Security In Rest Web application

sandeep nanjegowda
Greenhorn

Joined: Mar 22, 2006
Posts: 7

Hi,

I have created a Java web project with REST services accessing a database (JPA <=> Java DB). HTML, CSS and JavaScript (the UI) are used to access these REST services. The UI and the REST services run as a single application (in Tomcat). I want to provide security for this application. I don't want to log in from each HTML page in the app. A user should log in once and should be able to access all the HTML pages. Using cookies is discouraged with REST services. Please guide me on how I should implement security.

Thanks
Sandeep
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 60997

Firstly, I would separate the REST service part and the GUI part into separate applications. If they are going to be in the same app, what's the point of the REST service in the first place?

Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41519
What, exactly, is "security" as per your definition? What kinds of attacks, and what kinds of attackers are you trying to guard against?

If they are going to be in the same app, what's the point of the REST service in the first place?

I disagree with this sentiment. It makes sense to provide a web GUI and a REST WS in the same web app if they provide access to the same functionality. It's not clear that this makes a difference with respect to designing security, though.


sandeep nanjegowda
Greenhorn

Joined: Mar 22, 2006
Posts: 7
Hi,

I want only registered users to access the HTML pages and perform operations (add, delete, update). I also want to track which user performed which operation. In future I am planning to add authorization; I also want to send the userid/password securely.

Thanks
Sandeep
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41519
Authentication can be done using the mechanisms provided by the servlet container, provided you put some thought into the URL structure of the REST calls. See http://www.coderanch.com/how-to/java/ServletsFaq#security for more detail on that.

Tracking (by which I understand you to mean logging) can be done in whatever way you see fit - neither the Servlet API nor JAX-RS has facilities for that, so you need to implement your own.

I also want to send userid/password securely.

So you need to make sure that HTTPS is used when those are sent.
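As an added illustration of the container-managed approach described in this thread (not code posted by anyone in it), here is a constructed web.xml fragment for a Servlet 3.0 container such as Tomcat. The URL prefixes /pages/* and /api/*, the role name "user" and the login page names are assumptions; it puts the HTML pages and the REST resources under one constraint, forces HTTPS for them, and uses form login so the user authenticates once.

```xml
<!-- Constructed example web.xml fragment (Servlet 3.0); paths and role name are assumed -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Everything a logged-in user needs, HTML pages and REST resources alike,
       lives under URL prefixes that a single constraint can cover. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Application</web-resource-name>
      <url-pattern>/pages/*</url-pattern>   <!-- HTML/CSS/JS UI (assumed path) -->
      <url-pattern>/api/*</url-pattern>     <!-- JAX-RS resources (assumed path) -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>           <!-- only registered users get in -->
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container redirect plain HTTP to HTTPS,
           so the login form and the userid/password never travel in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form login: the user authenticates once; the container remembers the
       authenticated session and lets later page loads and REST calls through. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>        <!-- assumed, outside /pages/* -->
      <form-error-page>/login-error.html</form-error-page>  <!-- assumed -->
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- The container's session cookie is what carries the login across requests;
       keep it out of script reach and off plain HTTP. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

The role is mapped to actual accounts by the container's realm (in Tomcat, for example, a JDBCRealm pointing at the same database the application uses). Once a request has passed the constraint, request.getRemoteUser() returns the authenticated name, which is what a filter or JAX-RS resource can record when tracking which user performed which operation.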