
So I used the answer to this question as my tutorial for token-based authentication. But I still have a problem with setting up the authorization header.

In my authenticateUser method I tried to set up a bearer header, here's the code

@POST
@Path("/users/authentication")
@Produces("application/json")
@Consumes("application/x-www-form-urlencoded")
public Response getUsers(@FormParam("username") String username,
        @FormParam("password") String password) {
    try {
        if (userDao.existUser(username, password)) {
            User uUser = new User(userDao.getUser(username, password));
            uUser.setToken(userDao.issueToken());
            uUser.setTokenExpDate();
            userDao.updateUser(uUser);
            // The token goes into the body and is also set as a header on the *response*.
            Response response = Response.ok(userDao.getUser(uUser.getId()).getToken())
                    .header(HttpHeaders.AUTHORIZATION, "Bearer " + userDao.getUser(uUser.getId()).getToken())
                    .build();
            System.out.println(response.getHeaderString(HttpHeaders.AUTHORIZATION));
            return response;
        }
    } catch (Exception e) {
        return Response.status(Response.Status.UNAUTHORIZED).build();
    }
    // Unknown user or wrong password: reject instead of returning null.
    return Response.status(Response.Status.UNAUTHORIZED).build();
}

As you can see I'm setting it on the response variable and it's there. But once I go to a secured method and my AuthenticationFilter activates, I find out that the header that I get from requestContext is null. How do I send the token to this header properly in this situation? Here's my full code

Fubundzer

1 Answer

The header must be included by the client, not by the server. The general flow is this:

1) The client authenticates in your service with credentials, then the server builds a token and returns it to the client, which stores the token in a secure storage.

2) The client performs a request and includes the token in the header.

POST /yourservice
Authorization: Bearer thetoken

3) The server checks the header, extracts the token and validates it.

pedrofb
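The three-step flow from the answer, as an added example (not code from the question or the answer): it shows that the secured endpoint only sees a token the client puts on its own request. The JDK's built-in HttpServer and HttpClient stand in for the JAX-RS service and its client; the /login and /secured paths, the in-memory token set and the skipped credential check are assumptions made for the demo.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class BearerFlowDemo {
    // Hypothetical in-memory token store, standing in for the question's userDao.
    static final Set<String> ISSUED = ConcurrentHashMap.newKeySet();

    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, b.length);
        try (var os = ex.getResponseBody()) { os.write(b); }
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        // Step 1, server side: issue a random token in the response body
        // (the username/password check is omitted in this demo).
        server.createContext("/login", ex -> {
            byte[] raw = new byte[32];
            new SecureRandom().nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            ISSUED.add(token);
            reply(ex, 200, token);
        });
        // Step 3: read the REQUEST header, extract the token, validate it.
        server.createContext("/secured", ex -> {
            String h = ex.getRequestHeaders().getFirst("Authorization");
            boolean ok = h != null && h.startsWith("Bearer ") && ISSUED.contains(h.substring(7));
            reply(ex, ok ? 200 : 401, ok ? "hello" : "unauthorized");
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        HttpClient client = HttpClient.newHttpClient();
        var text = HttpResponse.BodyHandlers.ofString();
        // Step 1, client side: authenticate and keep the returned token.
        String token = client.send(HttpRequest.newBuilder(URI.create(base + "/login"))
                .POST(HttpRequest.BodyPublishers.noBody()).build(), text).body();
        // No header on the request: the server reads null, as in the question.
        int noHeader = client.send(HttpRequest.newBuilder(URI.create(base + "/secured")).build(), text).statusCode();
        // Step 2: the client adds the header to its own request.
        int withHeader = client.send(HttpRequest.newBuilder(URI.create(base + "/secured"))
                .header("Authorization", "Bearer " + token).build(), text).statusCode();
        System.out.println("no header: " + noHeader + ", with header: " + withHeader);
        server.stop(0);
    }
}
```

It runs on JDK 11 or later with `java BearerFlowDemo.java`. In the JAX-RS service from the question, the /secured handler corresponds to the AuthenticationFilter reading the same header from requestContext.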