
I have an API that exposes activities. Let's say I have an endpoint

GET /users/123/activities

that is meant to return all activities that the user has joined.

I want to authorize only the owner of this particular resource to access it. For this purpose I map the subject ID from OIDC to the user model in my service.

For now I have come up with this solution in the controller/resource layer:

// Deny unless the caller's principal maps to the owner of user `id`.
if (!userService.isLoggedInUserTheOwner(id, identity.getPrincipal().getName())) {
    return Response.status(403).build();
}

I wonder if there are other ways of achieving this. I tried making a custom policy, but injecting a service into it resulted in a server error:

You have attempted to perform a blocking operation on a IO thread.

Is there a way to create some custom annotation to handle this logic?

I will be using this authorization check everywhere and I don't want to repeat this boilerplate every time.
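One way to get the annotation the question asks for, as an added example that is not code from the post: a CDI interceptor binding (`@OwnerOnly`) plus a parameter annotation (`@OwnerId`) that tells the interceptor which argument carries the owner's user id. The interceptor performs the same check the resource method did and throws a 403 before the method body runs. Assumptions: Quarkus 3 with the Jakarta namespace; `UserService.isLoggedInUserTheOwner(long, String)` is the question's own service with the signature inferred from its call; `ActivityService`, `Activity` and `UserActivitiesResource` are hypothetical names used only to show the annotation in place. In practice each type sits in its own file, as the separator comments indicate.

```java
// --- OwnerOnly.java : interceptor binding meaning "the caller must own the target resource" ---
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import jakarta.interceptor.InterceptorBinding;

@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
public @interface OwnerOnly {
}

// --- OwnerId.java : marks the method parameter that carries the owner's user id ---
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
public @interface OwnerId {
}

// --- OwnerOnlyInterceptor.java ---
import java.lang.reflect.Parameter;
import jakarta.annotation.Priority;
import jakarta.inject.Inject;
import jakarta.interceptor.AroundInvoke;
import jakarta.interceptor.Interceptor;
import jakarta.interceptor.InvocationContext;
import jakarta.ws.rs.ForbiddenException;
import io.quarkus.security.identity.SecurityIdentity;

@OwnerOnly
@Interceptor
@Priority(Interceptor.Priority.APPLICATION)
public class OwnerOnlyInterceptor {

    @Inject
    SecurityIdentity identity;

    // The question's service (assumed signature): maps the OIDC subject to a user and answers ownership.
    @Inject
    UserService userService;

    @AroundInvoke
    Object checkOwnership(InvocationContext ctx) throws Exception {
        long ownerId = findOwnerId(ctx);
        // Fail closed: an anonymous caller, or a principal that does not own the resource, gets 403.
        if (identity.isAnonymous()
                || !userService.isLoggedInUserTheOwner(ownerId, identity.getPrincipal().getName())) {
            throw new ForbiddenException();
        }
        return ctx.proceed();
    }

    // Locate the argument annotated @OwnerId on the intercepted method.
    private static long findOwnerId(InvocationContext ctx) {
        Parameter[] params = ctx.getMethod().getParameters();
        Object[] values = ctx.getParameters();
        for (int i = 0; i < params.length; i++) {
            if (params[i].isAnnotationPresent(OwnerId.class)) {
                return (Long) values[i];
            }
        }
        // A method tagged @OwnerOnly without an @OwnerId must not silently pass: refuse to run it.
        throw new IllegalStateException("@OwnerOnly method has no @OwnerId parameter: " + ctx.getMethod());
    }
}

// --- UserActivitiesResource.java (hypothetical resource showing the annotation in use) ---
import java.util.List;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import io.quarkus.security.Authenticated;

@Path("/users")
@Authenticated
public class UserActivitiesResource {

    @Inject
    ActivityService activityService; // hypothetical

    // Non-reactive return type: RESTEasy Reactive runs this method, and therefore the interceptor,
    // on a worker thread, so the blocking call into UserService is permitted here.
    @GET
    @Path("/{id}/activities")
    @OwnerOnly
    public List<Activity> activities(@OwnerId @PathParam("id") long id) {
        return activityService.activitiesOf(id);
    }
}
```

The interceptor runs on whatever thread invokes the resource method, which is why this does not hit the error from the question: a method with a plain return type is dispatched to a worker thread. If the same method returned `Uni` or `Multi`, it would be dispatched on the event loop and the blocking `UserService` call inside the interceptor would raise the same "blocking operation on a IO thread" error that the custom policy did; in that case either annotate the method with `@io.smallrye.common.annotation.Blocking` or make the ownership lookup itself non-blocking. Throwing `ForbiddenException` rather than returning a `Response` keeps the check usable on methods with any return type.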
