在RESTful服务资源级别的授权 [英] Resource level authorization in RESTful service
问题描述
让 /用户/ {ID}
在RESTful服务的资源URL。
Let /users/{id}
be a resource url in RESTful service.
基本身份验证被启用,只有认证用户被允许访问的URL。
Basic authentication is enabled and only authenticated users are allowed to access the url.
示例场景:
USER_1
&安培; User_2
进行身份验证与用户id 1和用户; 2。
由于两者都验证,两者都能够访问,
User_1
& User_2
are authenticated users with userId 1 & 2.
Since both are authenticated, both of them are having access to,
-
/用户/ 1
-
/用户/ 2
/users/1
/users/2
但期望是 USER_1
应该有机会获得 /用户/ 1
,而不是 /用户/ 2
或其他用户ID。
But the expectation is User_1
should have access to /users/1
and not to /users/2
or other userId.
问题:
如何做好资源级别的授权在RESTful服务?
Question: How to do resource level authorization in RESTful services?
请注意:我使用的JAX-RS(与Apache CXF实现),乐于助人,如果你能与JAX-RS解释执行的RESTful
Note: I am implementing RESTful using Jax-RS (with Apache CXF implementation), helpful if you could explain with Jax-RS.
-Barath
编辑:
由于多纳尔提到的,我不是在寻找基于授权而资源级别的授权角色。
As Donal mentioned, I am not looking for role based authorization rather resource level authorization.
要举一个例子,让我们说/用户/ {ID} /照片/ {} PHOTOID是另一个资源URL。 USER_1应给予访问照片只属于他。如果2 PHOTOID属于user_2,那么我们就应该给予USER_1 http_404错误code当请求/用户/ 1 /照片/请求2,[因为USER_1也验证的用户,他可以调用/用户/ 2 /照片/ 2,因此,我们必须按照比通过资源URL验证参数]
To give an example, lets say /users/{id}/photos/{photoId} be another resource url. User_1 should be given access to the photos belong to him only. If photoId of 2 belonging to user_2, then we should give http_404 error code for user_1 when a request /users/1/photos/2 is requested.[Since User_1 is also authenticated user he can invoke /users/2/photos/2, so we must identify the user id based on authentication parameters than via resource url]
只有解决办法,我能想到的是,包括唯一ID决定每个查询授权一样,
Only solution I can think of is, include the unique id which determines the authorization in each query like,
而不是 SELECT * FROM PHOTO_TBL WHERE PHOTO_ID = 2;
使用 SELECT * FROM PHOTO_TBL,USER_TBL WHERE PHOTO_ID = 2,USER_ID = 1 AND USER_ID = PHOTO_ID;
与该资源被提供属于特定的用户数据。 [应该有一种机制来prevent在客户端的唯一ID是用来对授权决定(在此情况下,用户id)的变形例中,因为所有的请求都是无状态的请求]
with this resources are delivering data that belongs to specific user. [There should be a mechanism to prevent the modification of the unique id in client side which is used to decide on authorization(userId in this case), since all requests are STATELESS request]
警告:每个查询应该是足够的智能来了解安全问题,包括额外的加盟。这是一个不好的设计,以安全逻辑绑到每一个业务功能。
Caveat: Each and every query should be intelligent enough to understand the security concerns and include extra join. This is a bad design to tie up security logic to every business function.
我还没有寻找到春天的安全性,以及它如何在这种使用情况下使用。
I am yet to look into Spring security and how it can be used in this use case.
推荐答案
我会建议没有在URL中的用户ID(因为如果它是由基本身份认证报头'有限的',那么你可能也只是把它'在基本认证头中指定')。这将减少引入直接对象引用漏洞的风险 - 的https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References)
I would recommend not having the user id in the url (as if it's being 'limited' by a Basic Auth header then you may as well just have it 'specified' by the Basic auth header). This will reduce the risk of introducing a Direct Object Reference Vulnerability - https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References)
在这种情况下,你可以有以下URL之一:
In this case you could have one of the following urls:
/users/CURRENT
/me
由于照片是一个子资源,那么你可以只创建照片与用户中的序列号。在SQL数据库中,这将意味着有跨用户和照片列的复合键。
As photos is a sub resource then you could just create the photos with a "sequence number" within the user. In a sql database this would mean having a "compound key" across both user and photo columns.
/users/CURRENT/photo/{user_photo_seq}
/me/photo/{user_photo_seq}
您SQL那么看起来是这样的:
Your SQL would then look something like:
SELECT * FROM PHOTO_TBL WHERE USER_ID=<BasicAuthUsername> AND PHOTO_ID=<path param value>;
基本身份验证头的一个很好的解释:
A good explanation of "Basic Auth Headers":
http://en.wikipedia.org/wiki/Basic_access_authentication
这篇关于在RESTful服务资源级别的授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!