How to secure Spring Data REST associations requests?How to use java.net.URLConnection to fire and handle HTTP requestsHow to configure port for a Spring Boot applicationSpring data REST: Update a resource´s association using proper HTTP methodSpring Data Rest - _linksAdding associated elements with Spring Data REST and Restangularbest way to save child resource Spring Data RESTHow to avoid Spring Data Rest throwing HTTP 400 when an AccessDeniedException occurs on a controllerSpring Rest API Oauth2 SecurityExposing both parent and child entities as REST repositories in Spring Data RESTSaving Multipart Form Data With Spring Security giving error HTTP Status 405 - Request method 'POST' not supported

Etymology of 'calcit(r)are'?

Last survivors from different time periods living together

Phone number to a lounge, or lounges generally

How many pairs of subsets can be formed?

Can an Eldritch Knight use Action Surge and thus Arcane Charge even when surprised?

How Can I Tell The Difference Between Unmarked Sugar and Stevia?

Why does the Schrödinger equation work so well for the Hydrogen atom despite the relativistic boundary at the nucleus?

Was the Tamarian language in "Darmok" inspired by Jack Vance's "The Asutra"?

Russian equivalents of "no love lost"

Does an ice chest packed full of frozen food need ice?

What can cause the front wheel to lock up when going over a small bump?

Efficient integer floor function in C++

Company did not petition for visa in a timely manner. Is asking me to work from overseas, but wants me to take a paycut

Should an arbiter claim draw at a K+R vs K+R endgame?

What can plausibly explain many of my very long and low-tech bridges?

When writing an error prompt, should we end the sentence with a exclamation mark or a dot?

Version 2 - print new even-length arrays from two arrays

What does the "c." listed under weapon length mean?

How can drunken, homicidal elves successfully conduct a wild hunt?

Required to check-in in person at international layover airport

What risks are there when you clear your cookies instead of logging off?

Is any name of Vishnu Siva?

How to translate “Me doing X” like in online posts?

What's up with this leaf?



How to secure Spring Data REST associations requests?


How to use java.net.URLConnection to fire and handle HTTP requestsHow to configure port for a Spring Boot applicationSpring data REST: Update a resource´s association using proper HTTP methodSpring Data Rest - _linksAdding associated elements with Spring Data REST and Restangularbest way to save child resource Spring Data RESTHow to avoid Spring Data Rest throwing HTTP 400 when an AccessDeniedException occurs on a controllerSpring Rest API Oauth2 SecurityExposing both parent and child entities as REST repositories in Spring Data RESTSaving Multipart Form Data With Spring Security giving error HTTP Status 405 - Request method 'POST' not supported






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















I'v created REST API using Spring Data REST. I have entity User and Post, where User can have multiple posts (One to Many). Now I need to add posts to my user. But I need that userA can't have possibilities to delete or update posts of userB.



Api structure




 "_links": 
 "users": 
 "href": "http://localhost:8081/api/users?page,size,sort",
 "templated": true
 ,
 "posts": 
 "href": "http://localhost:8081/api/posts?page,size,sort",
 "templated": true
 
 "profile": 
 "href": "http://localhost:8081/api/profile"



User structure




 "id": 1,
 "username": null,
 "password": null,
 "_links": 
 "self": 
 "href": "http://localhost:8081/api/users/1"
 ,
 "user": 
 "href": "http://localhost:8081/api/users/1"
 ,
 "posts": 
 "href": "http://localhost:8081/api/users/1/posts"



There are several ways to add related entity throw links.
Using PUT method and text/uri-list content type:



PUT /api/posts/1/user? HTTP/1.1
Host: localhost:8081
Content-Type: text/uri-list
Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
cache-control: no-cache
http://localhost:8081/api/users/1


But with this way I can add any URI to body and add any random user to random post, and I think, there is a security problem here.
Next method to add related resource is to add it in JSON like this:



PATCH /api/posts/1? HTTP/1.1
Host: localhost:8081
Content-Type: application/json
Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
cache-control: no-cache

 "user": "http://localhost:8081/api/users/1"



But and in this method the same problem. Any user can be added to any post.



Now I see only one solve of this problem - is customizing rest repository and check if added user is current authenticated user.






java spring spring-security spring-data-rest







share|improve this question




























    1















    I'v created REST API using Spring Data REST. I have entity User and Post, where User can have multiple posts (One to Many). Now I need to add posts to my user. But I need that userA can't have possibilities to delete or update posts of userB.



