A question regarding securing OData API calls in an SAPUI5 application.
In the legacy system, once a user has successfully passed authorization, it is possible to send a request with a User ID and the desired data directly from the client side to the OData API without any additional security check on the server side.
My concern is that any authorized user in the system can behave as a trojan, theoretically spoofing their own User ID and performing some actions under the name of another user. As a mitigation measure, there is an option to encapsulate the OData API from the client side by introducing a server-side wrapper, which will perform sender authentication before forwarding the request to the OData API.
Are there already some out-of-the-box approaches in the SAPUI5 platform to secure the use of the OData API, to ensure that the request sender can't fake a User ID and do something in the system under another name?
Assuming the access to the OData service is not anonymous, you will have some sort of “currently logged in user” information on the server.
Now, it is an important task of the service implementation to check if the user is allowed to access the data he is requesting.
I’ll make up some sample requests.
/UserData('ALICE')
/UserData('BOB')
The service implementation must check if the requesting user is allowed to get the data. For example, Alice will get the data for the first request, and a 404 for the second request. Bob the other way around. A superuser may get the data for both.
As another example, something like this may be possible: every employee can access their own data, and a team lead is allowed to access the data of everyone in her team.
Bottom line: service must check if the user is allowed to access the data.