
I'm developing a web application (servlets, JSP) with REST services using JAX-RS. In the web application UI I'm calling these web services through a JAX-RS client with the help of servlets (the servlets call the JAX-RS client, and the client in turn calls the web services). In parallel, I'm exposing these web services.

Now I'm trying to add authentication and authorization such that when calls are made to these web services through the web UI (HTML, servlets, JAX-RS client) there should not be any checking, but when calls are made to the web services directly through a browser URL or some plugin like Advanced REST Client or Postman, it should show an authentication error. How can I achieve this?

In short: how do I differentiate direct web service calls from UI calls made to these web services?

Thanks in advance

king934324
  • Basically: you can't. A Postman request can be set up to be exactly the request a particular browser would send. Push comes to shove, it's a request coming from a particular client machine; you can't control what piece of software on that client machine sent the request. Nor should you care: you want to authenticate and authorise the client, not the software. – Gimby Aug 01 '16 at 11:16
  • Possible duplicate of [How can I get client infomation such as OS and browser](http://stackoverflow.com/questions/1326928/how-can-i-get-client-infomation-such-as-os-and-browser) – Raedwald Aug 03 '16 at 07:08

1 Answer


If I understand correctly, you want to differentiate "internal" calls that originate from within the system from "external" calls coming from the Internet.

What you can do is add HTTP basic authentication. It is basically an HTTP header that contains user + password that are verified when the HTTP request arrives at the web server. The servlets that initiate calls to the REST services can add the HTTP header with predefined credentials. Not only does this provide authentication, you can then set different authorization levels for different users.

There are several libraries that support this feature (authentication + authorization). I am using Apache Shiro, and it also contains session management in the form of cookies.

Note: You should be aware that the HTTP basic authentication header is not encrypted. It relies on a secure HTTP connection (i.e. HTTPS) for security.

EDIT: following a question in a comment: Although it is not officially supported, you can have multiple URI paths that point to the same REST service (effectively as if specifying multiple @Path annotations on the same class or method). The trick is to utilize regular expressions; see this question for details: Can we have more than one @Path annotation for same REST method

So, assuming you have /path1 and /path2 that point to the same REST service, you can define the authentication filter to be invoked only on /path1.

Sharon Ben Asher
  • Thanks sharonbn, that answers my question. – king934324 Aug 01 '16 at 11:50
  • As of now I'm using servlet filters for basic authentication, so whatever call I make, whether it's a web service call from the browser or a button click in the UI, control goes to this filter. The problem is that if I call from any plugin (Postman, etc.) I can add the username and password in the header and do authentication, but if the call is made internally (a button click in the UI, etc.) then I don't have this Authorization header in the request (e.g. when I'm trying to log in to the application). How do I handle this issue? @sharonbn – king934324 Aug 01 '16 at 12:05
  • First of all, you can add the header to the login page using a simple JS script. If you wish to have no header, you can have multiple paths point to the same service but apply the filter only to one of them. – Sharon Ben Asher Aug 01 '16 at 14:12
  • Could you please elaborate on "multiple paths point to the same service but apply the filter only to one of them"? – king934324 Aug 02 '16 at 05:49
  • I'm referring to this Stack Overflow question for my question. But the problem is that instead of triggering a servlet from the dispatcher I have to call the REST API, and also how can I take care of this infinite loop? Is there any way I can achieve this? http://stackoverflow.com/q/2725102/5615132 – king934324 Aug 03 '16 at 15:47
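The two-path layout from the answer and its follow-up comments, with the Basic-auth check bound to only one of the paths, as an added JAX-RS 2.0 example that is not code from the question or the answer. The path names, class names and the placeholder credential are assumptions; a name-binding annotation replaces the regular-expression trick so the filter runs only on the method that carries it.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.ws.rs.*;
import javax.ws.rs.container.*;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Name-binding annotation: only resource methods carrying it pass through the filter.
@NameBinding @Retention(RetentionPolicy.RUNTIME)
@interface BasicAuthRequired {}

@Provider @BasicAuthRequired
public class BasicAuthFilter implements ContainerRequestFilter {
    // Constructed placeholder credential; a real deployment loads it from a secret store.
    private static final byte[] EXPECTED = "svc-user:s3cret".getBytes(StandardCharsets.UTF_8);

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        byte[] presented = null;
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try { presented = Base64.getDecoder().decode(header.substring(6).trim()); }
            catch (IllegalArgumentException malformed) { /* treated as no credential */ }
        }
        // Constant-time comparison so timing does not reveal how much of the secret matched.
        if (presented == null || !MessageDigest.isEqual(presented, EXPECTED)) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"rest\"").build());
        }
    }
}

// Two paths to the same logic: /api/items is bound to the filter, /ui/items (the path the
// servlets' JAX-RS client calls) is not. Both are reachable by any client that knows the URL.
@Path("/")
class ItemsResource {
    private String items() { return "[\"a\",\"b\"]"; }

    @GET @Path("api/items") @BasicAuthRequired
    public String external() { return items(); }

    @GET @Path("ui/items")
    public String internal() { return items(); }
}
```

As Gimby's comment points out, nothing here stops a Postman request from hitting /ui/items, so the unfiltered path still has to be restricted at the network or container level to the host the servlets run on. The servlet-to-service hop should also run over HTTPS, since the Basic header is only base64-encoded, as the answer notes.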