1

Topic: Forced = (

Greetings all. Since we still have a hierarchy of forums here rather than a single one, a little repetition is unavoidable. I originally tried to ask a question about REST in the web development forum, but not much came of it. I thought that maybe here, among the Java people, I would collect more. Here is the question: https://rsdn.org/forum/web/7057210.1
Author: Slicer [Mirkwood] Date: 17.02 07:49
I will flag it for moderation myself right away, in case you decide that I am in the wrong. Didn't work! I tried to vote to send it to "garbage" ...
Slicer

2

Re: Forced = (

Hello, Slicer [Mirkwood] [...]
Well. And what, actually, is the question? If the application logic requires the data to be checked, then of course it has to be checked. And the back end has to check the data and check access whenever that is required. How to check is up to you; you can see that better. You can simply ignore the data in a field the user has no access to. You can return an error if that field is filled in at all, in any way. You can return an error if the field is filled in and the value there is not the one saved in the database. You can force the user to explicitly send two objects, old and new, so that the difference can be computed without a round trip to the database. Here the flight of fancy only has to be reconciled with common sense and the requirements.

3

Re: Forced = (

Hello, Artem Korneev, you wrote:
AK> You can force the user to explicitly send two objects, old and new, so that the difference can be computed without a round trip to the database. Here the flight of fancy only has to be reconciled with common sense and the requirements.
It's clear that anything is possible. That is exactly why I wanted to hear what people have already done, or maybe even links to some widely used practices that I didn't know about. After all, if you are going somewhere, you don't invent new means of locomotion, you call a taxi :)
Here, for example, one could probably check the validity of combinations of field values. Or one could, as you mentioned, simply check for not null. And some people check nothing at all, even when there seem to be no particular reasons to trust the client. And someone may have come up with a way of guaranteeing the client's authenticity (and accordingly nothing needs to be checked).
The almost total absence of answers, however, generally unsettles me. If someone really did it "like this", they could write about it, couldn't they? And so one gets the feeling that in reality people check nothing, or bolt a check on somewhere, wherever they were in the mood to. Or they did it somehow, but are not sure it was the right approach.
Slicer

4

Re: Forced = (

Hello, Slicer [Mirkwood], you wrote:
SM> Here, for example, one could probably check the validity of combinations of field values. Or one could, as you mentioned, simply check for not null. And some people check nothing at all, even when there seem to be no particular reasons to trust the client.
So it all comes down to the requirements. If you are writing an online game, simply ignore the field the client has no access to. That's all. If you are writing a banking system, simply ignoring it is no longer an option. You have to return an error to the client and ask it to send the request again. If the field is not simply a number but some set of values that several people edit simultaneously, you need to find out from each client what exactly it changed; as one variant, the client can send the old and the new value.
SM> And someone may have come up with a way of guaranteeing the client's authenticity (and accordingly nothing needs to be checked).
So authorization is needed. But you still have to check. You say that your client has access to call this API, but has no right to change certain fields. If you want to forbid the client from calling the PUT method at all, role-based access control (RBAC) can help. If the client doesn't have the required role, the REST service engine itself will not let it call that method, and there is no longer any need to check the rights manually.
SM> If someone really did it "like this", they could write about it, couldn't they?
In the projects I have worked on, I have done almost all of the variants I listed. In different cases different solutions fit.
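The treatments Artem Korneev lists in his two replies above (ignore the field, reject the request if the field is present at all, reject it if the value differs from what is stored, or have the client send the old and new objects so the diff can be computed from them) together with the method-level RBAC gate, as one added example in Python. This is not code from the thread or from either author's projects: the account record, the roles "customer" and "teller", the writable-field table and the exception classes are invented for illustration.

```python
"""Server-side treatment of a PUT whose body contains fields the caller may not
change. Added example, not code from the rsdn thread; the account record, the
roles and the field tables are invented."""
from enum import Enum


class Policy(Enum):
    IGNORE = "ignore"                        # drop the field silently (the "online game" case)
    REJECT_IF_PRESENT = "reject_if_present"  # any mention of the field is an error
    REJECT_IF_CHANGED = "reject_if_changed"  # presence is fine, a different value is an error


class RejectedUpdate(Exception):
    """Client must fix the request and resend (HTTP 400/403 in a real service)."""


class Conflict(Exception):
    """The record changed under the client since it read it (HTTP 409)."""


# Hypothetical RBAC data: roles allowed to call PUT at all, and the fields each
# role may write. A real service takes this from its authorization layer.
PUT_ROLES = {"customer", "teller"}
WRITABLE = {
    "customer": {"display_name", "email"},
    "teller": {"display_name", "email", "balance"},
}


def _check_method(role: str) -> set:
    """Method-level gate: the REST layer refuses PUT to roles not in PUT_ROLES."""
    if role not in PUT_ROLES:
        raise PermissionError(f"role {role!r} may not call PUT")
    return WRITABLE.get(role, set())


def apply_put(stored: dict, payload: dict, role: str, policy: Policy) -> dict:
    """Full-object PUT: every field in the payload is checked against the caller's rights."""
    allowed = _check_method(role)
    result = dict(stored)
    for name, value in payload.items():
        if name not in stored:
            raise RejectedUpdate(f"unknown field {name!r}")
        if name in allowed:
            result[name] = value
            continue
        # From here on the caller is not allowed to write this field.
        if policy is Policy.IGNORE:
            continue
        if policy is Policy.REJECT_IF_PRESENT:
            raise RejectedUpdate(f"field {name!r} is read-only for role {role!r}")
        if policy is Policy.REJECT_IF_CHANGED and value != stored[name]:
            raise RejectedUpdate(f"field {name!r} may not be changed by role {role!r}")
    return result


def apply_old_new(stored: dict, old: dict, new: dict, role: str) -> dict:
    """Client sends the object as it read it (old) and as it wants it (new).
    The diff comes from the two submitted objects alone (a field omitted from
    new is left alone); the stored copy is consulted only to apply the diff
    and to detect that another editor got there first."""
    allowed = _check_method(role)
    changed = {k: v for k, v in new.items() if k not in old or old[k] != v}
    for name in changed:
        if name not in stored:
            raise RejectedUpdate(f"unknown field {name!r}")
        if name not in allowed:
            raise RejectedUpdate(f"field {name!r} is read-only for role {role!r}")
        if stored[name] != old.get(name):
            raise Conflict(f"field {name!r} was modified by another editor")
    result = dict(stored)
    result.update(changed)
    return result
```

Which policy fits is a product decision, as the reply says: IGNORE suits the game, REJECT_IF_PRESENT or REJECT_IF_CHANGED the banking case, and apply_old_new the case where several people edit the same record, with Conflict telling the client to re-read and retry. None of them makes the method-level gate sufficient on its own: a customer is allowed to call PUT and still may not set balance.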

5

Re: Forced = (

AK> So authorization is needed. But you still have to check. You say that your client has access to call this API, but has no right to change certain fields.
Authorization has little in common with the authenticity of the client; it checks the authenticity of the user. Well, or if you are suggesting applying some additional authorization to check the client's authenticity, it would also be interesting to learn how you approached that, so that an attacker could not, for example, pick up the client secret. But otherwise I understood you, thanks.
Slicer

6

Re: Forced = (

Hello, Slicer [Mirkwood], you wrote:
AK>> So authorization is needed. But you still have to check. You say that your client has access to call this API, but has no right to change certain fields.
SM> Authorization has little in common with the authenticity of the client; it checks the authenticity of the user.
Ah. Now I understand what you mean. This task is very tightly intertwined with the questions of protecting programs from copying and other DRM/copyright questions. In general this task is not solvable yet. In some cases, mobile devices for instance, the usual arms race is observed: the copyright defenders invent new ways to make sure the program is running on unmodified firmware, the programmers invent new ways of leaving the copyright defenders empty-handed. It is a difficult and expensive pleasure. I don't know what the latest news is at the moment, but Netflix works quite normally for me on my device with modified firmware, so I gather the successes are not great so far. In any case, checking rights on the server side is strongly recommended; it is a very simple and obvious action that it makes no sense to neglect.
SM> Well, or if you are suggesting applying some additional authorization to check the client's authenticity, it would also be interesting to learn how you approached that, so that an attacker could not, for example, pick up the client secret.
I am not an expert in cryptography, so I did not invent new authentication methods. For the services I work on, we use ordinary OAuth2 through Azure Active Directory to confirm the user's identity. Out of that, what was needed there was RBAC. The way roles are arranged in Azure Active Directory does not allow them to be used normally in applications that work with users from different Active Directories (multitenant services). I.e., if in one domain there is a role "doctor", I cannot simply grant access for that role to some REST API, because in another domain the same role may be called "healthcare professional" or "senior medical staff" or something else. It is necessary to introduce an entity: a service that maps user logins onto the set of roles available to them in our system. I.e., we take authentication from the domain, checking the authenticity of the signed token. And authorization (the access check) we do ourselves.
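The arrangement in the last paragraph (authentication taken from the directory by verifying the signed token, authorization done by the service through its own mapping of each tenant's role names onto the roles the service understands), as an added example in Python that is not the thread author's code. The tenant ids, role names, endpoint table and shared secret are invented, and the token is HS256 so that the example runs offline; a real Azure AD access token is RS256-signed and has to be verified against the tenant's published signing keys, which the HMAC check here stands in for. The claim names tid, roles, oid, aud, exp and iss, and the v2.0 issuer URL format, are the ones such tokens carry.

```python
"""Authentication from the identity provider, authorization in the service.
Added example, not the thread author's code. Tenant ids, role names, the
endpoint table and the secret are invented; HS256 replaces Azure AD's RS256 so
the example is self-contained."""
import base64
import hashlib
import hmac
import json


class InvalidToken(Exception):
    pass


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sample_claims(tid: str, roles: list, now: int) -> dict:
    """Constructed claims in the shape of an Azure AD v2.0 access token."""
    return {"iss": f"https://login.microsoftonline.com/{tid}/v2.0",
            "aud": "api://records-service", "exp": now + 600,
            "tid": tid, "oid": "00000000-0000-0000-0000-000000000001",
            "roles": roles}


def make_token(claims: dict, key: bytes) -> str:
    """Stand-in for the identity provider: issue an HS256 JWT over the claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_token(token: str, key: bytes, audience: str, now: int) -> dict:
    """Authentication: algorithm, signature, audience, expiry, issuer/tenant match."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise InvalidToken("malformed token")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise InvalidToken("unexpected alg")        # pin the algorithm before verifying
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != audience:
        raise InvalidToken("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise InvalidToken("expired")
    tid = claims.get("tid")                         # tenant the token was issued for
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise InvalidToken("issuer does not match tenant")
    return claims


# Authorization data owned by the service, not by any tenant's directory.
# Invented tenant ids and role names: each tenant calls the same job differently.
ROLE_MAP = {
    "tenant-a": {"doctor": {"clinician"}},
    "tenant-b": {"healthcare professional": {"clinician"},
                 "senior medical staff": {"clinician", "ward_admin"}},
}
ENDPOINT_ROLES = {
    ("GET", "/patients/{id}"): {"clinician", "ward_admin"},
    ("PUT", "/patients/{id}"): {"clinician"},
    ("DELETE", "/patients/{id}"): {"ward_admin"},
}


def internal_roles(claims: dict) -> set:
    """Map (tenant, directory role) pairs onto the service's own roles."""
    per_tenant = ROLE_MAP.get(claims.get("tid"))
    if per_tenant is None:
        raise PermissionError("tenant is not onboarded")
    roles = set()
    for directory_role in claims.get("roles", []):
        roles |= per_tenant.get(directory_role, set())   # unknown names map to nothing
    return roles


def authorize(claims: dict, method: str, route: str) -> bool:
    """Access check: the caller needs at least one of the route's roles."""
    required = ENDPOINT_ROLES.get((method, route))
    if required is None:
        return False                                      # unknown route: deny
    return bool(required & internal_roles(claims))
```

The point of the split is that a tenant's directory is trusted only for who the user is and what that directory calls them; what they may do in this service comes from ROLE_MAP, so a tenant that invents a role named "ward_admin" in its own directory gains nothing, and a tenant that has not been onboarded is refused even with a valid token.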