Announcement Announcement Module
No announcement yet.
Restful Urls - securing direct object references? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Restful Urls - securing direct object references?

    I have a Spring MVC App using Restful URLs. Security is currently Spring Security 3.1 operating in a stateless fashion ( create-session="stateless" ) with both Basic Http & Digest Authentication used for User Authentication. Stateless is important as this should be a truly restful App with no use of Sessions.

    A typical URI would be I'm wondering what is considered best practice in Spring Security for authorizing direct object references e.g. the user uses their browser's location box to update the url to which they should not have permission to (their account is ID 123, not 124).

    I've been surprised at the (apparent) lack of discussion I've found online around securing direct object references in Spring Security - perhaps my Google-powers just suck ;-) .

    I want to maintain a non-intrusive solution so at moment I would add a custom filter to the SS Filter chain - this filter would then check the ID of the requested resource against the database to ensure that the authenticated User actually owns this resource. I really don't like the thought of this performance-wise but don't see another option.

    Is there a best practice or alternative approach (WebInvocationPrivilegeEvaluator?) that anyone could recommend? Any input appreciated.

  • #2
    It depends. If you simply return the object from your controller you could use the @PostAuthorize annotation and write an expression (for instance only the user himself or someone with ROLE_ADMIN could access the object). Or you might want to use the @PreAuthorize to simply check the id and if it matches.