I have an API which need to be authorized before running.
So, the allowed roles and authorities here is:
1. hasRole('ADMIN') + hasAuthority('Edit_Post')
2. hasRole('USER') + hasAuthority('Manage_Post')
3. author of the post
So, the user needs to be either ADMIN and has editpost authority, or need to be user with manage_post right, or author of the post to edit post.
I know #PreAuthorize can manage to do with multiple role by using hasAnyRole, but it doesn't work as I expected in this one. I know how to do each of these separately, but combining them together is an issue.
I thought about use #PreAuthorize('hasAnyRole') and check for Authority in the backend block, but it would be the best if I have a way to deal with #PreAuthorize.
How should I do this. Thank you
Related
I'm trying to implement a GET method with Express in my nodeJs application.
I'd like to do something like this in order to display user data :
router.get("/user/:idUser", (req, res) => {
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
How could I proceed ? I thought about using some encryption process to have something like :
/user/PdfgdfJFDGTfrfgdsf
Your question isn't really making sense. You don't want authentication, but you only want a user to be able to view their own data so nobody else can view it.
The ONLY way to solve that is by using some form of authentication. The user has to prove to the server that they are allowed to view that data before the user renders the page for them.
Yes, you could obscure the URL (make it some mostly unguessable string of characters), but it's not clear what problem that is solving. The user themselves won't be able to remember it or type it so it would probably have to be a link in a web page and if it's a link in an unauthenticated web page, then anyone can get to it - thus defeating the purpose.
There are cases where temporary links (often done for privileged downloads) such as what you mention /user/PdfgdfJFDGTfrfgdsf are sent via an authenticated channel (either an authenticated webpage or sent to an email address known to belong to an authenticated user) and these links contain some unique and hard to guess code. The user can then click on that link (in authenticated webpage or in email) and access that resource without further authentication. In that case, the knowledge of the code in the URL is serving as a form of proof of authentication. Because URLs may be logged in service providers or corporate infrastructure and thus not remain entirely private, this technique has its limitations and is typically only used for short term (download this resource in the next 10 minutes) type of uses, not a long term substitute for authentication and not used for things that demand real security. You don't explain enough of your use case to know whether this is practical for your situation or not.
The user doesn't need to be authenticated in order to execute this code. However I don't want that anybody can execute this request with a user id of someone else. Because he could see data he's not supposed to see.
That's an inconsistent statement. You say "user doesn't need to be authenticated in order to execute this code" and then you say "I don't want that anybody can execute this request with a user id of someone else.". You can't have both. The user is either required to prove authorization or they aren't. Pick one. It can't be both.
you can use jwt for this and a auth middleware for this
upon decoding jwt token, you can implement logic to check if the decodedToken.user_id (given that you add user_id when encode token payload) is equal to the :idUser in route (or any kind of logic you want) there.
I want to create a closed community. So I wold have a lot of users but all of them will be invited by myself or somebody.
Moreover I want them to have only one option to login - social accounts.
I've implemented this functionality but for me it looks like set of hack:
1) forbid /api/register endpoint to prevent self registration by the registration form
2) Do not create new user if it is still has not been created (here SocialService#createUserIfNotExist)
3) Modify some email templates
My questions now are:
1) Is it is right way or you can suggest better solution?
2) Do you think that it may be a good option for further JHipster generator?
The most important thing is first to block the backend calls to the /api/register endpoint by blacklisting it using .denyAll() in the security configuration. This will right away reject any request with HTTP 401 Unauthorized.
Secondarily you can work backwards and remove frontend and backend call.
Open the corresponding route file (I think it's account ) and delete the entry to register, then open the login HTML file and delete the part referring to the registration. That should do the trick
We have a little discussion in my team how to handle http restriction in our app.
In our app a user can create products. So we have routes like /products and /product/1/show to list and show products of a user. A user can not see products of another user. The app uses a REST endpoint to fetch the data. The API call looks like this /api/product/1/ to fetch a single product.
We have more routes/API endpoint for other kinds of entities.
The question is how to protect a route/API request against other users?
We have two solutions:
use the firewall and voters. The voter gets the current url /product/1/show and checks if given product is owned by the current logged in user.
use a voter without the firewall: http://symfony.com/doc/current/cookbook/security/voters_data_permission.html
use the role system: http://jmsyst.com/bundles/JMSSecurityExtraBundle/master/annotations
I prefer solution 1. because all information we need (who is the owner of the product) still exist. We only need to fetch the entity and do a check.
In solution 2. we have to spread the voter logic over several controllers.
Are there recommendations or experiences on this problem?
If i have to choose between those three it would be 1. But i suggest a different route. I assume that the digit 1 in /product/1/show stands for the user number? If that is the case i suggest that you make new routes without the numbers e.g. /my-products/show . The controller must then use the id of the currently logged in user.
Im currently working on a nodejs project and require some authentication. As it stands I just use expresses basicAuth function, however I can't seem to figure out how to do more advanced operations. For example I have two url parameters say bob and steve. If the user navigates to website.com/bob I want it to ask for username:"user" and password:"password". However if the user navigates to website.com/steve I want it to ask for username:"user2" and password:"password123"
Would this be possible using basicAuth and if so how? Or would something like passportjs be able to accomplish this task? I dont need an amazing solution just something to stop people accessing certain areas.
What you are trying to achieve is probably access control and I suggest you use a access control list module which will allow you to implement policies as to which users/groups have access to which resources within your application.
This way, even if a user provides their username/password pair, they will not be allowed to access that resource based on the policy which is a better option application design wise.
For a start:
https://www.npmjs.org/package/acl
I have this scenario:
1 User - N Project
1 Project - N Task
1 Project - N Comment
When a user is authenticated he can do:
/api/tasks/1
to delete his task but when he is doing /api/tasks/2 he deletes the task of someone else
/api/comments/1
to get his comment but when he is doing /api/comments/2 he reads the task of someone else
How can I intercept the user action (manipulating the URI) and check in a general way wether the user is allowed to delete this Task.
The Task and Comment does not know anything about a userId so how can forbide the user to delete other peoples data?
I am not talking about user and roles scenario.
I am talking about manipulating the URI to delete ressources belonging to someone else.
UPDATE to answer #A Khudairy`s question
1) email + password is sent to api.
2) Api returns user with user token.
3) Then with every request the token is sent to api,( so that Iknow which user is doing what and handle this in backend.)
well I wouldn't personally solve this using the URI (I don't think there is a secure way to achieve that). I will implement a custom authorization filter Check this link for help on how to do that if you are not familiar with it.
In the filter I would use the token to get the user id, and use the route data to see what procedure is the user trying to do (and id of task or comment), then make decision if the user can continue based on that.
Filters can be registered then on top of controller class, or just on some action methods, or from global.asax to all actions if required.
Sounds to me like you are either going to have to add the UserId to the Comment and Task entities so that you can check easily or you are going to need to ensure that the Task or Comment belongs to a project that the user has access too?
Unless I am misunderstanding your question?
If the Task or Comment does not have a UserId, how are you going to distinguish between your own comments and tasks and someone elses?