java - Spring endpoint take session id and HATEOAS
I am working on a Spring controller, adding authorization and authentication to it. The Spring controller uses HATEOAS, and I am supposed to add a service that verifies the session id inside the request header.
Using Spring Security seems not fitting, since I am asking an outside service for authentication, and authorization is based on resources. Authorization of resources happens on metadata inside the database.
I am looking for a simple, best-practice way to do that.
I have the following Spring controller endpoint:
    @ApiOperation(value = "gets bucket's metadata id")
    @ApiResponses(value = {
        @ApiResponse(code = 404, message = "bucket not found"),
        @ApiResponse(code = 401, message = "user not authenticated"),
        @ApiResponse(code = 403, message = "permission denied"),
    })
    @RequestMapping(value = "/{bucketId}", method = GET)
    public BucketMetadata getMetadata(
            @ApiParam(value = "sessionid", required = true)
            @RequestHeader(value = "sessionid", required = true) String sessionId,
            @PathVariable long bucketId)
            throws NotAuthenticatedException, AccessDeniedException {
        restApiAccessService.checkAccessBySessionIdAndThrowIfDeclined(sessionId, bucketId);
        return bucketService.getBucketMetadata(bucketId);
    }
The service relies on a microservice that validates the sessionId, and an authorization service that validates access to the bucketId.
1) I have not seen Spring examples that use a session id inside a controller. Can I improve the design?
The reason why I am questioning the session id in the endpoint is because the HATEOAS linkTo accessing the controller needs the session id.
    linkTo(methodOn(CatalogObjectController.class).getRaw(sessionId, bucketId, URLEncoder.encode(name, "utf-8")));
The above code doesn't look right, and forces me to handle not authenticated and not authorized exceptions.
I would be happy for any type of examples or input to help me create a clean, simple, short and maintainable solution.
Thank you, Tobias
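One way to keep the session check out of the controller signature, as an added example that is not part of the original post: a Spring MVC `HandlerInterceptor` that reads the `sessionid` header and the bucket path variable and calls the access service before any handler runs. It assumes Spring 5 with `javax.servlet`, a path variable named `bucketId`, and a hypothetical `RestApiAccessService` interface; only the method name `checkAccessBySessionIdAndThrowIfDeclined` comes from the post.

```java
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.HandlerMapping;

// Hypothetical interface standing in for the restApiAccessService in the post.
interface RestApiAccessService {
    void checkAccessBySessionIdAndThrowIfDeclined(String sessionId, long bucketId) throws Exception;
}

public class SessionAccessInterceptor implements HandlerInterceptor {

    private final RestApiAccessService accessService;

    public SessionAccessInterceptor(RestApiAccessService accessService) {
        this.accessService = accessService;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // Missing or empty header: reject before touching any downstream service.
        String sessionId = request.getHeader("sessionid");
        if (sessionId == null || sessionId.isEmpty()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "user not authenticated");
            return false;
        }
        // Path variables are resolved by the handler mapping before interceptors run.
        @SuppressWarnings("unchecked")
        Map<String, String> pathVars = (Map<String, String>)
                request.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
        String rawBucketId = (pathVars == null) ? null : pathVars.get("bucketId"); // assumed name
        if (rawBucketId == null) {
            // Fail closed: a route without a bucket id must not slip past the resource check.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "permission denied");
            return false;
        }
        long bucketId;
        try {
            bucketId = Long.parseLong(rawBucketId);
        } catch (NumberFormatException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return false;
        }
        // Throws on a declined session or bucket; the exception reaches the MVC exception resolvers.
        accessService.checkAccessBySessionIdAndThrowIfDeclined(sessionId, bucketId);
        return true;
    }
}
```

Registered through `WebMvcConfigurer.addInterceptors` for the bucket routes, this lets the controller methods drop the `sessionId` parameter, so `linkTo(methodOn(...))` calls no longer need it, and the two exceptions can be mapped to 401 and 403 once in a `@ControllerAdvice`.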