
How to authenticate a REST web service GET call using web login page credentials

I have an app A (client), which makes a web-service GET call to app B (server). App B is using a web page authentication redirect for all these incoming web service GET request calls. AppB is processing the GET request something like:

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
{
    // code lines
    // ....
    String login_URL = "https://sometestsite.com/pagLogin";
    StringBuffer baseURL = request.getRequestURL();
    String query = request.getQueryString();
    String encReturnURL = URLEncoder.encode(baseURL.toString() + "?" + query, "UTF-8");
    String final_URL = login_URL + encReturnURL;
    Cookie[] cookies = request.getCookies();
    if ((cookies == null) || (cookies.length == 0))
    {
        // noCookieURL is defined elsewhere in the servlet (omitted above)
        response.sendRedirect(noCookieURL);
        return;
    }
    String cookieValue = null;

    for (int i = 0; i < cookies.length; i++)
    {
        Cookie thisCookie = cookies[i];
        String cookieName = thisCookie.getName();

        if (cookieName == null)
        {
            //logger.info("cookieName is null");
            continue; // skip it, otherwise cookieName.equals(...) below throws NullPointerException
        }
        //logger.info("cookieName is " + cookieName);

        if (cookieName.equals("myCookie"))
        {
            cookieValue = thisCookie.getValue();
            break;
        }
    }

    String ESEncrypt = esGatekeeper.esGatekeeper(cookieValue, "password");
    if (ESEncrypt satisfies some condition) {
        // construct output message and response
        String output = "{Some JSON message}";
        response.setContentType("application/json");
        response.getWriter().append(output);
    }
}

I am working on the appA (client) side, to make requests to appB (server). appA is a Java, REST, Spring Boot based micro-service.

Question: How can I successfully get through this authentication?

1) In appA I have tried using ApacheHttpClient and URLConnection to establish a connection to the URL https://sometestsite.com/pagLogin, and tried to send cookies to server appB using setRequestProperty("cookieName","value") on HttpURLConnection.

2) As appB uses sendRedirect in case no cookie exists, how (and is it a best practice) to send login credentials along with the GET request from appA to appB, so that appB can forward those details when it makes the sendRedirect call?

The setup seems to have implemented the OAuth2.0 Authorization Code grant type. In OAuth2.0 terminology, the server hosting the login page is called the "authorization server", the server hosting the API or any website requiring authentication is called the "resource server", and the application trying to consume the API is called the "client".

Now, if the "Client" acts on behalf of a user (consider an end user who wants to log into a web application), the setup you described is the right setup. Any one of the Authorization Code grant type, Implicit grant type and Resource Owner Password Credential grant type can be used, and each of them will redirect the user to a login page as you mentioned above.

But when the "Client" is not acting on behalf of any individual user (e.g. a batch job), as in your case, the grant type to be used is the Client Credential grant type. Here no redirection to a login page will happen. Instead the "client" will directly communicate with the "authorization server" with a client id and client secret, and the "authorization server" will return an access code. The client can then communicate with the API in the "resource server" with the access code (maybe through a cookie).

Refer to the Client Credential grant type description in the RFC 6749 OAuth2.0 specification for complete details.
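The exchange described in the answer, as an added example that is not part of the original post or of the asker's or answerer's code. It plays all three OAuth2.0 roles in one JDK 11+ process so it runs offline: a toy authorization server exposing a token endpoint on /oauth/token (RFC 6749 section 4.4, client authenticating with HTTP Basic), a toy resource server on /api/data that answers 401 instead of redirecting to a login page, and the client (appA) that obtains a token with grant_type=client_credentials and then calls the API with it as a Bearer token. The client id, client secret, paths and token lifetime are constructed placeholders; a real appA reads its credentials from configuration or a secret store and parses the token response with a JSON library.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ClientCredentialsDemo {

    // Constructed placeholder credentials for the demo only.
    static final String CLIENT_ID = "appA";
    static final String CLIENT_SECRET = "client-secret-placeholder";

    // Tokens issued by the toy authorization server (token -> expiry millis), shared with the toy resource server.
    static final Map<String, Long> issuedTokens = new ConcurrentHashMap<>();

    static void send(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", "application/json");
        ex.sendResponseHeaders(status, bytes.length);
        try (OutputStream os = ex.getResponseBody()) { os.write(bytes); }
    }

    static String basicCredentials() {
        return Base64.getEncoder().encodeToString((CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
    }

    // One in-process server that serves both OAuth roles on two paths (ephemeral port on loopback).
    static HttpServer startServers() throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);

        // Authorization server: token endpoint. The client authenticates itself, no user and no login page.
        server.createContext("/oauth/token", ex -> {
            String body = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8);
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            boolean clientOk = ("Basic " + basicCredentials()).equals(auth);
            if (!"POST".equals(ex.getRequestMethod()) || !clientOk || !body.contains("grant_type=client_credentials")) {
                send(ex, 401, "{\"error\":\"invalid_client\"}");
                return;
            }
            byte[] rnd = new byte[32];
            new SecureRandom().nextBytes(rnd);                     // opaque, unguessable token
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(rnd);
            issuedTokens.put(token, System.currentTimeMillis() + 300_000L);   // 5 minute lifetime
            send(ex, 200, "{\"access_token\":\"" + token + "\",\"token_type\":\"Bearer\",\"expires_in\":300}");
        });

        // Resource server: the API appB exposes. A missing, unknown or expired bearer token gets a plain 401,
        // so a non-interactive client sees a clear failure instead of being redirected to an HTML login page.
        server.createContext("/api/data", ex -> {
            String auth = ex.getRequestHeaders().getFirst("Authorization");
            String token = (auth != null && auth.startsWith("Bearer ")) ? auth.substring(7) : null;
            Long expiry = token == null ? null : issuedTokens.get(token);
            if (expiry == null || expiry < System.currentTimeMillis()) {
                ex.getResponseHeaders().set("WWW-Authenticate", "Bearer");
                send(ex, 401, "{\"error\":\"invalid_token\"}");
                return;
            }
            send(ex, 200, "{\"message\":\"hello appA\"}");
        });
        server.start();
        return server;
    }

    // Client (appA): obtain an access token with the client credentials grant.
    static String fetchToken(HttpClient http, String base) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(base + "/oauth/token"))
                .header("Authorization", "Basic " + basicCredentials())
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials"))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IllegalStateException("token request failed: " + resp.body());
        String body = resp.body();                                 // minimal extraction; use a JSON parser in real code
        int start = body.indexOf("\"access_token\":\"") + "\"access_token\":\"".length();
        return body.substring(start, body.indexOf('"', start));
    }

    // Client (appA): call the API, sending the token as a Bearer token when one is available.
    static HttpResponse<String> callApi(HttpClient http, String base, String token) throws Exception {
        HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(base + "/api/data")).GET();
        if (token != null) b.header("Authorization", "Bearer " + token);
        return http.send(b.build(), HttpResponse.BodyHandlers.ofString());
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startServers();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        HttpClient http = HttpClient.newHttpClient();
        try {
            System.out.println("without token: HTTP " + callApi(http, base, null).statusCode());
            String token = fetchToken(http, base);
            HttpResponse<String> ok = callApi(http, base, token);
            System.out.println("with token:    HTTP " + ok.statusCode() + " " + ok.body());
        } finally {
            server.stop(0);
        }
    }
}
```

The point to take from the toy resource server is the contrast with the servlet in the question: a machine client cannot follow an HTML login redirect, so an API meant for service-to-service calls should validate a credential carried in the request (here a Bearer token) and fail with 401 when it is absent or invalid, while the client obtains that credential from the authorization server with its own client id and secret rather than with a user's login.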
