How to structure path-colliding REST webservices with role-access

Without knowing more, and without adding a ton of work, I would suggest that you use one path and do a permission check on POST to make sure that the user can update the fields that they've updated. Respond with a 403 Forbidden if a USER tries to edit an EMPLOYEE field, or vice versa.

• Agreed. Just check the role before processing the change, and either ignore the attempted change or generate an error message or response if the role doesn't permit the change. Internal permissions checks generally shouldn't be part of the visible URL path.

  Todd Knarr

  – Todd Knarr

  2016年03月30日 14:52:30 +00:00

  Commented Mar 30, 2016 at 14:52
• Doesn't that entail mixing the security and business layers? I'm a bit lost here, but I think then I'd nedd either the role at application level, or the request object at security level (Spring security in this case)

  user3748908

  – user3748908

  2016年03月30日 15:04:03 +00:00

  Commented Mar 30, 2016 at 15:04
• 2
  This isn't so much security as permissions, and permissions are part and parcel of the business rules. You can move some of it to the Spring security component, eg. checking whether they have any access to edit a given user, but trying to move all of the permissions logic up there over-complicates things immensely and as you've found causes all sorts of design problems because you're trying to control what's inherently a question of application logic flow from a component that isn't connected to that logic flow.

  Todd Knarr

  – Todd Knarr

  2016年03月30日 16:50:27 +00:00

  Commented Mar 30, 2016 at 16:50

• rest
• web-services
• access-control