My team is developing a RESTful API in JAX-RS, and we need to limit the availability of certain rows in our database based on the identifier of the authenticated "Operator" (our word for the user). In other words, the Operator should have access only to objects under its jurisdiction. At the beginning of each request, we complete the authentication of the operator making the request, which allows us to provide security functions based on the role and identifier of the operator.
Authorization of endpoints, endpoint methods, and even the contents of an entity (which becomes serialized) turned out to be pretty simple, but row-level authorization seems like a big hairy beast.
Please note that we do not use Spring and do not plan to use Spring Security in our project.
We came up with several potential solutions, but we are not sure which is better. It is also very possible that we have overlooked a solution; at the moment, I am open to anything. Here is what we have so far:
1. Database-level implementation (as discussed in this post). Presumably, this involves using the security context of the request to pass the operator identifier to the database for each request. I do not quite understand the specifics of implementing this approach, therefore, if this is the best way to perform row-level security, I would appreciate further advice. For example, it makes sense how this will work for finding objects, but how will we enforce row-level permissions for newly created or updated objects?
2. JPA-level implementation (as discussed in this post from 2008). This would probably involve creating a parameterized Hibernate filter to which we would pass the identifier of the operator making the request. I have never used Hibernate filters, so it is very possible that this idea is off base.
3. Facade-level implementation. We actually gave this idea serious thought, since until recently we were not aware of options (1) and (2). This involves joining across our tables to build a Criteria API predicate that would limit our queries to only those objects accessible to this operator. This is, in fact, a "manual" approach, as I understand it, and seems far from ideal.
(In case it matters, our stack):
- Database: MS SQL
- JPA: Hibernate
- JAX-RS: RESTEasy
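As an added example (not from the question, nor the asker's project code), here is one way option (2) could look: a parameterized Hibernate filter enabled per request from the authenticated operator, plus a write-side ownership check, since filters only restrict reads. It assumes Hibernate 5 annotation style, a Hibernate Session that serves the whole request, and a JAX-RS SecurityContext whose principal name is the numeric operator id; `Asset`, `OperatorScope` and `OperatorScopeFilter` are hypothetical names.

```java
// Three classes shown together for brevity; in a real project they live in separate files.
import javax.annotation.Priority;
import javax.persistence.*;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.ext.Provider;
import org.hibernate.Session;
import org.hibernate.annotations.*;

@Entity
@FilterDef(name = "operatorScope",
           parameters = @ParamDef(name = "operatorId", type = "long"))
@Filter(name = "operatorScope", condition = "operator_id = :operatorId")
public class Asset {
    @Id private Long id;
    @Column(name = "operator_id") private Long operatorId;   // owning operator (assumed column)

    // Hibernate filters restrict HQL/Criteria SELECTs only; they do not apply to
    // EntityManager.find(id) and never to INSERT/UPDATE. Writes need an explicit check.
    @PrePersist @PreUpdate
    void enforceOwnership() {
        Long current = OperatorScope.current();
        if (current == null || !current.equals(operatorId)) {
            throw new SecurityException("operator " + current + " may not write this row");
        }
    }
}

// Holds the authenticated operator id for the duration of one request.
final class OperatorScope {
    private static final ThreadLocal<Long> CURRENT = new ThreadLocal<>();
    static Long current() { return CURRENT.get(); }
    static void set(Long id) { CURRENT.set(id); }
    static void clear() { CURRENT.remove(); }
}

// Runs after authentication: scopes every query in this request to the operator.
@Provider
@Priority(Priorities.AUTHORIZATION)
public class OperatorScopeFilter implements ContainerRequestFilter, ContainerResponseFilter {
    @PersistenceContext EntityManager em;

    @Override public void filter(ContainerRequestContext req) {
        long operatorId = Long.parseLong(req.getSecurityContext().getUserPrincipal().getName());
        OperatorScope.set(operatorId);
        em.unwrap(Session.class).enableFilter("operatorScope").setParameter("operatorId", operatorId);
    }
    @Override public void filter(ContainerRequestContext req, ContainerResponseContext res) {
        OperatorScope.clear();   // never let one operator's scope leak into the next request
    }
}
```

Because the filter is silently absent on `find()` and on any Session where it was not enabled, a test that loads another operator's row by id through every read path is the check that catches gaps.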