How to secure an API in which only the owner of an article can delete/update that article?

Suppose I have two entities, User and Article, which have a One-to-Many relationship.
Now, user theCoder created an article, "How to ask question?". The article got saved in the Article table with foreign key theCoder.
Now, another user, theHacker, logged into the application from somewhere and read the "How to ask question?" article. Then he/she tried to perform delete/update actions on the article, which they are not allowed to do. Only the owner of the article can delete/update the article.

How should I achieve this?

One way is to check the principal (the logged-in user's username) and then compare it with the user who created that article. If they match, delete/update the post; otherwise throw 403 unauthorized.

But that would be a lot to do in multiple controllers. Is there something handy provided by Spring Security?

I looked for it and there is ACL security, but I don't understand whether it's the one I need. Nor are there any good articles/blogs/tutorials to be found on the web.
 
Stephan van Hulst
Saloon Keeper
I think Domain Object ACLs are probably overkill, because they store a list of users that can access the object, per object. Unless you want to grant modification permissions to users other than the author, this is probably not what you want, because the database already contains the information indicating which user can edit an article: The associated author.

How would that be a lot to do in multiple controllers? Assuming you have an ArticleController, it could look something like this:
 
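The controller listing Stephan refers to did not survive on this page. As an added example (not his code), here is one way such an ArticleController could look: the update and delete endpoints share a single private ownership check, which is the approach the original post describes. The Article and User entities, the ArticleRepository (Spring Data style), the URL layout and the ArticleUpdate request body are assumptions, as is a security configuration that requires authentication for /articles/** so that the Principal is never null.

```java
// Added example, not code from the thread. Entities, repository and URLs are assumptions.
package com.example.articles;

import java.security.Principal;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;

@RestController
@RequestMapping("/articles")
public class ArticleController {

    private final ArticleRepository articles;   // assumed Spring Data JpaRepository<Article, Long>

    public ArticleController(ArticleRepository articles) {
        this.articles = articles;
    }

    @PutMapping("/{id}")
    public ResponseEntity<Article> update(@PathVariable("id") Long id,
                                          @RequestBody ArticleUpdate body,
                                          Principal principal) {
        Article article = loadOwnedArticle(id, principal);
        article.setTitle(body.title());
        article.setBody(body.body());
        return ResponseEntity.ok(articles.save(article));
    }

    @DeleteMapping("/{id}")
    public ResponseEntity<Void> delete(@PathVariable("id") Long id, Principal principal) {
        Article article = loadOwnedArticle(id, principal);
        articles.delete(article);
        return ResponseEntity.noContent().build();
    }

    /**
     * The one place where ownership is decided for every mutating endpoint.
     * The comparison uses the author stored with the row when the article was
     * created, never a user id supplied in the request, so a caller cannot
     * "become" the owner by editing the request body or query string.
     */
    private Article loadOwnedArticle(Long id, Principal principal) {
        Article article = articles.findById(id)
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "No such article"));
        String requester = principal.getName();   // username of the authenticated user
        if (!article.getAuthor().getUsername().equals(requester)) {
            // Spring Security's ExceptionTranslationFilter answers this with 403 Forbidden
            // for an authenticated user (401 only when nobody is logged in).
            throw new AccessDeniedException("Only the author may modify this article");
        }
        return article;
    }

    /** Assumed request body for updates (Java 16+ record). */
    public record ArticleUpdate(String title, String body) {}
}
```

Note that a missing article is answered with 404 before the owner check runs, so a non-owner can learn that an id exists; if that matters for your application, return 403 for both cases instead.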
Puspender Tanwar
Ranch Hand
Thanks Stephan.
Suppose in the future I want to grant a few users some extra permissions. For example, you are the author of the Spring forum, so you have some extra permissions.
In the same manner, users of my website would be granted special permissions based on their points.

How is this handled? ACL?
 
Stephan van Hulst
Saloon Keeper
No. ACL explicitly grants specific users access to specific objects.

When you want to do something like: "I'm the author of this article, but I want to explicitly grant user #123 and user #456 authorization to edit it as well", then you would use ACL.

If I wanted users to gain a set of special permissions that don't necessarily have to do with specific objects, I'd probably use roles. For instance, users that have a certain amount of points could be granted the 'editor' role, and they are allowed to edit all articles regardless of whether they are the author or not.
 
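Stephan's two answers together (ownership decided from the stored author, roles for extra permissions that are not tied to one object) can be expressed declaratively with Spring Security's method security instead of an if-statement in every controller. This is an added example, not code from the thread. It assumes Spring Security 5.6 or later for @EnableMethodSecurity, the Article and User entities with Spring Data repositories ArticleRepository and UserRepository (the latter with an Optional-returning findByUsername), a getPoints() and getPasswordHash() on User, and a 1000-point threshold for the editor role. Several top-level classes are shown in one listing for compactness; in a project each would be its own file.

```java
// Added example, not code from the thread. Entities, repositories and the threshold are assumptions.
package com.example.articles.declarative;

import java.util.Optional;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;

/** Turns on @PreAuthorize. On Spring Security before 5.6 use @EnableGlobalMethodSecurity(prePostEnabled = true). */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

/** Ownership predicate written once; referenced from SpEL as @articleAuth. */
@Component("articleAuth")
class ArticleAuthorization {

    private final ArticleRepository articles;   // assumed Spring Data repository

    ArticleAuthorization(ArticleRepository articles) {
        this.articles = articles;
    }

    /** True only if the author stored with the article is the authenticated user. */
    public boolean isAuthor(Long articleId, Authentication authentication) {
        Optional<Article> found = articles.findById(articleId);
        // A missing article yields false, so the caller sees 403 rather than 404 and
        // cannot use this endpoint to probe which ids exist.
        return found.map(a -> a.getAuthor().getUsername().equals(authentication.getName()))
                    .orElse(false);
    }
}

@RestController
@RequestMapping("/articles")
class ArticleController {

    private final ArticleRepository articles;

    ArticleController(ArticleRepository articles) {
        this.articles = articles;
    }

    // Editors may modify any article; everyone else only their own.
    // hasRole('EDITOR') matches the authority ROLE_EDITOR. '#id' names the method
    // parameter, which requires parameter names kept at compile time (javac -parameters,
    // passed by default by the Spring Boot build plugins). A failed check raises
    // AccessDeniedException, which Spring Security answers with 403 Forbidden.
    @PreAuthorize("hasRole('EDITOR') or @articleAuth.isAuthor(#id, authentication)")
    @PutMapping("/{id}")
    public Article update(@PathVariable("id") Long id, @RequestBody String newBody) {
        Article article = articles.findById(id).orElseThrow();
        article.setBody(newBody);
        return articles.save(article);
    }

    @PreAuthorize("hasRole('EDITOR') or @articleAuth.isAuthor(#id, authentication)")
    @DeleteMapping("/{id}")
    public void delete(@PathVariable("id") Long id) {
        articles.deleteById(id);
    }
}

/** Derives ROLE_EDITOR from the user's points at login, so no per-article ACL rows are needed. */
@Service
class PointsAwareUserDetailsService implements UserDetailsService {

    private static final int EDITOR_THRESHOLD = 1000;   // assumed policy value

    private final UserRepository users;   // assumed: Optional<User> findByUsername(String)

    PointsAwareUserDetailsService(UserRepository users) {
        this.users = users;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = users.findByUsername(username)
                .orElseThrow(() -> new UsernameNotFoundException(username));
        String[] roles = user.getPoints() >= EDITOR_THRESHOLD
                ? new String[] {"USER", "EDITOR"}
                : new String[] {"USER"};
        return org.springframework.security.core.userdetails.User
                .withUsername(user.getUsername())
                .password(user.getPasswordHash())   // assumed to already be a bcrypt (or similar) hash
                .roles(roles)
                .build();
    }
}
```

Because the role is computed when the user is loaded, a user who crosses the points threshold gains editor rights at the next login; if the change has to take effect immediately, re-read the points inside the authorization bean instead.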
Puspender Tanwar
Ranch Hand
Thanks Stephan. That's helpful to know the use case.
 