
I am using the JWT concept in Spring Boot with Spring Security. Everything works promisingly: the system is able to generate a token and validate it with Spring Security.

The issue with the current implementation is that any "User X" can update/view the records of "User Y" using his/her own token. It's not just about the user info. For example:

There are two tables in the Database:

  1. User
  2. Car

I am keeping userId in the car entity.

Right now "User X" can access the car details of "User Y" using the "CarID". How should I restrict "User X" to doing any kind of transaction in the database only on data which belongs to him/her?

I tried the following options:

  1. @PreAuthorize
  2. Adding User-Agent

But none of them are helping me out. Any hint would be appreciated.

Amit Pal
  • Get the userId from the token and validate car.userId = token.userId in the query. – GnanaJeyam Dec 03 '20 at 12:25
  • look here https://stackoverflow.com/questions/51712724/how-to-allow-a-user-only-access-their-own-data-in-spring-boot-spring-security – Amir Schnell Dec 03 '20 at 12:57
  • @GnanaJeyam That will happen at the DAO level; I want to put it at the JWT level. – Amit Pal Dec 03 '20 at 15:09
  • A good concept would be to use `Multi-Tenancy`. With this you completely separate the users. Each of them has a separate DB or schema, and any time the user signs in with his JWT, he connects to his corresponding DB; this way his data is isolated from other users. – Renis1235 Dec 04 '20 at 07:17
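The problem in the question is a missing object-level authorization check: the token proves who the caller is, but nothing ties the `CarID` in the request to that caller. The following is an added example, not code from the question or its comments, showing the check the first comment describes (`car.userId` must equal the `userId` carried in the token) in a Spring Boot / Spring Data JPA service, once as an owner-scoped query and once via `@PreAuthorize`. It assumes the JWT filter already populates the `SecurityContext` with an `Authentication` whose `getName()` is the `userId` claim from the token; the class names `Car`, `CarRepository`, `CarOwnership` and `CarService` are hypothetical.

```java
// Added example (not from the question). Assumption: the JWT filter has put an
// Authentication into the SecurityContext whose getName() is the token's userId.
import java.util.List;
import java.util.Optional;

import jakarta.persistence.Entity;   // javax.persistence on Spring Boot 2.x
import jakarta.persistence.Id;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

@Entity
class Car {
    @Id
    private Long id;
    private String userId;   // owner, as in the question's Car table
    private String model;

    public Long getId() { return id; }
    public String getUserId() { return userId; }
    public String getModel() { return model; }
    public void setModel(String model) { this.model = model; }
}

// Derived queries that always include the owner, so a foreign carId behaves
// exactly like a non-existent one: no data leak and no existence oracle.
interface CarRepository extends JpaRepository<Car, Long> {
    Optional<Car> findByIdAndUserId(Long id, String userId);
    List<Car> findAllByUserId(String userId);
}

// Reusable ownership predicate for method security. Needs @EnableMethodSecurity
// (Spring Security 5.6+) or @EnableGlobalMethodSecurity(prePostEnabled = true)
// on a configuration class.
@Component("carOwnership")
class CarOwnership {
    private final CarRepository cars;
    CarOwnership(CarRepository cars) { this.cars = cars; }

    public boolean isOwner(Long carId, Authentication auth) {
        return auth != null
            && cars.findByIdAndUserId(carId, auth.getName()).isPresent();
    }
}

@Service
public class CarService {
    private final CarRepository cars;
    public CarService(CarRepository cars) { this.cars = cars; }

    // The caller's identity comes from the validated token only, never from a
    // request body field or path parameter the client controls.
    private static String currentUserId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new AccessDeniedException("no authenticated user");
        }
        return auth.getName();
    }

    // Style 1: owner scoping inside the query itself.
    public Car getCar(Long carId) {
        return cars.findByIdAndUserId(carId, currentUserId())
            .orElseThrow(() -> new AccessDeniedException("car not found for caller"));
    }

    public List<Car> listMyCars() {
        return cars.findAllByUserId(currentUserId());
    }

    // Style 2: @PreAuthorize runs the ownership check before the body executes,
    // so the update can only touch a car owned by the token's user.
    @PreAuthorize("@carOwnership.isOwner(#carId, authentication)")
    public Car updateModel(Long carId, String model) {
        Car car = cars.findById(carId).orElseThrow();
        car.setModel(model);
        return cars.save(car);
    }
}
```

Both styles rely on the same fact: ownership is a property of the data row, so the check has to consult the row (or scope the query by owner); the JWT alone cannot express "this carId belongs to this user" without putting per-object claims into every token. Scoping the query by `userId` is the simplest and hardest to forget, since every read and write path goes through the repository; `@PreAuthorize` with a bean reference is useful when the same predicate guards many methods, and it fails closed with `AccessDeniedException` (HTTP 403) when the check is false. Multi-tenancy with one schema per user, as the last comment suggests, provides the same isolation at a much higher operational cost and is usually reserved for separating customers rather than individual end users.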

0 Answers