Tags: java, rest, security-constraint

How to exclude special users from security-check validation in a RESTful web service


I am using a REST web service to fetch file paths. Here I am using a security context to provide some extra security. I added a validation that the logged-in user must be the same as the user name specified in the web-service URL (security check).

But I have one special case: I have one user which is used to fetch special file paths from the server. If I pass this user in the web-service URL, it gets caught in the security context validation, because the logged-in user and the user specified in the URL are not the same.

So is there any other way to exclude a special user from the security check? Can I specify some config in web.xml to solve this problem?

e.g.:

Condition 1:

logged-in user - xyz
web-service URL - 192.168.0.132/download.ws/xyz/fileid

Passes the security check.

and

Condition 2:

logged-in user - xyz
abc is a valid and authorized user.
web-service URL - 192.168.0.132/download.ws/abc/fileid

Fails the security check.

I want to make it pass without having to add "if the user from the URL is abc then allow it" to the security check.

Here is the web-service code that checks for a valid user:

import javax.ws.rs.core.SecurityContext;
import org.apache.catalina.realm.GenericPrincipal; // Tomcat's principal class (assumed from the cast below)

public class AuthCheck {

    public String getCallerId(SecurityContext sc) {
        // we always create a GenericPrincipal object in AuthService
        GenericPrincipal userPrincipal = (GenericPrincipal) sc.getUserPrincipal();
        String szUserEmailID = userPrincipal.getName();
        return szUserEmailID;
    }

    // check for logged-in user and user specified in web-service url
    public boolean authorizeRequest(SecurityContext osc, String szResourceID, String reqType) {
        return getCallerId(osc).equalsIgnoreCase(szResourceID);
    }
}

Solution

  • You should use roles and security annotations. https://blogs.oracle.com/swchan/entry/servlet_3_0_security_annotations

    Also, I don't understand why the username is part of the URL. It doesn't have to be that way. You know the username. The URL should be the same for all users and only return the relevant data for the currently authenticated user. Then you wouldn't have these problems.

    You can then allow the following:

    @RolesAllowed("StandardRole") 192.168.0.132/download.ws/fileid

    @RolesAllowed("SuperUser") 192.168.0.132/download.ws/{special_path_pattern}/fileid
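One way to put the answer's suggestion into code, as an added example that is neither the asker's nor the answerer's: a JAX-RS resource where the caller's identity comes from the container instead of the URL, and the special files sit behind a separate role. It assumes a JAX-RS 2 container that enforces @RolesAllowed (Jersey needs RolesAllowedDynamicFeature registered); the "special" path segment and the sample data are constructed.

```java
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import java.util.Map;

// Role names "StandardRole" and "SuperUser" are from the answer above;
// the "special" path segment and the sample data are assumptions.
@Path("/download.ws")
public class DownloadResource {
    // Constructed sample data standing in for the real file store:
    // key is "<owner>:<fileid>" for normal files, "<fileid>" for special ones.
    private static final Map<String, String> OWNED =
            Map.of("xyz:fileid", "/data/xyz/report.pdf");
    private static final Map<String, String> SPECIAL =
            Map.of("fileid", "/data/special/audit.log");

    // Any authenticated caller in StandardRole may use this. The identity comes
    // from the container, not the URL, so "URL user == logged-in user" is moot.
    @GET
    @Path("/{fileid}")
    @RolesAllowed("StandardRole")
    public Response download(@PathParam("fileid") String fileId,
                             @Context SecurityContext sc) {
        String caller = sc.getUserPrincipal().getName();
        String path = OWNED.get(caller + ":" + fileId); // only the caller's own files
        if (path == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok(path).build();
    }

    // Only SuperUser callers reach this method; the container answers 403 for
    // everyone else. The explicit isUserInRole check is defence in depth for
    // deployments where the annotation is not enforced.
    @GET
    @Path("/special/{fileid}")
    @RolesAllowed("SuperUser")
    public Response downloadSpecial(@PathParam("fileid") String fileId,
                                    @Context SecurityContext sc) {
        if (!sc.isUserInRole("SuperUser")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        String path = SPECIAL.get(fileId);
        return path == null
                ? Response.status(Response.Status.NOT_FOUND).build()
                : Response.ok(path).build();
    }
}
```

With this layout the special user simply logs in with an account that holds the SuperUser role and calls /download.ws/special/{fileid}; no per-user exception is needed in the check.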