sebaaastian - 1 month ago
Java Question

Jersey rest framework - authorization - some doubts

I read about the Jersey framework for REST services on this page: http://howtodoinjava.com/jersey/jersey-restful-client-api-authentication-example/

And I don't understand one thing.
For instance, when we have

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;

@Path("/users")
public class JerseyService
{
    @RolesAllowed("USER")
    public String doLogin(@QueryParam("username") String uname,
                          @QueryParam("password") String result)
    {
        return null; // placeholder: the method body is not shown in the question
    }
}


Does it mean that a user with role USER can modify (by this method) ALL the users? Not only himself in the database? I am writing an Android app and I can imagine a situation where someone is using, for instance, Advanced REST Client. He logs on to the service, modifies the queries in an appropriate way and badly messes up my database. For instance, writes some points to another user or something similar. How can I shut out this situation?

Answer

Jersey (and similarly Spring Security) operate on resource types and roles.

So, if you permit role "USER" to operate on resource "Users", you can't block a specific user from editing other users with Jersey alone.

What you can do is use SecurityContext to get the current user, and block dangerous operations if his credentials differ from those of the user being changed.

Here's a good example on SecurityContext:
https://simplapi.wordpress.com/2015/09/19/jersey-jax-rs-securitycontext-in-action/
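The ownership check the answer describes, written out as an added example (it is not code from the question, the answer, or either linked tutorial). It assumes a Jersey 2 / JAX-RS 2 application in which a ContainerRequestFilter has already authenticated the request and installed a SecurityContext whose principal name is the username, and in which RolesAllowedDynamicFeature is registered so that @RolesAllowed is enforced. UserRepository and the points limit are hypothetical. Two endpoints are shown: one that never accepts a target user from the client at all, and one that does and therefore must compare the target against the caller.

```java
import java.security.Principal;
import java.util.Objects;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/** Hypothetical persistence layer, assumed for this example only. */
interface UserRepository {
    void addPoints(String username, int points);
}

@Path("/users")
public class UserResource {

    private final UserRepository repo;

    public UserResource(UserRepository repo) {
        this.repo = Objects.requireNonNull(repo);
    }

    /**
     * Preferred form: the target account comes from the authenticated
     * principal, never from the request, so a tampered query string cannot
     * redirect the write to someone else's row. No ownership check is needed.
     */
    @POST
    @Path("/me/points")
    @RolesAllowed("USER")
    public Response addPointsToSelf(@QueryParam("points") int points,
                                    @Context SecurityContext sc) {
        String me = requirePrincipal(sc).getName();
        repo.addPoints(me, validatePoints(points));
        return Response.noContent().build();
    }

    /**
     * Form that takes the target user from the path. @RolesAllowed only proves
     * the caller holds role USER; the explicit comparison below is what stops
     * user A from crediting user B. ADMIN may target anyone.
     */
    @POST
    @Path("/{username}/points")
    @RolesAllowed({"USER", "ADMIN"})
    public Response addPointsToUser(@PathParam("username") String target,
                                    @QueryParam("points") int points,
                                    @Context SecurityContext sc) {
        requireSelfOrAdmin(sc, target);
        repo.addPoints(target, validatePoints(points));
        return Response.noContent().build();
    }

    /** 401 if the auth filter attached no principal (a wiring error, not a user error). */
    static Principal requirePrincipal(SecurityContext sc) {
        Principal p = sc.getUserPrincipal();
        if (p == null) {
            // The argument is the WWW-Authenticate challenge; Basic is assumed here.
            throw new NotAuthorizedException("Basic realm=\"users\"");
        }
        return p;
    }

    /** 403 unless the caller is the target user or holds ADMIN. */
    static void requireSelfOrAdmin(SecurityContext sc, String target) {
        Principal p = requirePrincipal(sc);
        if (sc.isUserInRole("ADMIN")) {
            return;
        }
        // Exact, case-sensitive match: "Alice" and "alice" are different accounts
        // unless the user store itself normalises names, in which case normalise here too.
        if (!p.getName().equals(target)) {
            throw new ForbiddenException("may only modify own account");
        }
    }

    /** The amount is client input as well; bound it so a crafted request cannot bulk-credit an account. */
    static int validatePoints(int points) {
        if (points <= 0 || points > 100) { // assumed business limit
            throw new BadRequestException("points must be between 1 and 100");
        }
        return points;
    }
}
```

Two caveats worth carrying into a real deployment: the check must sit on every method that writes to a user-identified row, not just the one a tester happens to look at, so keeping it in a shared helper like requireSelfOrAdmin makes omissions easier to spot in review; and the question's doLogin signature takes the password as a @QueryParam, which lands it in access logs and browser history, so credentials belong in an Authorization header or request body over TLS instead.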