Long-time software architect, CTO Authress, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
This is better known as AuthZ or Authorization (rather than authentication; what's the difference?).
And realistically the solution is to always verify authorization at the service that owns the resource. In the case here that would be the service layer. If the web layer is really a composite service, you still wouldn't make the check there. Only if it saved its own resource could you make the check, and you should only be checking for the resource as it is owned/known by that service. Don't verify other services' permissions; those can change over time.
I know this is fairly complicated, which is exactly why services like Authress exist to solve this problem.
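The pattern the comment describes, as an added example that is not the comment author's code and not Authress code: a hypothetical `DocumentService` owns documents and therefore owns the authorization decision for them, while a hypothetical composite `DashboardService` forwards the caller's identity and accepts the owning service's answer instead of keeping its own copy of the permissions (which would go stale when sharing changes). All names, the permission model (owner may read/write/share, editors may read/write) and the sample data are constructed for the example.

```python
"""Added example: authorization enforced by the service that owns the resource.
Hypothetical services and permission model, constructed for illustration."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised by the owning service when the caller may not perform the action."""


@dataclass(frozen=True)
class Principal:
    """Authenticated identity forwarded unchanged by every layer."""
    user_id: str


@dataclass
class Document:
    doc_id: str
    owner_id: str
    body: str
    editors: set = field(default_factory=set)


class DocumentService:
    """Owns documents, so it is the single place that decides access to them."""

    def __init__(self):
        self._docs = {}

    def create(self, caller, doc_id, body):
        self._docs[doc_id] = Document(doc_id, caller.user_id, body)
        return doc_id

    def _authorize(self, caller, doc_id, action):
        """Look up the document and check the caller's rights on *this* service's
        resource only. Unknown and forbidden look the same to avoid leaking
        which ids exist."""
        doc = self._docs.get(doc_id)
        if doc is None:
            raise Forbidden(f"{caller.user_id} may not {action} {doc_id}")
        if caller.user_id == doc.owner_id:
            return doc
        if action in ("read", "write") and caller.user_id in doc.editors:
            return doc
        raise Forbidden(f"{caller.user_id} may not {action} {doc_id}")

    def read(self, caller, doc_id):
        return self._authorize(caller, doc_id, "read").body

    def write(self, caller, doc_id, body):
        self._authorize(caller, doc_id, "write").body = body

    def share(self, caller, doc_id, editor_id):
        self._authorize(caller, doc_id, "share").editors.add(editor_id)


class DashboardService:
    """Composite/web layer. It does not check document permissions itself: it
    passes the caller through and treats a Forbidden answer as 'not visible'.
    Holding a cached permission table here would drift from the owner's truth."""

    def __init__(self, document_service):
        self._document_service = document_service

    def render(self, caller, doc_ids):
        out = {}
        for doc_id in doc_ids:
            try:
                out[doc_id] = self._document_service.read(caller, doc_id)
            except Forbidden:
                out[doc_id] = None  # hidden from this caller
        return out


if __name__ == "__main__":
    svc = DocumentService()
    alice, bob = Principal("alice"), Principal("bob")
    svc.create(alice, "doc1", "hello")
    svc.share(alice, "doc1", "bob")
    print(DashboardService(svc).render(bob, ["doc1", "missing"]))
```

Note that the composite layer never needs to know the sharing rules: when `alice` later revokes `bob`, only `DocumentService` changes and the dashboard is correct on the next request without any cache invalidation.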