Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rest API: the authentication of privileges #131

Open
leefrank9527 opened this issue Apr 17, 2024 · 1 comment
Open

Rest API: the authentication of privileges #131

leefrank9527 opened this issue Apr 17, 2024 · 1 comment
Assignees
@obrienben @jeremy-liss @hannakoppelaar
Labels
improvement

Comments

@leefrank9527
Copy link
Contributor

Currently the default role of Privilege is used for debug inside RestApiAuthFilter.java. That should be changed to use the actual role. There are 2 options to set the role of request.

  • Option 1: Set the role in the http header from the client side. But it's not secure, the attackers can set the privileged role for the other roles. To resolve this, the server should validate the consistence of the role and path, method.
  • Option 2: Calculate the role according to the request path and method.

Both options need to be implemented from the server side. The option 2 seems friendly to the client. The client don't have to know and understand the concept of role.
@hannakoppelaar
Copy link
Collaborator

Yes, there's currently no authorization in the API. There's a FIXME in RestApiAuthFilter.java ;) I agree, this can only be done server-side, without relying on client parameters.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@obrienben obrienben

@jeremy-liss jeremy-liss

@hannakoppelaar hannakoppelaar

Labels
improvement
Projects
WCT UI Upgrade
Status: No status
Milestone
No milestone
Development

No branches or pull requests
4 participants
@obrienben @jeremy-liss @hannakoppelaar @leefrank9527