I have a requirement to restrict attributes in the REST response by the caller. Consider the response in JSON format.
For example, for a given REST endpoint, the default response looks like this:

```json
{
  "id" : "111",
  "name" : "John",
  "age" : "30"
}
```

For "caller 1" the response should look like this:

```json
{
  "id" : "111",
  "name" : "John",
  "age" : "null"
}
```

For "caller 2" the response should look like this:

```json
{
  "id" : "111",
  "name" : "null",
  "age" : "30"
}
```

In the above response JSONs, "null" means that such attributes are not exposed to those callers.
I am looking for a way to implement control of the REST response by caller.
The implementation on the server side is heavily dependent on the underlying server technology stack (REST API, DB, user's role layer, etc.). In some configurations, you define the data authorization in the DB layer, while in others on the REST layer. Implementing field-level authorization is tricky, as not all frameworks provide this granularity.
One framework that does offer such granularity is Jello Framework (I am the author). One of Jello's key features is its inline Authorization Model, where you can assign different access levels to data elements at any resolution (Namespaces, Entities, Fields, Actions) and specify who is authorized to access the data via the REST API.
For example, let's say you want to expose the 'age' field only to the record owner and the site administrator. In Jello, it will look something like this:
```java
public class Person extends JelloEntity {
    @Expose @KeyElement
    Integer id;
    @Expose
    String name;
    @Expose({Role.OWNER, Role.ADMIN})
    Integer age;
}
```
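The same field-level rule can be applied as a server-side filter step before serialisation in any stack. The following is an added, framework-independent example (not Jello code and not from the question or answer): the field policy, the "owner" role check and the `redact`/`render` helpers are all constructed for illustration, and the policy is chosen so that "caller 1" (an HR user) sees `name` but not `age`, while "caller 2" (the record owner) sees `age` but not `name`, matching the question's two responses.

```python
import json
from typing import Any, Dict, Mapping, Set

# Constructed policy for this example: each listed field carries the set of
# roles allowed to see it; a field with no entry is visible to every caller.
# "owner" is a record-relative role, granted only when the caller is the
# person the record describes (the answer's "record owner").
FIELD_POLICY: Dict[str, Set[str]] = {
    "age": {"owner", "admin"},
    "name": {"hr", "admin"},
}


def effective_roles(record: Mapping[str, Any], caller: Mapping[str, Any]) -> Set[str]:
    """Static roles of the caller plus 'owner' when the record is their own."""
    roles = set(caller.get("roles", ()))
    if record.get("id") is not None and record.get("id") == caller.get("id"):
        roles.add("owner")
    return roles


def redact(value: Any, caller: Mapping[str, Any],
           policy: Mapping[str, Set[str]] = FIELD_POLICY) -> Any:
    """Copy `value` with fields the caller may not see set to None.

    Recurses into nested objects and arrays so an embedded record cannot
    leak a field that would be hidden at the top level.
    """
    if isinstance(value, list):
        return [redact(item, caller, policy) for item in value]
    if not isinstance(value, dict):
        return value
    roles = effective_roles(value, caller)
    out: Dict[str, Any] = {}
    for field, inner in value.items():
        allowed = policy.get(field)
        if allowed is not None and not (roles & allowed):
            out[field] = None          # serialised as JSON null
        else:
            out[field] = redact(inner, caller, policy)
    return out


def render(record: Mapping[str, Any], caller: Mapping[str, Any]) -> str:
    """Apply the policy before serialisation, never after the response is built."""
    return json.dumps(redact(record, caller), sort_keys=True)


if __name__ == "__main__":
    person = {"id": "111", "name": "John", "age": "30"}  # constructed sample record
    print(render(person, {"id": "222", "roles": ["hr"]}))  # caller 1: age hidden
    print(render(person, {"id": "111", "roles": []}))      # caller 2 (owner): name hidden
```

Because the filter runs on the object graph rather than on a fixed top-level list of keys, the same policy also covers records embedded in other responses, which is where ad-hoc per-endpoint filtering usually leaks.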