
I have read many discussions about authentication, authorization, etc. with REST services. I now have an idea of how to do authentication/authorization with REST.

But the thing I did not get is how to control access to a web page with a REST service. Is it good practice? If so, how?

Example:

  • root of REST services: localhost/services

  • root of web pages: localhost/pages

Now, the scenario is:

1. The client tries to go to the page localhost/pages/join.html, but it does not have the right to access it.

2. Thus, the server should check whether the client has the right to access the page, and since it does not, should redirect the client somewhere.

My question is not how the server would check or determine whether the client has the right or not.

However, I want to know when and how I could make this check and redirection with a REST service.

For example, the first idea that comes to my mind is, in the body of join.html, with <body onload>, to run JavaScript that checks the access rights of the client by sending a JSON message to the REST service, let's say to localhost/services/access.

Then the service will return its answer, and if it is OK, the page will be loaded; if not, it will be redirected with window.location.href. Is this the way to decide the access rights to a web page with a REST service? Is there another common solution / practice?

Please again note that I am not asking how to secure my REST API etc., but:

How do I check access rights to my web pages with a REST service?

Mert Mertce

2 Answers

I think it's better to do authorization and authentication on the server side; the client side is not safe, since your code and logic are fully exposed and it's easy to fake a request.

Generally, on the server side, you could use an interceptor to intercept the request; in that interceptor, check the user's role and access rights, then decide whether to redirect the request (or send a 403 response) or serve the normal resource.

The implementation of the interceptor depends on which language you use on the server side.

For example, if you use Java (JAX-RS): http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#autoId0

If you use servlets, build a filter.

If you use Struts2, interceptors are directly supported, and with an app developed using Spring, you can use AOP to intercept a request.

If you use Node.js with Express, you could build a middleware that handles the auth logic.

Hope these will help :)

Updated:

The request flow is: get the request -> retrieve the client token (generally a cookie) -> find the user role according to that token -> check whether the role is allowed to access the resource -> serve the resource

ltebean
  • Thanks for the answer. I understand that a REST service is not appropriate for that kind of thing, right? So, let's say I use a servlet filter, for example, and it is in another project (.war) than my REST services. How do I know whether the user was authenticated using my REST services? (not using a database) Because although the client sends a token, cookie, or whatever to the servlet that it has taken from the REST service, the servlet would not be able to check this token, since it does not have the correct one. So, should I ask this of my REST service from within the servlet? This does not seem like good practice, right? – Mert Mertce May 12 '13 at 10:19
  • Access control should be bound into the REST service server; see my updated answer. – ltebean May 12 '13 at 10:42
  • But the thing I don't see is: the request is made to /pages/a.html, which is not a REST service. How do I interrupt this and use the REST service? – Mert Mertce May 12 '13 at 10:46
  • Got it! Your web project uses the REST service underneath, right? I think it's OK to ask the REST service for the user role from your web project, but the auth logic should be on the server side (using a filter to intercept the request to the HTML page, ask the REST service for access rights, and finally decide whether to serve the page). – ltebean May 12 '13 at 11:00
  • Yes! OK, so you are saying to ask the REST service from within the servlet, no? – Mert Mertce May 12 '13 at 11:20
  • Yes, send a request to the REST service from the servlet. – ltebean May 12 '13 at 11:26
  • Not useful. The request that is sent from the browser to the servlet is different from the one sent from the servlet to the web service to ask whether the user is authenticated. Many workarounds are necessary here. – Mert Mertce May 15 '13 at 09:33

You can send the token that is received from the REST API to the web server so that it saves it in the session object of the browser client.

Mert Mertce