    Api structure




     "_links": 
     "users": 
     "href": "http://localhost:8081/api/users?page,size,sort",
     "templated": true
     ,
     "posts": 
     "href": "http://localhost:8081/api/posts?page,size,sort",
     "templated": true
     
     "profile": 
     "href": "http://localhost:8081/api/profile"



    User structure




     "id": 1,
     "username": null,
     "password": null,
     "_links": 
     "self": 
     "href": "http://localhost:8081/api/users/1"
     ,
     "user": 
     "href": "http://localhost:8081/api/users/1"
     ,
     "posts": 
     "href": "http://localhost:8081/api/users/1/posts"



    There are several ways to add related entity throw links.
    Using PUT method and text/uri-list content type:



    PUT /api/posts/1/user? HTTP/1.1
    Host: localhost:8081
    Content-Type: text/uri-list
    Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
    cache-control: no-cache
    http://localhost:8081/api/users/1


    But with this way I can add any URI to body and add any random user to random post, and I think, there is a security problem here.
    Next method to add related resource is to add it in JSON like this:



    PATCH /api/posts/1? HTTP/1.1
    Host: localhost:8081
    Content-Type: application/json
    Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
    cache-control: no-cache

     "user": "http://localhost:8081/api/users/1"



    But and in this method the same problem. Any user can be added to any post.



    Now I see only one solve of this problem - is customizing rest repository and check if added user is current authenticated user.






    java spring spring-security spring-data-rest







    share|improve this question
























      1












      1








      1








      I'v created REST API using Spring Data REST. I have entity User and Post, where User can have multiple posts (One to Many). Now I need to add posts to my user. But I need that userA can't have possibilities to delete or update posts of userB.



      Api structure




       "_links": 
       "users": 
       "href": "http://localhost:8081/api/users?page,size,sort",
       "templated": true
       ,
       "posts": 
       "href": "http://localhost:8081/api/posts?page,size,sort",
       "templated": true
       
       "profile": 
       "href": "http://localhost:8081/api/profile"



      User structure




       "id": 1,
       "username": null,
       "password": null,
       "_links": 
       "self": 
       "href": "http://localhost:8081/api/users/1"
       ,
       "user": 
       "href": "http://localhost:8081/api/users/1"
       ,
       "posts": 
       "href": "http://localhost:8081/api/users/1/posts"



      There are several ways to add related entity throw links.
      Using PUT method and text/uri-list content type:



      PUT /api/posts/1/user? HTTP/1.1
      Host: localhost:8081
      Content-Type: text/uri-list
      Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
      cache-control: no-cache
      http://localhost:8081/api/users/1


      But with this way I can add any URI to body and add any random user to random post, and I think, there is a security problem here.
      Next method to add related resource is to add it in JSON like this:



      PATCH /api/posts/1? HTTP/1.1
      Host: localhost:8081
      Content-Type: application/json
      Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
      cache-control: no-cache

       "user": "http://localhost:8081/api/users/1"



      But and in this method the same problem. Any user can be added to any post.



      Now I see only one solve of this problem - is customizing rest repository and check if added user is current authenticated user.






      java spring spring-security spring-data-rest







      share|improve this question














      I'v created REST API using Spring Data REST. I have entity User and Post, where User can have multiple posts (One to Many). Now I need to add posts to my user. But I need that userA can't have possibilities to delete or update posts of userB.



      Api structure




       "_links": 
       "users": 
       "href": "http://localhost:8081/api/users?page,size,sort",
       "templated": true
       ,
       "posts": 
       "href": "http://localhost:8081/api/posts?page,size,sort",
       "templated": true
       
       "profile": 
       "href": "http://localhost:8081/api/profile"



      User structure




       "id": 1,
       "username": null,
       "password": null,
       "_links": 
       "self": 
       "href": "http://localhost:8081/api/users/1"
       ,
       "user": 
       "href": "http://localhost:8081/api/users/1"
       ,
       "posts": 
       "href": "http://localhost:8081/api/users/1/posts"



      There are several ways to add related entity throw links.
      Using PUT method and text/uri-list content type:



      PUT /api/posts/1/user? HTTP/1.1
      Host: localhost:8081
      Content-Type: text/uri-list
      Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
      cache-control: no-cache
      http://localhost:8081/api/users/1


      But with this way I can add any URI to body and add any random user to random post, and I think, there is a security problem here.
      Next method to add related resource is to add it in JSON like this:



      PATCH /api/posts/1? HTTP/1.1
      Host: localhost:8081
      Content-Type: application/json
      Authorization: Bearer 270c6dc3-04a5-48cc-b42e-c275472df459
      cache-control: no-cache

       "user": "http://localhost:8081/api/users/1"



      But and in this method the same problem. Any user can be added to any post.



