Tips for API Security: 3 of 12. Implement Authorization for Routes Using RBAC
Security Misconfiguration is one of the categories in the OWASP Top Ten. Misconfigured security rules can expose an API to several types of attack on its services, in which the API can be overwhelmed or misused in several ways:
Injection: commands or macros can be passed to APIs as payloads, which are then executed in the background.
Malware: when an API expects files such as photos or documents, very large files can be uploaded.
Abuse of functionality: the API's own functionality can be exploited to attack the API itself.
The first line of defense against these types of attack is to implement authorization for the routes in your application. The application firewall should be configured to check whether the caller holds the authorization required to access the route. This is usually done by assigning a role to the user during authentication.
Some authorization practices that we inherited from application development in the client-server days, when the connection between client and server was synchronous, are still being implemented in internet-based applications. However, internet-based applications are asynchronous, which poses a set of challenges that require a different approach.
In client-server applications the user provided a username and password combination, and the server validated the credentials against those stored in the database during the login process. The application then displayed the menu based on the RBAC matrix, and the user could visit only the screens that were displayed. If the session was inactive for a specified time, the user was logged out and had to log in again.
In internet-based applications it is possible for a user to type the URL of a specific page directly into the browser without going through the authentication process. One way of preventing this is to implement the Single Page Application (SPA) pattern, where the page that is called checks whether the referrer page is a designated page such as the "Home" page or a "Dashboard" page. This ensures that the user's entry into the application is always through a designated landing page. However, this provides very little security, because the command-line tools used for testing internet-based applications allow the referrer to be passed as a parameter, so it is possible to reach pages in an application while circumventing the designated page.
One way to protect pages is to define Role-Based Access Control for the URL paths (routes) in the application firewall:
```yaml
# Access-control rules: each entry maps a path regular expression to the role(s)
# required to reach it. Rules are evaluated top to bottom; the first match decides.
- { path: ^/docs, roles: PUBLIC_ACCESS }
- { path: ^/auth, roles: PUBLIC_ACCESS }
- { path: ^/api/, roles: IS_AUTHENTICATED_FULLY }
```
The application firewall rules above use regular expressions to map URL routes to roles. The first rule allows visitors to access the application documentation without being authenticated. The second rule allows any URL used for authentication, such as login or password change, to be accessed without being logged in. The third rule requires the visitor to be fully authenticated to access the remaining APIs. Identity management solutions such as Auth0 and Okta provide RBAC authorization for APIs.
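The following is an added example, not code from the original post or from any particular framework, showing how an ordered list of path-regex-to-role rules like the one above is evaluated. It assumes the two pseudo-roles from the rules (PUBLIC_ACCESS for every visitor, IS_AUTHENTICATED_FULLY for every logged-in user), adds a hypothetical ROLE_ADMIN rule to show why a more specific path must precede the broader `^/api/` rule, and defaults to denying any path no rule covers; the Rule and User classes and the request paths are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Pseudo-roles taken from the rule list in the text; every visitor holds
# PUBLIC_ACCESS, every authenticated user additionally holds IS_AUTHENTICATED_FULLY.
PUBLIC_ACCESS = "PUBLIC_ACCESS"
IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY"


@dataclass
class Rule:
    """One access-control entry: a path regex and the roles that satisfy it."""
    path: str                 # regular expression matched against the request path
    roles: frozenset          # holding any one of these roles grants access
    pattern: re.Pattern = field(init=False)

    def __post_init__(self):
        self.pattern = re.compile(self.path)


@dataclass
class User:
    """Minimal authenticated principal (constructed for this example)."""
    authenticated: bool = False
    roles: frozenset = frozenset()


def effective_roles(user):
    """Roles the firewall attributes to a request, including the pseudo-roles."""
    held = {PUBLIC_ACCESS}
    if user.authenticated:
        held.add(IS_AUTHENTICATED_FULLY)
        held |= user.roles
    return held


def is_allowed(rules, user, path, default_allow=False):
    """Evaluate rules top to bottom; the first whose regex matches the path decides.
    Paths matched by no rule fall back to default_allow (deny-by-default here).
    Returns (allowed, matched_rule_path_or_None) so callers can log which rule fired."""
    held = effective_roles(user)
    for rule in rules:
        if rule.pattern.search(path):
            return bool(rule.roles & held), rule.path
    return default_allow, None


# The rules from the text, plus a hypothetical admin-only prefix placed BEFORE
# the broad ^/api/ rule: if it came after, ^/api/ would match first and any
# logged-in user would reach the admin routes.
RULES = [
    Rule(r"^/docs", frozenset({PUBLIC_ACCESS})),
    Rule(r"^/auth", frozenset({PUBLIC_ACCESS})),
    Rule(r"^/api/admin/", frozenset({"ROLE_ADMIN"})),
    Rule(r"^/api/", frozenset({IS_AUTHENTICATED_FULLY})),
]


if __name__ == "__main__":
    anonymous = User()
    member = User(authenticated=True, roles=frozenset({"ROLE_USER"}))
    admin = User(authenticated=True, roles=frozenset({"ROLE_ADMIN"}))
    for who, name in ((anonymous, "anonymous"), (member, "member"), (admin, "admin")):
        for p in ("/docs/intro", "/auth/login", "/api/orders", "/api/admin/users", "/"):
            allowed, rule = is_allowed(RULES, who, p)
            print(f"{name:9} {p:18} -> {'allow' if allowed else 'deny ':5} (rule {rule})")
```

Two points the rule list alone does not make visible: rule order is a security decision, since the first matching regex wins, and a path that matches no rule should be denied rather than silently allowed, which is why `default_allow` is False unless a caller opts out.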
We implement access control for routes in all our internet applications. This ensures that our APIs are not exposed to abuse through external attack vectors.