rest api multi-tenant security -

-

I have a question in a multi-tenant about empowering apis and security environment:

imagine an endpoint: API / branches: branch ID / account / account ID

authentication through Bearer Tokens (oauth2) goes. Each token contains a group of claims related to the user coming in. A branch ID is included in the token, and each user is related to a branch.

Security restrictions are as follows:

  1. A store GET request to be connected to branch ID token claims.
  2. The account ID should be a valid account within the branch identified by the branch ID.

    The question is: which of the following solutions is correct?

    1. Maintain endpoint: API / Branches: Branch ID / accounts /: Account ID and perform necessary security check
    2. Change the end point to: api / accounts / Get account ID, branch ID from token, and then check remaining security.

      The application being a multi-tenant means that each branch is a tenant, and each user can access only one branch information. Thank you!

      I need to make a decision faster, so I'm of Solution 1 If someone has an argument in favor of one or the other, please join the conversation.

      Argument in the side:

      1. I fully agree with the answer: using the full URL should be determined more efficiently. Distribute the load according to which data store, and accordingly divide the load.
      2. In addition to this you can easily apply caching, and logging because the full url is descriptive enough
      3. Security and the independence of the API today I am using OAuth2 , But maybe tomorrow, I can send the request signature, and because the URL has a request to complete all the requests that it will work. Argument against:
        1. Information redundancy: The branch ID is on the URL and is encrypted on the token.
        2. A little more effort to implement

Comments

Post a Comment

Popular posts from this blog

php - PDO bindParam() fatal error -

-
I am trying to learn PDO, now I have written this small code, but it gives me a serious error: < P> Fatal error: Call a member function at a non-object dot () ... $ con = new mysqli ("127.0.0.1", "root", "", "csvdangercheck"); $ Query = $ con- & gt; ("Id,` var1`, `var2`) values ​​(" id,: var1,: var2) ";); $ query- & gt; bypass pattern (': id', $ id); $ query- & gt; BindParam (': var1', $ VAL1); $ Query- & gt; bindParam (': var2', $ val2); $ Query-> Executed (); I Trying to use print_r ($ con-> errorInfo ()) but Fatal error: Undefined method mysqli :: errorInfo ( ) ... can someone tell me what am I missing? Flaffeh said, you have PDO Missing Mysqy, try it: $ con = new PDO ('mysql: host = 127.0.0.1; dbname = csvdangercheck', 'root', '');
Read more

logging - How can I log both the Request.InputStream and Response.OutputStream traffic in my ASP.NET MVC3 Application for specific Actions? -

-
For a specific set of tasks, I need to log in to the incoming request inputstream as well as outgoing response. is. I am using an ActionFilterAttribute for this and overriding the OnActionExecuted and OnResultExecuted methods. So I'm starting with this idea ... Public category ActionLoggerAttribute: ActionFilterArrbit {Public Override Zero On-Offed Execution (ActionActioned Contact Filter Filter) {base.OnActionAxecuted (FilterContext); HttpRequestBase request = filterContext.HttpContext.Request; // TODO: Log the request. InputStream} Public Override Zero OnResultExecuted (ResultExecutedContext FilterContext) {base.OnResultExecuted (filterContext); HTTPRPSPointBase Response = FilterContacts Hpptex response; // TODO: Log on Response.OutputStream}} Ideally I'll hook it up with enterprise library logging because I'm already using it for error logging. Am I reaching the input and output stream at the right time? Can I easily use the Enterprise Library to log i
Read more

java - Why my included JSP file won't get processed correctly? -

-
I am trying to create Java web framework (and learning), and on the basis of 'Code Generator In the process of making the material view of the database in the process of development, I stumbled into a difficulty, which I do not know how to solve it. First of all, I want the following index.jsp : & lt; Body & gt; Use all pages to be created. & Lt;% @ include file = "header.jsp"% & gt; & Lt; Hours / & gt; & Lt;% @ included file = "body.jsp"%> & Lt; Hours / & gt; & Lt;% @ include file = "footer.jsp"% & gt; & Lt; / Body & gt; And, in body.jsp , I should have it like this: & lt; Jsp: include page = "$ {Application_modul}"%> Where application_modul is an attribute defined in its controller: request.setAttribute ("application_modul", "USER_ACCOUNT \\ ' View_user_account.jsp "); This file can be found properly, but the processed JSP does
Read more