      Now I see only one solve of this problem - is customizing rest repository and check if added user is current authenticated user.






      java spring spring-security spring-data-rest




      java spring spring-security spring-data-rest






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Mar 24 at 15:30









      John DevJohn Dev

      61




      61






















          1 Answer
          1






          active

          oldest

          votes


















          1














          Looking at your use case "Only User is responsible for CRUD operation on its POST"



          Yes one way of solving this would be "is customizing rest repository and check if added user is current authenticated user."



          Assuming you have Spring Security



          I would suggest you don't pass any User id for your Posts and pick up User from Logged in User ID from Security Context or from Token.



          This way your post will be independent of User at API level.






          share|improve this answer























            Your Answer






            StackExchange.ifUsing("editor", function ()
            StackExchange.using("externalEditor", function ()
            StackExchange.using("snippets", function ()
            StackExchange.snippets.init();
            );
            );
            , "code-snippets");

            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "1"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55325400%2fhow-to-secure-spring-data-rest-associations-requests%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            Looking at your use case "Only User is responsible for CRUD operation on its POST"



            Yes one way of solving this would be "is customizing rest repository and check if added user is current authenticated user."



            Assuming you have Spring Security



            I would suggest you don't pass any User id for your Posts and pick up User from Logged in User ID from Security Context or from Token.



            This way your post will be independent of User at API level.






            share|improve this answer



























              1














              Looking at your use case "Only User is responsible for CRUD operation on its POST"



              Yes one way of solving this would be "is customizing rest repository and check if added user is current authenticated user."



              Assuming you have Spring Security



              I would suggest you don't pass any User id for your Posts and pick up User from Logged in User ID from Security Context or from Token.



              This way your post will be independent of User at API level.






              share|improve this answer

























                1












                1








                1







                Looking at your use case "Only User is responsible for CRUD operation on its POST"



                Yes one way of solving this would be "is customizing rest repository and check if added user is current authenticated user."



                Assuming you have Spring Security



                I would suggest you don't pass any User id for your Posts and pick up User from Logged in User ID from Security Context or from Token.



                This way your post will be independent of User at API level.






                share|improve this answer













                Looking at your use case "Only User is responsible for CRUD operation on its POST"



                Yes one way of solving this would be "is customizing rest repository and check if added user is current authenticated user."



                Assuming you have Spring Security



                I would suggest you don't pass any User id for your Posts and pick up User from Logged in User ID from Security Context or from Token.



                This way your post will be independent of User at API level.







                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Mar 25 at 6:02









                MyTwoCentsMyTwoCents

                3,61021131




                3,61021131





























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55325400%2fhow-to-secure-spring-data-rest-associations-requests%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    Popular posts from this blog

                    Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

                    Image
                    Pages using ISBN magic linksMbegu za lughaKamusiIsimu nenoKiarabukitabulughaKiswahilialfabetimaanaufafanuzimanenomuhtasarisarufividahizoalfabeti Kamusi Kutoka Wikipedia, kamusi elezo huru Jump to navigation Jump to search Kamusi za Kiswahili Kamusi ya Kiswahili-Kiswahili (kamusi wahidiya) Kamusi ya Kiswahili - Kiingereza (kamusi thania) Kamusi (kutoka neno la Kiarabu قاموس qamus ) ni kitabu ambacho kinaorodhesha maneno ya lugha yaliyokusanywa kutoka kwa watumiaji wa lugha fulani, kwa mfano lugha ya Kiswahili. Maneno hupangwa kwa mtindo wa alfabeti, hutoa maana, asili na ufafanuzi wa utumizi wa maneno na jinsi yanavyotumika au yanavyotamkwa. [1] Yaliyomo 1 Aina za kamusi 2 Muundo wa kamusi 2.1 1. Utangulizi wa kamusi 2.2 2. Matini ya kamusi 2.3 3. Sherehe ya kamusi 3 Faida za kamusi 4 Dhima ya picha katika kamusi 5 Marejeo 6 Tazama pia 7 Viungo vya nje Aina za kamusi | Kuna aina mbalimbali za kamusi ambazo ni: Kamusi wahidiya yaani ya l
                    Read more

