- From: Owen Rubel <orubel@gmail.com>
- Date: Mon, 23 Sep 2024 15:15:28 -0700
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAAzevgnu6cRBX9McdaGLSJUn+5BMNa0Pot8PjZLrASWsH6+gSA@mail.gmail.com>
So following up on others who have commented on this...
To me, this seems a bit like a bypass for what 'controllers' and services
are for (see MVC). They pull in the RESOURCE and allow checks to take place
so that processing/logic is separate from data (see separation of concern).
As a result, this is allowing for a security bypass in that it
will not allow for RBAC/ABAC checks which are tightly bound to endpoints.
For example, in Spring Boot:

    @GetMapping("/jwt")
    @PreAuthorize("hasAuthority('Administrator')")
    public String jwt(@AuthenticationPrincipal Jwt jwt) {
        return String.format("Hello, %s!\nClaims: %s",
                jwt.getSubject(), jwt.getClaims());
    }
This is important for multiple reasons:
- *we don't always arrive at an endpoint by passing through the gateway
first*; we can do internal redirects in the application in which case we
still need to check the credentials of the client
- *not all clients may send/receive the same data*; for example, when
requesting user data, a 'user' PRINCIPAL can be derived from the JWT for a
USER role but for an ADMIN role, we may want them to be able to send an ID
to be able to pull up a user of their choice.
Thus separation of CONTROLLER/BUSINESS LOGIC can lead to bad structuring
and poor security decisions.
Owen Rubel
orubel@gmail.com
Received on Monday, 23 September 2024 23:25:29 UTC
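An added illustration of the second bullet above, not code from the original message: a Spring Boot controller where the authorization check stays bound to the endpoint and the caller's role decides which record may be requested. The authority names USER and ADMIN, the UserLookup interface and the id request parameter are assumptions; @PreAuthorize requires @EnableMethodSecurity on the security configuration.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical lookup used only for this illustration; not part of the post.
interface UserLookup {
    String find(String userId);
}

@RestController
public class UserController {

    private final UserLookup users;

    public UserController(UserLookup users) {
        this.users = users;
    }

    // The security proxy evaluates the check on every invocation of this
    // method, so it still applies when the request reaches the endpoint by
    // an internal forward instead of through the gateway.
    @GetMapping("/user")
    @PreAuthorize("hasAnyAuthority('USER', 'ADMIN')")
    public String user(@AuthenticationPrincipal Jwt jwt,
                       Authentication auth,
                       @RequestParam(required = false) String id) {
        boolean isAdmin = auth.getAuthorities().stream()
                .anyMatch(a -> "ADMIN".equals(a.getAuthority()));

        // A USER is bound to the principal derived from the JWT subject;
        // a client-supplied id is honoured only when the caller is an ADMIN.
        String target = (isAdmin && id != null) ? id : jwt.getSubject();
        return users.find(target);
    }
}
```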