
I am trying to update the following code example (Java) to prevent broken access control. I understand broken access control in theory, but I am stuck on the exact code changes I need to make around username, so that the user only sees what they're allowed to see.

Any help would be great

import java.sql.*;
import java.util.*;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.Claims;

class LoggedOutException extends Exception {
    public LoggedOutException(String message) {
        super(message);
    }
}

public class External {

    public static HashMap<String, String> accountLookup(String accountId, String jwt) throws Exception {

        if (jwt == null) {
            throw new LoggedOutException("User is not logged in");
        } else {
            // The signature is verified here, but nothing in the claims is ever
            // compared against the accountId the caller supplies below.
            Claims claims = Jwts.parser()
                    .setSigningKey("Key".getBytes("UTF-8"))
                    .parseClaimsJws(jwt).getBody();

            if ((claims.get("logged_in")).toString().equals("true")) {

                Class.forName("com.mysql.jdbc.Driver");
                Connection con = DriverManager.getConnection("jdbc:mysql://mysql:3306/BankApp?useSSL=false", "root", "letmein");

                // accountId comes straight from the request: any logged-in user can
                // look up any account (and the string concatenation is also injectable).
                Statement stmt = con.createStatement();
                ResultSet rs = stmt.executeQuery("SELECT username FROM tbl_user WHERE id = '" + accountId + "';");

                if (!rs.next()) {
                    con.close();
                    throw new Exception("Account not found");
                }

                String user = rs.getString("username");
                rs = stmt.executeQuery("SELECT balance, dob FROM tbl_account WHERE user_id = '" + accountId + "';");
                HashMap<String, String> results = new HashMap<String, String>();

                if (rs.next()) {
                    results.put("balance", rs.getString("balance"));
                    results.put("dob", rs.getString("dob"));
                    results.put("username", user);
                }
                con.close();

                return results;
            } else {
                throw new LoggedOutException("User is not logged in");
            }
        }
    }
}
  • Might want to redact that key. – jsheeran, Aug 23, 2021 at 10:23

2 Answers


What you can do is add a custom claim to your token payload which you can later use to verify whether the user is authorized to perform the action.

Here I have added "username" to the token payload.

import java.time.Instant;
import java.util.Date;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// Issued at login time, once the username/password have been checked.
String token = Jwts.builder()
    .claim("username", username)   // identity the server will trust later
    .claim("role", role)
    .setIssuedAt(Date.from(Instant.ofEpochSecond(1629736517L)))
    .setExpiration(Date.from(Instant.ofEpochSecond(1661272517L)))
    .signWith(
        SignatureAlgorithm.HS256,
        "Simple Secret"
    )
    .compact();

Then you can access this inside your accountLookup method,

// Signature is checked before any claim is read.
Claims claims = Jwts.parser()
        .setSigningKey("Simple Secret")
        .parseClaimsJws(token).getBody();

String username = (String) claims.get("username");

Use the username to verify the accountId.


In this example the JWT decides if I have access or not but there is no verification that the accountId is actually mine.

You need to instead use the JWT to decide what to fetch from the database or to verify that the accountId I'm passing you is actually mine, or one I should have access to.

  • Thanks, that's what I understood that I needed to change; my main issue is how to change the code, I'm not sure where to make the changes etc. – Aug 23, 2021 at 10:47
  • Here what you can do is include some user details like 'username' within the JWT token itself. So when you receive the 'account number' in your request, first you can make sure that this 'account number' belongs to the same user. – ray, Aug 23, 2021 at 11:52
  • Hi @ray could you provide a mock example? – Aug 23, 2021 at 15:25
  • @ClarkPamler93 find my answer below – ray, Aug 23, 2021 at 18:50