                    SQL error code 1064 with creating Laravel foreign keysForeign key constraints: When to use ON UPDATE and ON DELETEDropping column with foreign key Laravel error: General error: 1025 Error on renameLaravel SQL Can't create tableLaravel Migration foreign key errorLaravel php artisan migrate:refresh giving a syntax errorSQLSTATE[42S01]: Base table or view already exists or Base table or view already exists: 1050 Tableerror in migrating laravel file to xampp serverSyntax error or access violation: 1064:syntax to use near 'unsigned not null, modelName varchar(191) not null, title varchar(191) not nLaravel cannot create new table field in mysqlLaravel 5.7:Last migration creates table but is not registered in the migration table

                    Image
                    Does a multiclassed wizard start with a spellbook? Minimizing medical costs with HSA Boss has banned cycling to work because he thinks it's unsafe Is there a typical layout to blocking installed for backing in new construction framing? In the Seventh Seal why does Death let the chess game happen? Why has Novell never written its own boot loader? Should I warn my boss I might take sick leave Why is the saxophone not common in classical repertoire? Is it possible to spoof an IP address to an exact number? Motorcyle Chain needs to be cleaned every time you lube it? Bypass with wrong cvv of debit card and getting OTP Do we have a much compact and generalized version of erase–remove idiom? how can i make this execution plan more efficient? Why did moving the mouse cursor cause Windows 95 to run more quickly? What's the big deal about the Nazgûl losing their horses? Has chattel slavery ever been used as a criminal punishment in the USA since the passage
                    Read more

                    은진 송씨 목차 역사 본관 분파 인물 조선 왕실과의 인척 관계 집성촌 항렬자 인구 같이 보기 각주 둘러보기 메뉴은진 송씨세종실록 149권, 지리지 충청도 공주목 은진현

                    Image
                    송씨은진 송씨충청남도 소재 성씨논산시 충청남도논산시은진면한국의 성씨고려송명의회덕 황씨류준고흥 류씨송유조선송준길문묘송시열좌의정문묘종묘송준길송규렴송상기송시열송인수송환기송치규송근수충청남도논산시은진면백제757년충청남도은진군논산군논산시은진면송유 은진 송씨 위키백과, 우리 모두의 백과사전. (회덕 송씨에서 넘어옴) 둘러보기로 가기 검색하러 가기 은진 송씨 (恩津 宋氏) 관향 충청남도 논산시 은진면 시조 송대원(宋大源) 주요 중시조 송명의(宋明誼) 주요 집성촌 대전광역시 충청남도 논산시 전라남도 진도군 전라남도 여수시 경상남도 거제군 경상남도 남해군 경상남도 합천군 주요 인물 송인수, 송기수, 송이창, 송갑조, 송준길, 송시열, 송규렴, 송상기, 송환기, 송치규, 송근수, 송병선, 송병준, 송지헌, 송종헌, 송순기, 송화식, 송진백, 송건호, 송원영, 송두호, 송백헌, 송자, 송진훈, 송민순, 송영무, 송영선, 송언석, 송중기 인구 (2015년) 226,050명 은진 송씨 (恩津 宋氏)는 충청남도 논산시 은진면을 본관으로 하는 한국의 성씨이다. 목차 1 역사 2 본관 3 분파 4 인물 5 조선 왕실과의 인척 관계 6 집성촌 7 항렬자 8 인구 9 같이 보기 10 각주 역사 은진 송씨(恩津 宋氏)의 시조 송대원 (宋大源)이 고려 때 판원사(判院事)를 지내고 나라에 공을 세워 은진군(恩津君)에 봉해졌다고 한다. 송대원의 증손자인 송명의(宋明誼)가 1362년(공민왕 11) 문과에 급제하고 사헌부 집단(司憲府執端)에 이르렀으나 고려가 망하자 불사이군(不事二君)의 충절로 낙향하여 처가인 회덕 황씨촌에 자리잡았다. 송명의(宋明誼)의 아들 송극기(宋克己)가 류준(柳濬)의 딸 고흥 류씨(高興柳氏)와 결혼하여 아들 송유(宋愉, 1388년 ~ 1446년)를 두었다. 송유는 12세에 부사정(副司正)이 되었는데, 13세에 관직을 버리고 고향 회덕으로 돌아와 학문에 정진하였다. 은진 송씨는 조선시대 문과 급
                    Read more