
Here and here are good examples of best practices on dealing with REST token-based authentication.

But in my case I am worried about one user using his own token to modify another user's data. The problem arises when we just verify if a user has a valid token and if positive, then execute any operation the user asked for.

Of course the most simple way to defeat this is to check if the authorized user id is the same as the one in the Request JSON (e.g. user_id). But this is tedious (all endpoints need this logic) and error prone (we might forget to do it for one endpoint).

Are there any ways to automate this?

Michel Feinstein
  • You should be able to do what you are suggesting inside of a filter. Have you tried it? Or maybe even AOP. – Paul Samsotha Mar 21 '19 at 04:31
  • I thought a filter, but I am not sure this is the best solution, as if I understand this correctly, all my Requests will have to use the same parameter names, such as `user_id`. If another developer in the project sends his user data as `userId`, the security check would not work. So I wanted to know if there was something more robust out there (I never used AOP before). – Michel Feinstein Mar 21 '19 at 05:17
  • I don't understand your concern about the parameter names and what it would have to do with this. You should try to implement it and see what you come up with. – Paul Samsotha Mar 21 '19 at 06:34
  • Well, I am not very experienced with Jersey, but my objective is to validate a Token and see if the user in the Token is the same user the Request is trying to set some data for. So in the filter I will have to get the request parameters, search for any parameters that correspond to a user id and compare if it's the same ID as the one in the Token. That's why I think I need the exact parameter name... Or am I missing something? – Michel Feinstein Mar 21 '19 at 06:37
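As an added illustration of the filter approach raised in the comments (this is example code, not from the question or the linked answers), the following JAX-RS/Jersey sketch automates the "caller may only touch their own data" check with a name-bound `ContainerRequestFilter`. It assumes the token-validating filter described in the linked answers runs first at `Priorities.AUTHENTICATION` and installs a `SecurityContext` whose principal name is the authenticated user's id, and it assumes the target user's id is carried in the URL path template (`/users/{userId}/...`) rather than in a JSON field; that is a design choice made here so the check does not depend on how each developer names a body field. The annotation name `@OwnerOnly`, its `param` element, and the `UserResource` class are hypothetical.

```java
// Added example (not the question's or the linked answers' code). Each public type
// would live in its own file in a real project; they are shown together here.
// Assumes an earlier filter at Priorities.AUTHENTICATION validated the token and
// set a SecurityContext whose getUserPrincipal().getName() is the user's id.

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Principal;
import java.util.List;
import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.NameBinding;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Hypothetical marker: the named path parameter must equal the authenticated user. */
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
public @interface OwnerOnly {
    /** Name of the path parameter that carries the target user's id. */
    String param() default "userId";
}

/** Name-bound filter: only endpoints annotated with @OwnerOnly pass through here. */
@OwnerOnly
@Provider
@Priority(Priorities.AUTHORIZATION) // runs after the token filter at Priorities.AUTHENTICATION
public class OwnerOnlyFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Method-level annotation wins over class-level; fall back to the default name.
        OwnerOnly cfg = resourceInfo.getResourceMethod().getAnnotation(OwnerOnly.class);
        if (cfg == null) {
            cfg = resourceInfo.getResourceClass().getAnnotation(OwnerOnly.class);
        }
        String paramName = (cfg == null) ? "userId" : cfg.param();

        SecurityContext sc = ctx.getSecurityContext();
        Principal caller = (sc == null) ? null : sc.getUserPrincipal();
        List<String> values = ctx.getUriInfo().getPathParameters().get(paramName);

        // Fail closed: no principal -> 401; missing/ambiguous/mismatched id -> 403.
        if (caller == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        if (values == null || values.size() != 1 || !values.get(0).equals(caller.getName())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

/** Hypothetical resource showing the annotation in use; handlers contain no ownership logic. */
@Path("/users/{userId}")
public class UserResource {

    @GET
    @Path("/profile")
    @OwnerOnly // default: compares the "userId" path parameter with the principal
    public Response getProfile(@PathParam("userId") String userId) {
        return Response.ok("profile of " + userId).build();
    }

    @PUT
    @Path("/profile")
    @OwnerOnly
    public Response updateProfile(@PathParam("userId") String userId, String body) {
        // The filter already rejected any caller whose id differs from {userId};
        // use the path id, never an id field from the body, when persisting.
        return Response.noContent().build();
    }
}
```

Two points a reviewer would check: the principal name and the path parameter must use the same string representation of the id (both numeric-as-text, or both UUIDs), since the comparison is a plain `equals`; and handlers must derive the owner from the validated path parameter rather than from a body field such as `user_id` or `userId`, so the body field's name is irrelevant to the check. Endpoints that are not annotated are not protected by this filter, so a project would also want a review or test that every user-scoped endpoint carries the annotation.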

0 Answers