Hello! What is the best way to secure endpoints that contain a user ID? For example, let's assume I have an endpoint like "abc.com/users/1," and when I send a DELETE request to this endpoint as an authenticated user (I have a JWT token but with a different ID), I can remove this user. However, I mustn't do that because I'm the second user. Is there a better way to solve this problem other than using PreAuthorize? Thank you!
#Spring security
don't provide endpoints like that with the user id
e.g. instead of allowing requests like that to /users/123, create an endpoint for these requests /users/current
you can add an Authentication parameter
and use that for getting the current user information
This is my old method to get user but I changed it to be suitable for the rest design and for some admin operations.
I don't know how much it's correct to using /current for everything, because I have different services like recipe and I have to compare chef id with token subject, so what should I do in this case?
you have multiple options
or is it a good practice to use current for every operation
you could just ignore the user parameter and still use the Authentication
though that doesn't seem to make much sense with your model
or you could create a filter for all /user requests and only allow them if the requested user is the current user
or you could add a check in the request handler comparing the Authentication with the requested user id
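The last option (an ownership check in the request handler comparing the Authentication with the requested id), as an added Spring example that is not code from the thread. It assumes the JWT subject claim is the numeric user id; UserService and the ROLE_ADMIN authority are hypothetical.

```java
// Added example, not from the thread. Assumes the JWT "sub" claim carries the numeric
// user id (so Authentication.getName() returns it); UserService is hypothetical.
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/users")
public class UserController {
    private final UserService userService;

    public UserController(UserService userService) {
        this.userService = userService;
    }

    // The shape from the question: without the check, any authenticated caller
    // could delete any id. The ownership check runs before the service is touched.
    @DeleteMapping("/{id}")
    public ResponseEntity<Void> deleteUser(@PathVariable long id, Authentication auth) {
        requireOwnerOrAdmin(auth, id);
        userService.delete(id);
        return ResponseEntity.noContent().build();
    }

    // Compares the authenticated subject with the owner id of the requested resource.
    // Reusable for other resources (e.g. a recipe's chef id) by passing that id instead.
    // Throwing AccessDeniedException lets Spring Security's filter chain answer 403.
    static void requireOwnerOrAdmin(Authentication auth, long ownerId) {
        if (auth == null) throw new AccessDeniedException("not authenticated");
        boolean isAdmin = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch("ROLE_ADMIN"::equals);
        if (isAdmin) return;
        long callerId;
        try {
            callerId = Long.parseLong(auth.getName());
        } catch (NumberFormatException e) {
            throw new AccessDeniedException("subject is not a user id");
        }
        if (callerId != ownerId) {
            throw new AccessDeniedException("not the owner of this resource");
        }
    }
}
```

For the recipe case from the question, load the recipe first and call requireOwnerOrAdmin(auth, recipe.getChefId()) before mutating it, so the comparison is always against the stored owner rather than anything the client sent.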
I will use one of these. Thanks!