16

On my web app using Java EE 6. I want to expose some of my functionality as a Json Rest Service. I want to use authentication tokens for login, User will send their username, password and server will send back a token, which will be used to authorize the user on their further requests for a given time..

A few questions bothering me so far;

  • When the server creates the token and sends to client, should server save it in a DB OR in a Bean using something like a hashtable as userid-token pairs?

  • Can I get some help using any Java EE specific API or this has to be all custom code?

Improve this question
6
  • 1
    I would suggest you take a look at JAAS. It is a J2EE standard and is very useful for declarative authentication/authorization. Commented Dec 21, 2012 at 9:16
  • @Apache Fan tnx, I guess JAAS will come into play AFTER I receive the token from the client and I want to auhenticate him? Commented Dec 21, 2012 at 9:22
  • Nop . You will not have to play with any tokens. In JAAS you can just define URL patterns .grant Principal com.tagish.auth.TypedPrincipal "user" { permission com.xor.auth.perm.URLPermission \ "/myapp/someService"; }; Commented Dec 21, 2012 at 9:33
  • @Apache Fan I updated the question Commented Dec 21, 2012 at 9:34
  • Well JAAS process goes something like this -1. JAAS can be configured with some backend table for userid-role mapping. Once a request comes JAAS will check if it is authenticated. If it is not than user is redirected to login page. 2. If the user is authenticated then it is checked if the user has rights to access your URL based on the ACL rules Commented Dec 21, 2012 at 9:36

3 Answers 3

Reset to default
11

Heres my input:

  • I would save the token in DB, in case you need to restart the server you don't want to lose all your user's tokens. You could potentially save it in memory as well to speed up requests and only look it up in DB if it is not found in memory.

  • I would accept the token in the header. I would put the rest service on HTTPS so the request is encrypted and then you don't need to worry about encrypting the token manually in the request

  • I would probably look at JAX-RS and see what features it offers

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

could you also look at this one? I created another question, stackoverflow.com/questions/13997040/…
6

I recently blogged on how to set up Role-based authorization in a JAX-RS REST API using both a simple session token approach and a more secure method of signing requests using the session token as a shared secret.

It boils down to:

  • Get a session token from the server along with some identifier for the user
  • Use the token to encrypt the information in the request
  • Also use a timestamp and nonce value to prevent MITM attacks
  • Never pass the session token back and forth except for when retrieving it initially
  • Have an expiry policy on session tokens
Improve this answer

Comments

1

Saving the token in a bean or hash table would not be persistent. A DB would persist between executions.

If you are going to be using REST then you can either pass the authentication in the parameters to the method, or in the request header itself. Encryption is a different matter. I guess it depends on the scale of the system, and how open it is. If security is a top importance, then yes, you should find some form of encryption.

I have done similar things using the Spring Framework, and Spring Security. These things are relatively simple using this. To write custom code is to reinvent the wheel. There are many frameworks out there which will help you. However, you would then have the learning curve of the framework.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.