Reputation: 14791
Okay, so time to build a web application using JBoss, RESTEasy as backend, and I wanted to go for some MVC front-end framework like Angular.js.
Never done this before, so here are a million questions:
Should I be using security roles in Java or have my own security authentication and declare my own roles?
J_security_check is weird, it only prompts you to log in if you try to access a forbidden resource. Then it reroutes you to the login page. How can I use this with Angular? Seems to me this can be a very messy rerouting game.
Message Digest is hardly any explanation, but seems to be the way to go, but I have no idea how to use it.
Can someone please try to explain to me the steps of how the authentication process should work when running RESTEasy and Angular, and how the communication should be between back end and front end during usage?
If I set up roles in the back end, how does Angular know what roles there are and what views to show? Do I have to send roles in each request and store them in a cookie? Or is the sessionID enough for the back end to keep track?
Everything is just messy in my head.
But this is what I think atm:
I'm in the dark here, please help.
Upvotes: 1
Views: 747
Reputation: 171
Since you are using a RESTful service in your back-end, I think it would be better to use token authentication instead of a cookie.
With a cookie, it wouldn't be stateless, and REST has to be stateless. You can find many options here.
For the roles management, after the user is authenticated, you can call a service from the back-end (with the token in the header) to get the roles. In Angular you can store them using a service, in localStorage or in sessionStorage. After that you don't have to send the roles in each request (only the token for the requests that have to be authenticated).
The steps would be:
In your back-end, you manage this by verifying the token if it's in the request's header. If it's invalid or totally absent, you send back a status code 401 Unauthorized. The front-end will then know that it has to display the login page.
Upvotes: 4
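The flow described in the answer above, as an added example that is not part of the original posts: a plain Node.js stand-in for the back end (not RESTEasy code) verifies an HMAC-signed token from the `Authorization` header on every request and answers 401 when it is missing or invalid, and the client maps the status code to a view. The `Bearer` scheme, the token format, the 403 for a missing role and all function names are assumptions of this example.

```javascript
const crypto = require('crypto');

// Constructed demo key; a real service loads its key from protected configuration.
const KEY = crypto.randomBytes(32);
const sign = (body) => crypto.createHmac('sha256', KEY).update(body).digest('hex');

// Issued once after a successful login: base64 claims plus an HMAC-SHA256 tag.
function issueToken(user, roles, ttlSeconds, now = Date.now()) {
  const claims = { user, roles, exp: now + ttlSeconds * 1000 };
  const body = Buffer.from(JSON.stringify(claims)).toString('base64');
  return `${body}.${sign(body)}`;
}

// Returns the claims, or null if the token is malformed, forged or expired.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const given = Buffer.from(parts[1]);
  const expected = Buffer.from(sign(parts[0]));
  // Constant-time comparison so the tag cannot be guessed byte by byte.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[0], 'base64').toString());
  return claims.exp > now ? claims : null;
}

// Back-end side (hypothetical handler): checked on every protected request.
// Roles are read from the verified token, never from data the client stored.
function handleRequest(headers, requiredRole, now = Date.now()) {
  const match = /^Bearer (.+)$/.exec(headers.authorization || '');
  const claims = match && verifyToken(match[1], now);
  if (!claims) return { status: 401 };
  if (requiredRole && !claims.roles.includes(requiredRole)) {
    return { status: 403 };
  }
  return { status: 200, body: { user: claims.user, roles: claims.roles } };
}

// Front-end side: the roles kept in the browser only decide what to display.
function nextView(response) {
  if (response.status === 401) return 'login';
  if (response.status === 403) return 'forbidden';
  return 'content';
}
```

Editing the roles held in `localStorage` changes only which views the browser renders; `handleRequest` still answers 401 or 403 because it trusts nothing but the signed token.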