
I'm trying to implement token authentication for a REST service based on Spring MVC.

I'm following this SO answer: https://stackoverflow.com/a/10864088/1061499 as a guideline, but now I need to understand some server-side details.

When a user is successfully authenticated (the first time via username + password) I return a token that stores some information. When the same user sends his token in a request header, I need to identify the associated user and determine if his "session" is still alive.

So there are basically two ways:

  1. encrypt the token with an algorithm (which one?) that I can also use to decrypt on the server side and extract the user information
  2. store the token-user association in the application DB, also storing the session info.

Most suggest the first solution, without storing any info about authentication in DB, but this solution seems to me less secure.

Any suggestion?

davioooh
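A worked version of the first option, added here as an example and not taken from the question or the linked answer: the token is signed with an HMAC rather than encrypted, since what the server must check is that the user id and expiry inside it were not altered, and HMAC-SHA256 is swapped in for the unspecified "algorithm" in the question. The class name SignedToken, the token layout, the secret and the timestamps are all assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not Spring code: token = base64url(userId:expiresAt) "." base64url(HMAC-SHA256).
public final class SignedToken {
    private static final String ALG = "HmacSHA256";
    private final byte[] secret; // server-only key; constructed by the caller here, load from config in practice
    public SignedToken(byte[] secret) { this.secret = secret.clone(); }

    public String issue(String userId, long expiresAtEpochSec) {
        String payload = userId + ":" + expiresAtEpochSec;
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(mac(payload));
    }

    // Returns the user id only if the MAC matches and the expiry has not passed; no DB lookup needed.
    public Optional<String> verify(String token, long nowEpochSec) {
        int dot = token.indexOf('.');
        if (dot < 0) return Optional.empty();
        byte[] payloadBytes, sig;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(token.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) { return Optional.empty(); }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        // Constant-time compare so response timing does not leak how much of the MAC matched.
        if (!MessageDigest.isEqual(mac(payload), sig)) return Optional.empty();
        int sep = payload.lastIndexOf(':');
        if (sep < 0) return Optional.empty();
        long expiresAt;
        try { expiresAt = Long.parseLong(payload.substring(sep + 1)); }
        catch (NumberFormatException e) { return Optional.empty(); }
        if (nowEpochSec >= expiresAt) return Optional.empty(); // the "session" is no longer alive
        return Optional.of(payload.substring(0, sep));
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(new SecretKeySpec(secret, ALG));
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    private static String b64(byte[] b) { return Base64.getUrlEncoder().withoutPadding().encodeToString(b); }
}
```

Call issue() after the password check and verify() from the filter that reads the header; the DB-backed second option is then only needed if a token must be revocable before its expiry, which a purely signed token cannot do.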
  • I am not sure, but if the client sends you a token (use a unique session_id) within the header then you don't need encryption and decryption; you can also store the session_id in the database. It is better to use a unique session_id for each user client for the token – nilesh virkar May 15 '15 at 09:55
  • I would recommend not rolling your own and instead using an existing implementation such as Spring Session, depending on your (unclear) exact requirements. – chrylis -cautiouslyoptimistic- May 18 '15 at 16:42
  • @chrylis thanks very much! I didn't know there was a Spring project about this. I'll take a look. – davioooh May 19 '15 at 08:05

0 Answers