java - REST API security - how to secure it instead of sessionid -
i got question security simple rest api application. implemented check security , on every attempt read/update data from/in database (this simple httpsession session= request.getsession(true); , check - if new session or old , if equals session id fro cookies).
but thing - if valid user , valid session - got url make user ignore other user:
http://localhost:8080/chatrest/rest/friendservice/ignorefriend/1/2
i change 2 users id (last 2 numbers) , send same request make other system user ignore else, example: http://localhost:8080/chatrest/rest/friendservice/ignorefriend/3/4
how can solve problem? googled lot (for example - restful authentication , related articles, including security questions). easiest way solve problem? quite beginner, i'll happy find simpliest solutions.
thank you!
any authentication mechanism allows handle this, provided users don't share same credentials. basic auth
, you'll able determine authenticated.
if logged in user id=1
, can perform http://localhost:8080/chatrest/rest/friendservice/ignorefriend/1/2
, can't ignore people other id
. in fact, since user id database, don't need first parameter. ignorefriend/2
, meaning "i want ignore person id i'm giving parameter".
Comments
Post a Comment