
Security In Rest Web application

 
sandeep nanjegowda
Greenhorn
Posts: 8

Hi,

I have created a Java web project with REST services accessing a database (JPA <=> Java DB). HTML, CSS and JavaScript (UI) are used to access these REST services. UI and REST services run as a single application (in Tomcat). I want to provide security for this application. I don't want to login from each HTML page in the app. A user should login once and should be able to access all the HTML pages. Using cookies is discouraged with REST services. Please guide on how I should implement security.

Thanks
Sandeep
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64830
Firstly, I would separate the REST service part and the GUI part into separate applications. If they are going to be in the same app, what's the point of the REST service in the first place?

 
Ulf Dittmer
Rancher
Posts: 42967
What, exactly, is "security" as per your definition? What kinds of attacks, and what kinds of attackers are you trying to guard against?

If they are going to be in the same app, what's the point of the REST service in the first place?

I disagree with this sentiment. It makes sense to provide a web GUI and a REST WS in the same web app if they provide access to the same functionality. It's not clear that this makes a difference with respect to designing security, though.
 
sandeep nanjegowda
Greenhorn
Posts: 8
Hi,

I want only registered users to access HTML pages and perform operations (add, delete, update). I also want to track which user performed which operation. In future I am planning to add authorization; I also want to send userid/password securely.

Thanks
Sandeep
 
Ulf Dittmer
Rancher
Posts: 42967
Authentication can be done using the mechanisms provided by the servlet container, provided you put some thought into the URL structure of the REST calls. See http://www.coderanch.com/how-to/java/ServletsFaq#security for more detail on that.

Tracking (by which I understand you to mean logging) can be done in whatever way you see fit - neither the Servlet API nor JAX-RS has facilities for that, so you need to implement your own.

I also want to send userid/password securely.

So you need to make sure that HTTPS is used when those are sent.
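For the tracking part, which Ulf notes the Servlet API and JAX-RS leave to the application, here is an added example of a servlet filter that records which authenticated user performed which modifying operation. It is not code from the thread; it assumes container authentication already guards /api/* (so `getUserPrincipal()` is non-null by the time the filter runs), a Servlet 3.x container such as Tomcat 7+, and the package name and `/api/*` mapping are hypothetical.

```java
// Added example, not from the thread: audit filter for "which user did what".
// Assumes container authentication (FORM/BASIC in web.xml) already protects
// /api/*; the package name and url pattern are hypothetical.
package example.audit;

import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(urlPatterns = "/api/*")
public class AuditFilter implements Filter {

    // A dedicated logger lets the audit trail be routed to its own file
    // (and retention policy) through the logging configuration.
    private static final Logger AUDIT = Logger.getLogger("audit");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Defence in depth: if a URL ever slips outside the security
        // constraint, refuse rather than record an anonymous change.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Only state-changing calls (add/update/delete) need an audit record.
        String method = request.getMethod();
        boolean mutating = !("GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method));

        long start = System.nanoTime();
        try {
            chain.doFilter(req, res);
        } finally {
            // Logged in finally so failed operations are recorded as well.
            if (mutating) {
                AUDIT.info(auditLine(request.getUserPrincipal().getName(), method,
                        request.getRequestURI(), response.getStatus(),
                        request.getRemoteAddr(), System.nanoTime() - start));
            }
        }
    }

    /** Builds one audit line; kept separate so it can be unit-tested. */
    static String auditLine(String user, String method, String uri, int status,
                            String remoteAddr, long elapsedNanos) {
        // The user name comes from the realm, but strip line breaks anyway so
        // a crafted value cannot forge extra lines in the audit log.
        String safeUser = user.replaceAll("[\\r\\n\\t]", "_");
        return String.format("user=%s method=%s uri=%s status=%d from=%s ms=%d",
                safeUser, method, uri, status, remoteAddr, elapsedNanos / 1_000_000);
    }
}
```

Because the filter only reads the principal the container has already established, it works unchanged whether the caller is the HTML UI or an external REST client, and nothing in it depends on how the user logged in. If authorization is added later, `request.isUserInRole("...")` is available in the same place and the role can be appended to the log line.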
 