0

I am trying to write a RESTful web service in Java 8. I'm using Glassfish (Jersey and Grizzly)

Let's take the user resource.

http://localhost:8080/geocon/users

After I mapped the HTTP Verbs, I realised that, without a proper login strategy, everyone who knows an user ID (in this example I took 007 as userId) could call a DELETE to

http://localhost:8080/geocon/users/007

actually deleting the user with ID 007. Same as PUT verb, where anyone could overwrite old data with new - without any authorization. I am using Elasticsearch for storing users (and other types of resource) as JSON documents and I was wondering if I could still use it for storing password informations.

Considered that I don't mind using the basic HTTP authentication mechanism, how do I do it in practice? How could I check if an user is actually himself and has the permission to delete or refresh data refering to him? Thanks

Community
  • 1
  • 1
BlacK
  • 241
  • 7
  • 16
  • So basically I created another Elasticsearch type called "credentials" where are stored JSON with id and password inside. Now the thing is, I would like to use the basic http mechanism for sending user and password every time I "query" the web service. How? – BlacK Mar 15 '15 at 02:57
  • 1
    Check out some of the links [in this answer](http://stackoverflow.com/a/28271760/2587435). There's a link to the Java EE tutorial for implementing security in a webapp. There's also a link to a self-implementation of Basic Auth in a Jersy application. – Paul Samsotha Mar 15 '15 at 04:29

0 Answers0