questions/7238094/securing-rest-api-without-reinventing-the-wheel article and others, but they are pretty hard for me to implement and understand... Or there is no such easy way to solve my problem – Aleksey Kiselev May 25 '16 at 05:18

1 Answer

Any authentication mechanism allows you to handle this, provided that users don't share the same credentials. Even with Basic AUTH, you'll be able to determine who authenticated.

If the logged in user is id=1, then he can perform http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/1/2, but he can't ignore people for any other id. In fact, since you get the user id from the database, you don't even need the first parameter. It would be ignoreFriend/2, meaning "I want to ignore the person whose id I'm giving as a parameter".

Kayaman
  • Yep, the concept is great. Thank you! Just to clarify - what is the best way to store this user **id** on the server side? Because if I'm using http://localhost:8080/ChatRest/rest/FriendService/ignoreFriend/2 I should get my id from somewhere. Or will it be enough to have a simple global variable? – Aleksey Kiselev May 25 '16 at 21:05
  • A database would be the standard mechanism for storing persistent data. – Kayaman May 26 '16 at 06:03
  • So, I need to store a link between the session id and the user id and, based on the session id, get this **id** by a query for every call of the REST method? – Aleksey Kiselev May 26 '16 at 08:26
  • I don't see any reason why you'd need a session. How have you implemented authentication? – Kayaman May 26 '16 at 08:27
  • I'm verifying the login and password right now. I'm planning to generate a session id and put the session id and the user id into the db. I'll be able to get the id based on my session id in every sql statement then. – Aleksey Kiselev May 26 '16 at 16:03
  • Well, if you really feel that you need a session. I'd just use basic auth for every request, then you'd have a stateless REST API and you wouldn't need to worry about things like session timeouts or other related handling. – Kayaman May 27 '16 at 06:14
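A concrete form of the answer's approach combined with the Basic auth suggestion in the last comment, as an added example in Java/JAX-RS that is not part of the original question, answer or the asker's project: the acting user's id is taken from credentials verified on each request, and the endpoint carries only the friend id, so changing the URL can never make a different user ignore someone. `UserDao.verifyPassword` and `FriendDao.ignore` are assumed helpers, and the two classes would normally each live in their own file.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import javax.annotation.Priority;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Runs before every resource method: verifies the Basic auth credentials and attaches the
// verified user id to the request as its principal. UserDao.verifyPassword is an assumed
// helper that checks the stored password hash and returns the user id, or -1 on mismatch.
@Provider @Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {
    public void filter(ContainerRequestContext ctx) {
        long userId = -1;
        String header = ctx.getHeaderString("Authorization");
        if (header != null && header.startsWith("Basic ")) {
            try {
                String creds = new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8);
                int colon = creds.indexOf(':');
                if (colon > 0) userId = UserDao.verifyPassword(creds.substring(0, colon), creds.substring(colon + 1));
            } catch (IllegalArgumentException e) { /* malformed base64: treat as no credentials */ }
        }
        if (userId < 0) {   // missing or wrong credentials: reject before any resource code runs
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "Basic realm=\"ChatRest\"").build());
            return;
        }
        final long verifiedId = userId;
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> Long.toString(verifiedId); }
            public boolean isUserInRole(String role) { return false; }
            public boolean isSecure() { return "https".equals(ctx.getUriInfo().getRequestUri().getScheme()); }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }
}
@Path("/FriendService")
class FriendService {
    // The acting user comes from the verified principal, never from the URL, so a caller
    // can only ignore someone on their own behalf; the old /{userId}/{friendId} form is gone.
    @POST @Path("/ignoreFriend/{friendId}")
    public Response ignoreFriend(@Context SecurityContext sc, @PathParam("friendId") long friendId) {
        long me = Long.parseLong(sc.getUserPrincipal().getName());
        FriendDao.ignore(me, friendId);   // assumed DAO: records "me ignores friendId" in the database
        return Response.noContent().build();
    }
}
```

Because the filter re-verifies credentials on every request, no server-side session or session-to-id table is needed; the same principal lookup should be applied to every other resource method that reads or writes user-owned data.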