
What is the best way to implement authorization in REST APIs developed on the Jersey framework? For example, the following is my API endpoint URI, and I would like to authorize it so that only the intended person can access the API.

/api/swimpool/v1/swimpool/12

I read a few articles about securing REST services, but they dealt with authentication and static configuration in tomcat-users.xml in a Tomcat environment, plus a little configuration in the application's web.xml.

Token-based authentication is one approach I came across for authorization. Are there any alternatives or best practices for securing web services?

UPDATE

How does the Facebook application protect its resources? For example, there is an API which lists/displays the photos in a given album. But how does Facebook secure (authorize) the endpoints so that a user cannot access another user's album?

For example, User A can view photos in his album, but cannot view photos present in another user B's album. User A may try to guess the API call being made to fetch the photos (as the API is the same for all users), modify the path parameters, and try to fetch the details.

Thanks

  • I recommend reading this topic: http://stackoverflow.com/questions/26777083/best-practice-for-rest-token-based-authentication-with-jax-rs-and-jersey – Dawid Naczke Apr 25 '17 at 10:48
  • I tried to go through the thread and I see a point about using roles, but the role information becomes static. I will update the question with a few more details –  Apr 25 '17 at 10:53
  • You have different ways to implement security in Jersey. You can create your own annotation to secure a resource, or you can use OAuth and/or JSON Web Tokens. About the photos, you have to implement in your business logic what data the user can see. – Wilder Valera Apr 26 '17 at 13:00
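
The two layers the question and the last comment describe, as an added example (not code from the question, the comments, or the Jersey project): a Jersey 2 request filter that authenticates a bearer token, and a resource for `/api/swimpool/v1/swimpool/{id}` whose business logic checks that the caller owns that specific pool, so editing the path parameter does not expose another user's data. `TokenService` and `SwimPoolRepository` are hypothetical collaborators assumed to exist.

```java
// Assumed: TokenService.userIdFor(token) returns the user id or null;
// SwimPoolRepository.findById(id) returns a SwimPool exposing ownerId(), or null.
import java.security.Principal;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Layer 1: authentication. Runs before every resource method and records WHO is calling.
@Provider
@Priority(Priorities.AUTHENTICATION)
class BearerAuthFilter implements ContainerRequestFilter {
    @Inject private TokenService tokens;

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String userId = (header != null && header.startsWith("Bearer "))
                ? tokens.userIdFor(header.substring("Bearer ".length())) : null;
        if (userId == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
            return;
        }
        final SecurityContext original = ctx.getSecurityContext(); // keep transport info
        final Principal principal = () -> userId;                  // Principal is functional
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return principal; }
            public boolean isUserInRole(String role) { return false; } // roles unused here
            public boolean isSecure() { return original.isSecure(); }
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

// Layer 2: object-level authorization. Being logged in is not enough; the caller
// must own the specific pool named in the path, so guessing another id yields nothing.
@Path("/api/swimpool/v1/swimpool")
class SwimPoolResource {
    @Inject private SwimPoolRepository pools;

    @GET @Path("{id}") @Produces(MediaType.APPLICATION_JSON)
    public SwimPool get(@PathParam("id") long id, @Context SecurityContext sc) {
        SwimPool pool = pools.findById(id);
        // Same 404 for "does not exist" and "not yours": no confirmation that the id is valid.
        if (pool == null || !pool.ownerId().equals(sc.getUserPrincipal().getName())) {
            throw new NotFoundException();
        }
        return pool;
    }
}
```

The ownership check belongs in every resource method that takes an identifier, not only in the filter, because the filter cannot know which record a given id maps to.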

0 Answers