Best practice for enabling a user to only change the data he owns on JAX-RS and Jersey

Submitted by 魔方 西西 on 2019-12-11 17:22:30

Question


Here and here are good examples of best practices on dealing with REST token-based authentication.

But in my case I am worried about one user using his own token to modify another user's data. The problem arises when we just verify if a user has a valid token and if positive, then execute any operation the user asked for.

Of course the most simple way to defeat this is to check if the authorized user id is the same as the one in the Request JSON (e.g. user_id). But this is tedious (all endpoints need this logic) and error prone (we might forget to do it for one endpoint).

Are there any ways to automate this?

Source: https://stackoverflow.com/questions/55250719/best-practice-for-enabling-a-user-to-only-change-the-data-he-owns-on-jax-rs-and
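One way to automate the ownership check the question asks about, as an added example that is not code from the question or from Jersey itself: a JAX-RS DynamicFeature attaches an authorization-priority ContainerRequestFilter to every resource method carrying a hypothetical @OwnerOnly annotation, and that filter aborts the request with 403 unless the authenticated principal's name (assumed to have been set by the existing token filter) equals the owner id in the path. Assumed: the javax.ws.rs 2.x API, each public type in its own file, and that endpoints touching a user's data carry the owner id as a path parameter.

```java
import java.lang.annotation.*;
import java.security.Principal;
import java.util.List;
import javax.annotation.Priority;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Hypothetical marker: "the caller must own the resource named by this path param".
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface OwnerOnly {
    String param() default "userId";
}

// Runs after authentication, before the resource method. Fails closed.
@Priority(Priorities.AUTHORIZATION)
public class OwnerOnlyFilter implements ContainerRequestFilter {
    private final String paramName;
    public OwnerOnlyFilter(String paramName) { this.paramName = paramName; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        Principal caller = ctx.getSecurityContext().getUserPrincipal();
        if (caller == null) {  // token filter did not authenticate anyone
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        List<String> owner = ctx.getUriInfo().getPathParameters().get(paramName);
        // A missing or ambiguous owner param is a wiring mistake: deny, never pass.
        if (owner == null || owner.size() != 1 || !owner.get(0).equals(caller.getName())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

// Binds the filter to annotated methods only, so no endpoint repeats the check by hand.
@Provider
public class OwnerOnlyFeature implements DynamicFeature {
    @Override
    public void configure(ResourceInfo info, FeatureContext context) {
        OwnerOnly marker = info.getResourceMethod().getAnnotation(OwnerOnly.class);
        if (marker != null) {
            context.register(new OwnerOnlyFilter(marker.param()));
        }
    }
}
```

Endpoints whose owner id lives only in the JSON body cannot be covered by a path-based filter and still need a load-then-compare check against the stored record; the fail-closed branch keeps a mis-annotated endpoint from silently passing.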
