Michael

Reputation: 42050

User authentication for web services in Java

Suppose I have a simple Java server application, which implements a few web (REST) services. The application is deployed as a WAR in Tomcat. Now I would like to add user authentication as follows:

Does this approach make any sense? Is there any "ready-to-use" implementation of this approach in Java?

Upvotes: 1

Views: 1066

Answers (4)

Ben Burns

Reputation: 15206

There are a ton of ways to skin this cat. First, you probably want to use digest authentication or SSL form-based authentication, since relying on a client-side hash can be subjected to replay attacks.

My recommendation would be to use Spring Security. Take a look at this example of HTTP digest authentication.

Another way might be to use the servlet container to accomplish this for you. Take a look here for both digest and form-based auth techniques.

Also, you should really read up on proper password storage techniques for web applications. Make sure you're using a sufficiently complex (aka slow) hashing algorithm like bcrypt and give each password a unique salt. Finally, make sure the transport of credentials is secure, either by using HTTP digest authentication (alright), or by using SSL form-based authentication (better).

Upvotes: 1
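As an added illustration of the password-storage advice in this answer (example code written for this page, not from the answer's author or from Spring Security itself): bcrypt with a per-password random salt via Spring Security's BCryptPasswordEncoder. It assumes the spring-security-crypto jar is on the classpath; the class and method names PasswordStore, register, verify and hashFor, and the in-memory user table, are hypothetical stand-ins for the application's own user database.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Hypothetical user store: maps a username to its bcrypt hash string.
// In a real deployment the map would be a table column in the database.
public class PasswordStore {

    // Work factor 12: each hash costs 2^12 key-expansion rounds, which is
    // deliberately slow so that offline guessing against a leaked table
    // is expensive while a single login stays affordable.
    private static final int WORK_FACTOR = 12;

    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(WORK_FACTOR);

    // A valid hash of an unrelated constructed value, used only to keep the
    // timing of "unknown user" the same as "wrong password".
    private final String dummyHash = encoder.encode("constructed-dummy-value");

    private final Map<String, String> hashes = new HashMap<>();

    // Stores a new credential. encode() draws a fresh random salt for every
    // call and embeds it in the output string, so no separate salt column
    // is needed and two users with the same password get different hashes.
    public void register(String user, char[] password) {
        hashes.put(user, encoder.encode(new String(password)));
    }

    // Checks a login attempt. matches() re-reads the salt and work factor
    // from the stored string, recomputes the hash and compares the result.
    public boolean verify(String user, char[] password) {
        String stored = hashes.get(user);
        if (stored == null) {
            // Unknown user: still run a full bcrypt comparison so the response
            // time does not reveal which usernames exist.
            encoder.matches(new String(password), dummyHash);
            return false;
        }
        return encoder.matches(new String(password), stored);
    }

    // Exposed only so the demonstration below can show that salts differ.
    public String hashFor(String user) {
        return hashes.get(user);
    }

    public static void main(String[] args) {
        PasswordStore store = new PasswordStore();
        store.register("alice", "correct horse battery staple".toCharArray());
        store.register("bob",   "correct horse battery staple".toCharArray());

        System.out.println("alice, right password: "
                + store.verify("alice", "correct horse battery staple".toCharArray()));
        System.out.println("alice, wrong password: "
                + store.verify("alice", "wrong".toCharArray()));
        System.out.println("unknown user: "
                + store.verify("carol", "anything".toCharArray()));

        // Same password for two users still yields two different stored
        // strings, because each encode() call used its own random salt.
        System.out.println("alice and bob share a hash: "
                + store.hashFor("alice").equals(store.hashFor("bob")));
    }
}
```

The stored string carries the algorithm version, work factor and salt in front of the hash, so raising the work factor later only requires re-hashing on the next successful login; older entries still verify. The hash itself must still travel over TLS at login time, which is the transport point the answer makes separately.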

Adam Dyga

Reputation: 8896

Yes, there are a lot of existing good authentication solutions, from BASIC (via SSL), OAuth, Kerberos, Spring Security etc. I suggest doing some research on the WS-Security topic, as there are many layers (container, filters, application itself) where the authentication can take place.

Upvotes: 1

amamede

Reputation: 50

Use a RESTful framework like Jersey, for example. But for authentication you must implement session management with request filters. As for user management, you should use a database like MySQL.

Upvotes: 1

alex.p

Reputation: 2739

Spring Security? This is a non-intrusive way of securing web apps and very flexible in how the data can be stored - i.e. a plain text file, XML or a database of usernames and passwords.

Upvotes: 3
