Tags: angular, spring, spring-boot, spring-security

Is my Spring Boot controller secure when the call may include an id?


I have started implementing Spring Security for my REST controller. Background: the security design is a JWT token with Spring Security.

I have worked on implementing WebSecurityConfigurerAdapter.

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
            // JWT-based API: no HTTP session is created or used
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
            .authorizeRequests()
                // everything under /managers/ requires the MANAGER_USER role
                .antMatchers("/managers/**").hasRole("MANAGER_USER")
                // every other request only needs an authenticated caller
                .anyRequest().authenticated()
                .and().cors();
        // validate the JWT before the username/password filter runs
        httpSecurity.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

My question relates to a basic understanding: when calling the REST controller endpoint from Angular, I have a REST call which includes a manager id; when the call is made, the server returns the list of users for that manager.

The security is working fine: only a user with the MANAGER_USER role is able to access the method, otherwise it returns 403. Theoretically, Angular can send a request with a different manager id and retrieve users which do not belong to him. In Postman you can easily change the id and retrieve different results, but is there a risk that someone hacks the Angular app to send a different id? And if yes, can no solution be found for this?

For example, some URLs include ids in the URL, so the user can actually change the id in the URL.


Solution

  • Like you explained, anyone can send an HTTP request via Postman, a browser, etc. So yes, frontend frameworks can also be modified to send out custom requests - but that's not really the question here, I believe. Everything on the frontend side is unsafe and should be considered so; the layers of security we add to the frontend side are basically to keep regular users from doing something we don't want. A tech-savvy person will find the endpoints and figure out how your system works regardless of how good a frontend security you put up. Never trust the frontend.

    If you want an authenticated person with role MANAGER_USER to only be able to query "users" that belong to them, you need to increase security or re-configure how the users are queried.

    For the latter, it could be the way your database is set up. Associate manager_id with each user and have the endpoint /GET/users return only users that belong to the manager making the query. (idk what your endpoint or ids actually are, I just used the above ones as an example).
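One way to implement the answer's approach in the asker's Spring Boot setup, as an added example that is not code from the question or the answer: the manager id is taken from the authenticated JWT principal rather than from the request, and where the id must stay in the URL it is compared with the caller's own identity before any data is returned. The UserRepository and AppUser types, and the assumption that the JWT subject (Authentication.getName()) is the manager's id, are hypothetical; the MANAGER_USER role check itself is left to the antMatchers rule in the question's configuration.

```java
import java.util.List;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Hypothetical user entity and repository; a Spring Data repository with a
// findByManagerId query method would look like this.
record AppUser(String id, String managerId, String name) {}

interface UserRepository {
    List<AppUser> findByManagerId(String managerId);
}

// All routes sit under /managers/**, which the question's HttpSecurity config
// already restricts to MANAGER_USER. The role check alone does not tie a
// manager to their own team, which is what the three handlers below address.
@RestController
@RequestMapping("/managers")
public class ManagerUsersController {

    private final UserRepository userRepository;

    public ManagerUsersController(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // Risky variant from the question: the client chooses managerId, so any
    // caller with MANAGER_USER can read any other manager's users.
    @GetMapping("/{managerId}/users")
    public List<AppUser> usersByPathId(@PathVariable String managerId) {
        return userRepository.findByManagerId(managerId);
    }

    // Hardened variant: the manager id comes from the verified JWT principal,
    // which the filter in the question's config populated. Nothing in the
    // request body or URL can change whose users are returned.
    @GetMapping("/me/users")
    public List<AppUser> usersOfCurrentManager(Authentication authentication) {
        return userRepository.findByManagerId(authentication.getName());
    }

    // If the id has to remain in the URL, reject any id that is not the caller's own.
    @GetMapping("/{managerId}/users/own")
    public List<AppUser> usersByCheckedId(@PathVariable String managerId, Authentication authentication) {
        if (!managerId.equals(authentication.getName())) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN);
        }
        return userRepository.findByManagerId(managerId);
    }
}
```

The same check belongs on every endpoint that accepts an object id from the client (user, order, report), since the role check in HttpSecurity only answers "may this caller use this route", not "may this caller see this record".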