
I have spent a couple of days following a few issues, but I cannot find the solution.

I have followed these questions: Custom JAX-RS authorization - using JWT in each request and

Best practice for REST token-based authentication with JAX-RS and Jersey

but I do not understand how to use filters.

I need to create a token for an Android app to use the resources of my web service.

Can't I just create a token and send it?

I'm using jjwt https://github.com/jwtk/jjwt, and I think this is right; a piece of code:

    import javax.ws.rs.Consumes;
    import javax.ws.rs.FormParam;
    import javax.ws.rs.POST;
    import javax.ws.rs.Produces;
    import javax.ws.rs.core.Response;
    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;

    @POST
    @Produces("application/json")
    @Consumes("application/x-www-form-urlencoded")
    public Response authenticateUser(@FormParam("username") String username,
                                     @FormParam("password") String password) {
        try {
            // Authenticate the user using the credentials provided
            // authenticate(username, password);

            // Issue a token for the user. In jjwt 0.x the String overload of signWith()
            // is read as a base64-encoded secret; "pepe" is a short hard-coded placeholder key.
            String compactJws = Jwts.builder()
                    .setSubject(username)
                    .signWith(SignatureAlgorithm.HS512, "pepe")
                    .compact();

            // Return the token in the response body
            return Response.ok(compactJws).build();
        } catch (Exception e) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
    }

If anyone can help me, thanks...

If anyone can answer me in Spanish, even better.

PS: Sorry if I asked the question wrongly, I'm new on Stack Overflow... and sorry for my English.

Matias Blanco

2 Answers


The code you have provided is valid to issue a new token for a web application (it uses application/x-www-form-urlencoded), but for an Android application it would probably be more appropriate to send the credentials as a JSON POST or in an Authorization header.

After this, the client application receives the token, stores it and needs to include the JWT in every request to the server. You can include the token in the headers or in a request parameter. The server must validate the token signature, and other fields like sub (the userId) and exp (expiration time).

Using a filter, like the AuthenticationFilter provided in the example, simplifies the authentication process. It can intercept all the requests and perform the validation in a single point. If not, you would have to validate the JWT in each method of your business logic.

If you have doubts about how to configure the filters, I suggest posting a specific question on SO.

pedrofb
  • Thank you @pedrofb, now I understand why to consume JSON and not application/x-www-form-urlencoded. But I made the app in Android that sends username and password, and on receiving the response I print it and I see the token. – Matias Blanco Jul 28 '16 at 12:59

I am the author of the answer about token-based authentication in JAX-RS. This authentication method can be summarized in the following steps:

Exchanging hard credentials for a token

No filters are required to do it. You should have an endpoint (a JAX-RS resource method) to perform the authentication using hard credentials (like username and password). If the credentials are valid, the endpoint is going to issue a token that will be sent to the client in the response payload. The client must send this token in the Authorization header of each request.

The endpoint that issues the tokens must not be protected, that is, no authentication must be required to access it. Once you have an Android application as client, I think you will find it better to consume application/json instead of application/x-www-form-urlencoded. My answer provides details on how to do it.

Validating the token

Here the authentication filter comes into play. When using filters to validate the tokens, you can keep your endpoints lean and business focused.

The idea behind the filter is to intercept the requests to protected resources, extract the token from the Authorization header and validate it. If the token is valid, the request will proceed to the requested endpoint. If the token is invalid, the request will be aborted.

Besides the authentication filter, you can have other filters to perform authorization, for example. In the authentication filter, you must check if the token is valid and then find the user you issued the token for. In the authorization filter, you must ensure the user has enough permissions to access the requested resource. Other filters can be created according to your needs.

cassiomolin
  • Thanks, I'm beginning to understand. I will work on it; if I have problems I will detail them better. Thank you very much. – Matias Blanco Jul 28 '16 at 12:52
  • @MatiasBlanco If you need any additional information, let me know. – cassiomolin Jul 28 '16 at 12:55
  • Hello @Cássio Mazzochi Molin, I received an error: Advertencia: StandardWrapperValve[jersey-serlvet]: Servlet.service() for servlet jersey-serlvet threw exception java.lang.ClassNotFoundException: com.auth0.jwt.JWTSigner But I have these imports: import com.auth0.jwt.JWTSigner; import com.auth0.jwt.JWTVerifier; import com.auth0.jwt.JWTVerifyException; My method for auth: http://pastebin.com/1zXYGQ2H My class Token: http://pastebin.com/h5qPkvg9 Can you help me? Best regards. – Matias Blanco Jul 28 '16 at 22:06
  • @MatiasBlanco Please consider asking a new question. – cassiomolin Jul 28 '16 at 22:54
  • Ahhh, ok. I will make a new question. Thx. – Matias Blanco Jul 28 '16 at 23:03
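Both answers describe the same two-step flow: an unprotected endpoint that exchanges username/password (sent as JSON) for a signed token carrying sub and exp, and a ContainerRequestFilter that reads the Authorization header, verifies the signature and expiry, aborts with 401 otherwise, and exposes the authenticated user to later filters and resources. The following is an added example written for this page; it is not code from either answer, from the asker, or from the jjwt project. It assumes JAX-RS 2.0 (javax.ws.rs), the jjwt 0.x API the question uses (Jwts.builder / Jwts.parser().setSigningKey), a JSON provider such as Jackson registered so the Credentials bean is deserialised, and Java 8 or later. The @Secured name-binding annotation, the class names, the /authentication and /profile paths, the 30-minute token lifetime and the checkCredentials placeholder are all choices made here, not anything the page specifies. The types are shown together for brevity; in a project each would normally live in its own file.

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.annotation.Priority;
import javax.crypto.KeyGenerator;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// Shared HMAC key. Generated at startup to keep this example self-contained; in a real
// deployment load it from configuration so tokens survive restarts and all instances share it.
final class JwtKey {
    static final Key KEY;
    static {
        try {
            KEY = KeyGenerator.getInstance("HmacSHA512").generateKey();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    private JwtKey() {}
}

// Name binding: only resources marked @Secured pass through the filter, so the
// token-issuing endpoint below stays unauthenticated, as cassiomolin's answer requires.
@NameBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Secured {}

// Step 1: exchange hard credentials (JSON body) for a token with sub, iat and exp.
@Path("/authentication")
class AuthenticationEndpoint {
    static final class Credentials {   // JSON: {"username": "...", "password": "..."}
        public String username;
        public String password;
    }

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response authenticateUser(Credentials credentials) {
        if (credentials == null || !checkCredentials(credentials.username, credentials.password)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        Date expiry = new Date(System.currentTimeMillis() + TimeUnit.MINUTES.toMillis(30));
        String token = Jwts.builder()
                .setSubject(credentials.username)
                .setIssuedAt(new Date())
                .setExpiration(expiry)
                .signWith(SignatureAlgorithm.HS512, JwtKey.KEY)
                .compact();
        return Response.ok("{\"token\":\"" + token + "\"}").build();
    }

    // Placeholder (hypothetical): look the user up in your store and compare a password hash.
    private boolean checkCredentials(String username, String password) {
        return username != null && !username.isEmpty() && password != null && !password.isEmpty();
    }
}

// Step 2: intercept requests to @Secured resources and validate the bearer token.
@Secured
@Provider
@Priority(Priorities.AUTHENTICATION)
class AuthenticationFilter implements ContainerRequestFilter {
    private static final String SCHEME = "Bearer";

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        // Scheme name is case-insensitive; anything other than "Bearer <token>" is rejected.
        if (header == null || !header.regionMatches(true, 0, SCHEME + " ", 0, SCHEME.length() + 1)) {
            abort(ctx);
            return;
        }
        String token = header.substring(SCHEME.length()).trim();
        final String username;
        try {
            // parseClaimsJws verifies the HS512 signature against our key, rejects unsigned
            // tokens, and throws ExpiredJwtException once exp has passed.
            Claims claims = Jwts.parser().setSigningKey(JwtKey.KEY).parseClaimsJws(token).getBody();
            username = claims.getSubject();
            if (username == null || username.isEmpty()) {
                abort(ctx);
                return;
            }
        } catch (JwtException | IllegalArgumentException e) {
            abort(ctx);   // malformed, tampered, expired or empty token
            return;
        }
        // Publish the authenticated user for resources and any later authorization filter.
        SecurityContext current = ctx.getSecurityContext();
        final boolean secure = current != null && current.isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return () -> username; }
            @Override public boolean isUserInRole(String role) { return false; } // map roles per user here
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return SCHEME; }
        });
    }

    private static void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, SCHEME + " realm=\"example\"")
                .build());
    }
}

// A protected resource: reached only when the filter above accepted the token.
@Path("/profile")
@Secured
class ProfileResource {
    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String me(@Context SecurityContext sc) {
        return "Hello " + sc.getUserPrincipal().getName();
    }
}
```

Register the three JAX-RS components with the application (for Jersey, via ResourceConfig or classpath scanning). A client then POSTs {"username":"...","password":"..."} to /authentication, stores the returned token, and sends Authorization: Bearer <token> on every call to /profile; a missing, altered or expired token never reaches the resource method, which is the point of doing the check in one filter rather than in every method. An authorization filter, as cassiomolin's answer suggests, would run after this one at Priorities.AUTHORIZATION and use ctx.getSecurityContext().getUserPrincipal() to decide whether the user may access the resource.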