Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

REST, caching, and authorizing with multiple user roles

Tags:

rest

caching

roles

authorization

We have a multi-tenant system with multiple different levels of access--sometimes even for the same user as they switch between multiple roles. We're beginning a discussion on moving over to a RESTful implementation of things. I'm just starting to get my feet wet with the whole REST thing.

So how do I go about limiting access to the correct records when they access a resource, particularly when taking caching into consideration? If user A access example.com/employees they would receive a different response than user B; user A may even receive a different response as he switches to a different role. To help facilitate caching, should the id of the role be somehow incorporated into the uri? Maybe something like example.com/employees/123 (which violates the rules of REST), or as some sort of subordinate resource like example.com/employees/role/123 (which seems silly, since role/### is going to be appended to URIs all over the place). I can help but think I'm missing something here.

edited to mention multi-tenancy

like image 408
keithjgrant Avatar asked Apr 19 '10 23:04

keithjgrant

1 Answers

Having the user credentials act as an out of band resource identifier (ie. presenting different views on the same URL to different roles) will turn nasty down the road. Users and applications exchange URLs between them, things turn sour when that happens and the URL simply returns different content for different credentials.

I would say that each role has a different view of the world, therefore each role should access a different path to the service:

  • admins connect to example.com/admin/employees
  • users connect to example.com/users/employees
  • role foo probably connects to example.com/foo/employees

This way you separate the 'this role sees the world as such and such' part from the 'this view of the world is accessible to role foo' part. An admin can connect to example.com/users/employees and verify how an ordinary user sees the world, w/o the admin having to impersonate a lower privileged alias first.

You can also use the DNS part for same purpose: admin.example.com/employees vs. users.example.com/employees. This is specially viable for a related scenario, when the 'role' is not a security role but a multi-tenant namespace (ie. each service provisioned account gets its own 'view' of the service).

like image 119
Remus Rusanu Avatar answered Sep 19 '22 08:09

Remus Rusanu
Sign in to Comment

Related questions

secure a REST API for use by Android clients
Optimistic locking in a RESTful application
Spring REST with both JSON and XML
How to send password to REST service securely?
How to connect separate microservice applications?
Spring RestController : reject request with unknown fields
SpringMVC - dispatcher servler's url pattern style
Use Yii2-user for user registration in Yii2 Rest Api
Spring NumberFormatException: Failed to convert value of type 'java.lang.String' to required type 'java.lang.Long
Write to tmp folder
RESTful API design - how to handle foreign keys?
Respond with large amount of objects through a Rails API
How to separate application logic from network layer in Android using Retrofit 2
How to dynamically change depth in Django Rest Framework nested serializers?
RESTful API - Get last of an element [closed]
Infinite scroll on real-time data
Calling RESTful Web Services from PostgreSQL procedure/function
Github GraphQL API: How can I gather specific user's repositories?
REST API design: one endpoint with if/else logic or two separate role based endpoints
Force WCF to call a method on every request before entering actual function

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!