java - REST API security - how to secure it instead of sessionid -


i got question security simple rest api application. implemented check security , on every attempt read/update data from/in database (this simple httpsession session= request.getsession(true); , check - if new session or old , if equals session id fro cookies).

but thing - if valid user , valid session - got url make user ignore other user:

http://localhost:8080/chatrest/rest/friendservice/ignorefriend/1/2

i change 2 users id (last 2 numbers) , send same request make other system user ignore else, example: http://localhost:8080/chatrest/rest/friendservice/ignorefriend/3/4

how can solve problem? googled lot (for example - restful authentication , related articles, including security questions). easiest way solve problem? quite beginner, i'll happy find simpliest solutions.

thank you!

any authentication mechanism allows handle this, provided users don't share same credentials. basic auth, you'll able determine authenticated.

if logged in user id=1, can perform http://localhost:8080/chatrest/rest/friendservice/ignorefriend/1/2, can't ignore people other id. in fact, since user id database, don't need first parameter. ignorefriend/2, meaning "i want ignore person id i'm giving parameter".


Comments

Popular posts from this blog

scala - 'wrong top statement declaration' when using slick in IntelliJ -

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

PySide and Qt Properties: Connecting signals from Python to QML -