
We have REST calls like http://api.ourdomain.com/dashboard/resource-id Method: GET, where resource-id is the id of a resource which is tied to a logged-in user. We don't want any user to be able to access other users' resources.

Thus, to determine if the resource is tied to the current logged-in user, we have to execute some queries (joins) to know that the resource with resource-id belongs to the logged-in user. Well, this is one of many cases we have. We certainly can't make a generalized AOP kind of method which will decide if the requested resource is authorized to be seen by the logged-in user, because the logic to decide that is different for different resources. Another solution could be to have a "createdBy" column in every "resource" DB table, so that the deciding logic would be pretty simple, i.e. just check if the current logged-in user == the resource record's createdBy column. But the latter seems a bit quirky. Any suggestions on how we can design a solution for this?

Sagar
  • How do you know the logged-in user? –  Nov 05 '13 at 14:59
  • We get the userId in the cookie and we get the User object from the DB using userId and check if the user object has logged-in == true. – Sagar Nov 05 '13 at 15:03
  • "because the logic to decide that, is different for different resources" Sounds like you need logic in each resource to determine if a user can see it. This seems more of a business logic question than a REST/Http issue. At the moment how are user permissions or roles worked out? – Cormac Mulhall Nov 05 '13 at 15:13
  • Agreed. The internal implementation details have nothing to do with REST. Also, using a cookie for that isn't RESTful, since it's an unnecessary coupling to HTTP. You should be using the Authorization header on every request. – Pedro Werneck Nov 05 '13 at 21:49
  • I didn't find this one before, but there is the same question raised already which is unanswered. I am looking for authorization past authentication, resource level authorization to be specific. http://stackoverflow.com/questions/6634764/resource-level-authorization-in-restful-service – Sagar Nov 06 '13 at 16:27
  • I am also looking for same "authorization past authentication, resource level authorization to be specific." How to avoid database call or long logic to authorize resources? – ahmadalibaloch Jun 04 '14 at 13:02
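The resource-level ownership check discussed above, as an added example (not code from the question or from any answer). It models both alternatives the question weighs: a resource with its own owner column (the "createdBy" variant) and a resource whose ownership is only reachable through a join to its parent. The schema, table and column names (users, dashboards, widgets, owner_id, dashboard_id) and the sample rows are constructed assumptions; the lookups run against an in-memory SQLite database so the block runs offline.

```python
"""Object-level authorization for GET /dashboard/{resource-id} style endpoints.

Added example, not code from the question. Schema, names and rows below
are assumptions constructed for the demonstration.
"""
import sqlite3
from typing import Callable, Dict

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
-- dashboards carry an owner column: the simple "createdBy" style check.
CREATE TABLE dashboards (id INTEGER PRIMARY KEY,
                         owner_id INTEGER NOT NULL REFERENCES users(id),
                         title TEXT);
-- widgets have no owner column: ownership is derived through the parent dashboard (a join).
CREATE TABLE widgets (id INTEGER PRIMARY KEY,
                      dashboard_id INTEGER NOT NULL REFERENCES dashboards(id),
                      label TEXT);
"""

SAMPLE_ROWS = """
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO dashboards VALUES (10, 1, 'alice main'), (20, 2, 'bob main');
INSERT INTO widgets VALUES (100, 10, 'alice widget'), (200, 20, 'bob widget');
"""


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


class Forbidden(Exception):
    """Raised when the current user may not read the requested resource."""


# --- Vulnerable shape: the lookup keys only on the id from the URL, so any
# authenticated user can read any dashboard by guessing ids (an IDOR/BOLA flaw).
def get_dashboard_vulnerable(conn, current_user_id: int, dashboard_id: int) -> dict:
    row = conn.execute("SELECT id, owner_id, title FROM dashboards WHERE id = ?",
                       (dashboard_id,)).fetchone()
    if row is None:
        raise Forbidden("no such dashboard")
    return dict(row)  # current_user_id was never consulted


# --- Hardened shape: each resource type registers the query that answers
# "is resource_id owned by user_id". The join logic stays per-resource, but the
# enforcement point (authorize) is generic, which is what an AOP-style
# pre-handler check needs.
OwnerQuery = Callable[[sqlite3.Connection, int, int], bool]


def dashboard_owned_by(conn, user_id: int, resource_id: int) -> bool:
    row = conn.execute("SELECT 1 FROM dashboards WHERE id = ? AND owner_id = ?",
                       (resource_id, user_id)).fetchone()
    return row is not None


def widget_owned_by(conn, user_id: int, resource_id: int) -> bool:
    row = conn.execute(
        "SELECT 1 FROM widgets w JOIN dashboards d ON d.id = w.dashboard_id "
        "WHERE w.id = ? AND d.owner_id = ?",
        (resource_id, user_id)).fetchone()
    return row is not None


OWNERSHIP: Dict[str, OwnerQuery] = {
    "dashboard": dashboard_owned_by,
    "widget": widget_owned_by,
}


def authorize(conn, resource_type: str, current_user_id: int, resource_id: int) -> None:
    """Generic enforcement point. Fails closed for unregistered resource types,
    and treats "not owned" and "does not exist" identically so the response
    does not act as an existence oracle for other users' ids."""
    check = OWNERSHIP.get(resource_type)
    if check is None:
        raise Forbidden(f"no ownership rule registered for {resource_type!r}")
    if not check(conn, current_user_id, resource_id):
        raise Forbidden(f"{resource_type} {resource_id} is not accessible to user {current_user_id}")


def get_dashboard(conn, current_user_id: int, dashboard_id: int) -> dict:
    authorize(conn, "dashboard", current_user_id, dashboard_id)
    row = conn.execute("SELECT id, owner_id, title FROM dashboards WHERE id = ?",
                       (dashboard_id,)).fetchone()
    return dict(row)


def get_widget(conn, current_user_id: int, widget_id: int) -> dict:
    authorize(conn, "widget", current_user_id, widget_id)
    row = conn.execute("SELECT id, dashboard_id, label FROM widgets WHERE id = ?",
                       (widget_id,)).fetchone()
    return dict(row)


def denied(fn, *args) -> bool:
    """True if the handler refuses the request (used by the demo and tests)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # alice (user 1) asks for bob's dashboard 20: the vulnerable handler serves it.
    print("vulnerable:", get_dashboard_vulnerable(db, 1, 20))
    # The hardened handlers refuse it, and refuse widgets reached only via the join.
    print("hardened dashboard denied:", denied(get_dashboard, 1, 20))
    print("hardened widget denied:", denied(get_widget, 1, 200))
    print("own widget:", get_widget(db, 2, 200))
```

The registry keeps the per-resource logic where the question says it has to live (a column check for one table, a join for another) while still giving a single enforcement point to hook before every handler; if a new resource type is added without a registered rule, requests for it are refused rather than silently served. Using the same Forbidden path for missing and foreign ids also keeps a caller from enumerating which ids exist.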

0 Answers