
I'm new to web applications and security and I have a basic question.

Imagine a single Java web application with a single database but multiple accounts. Let's think about a to-do list for simplicity where people can access only their own 'items' at /item/item-id. E.g.:

  • User1 creates items 1 and 2;
  • User2 creates items 3 and 4;

How do I prevent User2 from accessing /item/1 for instance?

This seems to go beyond Authentication (who is this?) and Authorization (what role does he/she have?) to me.

Should I keep a persisted map of user-items and check every time before returning a response?

Are there any Spring (or other) tricks/helpers for this problem?

2 Answers


Authorization isn't "What role do you have?". It's "Are you allowed to do this?". The role will play a part in deciding if the subject is allowed.

What you are describing is exactly the purpose of authorization.

User2 is trying to access (think of CRUD in HTTP GET, POST, DELETE, PUT) the resource at /item/1. Are they allowed? No. So deny them access.

Should I keep a persisted map of user-items and check every time before returning a response?

How you perform authorization is up to you. Spring Security definitely offers some good tools to do it from a database while separating that logic from your application logic (if need be).

I'd also like to recommend another security framework: Apache Shiro. I think it's a little easier to configure than Spring Security and I find its authentication/authorization logic more straightforward.


3 Comments

Thanks! Can you point me to any documentation or sample code that leverages Spring Security for authorization decoupled from the application logic? There is way too much useless stuff on the web unfortunately...
Or Shiro examples that do something along my needs. I would prefer to mix too many things together but if Shiro provides a good amount of simplification that's great.
@Gevorg There should be some Shiro examples online. But their documentation is the best place to start. Learn about the two main components: the Realm and the Subject.
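The following is an added example, not code from the answer above or from the Spring project, showing the check the question asks for in a Spring Boot 3 / Spring Security 6 application. `Item`, `ItemRepository`, the `itemAuthz` bean name and the URL paths are assumptions made for the example; with Spring Data JPA the `findByIdAndOwnerUsername` method would be a derived query. The first handler is the bug the question describes (authentication done, no ownership check); the three that follow are ways to close it, two of them keeping the rule out of the handler body.

```java
// Added example: object-level authorization for /item/{id} in Spring Security 6.
// Item, ItemRepository and the "itemAuthz" bean are hypothetical.
import java.util.Optional;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@Configuration
@EnableMethodSecurity   // turns on @PreAuthorize / @PostAuthorize evaluation
class MethodSecurityConfig {}

record Item(long id, String ownerUsername, String text) {}

/** Hypothetical repository; with Spring Data JPA the second method is a derived query. */
interface ItemRepository {
    Optional<Item> findById(long id);
    Optional<Item> findByIdAndOwnerUsername(long id, String ownerUsername);
    void deleteById(long id);
}

/** The ownership rule, kept out of the controller and referenced from SpEL as @itemAuthz. */
@Component("itemAuthz")
class ItemAuthorizer {
    private final ItemRepository repo;
    ItemAuthorizer(ItemRepository repo) { this.repo = repo; }

    public boolean isOwner(long itemId, Authentication auth) {
        return repo.findById(itemId)
                   .map(item -> item.ownerUsername().equals(auth.getName()))
                   .orElse(false);   // unknown item: deny, and do not reveal whether it exists
    }
}

@RestController
class ItemController {
    private final ItemRepository repo;
    ItemController(ItemRepository repo) { this.repo = repo; }

    // The bug from the question: the caller is authenticated, but the lookup is keyed
    // by id alone, so User2 can read /item/1 just as well as User1 can.
    @GetMapping("/insecure/item/{id}")
    Item insecure(@PathVariable long id) {
        return repo.findById(id)
                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }

    // Fix 1: scope the query by the caller. Answering 404 rather than 403 for someone
    // else's item avoids confirming that the id exists.
    @GetMapping("/item/{id}")
    Item get(@PathVariable long id, Authentication auth) {
        return repo.findByIdAndOwnerUsername(id, auth.getName())
                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }

    // Fix 2: declarative rule evaluated before the method runs. "#id" needs parameter
    // names at runtime (javac -parameters, which Spring Boot builds enable by default).
    @PreAuthorize("@itemAuthz.isOwner(#id, authentication)")
    @DeleteMapping("/item/{id}")
    void delete(@PathVariable long id) {
        repo.deleteById(id);
    }

    // Fix 3: check the loaded object after the call via the built-in returnObject variable.
    @PostAuthorize("returnObject.ownerUsername() == authentication.name")
    @GetMapping("/item/{id}/details")
    Item details(@PathVariable long id) {
        return repo.findById(id)
                   .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}
```

Fix 1 is the "persisted map of user-items" from the question, expressed as a query filter rather than a separate table: the owner column on the item already is that map. Fix 2 is the decoupled variant the comment asks about; the SpEL expression names a bean, so the rule can later be changed (or moved to a policy engine) without touching the handler.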

In addition to Spring Security and Apache Shiro, you want to consider XACML-based authorization frameworks e.g. SunXACML, WSO2, Axiomatics (disclaimer: I work for Axiomatics).

XACML is the eXtensible Access Control Markup Language. It's the de facto standard for fine-grained authorization. Much like SAML is great at identity federation / SSO, XACML helps you achieve authorization.

XACML gives you an architecture (see picture below) as well as an authorization language which you can use to express specific authorization scenarios e.g.

  • doctors can view medical records of patients they are assigned to
  • nurses can view medical records of patients that belong to the same clinic
  • patients can view their own records and that of patients for whom they are the guardian

You can have as many rules as you like. There is no limit.

[Figure: the XACML architecture, with the Policy Decision Point (PDP) at its core]
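To show what the architecture in the figure means for the to-do application, here is an added example, written for this page and not taken from the answer, from the XACML specification or from any vendor's SDK: the separation XACML prescribes between the Policy Enforcement Point (the endpoint that asks and enforces), the Policy Decision Point (which evaluates rules over subject, action and resource attributes) and the Policy Information Point (which fetches attributes the request does not carry, here the item's owner), sketched in plain Java with an in-memory rule. The attribute names, the `Rule`/`AccessRequest` types and the sample ownership data are all made up for the example; a real deployment would express the rule in XACML and delegate `decide` to a PDP product.

```java
// Added example: PEP / PDP / PIP separation in plain Java (not XACML XML, not a vendor API).
// Requires Java 16+ for records. Attribute names and ownership data are constructed.
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Predicate;

/** An access request: who (subject attributes), does what (action), to which resource (attributes). */
record AccessRequest(Map<String, String> subject, String action, Map<String, String> resource) {}

enum Decision { PERMIT, DENY }

/** A rule permits when its condition holds for the attribute-enriched request. */
record Rule(String id, Predicate<AccessRequest> condition) {}

/** PIP: resolves attributes the PEP did not supply, here the owner of an item. */
interface PolicyInformationPoint {
    Optional<String> itemOwner(String itemId);
}

/** PDP: evaluates the rules with deny-unless-permit combining. */
final class PolicyDecisionPoint {
    private final List<Rule> rules;
    private final PolicyInformationPoint pip;

    PolicyDecisionPoint(List<Rule> rules, PolicyInformationPoint pip) {
        this.rules = rules;
        this.pip = pip;
    }

    Decision decide(AccessRequest request) {
        // Enrich the resource with the "item-owner" attribute from the PIP if it is missing.
        Map<String, String> resource = new HashMap<>(request.resource());
        if (!resource.containsKey("item-owner") && resource.containsKey("item-id")) {
            pip.itemOwner(resource.get("item-id")).ifPresent(owner -> resource.put("item-owner", owner));
        }
        AccessRequest enriched = new AccessRequest(request.subject(), request.action(), resource);
        for (Rule rule : rules) {
            if (rule.condition().test(enriched)) {
                return Decision.PERMIT;
            }
        }
        return Decision.DENY;   // deny-unless-permit: no matching rule means deny
    }
}

/** PEP: the /item/{id} endpoint builds the request, asks the PDP, and enforces the answer. */
final class ItemEndpoint {
    private final PolicyDecisionPoint pdp;
    ItemEndpoint(PolicyDecisionPoint pdp) { this.pdp = pdp; }

    String view(String username, String itemId) {
        AccessRequest request = new AccessRequest(
                Map.of("subject-id", username),
                "view",
                Map.of("resource-type", "item", "item-id", itemId));
        if (pdp.decide(request) != Decision.PERMIT) {
            throw new SecurityException("403 Forbidden: " + username + " may not view item " + itemId);
        }
        return "item " + itemId;   // the application logic itself contains no authorization code
    }
}

public class XacmlStyleDemo {
    public static void main(String[] args) {
        // Constructed data matching the question: User1 owns items 1 and 2, User2 owns 3 and 4.
        Map<String, String> owners = Map.of("1", "User1", "2", "User1", "3", "User2", "4", "User2");
        PolicyInformationPoint pip = itemId -> Optional.ofNullable(owners.get(itemId));

        // The rule "users can view their own items", expressed over attributes only.
        Rule ownerCanView = new Rule("owner-can-view-own-item", r ->
                "view".equals(r.action())
                && "item".equals(r.resource().get("resource-type"))
                && r.subject().get("subject-id").equals(r.resource().get("item-owner")));

        PolicyDecisionPoint pdp = new PolicyDecisionPoint(List.of(ownerCanView), pip);
        ItemEndpoint pep = new ItemEndpoint(pdp);

        System.out.println(pep.view("User1", "1"));          // permitted: User1 owns item 1
        try {
            pep.view("User2", "1");                           // denied: User2 does not own item 1
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of the split is the one the first answer also makes: the endpoint never decides anything itself, so adding the "nurses in the same clinic" or "guardian" rules from the list above means adding rules and attributes on the PDP side, not editing every handler. For an item id that does not exist, the PIP returns nothing, the owner attribute stays absent and the rule fails, so the default is still deny.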
