Is there a way to ensure a request is coming from a trusted UI application?

Problem description

So, to give you some background: we have a backend application that has a huge number of APIs (Spring Boot framework), and then there is a UI application with a mix of React and Ember.js. We are using OAuth 2.0 access tokens.

Each page of the UI may use a number of API resources, and permissions for the pages (including actions and buttons) are managed separately from permissions for accessing APIs directly.

Now the issue is that anyone with their access token can directly call any API. To stop that, we decided to link the services/resources used in each page or button to the route URL (Ember.js routes), so that, based on the user's permission to those routes, we determine whether they have access to a particular service in the backend or not. In other words, if a user sends a request to a service directly, and that service is linked to a page that he doesn't have access to in the UI world, then the security check stops him.

However, this is now becoming a headache. The pages are constantly changing, some services are being removed or new services are added, and we have to continuously maintain the SQL scripts to keep the linkage between the two. Not to mention that, due to the hierarchical structure of the UI (routes), this has become even more complicated.

Now I was wondering: if we could determine that a request is coming from the UI, then we wouldn't need to check the permission to the API, and given that the UI won't be rendered if they don't have access to it, we could safely let the request come in and be served. And if the same user uses his UI token to access the API directly, we simply block it. If a user needs direct access to an API, then they have to get a special token used for the API (some users may need to use the API directly for their).

Now the question is: how can we determine that the request is from the UI, and that the UI page is the one we trust? I did a search on the internet but couldn't really find any framework or protocol for this. Is it even possible?

Tags: java, spring-boot, ember.js, user-permissions

Solution


Sorry if I've totally missed it, but isn't this just a simple case of Cross-Origin Resource Sharing (CORS)?

You'd set the allowed CORS origin on each controller to be that of your UI/frontend domain.

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RestController;

// Allowed origins must be full scheme://host[:port] values; a bare host name
// like "example.com" never matches the Origin header a browser actually sends.
@CrossOrigin(origins = "https://example.com")
@RestController
public class PrivateController {

}

The controller will now reject anything that doesn't come from example.com.
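The following is an added example, not code from the question or from the answer above. It models two things a practitioner should check before relying on the answer: first, what a server-side CORS filter such as Spring's @CrossOrigin actually decides on, which is nothing more than the Origin header (browsers set it and page script cannot change it, but a non-browser client can send any value, or simply omit it, in which case the request is not a CORS request at all and the filter does not apply); second, the check the resource server can enforce for every caller regardless of which application sent the request, namely token validity and a scope covering the API route. ALLOWED_ORIGINS, SECRET, the scope names, the routes and the stand-in HS256 token minting are all assumptions constructed for this demo and are not part of the original post.

```python
# Added example, not code from the question or the answer above. It models
# (1) what a server-side CORS filter such as Spring's @CrossOrigin decides on
# and (2) a resource-server check that holds for any client. ALLOWED_ORIGINS,
# SECRET, the scope names, the routes and the HS256 minting are all
# assumptions constructed for this demo.
import base64
import hashlib
import hmac
import json

ALLOWED_ORIGINS = {"https://example.com"}
SECRET = b"demo-hmac-key-not-for-production"  # constructed for the demo
REQUIRED_SCOPE = {                              # hypothetical route -> scope table
    ("GET", "/orders"): "orders:read",
    ("DELETE", "/orders/1"): "orders:write",
}


def cors_filter_passes(headers):
    """Models a server-side CORS filter. It only ever sees the Origin header.
    No Origin header means the request is not a CORS request and passes
    untouched (that is what plain curl sends). With an Origin header only
    allow-listed values pass; browsers set it and page script cannot change
    it, but any non-browser client can put any value there."""
    origin = headers.get("Origin")
    return True if origin is None else origin in ALLOWED_ORIGINS


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, scopes, now, ttl=3600):
    """HS256 JWT with sub, scope and exp; stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": subject, "scope": " ".join(scopes), "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token, now):
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(method, path, headers, now):
    """Resource-server decision: valid bearer token plus a scope covering the
    route. Returns (status, reason). It never looks at Origin or at which UI
    page the caller was on: the UI's token replayed from curl is the same token."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, "unknown route"
    if needed not in claims.get("scope", "").split():
        return 403, f"scope {needed} required"
    return 200, f"ok for {claims['sub']}"


def demo(now=1_700_000_000):
    """Scenarios from the question: the browser UI, plain curl, curl with a
    hand-typed Origin, a foreign site, and a token whose scope was edited."""
    token = mint_token("alice", ["orders:read"], now)
    browser = {"Origin": "https://example.com", "Authorization": "Bearer " + token}
    curl_plain = {"Authorization": "Bearer " + token}   # no Origin header at all
    curl_forged = dict(browser)                         # Origin typed by hand
    evil_site = {"Origin": "https://evil.example", "Authorization": "Bearer " + token}
    header, _payload, sig = token.split(".")
    edited = _b64url(json.dumps(
        {"sub": "alice", "scope": "orders:write", "exp": now + 3600}).encode())
    tampered = {"Authorization": f"Bearer {header}.{edited}.{sig}"}
    return {
        "cors_browser": cors_filter_passes(browser),          # True
        "cors_curl_plain": cors_filter_passes(curl_plain),    # True: not a CORS request
        "cors_curl_forged": cors_filter_passes(curl_forged),  # True: Origin is just a header
        "cors_evil_site": cors_filter_passes(evil_site),      # False, but that client can drop the header
        "read_from_curl": authorize("GET", "/orders", curl_plain, now)[0],        # 200
        "write_from_browser": authorize("DELETE", "/orders/1", browser, now)[0],  # 403
        "tampered_scope": authorize("GET", "/orders", tampered, now)[0],           # 401
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the three CORS outcomes that matter for the question: the browser, plain curl and curl with a hand-typed Origin all pass the filter, so the Origin allowlist cannot tell the trusted UI apart from a user replaying their own token. What the server can enforce is in authorize(): a valid token and a scope that covers the route, which is why the user who can read orders from the UI gets 403 on DELETE from the same browser, and why editing the scope claim client-side fails the signature check. That is the shape the question's "special token for API access" idea takes in practice: permissions attached to the token and checked per API route, not inferred from the calling page.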

