Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securing JSON-PATCH paths in Spring Boot Data Rest application

Tags:

java

spring-mvc

spring

json-patch

I'm using a pretty vanilla spring-boot-starter-data-rest setup and enabled the PATCH method. All is working, but I have a security concern and wonder what's the recommended way of mitigating it.

The problem is that PATCH paths allow reachable entities to be updated from a different endpoint. So, suppose I have a comments endpoint and an article endpoint. Each comment has a to-one association with its article. A user that has permission to edit a comment could then do something like this:

PATCH http://some.domain.foo/api/comments/1234
Content-Type: application/json-patch+json

[
    { "op": "replace", "path": "/article/title", "value": "foobar2" }
]

and thereby change the title of the article !!

Clearly this ain't good.

In this case, for other parts of the API the association to the "article" needs to be traversable. But it must be read-only.

So... how do I accomplish this in Spring?

Intercept the request? Implement a handler method? Write my own Controller from scratch ?

Thanks!

like image 932
sofend Avatar asked Mar 03 '17 23:03

sofend

People also ask

How are REST services secured using Spring Security?

It uses the results of the login call to set the value of the token variable, and if the token is present, the protected call sends the token in the authorization header. The server will use that token to validate the user's auth when the user accesses the secure endpoint.

Does patch have request body?

The PATCH HTTP method requires a request body. The body of the request must contain representation of the JSON Patch operations that you want to perform on the resource.

1 Answers

Seems that current implementation on spring-data-rest converts paths to SpEL to apply values directly on beans. See PatchOperation (v2.5.x).

Consider these options:

  • Instead of json-patch use json-merge PATCH request to send partial updates (with "application/json" or "application/merge-patch+json" content type). This will respect @JsonIgnore and other Jackson annotations and also treat associations differently.
  • You can disable "json-patch+json" completely, for example by adding a security filter
  • You can always create your custom json-patch implementation, if you still need it
  • Use application-level joining not relying on JPA, i.e. only exposing IDs of the linked entities and providing custom links in your ResourceProcessor.

Additionally, if you're using JPA and Comment.article is annotated with @ManyToOne make sure that there's no cascading on association. Even if the article object is modified with patch it won't be saved together with the comment.

like image 173
aux Avatar answered Oct 12 '22 15:10

aux
Sign in to Comment

Related questions

Download files from Google Storage using Java
Java : Compare, mark and interpret HTML texts in Java
JavaFx Could not load @font-face font because of com.sun.javafx.css.StyleManager loadStylesheetUnPrivileged
Modify @OneToMany entity in Spring Data Rest without its repository
How to cache server results in GWT with guava?
Should I return CompletableFuture or Future when defining API?
What's the difference between 'configure' and 'configureGlobal' methods?
hystrixCommand annotation - what is purpose of commandKey
How to parse part of a YAML file in SnakeYaml
Jersey webservice scalable approach to download file and reply to client
Why does `GMT+8` fail to parse with pattern `O` despite being copied straight out of doc?
Spring Data Redis NoSuchBeanDefinitionException: No qualifying bean of type
JUnit and Mocks in Liferay
Print a PDF file to a printer using PrintWriter via Socket connection
Mocking a server-client connection with Mockito
What does `android.accounts.Account.type` reference?
Setting the Resource Folder in a Java Gradle project
FileNotFoundException while running as a jar
why @Qualifier not allowed above constructor?
How to implement a re-try logic in RestAssured for a failed REST call

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!