Dynamic authentication and permissions


I need to provide a number of features in a REST service, but the security is dynamic. That is, an administrator can change permissions at will.

In my research, I only found authentication schemes where resource permissions are pre-established via a configuration file/roles, that is, a user must belong to a group (role) and that group has access to a list of resources. This does not work for me, as more groups can be created at any time with different permissions.

One way I imagined is to send the user/password with each request and decide whether the user has permission at the time the method executes, but I believe there is a more sophisticated way to solve this.

  • Could you give more details of the architecture? What is the client? Mobile, web, etc.? Which technologies are used?

  • @Mateus the clients can be mobile apps or websites via JavaScript. As for the architecture, the project is starting now (the REST part), so I'm open to architectural opinions. For now I'm only using Jersey in a Tomcat 8 container.

1 answer


Nilson,

One of the ways I've solved this in a project is that on every login through a mobile app, the authentication response, in addition to the security token and other things, returns a Profile object. This Profile object is a list of actions. The list contains all the important transactional actions the user can or cannot exercise on the system (explicitly). By groups it is complicated, because the authorization characteristics are often very "granular" (I mean: very detailed access to each function / option / screen / field).

When an action is modified (withdrawn or granted) for that user, a PUSH arrives and I modify it in the application's Profile. The Profile stays in the application's memory at all times as a single-instance Singleton. Whenever I need to, I check whether the user can perform that operation and grant access or not / display the resource. This avoids a polling timer (consuming bandwidth and server unnecessarily).

This is actually a method that is independent of the technology adopted. If you use, for example, Spring with Java, you will have some facilities to make transactions controlled by routes and to create a third party that decides whether or not the resource can be accessed.

Any questions can be asked in the comments and we will try to help in more detail.

  • How does the token part work? Does the app receive the token and send it with each request? How do I intercept this token on the server to find out whether the user/token actually has permission?

  • @Nilsonuehara on first login, the app produces a token and sends it to the server. Subsequently the token is derived from the first one, and so on for each request. On each request to the WS, before executing, the server checks whether the token sent is valid; if it is, it processes the request and returns a new token. All this with a signed certificate to ensure safety in transit: SSL/TLS. But it can be implemented without certificates. The token can even be used by both ends to derive an encryption key. Well, Nilson, this goes a long way, haha, but let's talk...

  • But is checking the token done in the method, or is there a way to create a filter to intercept the request header and check the token?

  • In the header, always, to ensure safety. Previously, before JSON etc., this technique was very well known; see if it helps to clarify this username-token exchange a little: https://www.oasis-open.org/committees/download.php/13392/wss-v1.1-spec-pr-UsernameTokenProfile-01.htm

  • What I still don't know how to do is the interceptor or filter... how do I get the header to do the check?

  • Forget it... just use a normal filter and access the header parameters via HttpServletRequest.

  • @Nilsonuehara yes...

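The filter the comments end on (a request filter that reads the token from the header before the resource method runs), combined with the answer's per-user action list that an administrator can change at any time, written out as an added example for Jersey 2 (JAX-RS 2) on Tomcat 8. This is not code from the original answer. `RequiresAction`, `ActionStore`, `TokenService`, `DynamicAuthorizationFilter` and `OrderResource` are names invented for the example, and the seeded user "nilson" and its token are constructed demo data.

```java
// Added example, not code from the original answer. One file: DynamicAuthorizationFilter.java
// (Jersey 2 / JAX-RS 2 on Tomcat 8). RequiresAction, ActionStore and TokenService are
// hypothetical names; the seeded token and user below are constructed demo data.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Names the action a caller must hold right now to invoke the annotated method. */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface RequiresAction { String value(); }

/** Mutable per-user action sets: an admin endpoint calls grant/revoke at runtime, no restart. */
final class ActionStore {
    private static final Map<String, Set<String>> USER_ACTIONS = new ConcurrentHashMap<>();
    static { grant("nilson", "order:cancel"); }   // constructed demo data

    static void grant(String user, String action) {
        USER_ACTIONS.computeIfAbsent(user, k -> ConcurrentHashMap.newKeySet()).add(action);
    }

    static void revoke(String user, String action) {
        Set<String> actions = USER_ACTIONS.get(user);
        if (actions != null) actions.remove(action);
    }

    /** Read on every request, so an administrator's change is enforced on the very next call. */
    static boolean allows(String user, String action) {
        Set<String> actions = USER_ACTIONS.get(user);
        return actions != null && actions.contains(action);
    }
}

/** Opaque bearer tokens issued at login. Real tokens must be random, expiring and revocable. */
final class TokenService {
    private static final Map<String, String> TOKEN_TO_USER = new ConcurrentHashMap<>();
    static { issue("constructed-demo-token", "nilson"); }   // constructed demo data

    static void issue(String token, String user) { TOKEN_TO_USER.put(token, user); }

    /** User name for a valid token, or null for an unknown one. */
    static String userFor(String token) { return token == null ? null : TOKEN_TO_USER.get(token); }
}

/** Runs before every resource method; fails closed on any missing, malformed or unknown input. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class DynamicAuthorizationFilter implements ContainerRequestFilter {
    private static final String BEARER = "Bearer ";

    @Context private ResourceInfo resourceInfo;   // which resource method Jersey matched

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String user = (header != null && header.startsWith(BEARER))
                ? TokenService.userFor(header.substring(BEARER.length()).trim())
                : null;
        if (user == null) {                       // no header, wrong scheme or unknown token
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
            return;
        }
        Method method = resourceInfo.getResourceMethod();
        RequiresAction required = method == null ? null : method.getAnnotation(RequiresAction.class);
        // Default deny: a method that declares no action is unreachable even for a valid user.
        if (required == null || !ActionStore.allows(user, required.value())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

/** The resource names the action it needs; no group or role list is configured anywhere. */
@Path("/orders")
class OrderResource {
    @POST
    @Path("{id}/cancel")
    @RequiresAction("order:cancel")
    public Response cancel(@PathParam("id") String id) {
        return Response.ok("order " + id + " cancelled").build();
    }
}
```

Register the filter and the resource with Jersey (for example `new ResourceConfig().register(DynamicAuthorizationFilter.class).register(OrderResource.class)`, or package scanning). A `POST /orders/42/cancel` with `Authorization: Bearer constructed-demo-token` then returns 200; after `ActionStore.revoke("nilson", "order:cancel")` the same call returns 403 with no redeploy, and a request without the header returns 401. Two caveats the comments gloss over: the header travels in the clear unless the service is only reachable over TLS, and the server-side check must remain the authority; a Profile cached on the client is for showing or hiding UI, not for enforcement.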