
Before, I had asked a question: Access control to a page with REST service

But maybe I need to ask more briefly and more generally to get the idea.

I have a REST API. The client is a browser. "login" is also one of my REST services, where the user enters his credentials and is authenticated. Then the user begins navigating different pages.

Please note that I do not ask about REST API security, authentication/authorization etc.

The question is:

How do I check if the user was authenticated before, through the REST API, to see if the user has the right to view a particular web page? (The web server is based on Java.)

Thank you for any idea.

Edit:

I see that the question is understood as how to authorize with the REST API.

After authentication via the REST API, I'm not asking about the other requests to the REST API. I want to see that authentication in my web server, which is at another domain, isolated from the REST server. I imagine some workarounds; however, I would like to hear design alternatives. Isn't there anyone who has separated his web server and REST API? Is this totally wrong?

Mert Mertce

1 Answer


Authentication is whether a user can log into your application.
Authorization is whether a user has the rights to view a particular page.
I assume you are asking about authorization after authentication.
While handling the login POST request, you can create a session id (encrypted and time-bound) and set it in the response headers; then whenever that user sends another request, it should be part of the request headers, and on your server side you can check this session request header to authorize the user.

Vineet Singla
  • I have changed the title to "authorize", thanks for seeing that confusion. My doubt about your answer is: if I set the response header from the REST server, would the browser also send it to the web server (another domain)? Or just to the REST server, or should I explicitly do that? – Mert Mertce May 15 '13 at 10:31
  • See, when you set the session id in the response headers, it will be passed to the client web server as the REST response; you need to do something like response.getheaders(). Then the user/client has to retrieve this header information and send it in his next request. – Vineet Singla May 15 '13 at 10:39
  • Then I need to add a custom header for every page request, but it does not seem possible if it is not an AJAX request (a simple link, for example). – Mert Mertce May 15 '13 at 11:11
  • Yes, you add a custom header; it is possible everywhere you are creating a request to send it. – Vineet Singla May 15 '13 at 11:21
  • Here it says that it is not possible in simple links: http://stackoverflow.com/questions/15835783/adding-http-request-header-to-a-a-href-link – Mert Mertce May 15 '13 at 11:30
  • What language are you using for the REST server? Let me explain to you. – Vineet Singla May 15 '13 at 11:31
  • JBoss RestEasy. So it is also Java. But my problem is not with sending a request to the REST server, but with sending the info that you've suggested in the header (the session id, token or whatever) while simply navigating pages, clicking on links. – Mert Mertce May 15 '13 at 11:37
  • Oh ok. If you want to send this as part of the href, then you can also put it as a POST request attribute or URL rewrite. I was suggesting an HTTP header for HTTP requests coming from clients, not for internal navigations. – Vineet Singla May 15 '13 at 11:50
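As an added example (not code from either poster, and in Python rather than the Java stack discussed so it runs stand-alone), here is the answer's "encrypted and time-bound session id" realized as an HMAC-signed, expiring token: signed rather than encrypted, so the user name stays readable but cannot be forged. The web server on the other domain only needs the shared SECRET to verify it, so it can authorize page requests without calling the REST server, and the token can arrive in a header or, as the last comment suggests, a URL parameter. SECRET, the token format and the TTL are assumptions.

```python
"""Time-bound, HMAC-signed session token that an isolated web server can verify
without calling back to the REST server: both sides only share SECRET.
Constructed example; assumed secret, format and TTL."""
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"replace-with-a-long-random-shared-secret"  # assumed: configured on both servers
DEFAULT_TTL = 15 * 60  # seconds a token stays valid


def _sign(payload: bytes) -> str:
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode("ascii")


def mint_token(user: str, now: Optional[float] = None, ttl: int = DEFAULT_TTL) -> str:
    """Issued by the REST 'login' service once the credentials check out.
    Wire format: base64url(user).expiry_epoch.signature (user is encoded so it may contain '.')."""
    expires_at = int(now if now is not None else time.time()) + ttl
    user_b64 = base64.urlsafe_b64encode(user.encode()).rstrip(b"=").decode("ascii")
    payload = f"{user_b64}.{expires_at}"
    return f"{payload}.{_sign(payload.encode())}"


def verify_token(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Run by the web server on every page request (header, cookie or URL parameter).
    Returns the user name if the signature is authentic and the token is unexpired, else None."""
    if not token:
        return None
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_b64, expiry_str, sig = parts
    payload = f"{user_b64}.{expiry_str}"
    # Constant-time comparison of the whole tag, so a forger learns nothing from timing.
    if not hmac.compare_digest(_sign(payload.encode()).encode(), sig.encode()):
        return None
    if not expiry_str.isdigit():
        return None
    if int(expiry_str) <= int(now if now is not None else time.time()):
        return None  # time-bound: a leaked old token stops working on its own
    pad = "=" * (-len(user_b64) % 4)
    return base64.urlsafe_b64decode(user_b64 + pad).decode()
```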