I have an enterprise application comprising EJBs and some REST APIs as well. I also have some other services which consume my beans, e.g. UI services. My EJBs are annotated with role-based annotations, i.e. RolesAllowed, DeclareRoles. I have some REST APIs as well in my application where I need to have access control for a few resources, and some other APIs with unrestricted access.
In such a scenario where should RBAC be implemented? At the bean level or at the REST API level ?
Here are some elements of response:
Ultimately, what matters most is that you centralize your authorization logic into a single repository: this could be a set of roles and permissions (as defined in RBAC) or a set of policies (as defined in ABAC). What you then do in your API layer and/or your EJB layer is call out to that centralized location to check for authorization.
Have a look at this diagram (which stems from XACML). It shows that you can apply your authorization checks wherever you deem necessary so long as you call out to the external decision point, or so long as you consistently manage your roles across your different systems:
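The pattern the answer describes, as an added example that is not part of the question, the answer, or any project they refer to: one central decision point holding the role-to-permission rules, consulted both from a JAX-RS request filter (for the restricted REST resources, while unannotated resources stay unrestricted) and from an EJB that keeps its container-level RolesAllowed check. The class names PolicyDecisionPoint, AuthorizationFilter, Protected, OrdersResource and OrderService, the role names and the permission strings are all assumptions made for the illustration; javax.* packages are used, which become jakarta.* on Jakarta EE 9 and later.

```java
// Added example (not from the page). Several top-level classes are shown in one
// file for readability; in a real project each would live in its own file.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** The single place where the RBAC rules live (assumed class). Both layers call this. */
@ApplicationScoped
class PolicyDecisionPoint {
    // Constructed rule set for the example: role -> permitted "resource:action" strings.
    private static final Map<String, Set<String>> PERMISSIONS = Map.of(
            "admin", Set.of("orders:read", "orders:cancel", "reports:read"),
            "clerk", Set.of("orders:read"));

    /**
     * Returns true if any role that grants resource:action is held by the caller.
     * Takes a role predicate because neither JAX-RS nor EJB lets you enumerate a
     * caller's roles; both only answer "is the caller in role X?".
     */
    public boolean isAllowed(Predicate<String> callerHasRole, String resource, String action) {
        String permission = resource + ":" + action;
        return PERMISSIONS.entrySet().stream()
                .filter(e -> e.getValue().contains(permission))
                .anyMatch(e -> callerHasRole.test(e.getKey()));
    }
}

/** Marks a REST method as restricted; methods without it are unrestricted (assumed annotation). */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
@interface Protected {
    String resource();
    String action();
}

/** REST layer: enforce at the API boundary by asking the central decision point. */
@Provider
class AuthorizationFilter implements ContainerRequestFilter {
    @Context private ResourceInfo resourceInfo;
    @Inject private PolicyDecisionPoint pdp;

    @Override
    public void filter(ContainerRequestContext ctx) {
        Protected rule = resourceInfo.getResourceMethod().getAnnotation(Protected.class);
        if (rule == null) {
            return; // no annotation: unrestricted resource, let it through
        }
        SecurityContext sc = ctx.getSecurityContext();
        if (sc.getUserPrincipal() == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        if (!pdp.isAllowed(sc::isUserInRole, rule.resource(), rule.action())) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}

@Path("/orders")
class OrdersResource {
    @GET @Path("/status")
    public String status() { return "up"; }                   // unrestricted endpoint

    @GET @Protected(resource = "orders", action = "read")
    public String list() { return "[]"; }                     // restricted endpoint
}

/** EJB layer: coarse container check via RolesAllowed, fine-grained check via the same PDP. */
@Stateless
@DeclareRoles({"admin", "clerk"})
class OrderService {
    @Resource private SessionContext sessionContext;
    @Inject private PolicyDecisionPoint pdp;

    @RolesAllowed({"admin", "clerk"})   // container rejects callers outside these roles outright
    public void cancel(String orderId) {
        // Same rule source as the REST filter, so a clerk is denied here exactly as over REST.
        if (!pdp.isAllowed(sessionContext::isCallerInRole, "orders", "cancel")) {
            throw new EJBAccessException("caller is not permitted to cancel orders");
        }
        // ... cancel the order
    }
}
```

With this arrangement a change to who may cancel orders is made once, in PolicyDecisionPoint, and takes effect for REST callers and for the UI services that call the bean directly, which is the consistency the answer is asking for.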