How to secure an API in which only the owner of an article can delete/update that article?

 
Puspender Tanwar
Ranch Hand
Posts: 640
Suppose I have two entities, User and Article, which have a One-to-Many relationship.
Now, user theCoder created an article, "How to ask question?". The article got saved in the Article table with foreign key theCoder.
Now, another user, theHacker, logged into the application from somewhere and read the "How to ask question?" article. Then he/she tried to perform delete/update actions on the article, which they are not allowed to do. Only the owner of the article can delete/update the article.

How should I achieve this?

One way is to check the principal (the logged-in user's username) and then compare it with the user who created that article. If they match, delete/update the post; otherwise throw 403 unauthorized.

But that would be a lot to do in multiple controllers. Is there something handy provided by Spring Security?

I looked for it and there is ACL security, but I don't understand if it's the one I am in need of. Nor are there good articles/blogs/tutorials to be found on the web.
 
Stephan van Hulst
Saloon Keeper
Posts: 10528
I think Domain Object ACLs are probably overkill, because they store a list of users that can access the object, per object. Unless you want to grant modification permissions to users other than the author, this is probably not what you want, because the database already contains the information indicating which user can edit an article: The associated author.

How would that be a lot to do in multiple controllers? Assuming you have an ArticleController, it could look something like this:
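The controller sketch that follows is an added illustration of the approach described in this answer, not the answerer's own snippet. It assumes an Article entity whose getAuthor() returns a User with getUsername(), a Spring Data ArticleRepository, and an ArticleDto request body; all three names are assumptions. The ownership rule lives in one private helper, so each mutating endpoint is one extra line:

```java
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Added example. Article, ArticleRepository and ArticleDto are assumed types
// that are not shown in the thread.
@RestController
@RequestMapping("/articles")
public class ArticleController {

    private final ArticleRepository articles;

    public ArticleController(ArticleRepository articles) {
        this.articles = articles;
    }

    @PutMapping("/{id}")
    public ResponseEntity<Void> update(@PathVariable Long id,
                                       @RequestBody ArticleDto dto,
                                       Authentication auth) {
        Article article = loadOwned(id, auth);   // 404 if missing, 403 if not the owner
        article.setTitle(dto.getTitle());
        article.setBody(dto.getBody());
        articles.save(article);
        return ResponseEntity.noContent().build();
    }

    @DeleteMapping("/{id}")
    public ResponseEntity<Void> delete(@PathVariable Long id, Authentication auth) {
        articles.delete(loadOwned(id, auth));
        return ResponseEntity.noContent().build();
    }

    // The whole ownership rule: load the row, then compare the stored author's
    // username with the authenticated principal's name. Spring Security's
    // ExceptionTranslationFilter turns AccessDeniedException into a 403 Forbidden
    // response for an authenticated caller.
    private Article loadOwned(Long id, Authentication auth) {
        Article article = articles.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        String owner = article.getAuthor().getUsername();
        if (!owner.equals(auth.getName())) {
            throw new AccessDeniedException("not the author of article " + id);
        }
        return article;
    }
}
```

Two things worth deciding deliberately: compare on whatever identifies the user stably (a numeric id is safer than a username if usernames can ever be changed or reused), and note that this shape answers 404 for an unknown id but 403 for someone else's article, which tells a caller that the article exists. If that distinction matters, a repository lookup such as findByIdAndAuthorUsername(id, auth.getName()) that returns 404 in both cases hides it.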
 
Puspender Tanwar
Ranch Hand
Posts: 640
Thanks Stephan.
Suppose in future I want to grant a few users some extra permissions. Like you are the author of the Spring forum, so you have some extra permissions.
In the same manner, users of my website would be granted special permissions based on their points.

How is this handled? ACL?
 
Stephan van Hulst
Saloon Keeper
Posts: 10528
No. ACL explicitly grants specific users access to specific objects.

When you want to do something like: "I'm the author of this article, but I want to explicitly grant user #123 and user #456 authorization to edit it as well", then you would use ACL.

If I wanted users to gain a set of special permissions that don't necessarily have to do with specific objects, I'd probably use roles. For instance, users that have a certain amount of points could be granted the 'editor' role, and they are allowed to edit all articles regardless of whether they are the author or not.
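The role-based variant described here, as an added example rather than code from the thread: the authority is assigned when the user is loaded, and Spring Security's method security (@PreAuthorize with a SpEL expression) combines the role with the ownership check, so no controller repeats the rule. The points threshold, the UserRepository, the User and Article entities and their getters are assumptions; the bean reference syntax @articleSecurity and hasRole() are standard Spring Security SpEL.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

import java.util.ArrayList;
import java.util.List;

// 1. Authorities are decided once, when the account is loaded for login.
//    ROLE_USER for everyone; ROLE_EDITOR once the account's points reach a
//    threshold. The threshold and the UserRepository/User entity are assumed.
@Service
class PointsAwareUserDetailsService implements UserDetailsService {
    private static final int EDITOR_THRESHOLD = 1000;   // assumed value
    private final UserRepository users;

    PointsAwareUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) {
        User u = users.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException(username));
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        if (u.getPoints() >= EDITOR_THRESHOLD) {
            authorities.add(new SimpleGrantedAuthority("ROLE_EDITOR"));
        }
        // Spring's own User builder; the password is already a stored hash.
        return org.springframework.security.core.userdetails.User
                .withUsername(u.getUsername())
                .password(u.getPasswordHash())
                .authorities(authorities)
                .build();
    }
}

// 2. The ownership rule as a named bean, so a SpEL expression can call it.
//    An unknown article yields false, i.e. access denied.
@Component("articleSecurity")
class ArticleSecurity {
    private final ArticleRepository articles;

    ArticleSecurity(ArticleRepository articles) { this.articles = articles; }

    public boolean isOwner(Authentication auth, Long articleId) {
        return articles.findById(articleId)
                .map(a -> a.getAuthor().getUsername().equals(auth.getName()))
                .orElse(false);
    }
}

// 3. One expression per mutating method: an editor may edit any article,
//    everyone else must be its author. hasRole('EDITOR') matches the
//    ROLE_EDITOR authority granted above; #id is the method parameter.
@Service
class ArticleService {
    private final ArticleRepository articles;

    ArticleService(ArticleRepository articles) { this.articles = articles; }

    @PreAuthorize("hasRole('EDITOR') or @articleSecurity.isOwner(authentication, #id)")
    public void update(Long id, String newBody) {
        Article a = articles.findById(id).orElseThrow();
        a.setBody(newBody);
        articles.save(a);
    }

    @PreAuthorize("hasRole('EDITOR') or @articleSecurity.isOwner(authentication, #id)")
    public void delete(Long id) {
        articles.deleteById(id);
    }
}
```

For the annotations to be enforced, method security has to be switched on in a configuration class (@EnableMethodSecurity in Spring Security 6, @EnableGlobalMethodSecurity(prePostEnabled = true) in 5.x), and the #id reference needs the parameter name available at runtime (compile with -parameters or debug information). Because the authority is computed at login, a user who crosses the points threshold gets the editor role on their next authentication, not immediately; recomputing authorities per request is possible but is a separate design choice.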
 
Puspender Tanwar
Ranch Hand
Posts: 640
Thanks Stephan. That's helpful to know the use case.
 