Common authorization logic on a resource #41770
Replies: 1 comment 2 replies
-
Hi,
Is asserting with
You should be able to inject JAX-RS |
-
Hi all,
I currently have a microservice leveraging a Keycloak instance for authentication. The microservice stores scenario data that a user or group of users owns. I was wondering if there is a best practice for implementing the common authorization logic on all endpoints of the following form: /scenarios/{id}/**. I would like to validate that the user is either the owner of the scenario data, or is a part of the group that owns the scenario data. If the user is not allowed to access the scenario data, I'd want to return an HTTP 403 status response. Otherwise, the request would proceed to the endpoint. Ideally, I'd also then store the scenario data retrieved from the database in a request-scoped object. I thought about using filters, but I would not have access to the path parameter in a way that doesn't require parsing the URI. Has anyone attempted something similar and found a way that works nicely? Thanks in advance.
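One way to do the ownership check described in the question, as an added example that is not code from the discussion or from any project it refers to: a name-bound, post-matching Jakarta REST filter that reads the matched {id} from UriInfo, answers 403 unless the caller owns the scenario or belongs to its owning group, and stores the loaded scenario in a request-scoped bean. Scenario, ScenarioStore, GroupLookup, CurrentScenario and ScenarioAccess are hypothetical names, and the sketch assumes a runtime that performs CDI injection into providers.

```java
import jakarta.annotation.Priority;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.NameBinding;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;
import java.lang.annotation.*;
import java.security.Principal;
import java.util.Set;

// Hypothetical types assumed for this example; they are not from the discussion.
record Scenario(String id, String ownerUser, String ownerGroup) {}
interface ScenarioStore { Scenario find(String id); }           // null when absent
interface GroupLookup { Set<String> groupsOf(Principal user); } // e.g. token group claim

@NameBinding @Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface ScenarioAccess {}            // put on the /scenarios/{id} resource class

@RequestScoped
class CurrentScenario {                 // endpoints inject this instead of re-querying
    private Scenario value;
    public Scenario get() { return value; }
    public void set(Scenario s) { value = s; }
}

@Provider @ScenarioAccess @Priority(Priorities.AUTHORIZATION)
public class ScenarioAccessFilter implements ContainerRequestFilter {
    @Inject ScenarioStore store;
    @Inject GroupLookup groups;
    @Inject CurrentScenario current;
    @Override
    public void filter(ContainerRequestContext ctx) {
        Principal user = ctx.getSecurityContext().getUserPrincipal();
        if (user == null) { ctx.abortWith(Response.status(401).build()); return; }
        // Post-matching filter: the {id} template value is already resolved.
        String id = ctx.getUriInfo().getPathParameters().getFirst("id");
        Scenario s = (id == null) ? null : store.find(id);
        boolean owner = s != null && user.getName().equals(s.ownerUser());
        boolean member = s != null && s.ownerGroup() != null
                && groups.groupsOf(user).contains(s.ownerGroup());
        // Unknown and foreign scenarios get the same 403, so ids cannot be probed.
        if (!owner && !member) { ctx.abortWith(Response.status(403).build()); return; }
        current.set(s);
    }
}
```

Because the filter is bound by annotation, it runs only for resources marked with the hypothetical @ScenarioAccess, so endpoints without an {id} parameter are not affected.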