1

I need some guidance with a task I've been assigned.

I have to create a Java web application which will provide some functionalities and create a REST API for all the user actions and also pass credentials both to the web page and the API (i.e. I need to ensure that the API gives data only to the correct user).

So, I implemented the REST services with Spring, but I'm not totally sure about how to pass the credentials. I mean, when I log in I send the user and password to the web page, but how can I pass them also to the API? I read a couple of SO posts suggesting OAuth, but I don't need to authenticate users from other applications. Is there any other option?

  • Since you're already using Spring, it shouldn't be too hard to just add [spring security](http://projects.spring.io/spring-security/) – azurefrog May 08 '14 at 17:46
  • Ah, thanks. Still learning this syntax :p – azurefrog May 08 '14 at 17:48
  • Hi @azurefrog, I'm already using Spring Security. My question is how can I send the credentials but not being logged in, i.e. just invoking the REST services from, for example, a main method in a Java class – user2514849 May 08 '14 at 17:49
  • So your methods are already annotated with the appropriate roles and whatnot? – azurefrog May 08 '14 at 17:52
  • @user2514849 I'm not clear about what you want. With Spring Security you configure what users are authorized to use your application. If you only want to use your API and send some "user" / "pass" parameters then you can add it to your service as simple parameter binding. You can check [this link](http://www.byteslounge.com/tutorials/spring-mvc-requestmapping-example). Is that what you want? – Federico Piazza May 08 '14 at 17:53
  • Hi @Fede, when I log in the application from a browser I pass the credentials, but what I want to know is how can I do it if I access the REST services, for example, from a separate Java application – user2514849 May 08 '14 at 17:59
  • I believe you can use the Jersey REST client and put the credentials in the "Authorization" header (or some custom header that only your application knows) and the request. The credentials could also be possibly encoded and encrypted for added security. You can add a Filter in your REST API which will look for this "Authorization" header in each request (or specific requests). I hope this is what you were looking for? – shahshi15 May 08 '14 at 18:01
  • Thanks @xmenymenzmen, but I have another question: can I also create a user interface to access the services with Jersey (for example, I have created some JSP pages, can I show the results through these pages)? Or is it just to define the services? – user2514849 May 08 '14 at 18:11
  • I think there is a very good explanation of how to accomplish this as an answer to this question: http://stackoverflow.com/questions/13916620/rest-api-login-pattern – pragmatical May 09 '14 at 20:17
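
The header-based approach discussed in the comments, as an added example that is not code from the thread or from Spring/Jersey: a stand-alone Java client sends HTTP Basic credentials in the `Authorization` header, and the server checks them on every request and returns only the caller's own data. It assumes JDK 11+, substitutes the JDK's built-in `HttpServer` for the Spring stack, and uses constructed accounts and a hypothetical `/api/me` path; Basic credentials are only Base64-encoded, so the plain-HTTP loopback URL here stands in for an HTTPS endpoint.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

public class BasicAuthDemo {
    // Constructed sample accounts; a real service checks a salted password hash in its user store.
    static final Map<String, String> USERS = Map.of("alice", "s3cret-a", "bob", "s3cret-b");

    static HttpServer startServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/api/me", exchange -> {
            // The authenticator has already run, so the principal is the verified caller.
            String user = exchange.getPrincipal().getUsername();
            byte[] body = ("{\"owner\":\"" + user + "\"}").getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (var out = exchange.getResponseBody()) { out.write(body); }
        }).setAuthenticator(new BasicAuthenticator("demo") {
            @Override public boolean checkCredentials(String user, String pass) {
                String expected = USERS.get(user);
                // Unknown users are rejected; known ones get a constant-time comparison.
                return expected != null && MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
            }
        });
        server.start();
        return server;
    }

    // Client side: what a separate Java application does on each call to the API.
    static HttpResponse<String> call(int port, String user, String pass) throws Exception {
        String token = Base64.getEncoder().encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create("http://127.0.0.1:" + port + "/api/me"))
                .header("Authorization", "Basic " + token).GET().build();
        return HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startServer();
        int port = server.getAddress().getPort();
        System.out.println(call(port, "alice", "s3cret-a").body());     // alice's own record
        System.out.println(call(port, "alice", "wrong").statusCode());  // rejected by the authenticator
        server.stop(0);
    }
}
```

The handler never reads a user name from the request body or query string; it uses only the principal the authenticator verified, which is what keeps one user from requesting another user's data.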

0 Answers