I am working with microservices with Spring Boot. I added security to the router and it works fine. But I have no idea how I should implement a solution that will allow users to manipulate only their own data.
For example, I have a Book microservice:
import java.util.List;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("books") // exposed as book-service/books/...
public class BookController {
    private final BookService bookService;

    public BookController(BookService bookService) {
        this.bookService = bookService;
    }

    @PostMapping
    public Book saveBook(@RequestBody Book book) {
        return bookService.save(book);
    }

    @GetMapping("users/{userId}")
    public List<Book> getBooks(@PathVariable Long userId) {
        return bookService.getBooksByUser(userId);
    }
}
Let's say the Book entity contains a field userId. I would like to forbid users from saving a book with a userId that is not their own.
I tried to do something like this:
- I added the URL "users/{userId}" to the POST mapping method.
- When a user uses the endpoint POST "book-service/books/users/{userId}", I check in the router whether the userId from the path matches the userId from the token.
- In my BookController, in the saveBook method, I override the userId in the Book entity with the userId from the path.
To me this solution does not look too good. Is there another option to secure it at the router level, or should I allow this request to go to the microservice and add another security level there? Can someone tell me what a good pattern is to resolve this issue, or maybe recommend me a book/article/tutorial?
Thanks in advance
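One way to enforce the ownership rule inside the microservice itself, as an added example that is not part of the original question: the owner is taken from the verified bearer token rather than from the request body or path. It assumes Spring Security's JWT resource-server support and method security are on the classpath, that the token's subject claim is the numeric user id, and it reuses the question's BookService names.

```java
import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.*;

// Assumes a resource-server configuration that validates the bearer token and
// exposes it as a Jwt principal, and @EnableMethodSecurity on a config class.
// The "sub" claim is assumed to carry the user id.
@RestController
@RequestMapping("books")
public class BookController {

    private final BookService bookService;

    public BookController(BookService bookService) {
        this.bookService = bookService;
    }

    // The owner is set from the authenticated token, so whatever userId the
    // client puts in the JSON body is ignored rather than trusted.
    @PostMapping
    public Book saveBook(@RequestBody Book book, @AuthenticationPrincipal Jwt jwt) {
        book.setUserId(Long.valueOf(jwt.getSubject()));
        return bookService.save(book);
    }

    // The path variable must equal the authenticated subject; otherwise the
    // request is rejected with 403 before the method body runs.
    @GetMapping("users/{userId}")
    @PreAuthorize("#userId.toString() == authentication.name")
    public List<Book> getBooks(@PathVariable Long userId) {
        return bookService.getBooksByUser(userId);
    }
}
```

Because the check lives in the service, it still holds for a request that reaches the service without passing through the router, which a router-only check cannot guarantee.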