
Keep Authentication enabled in REST services

So the problem is: I've developed REST services in Jersey, that run on Glassfish. For authentication, I implemented Basic-Authentication. On the client side, I implemented authentication through ApacheHTTPClient.

My idea is just to ask for authentication when a registered user enters - like a Login. Is that configured in the Client Application (to keep the authentication valid until the user logs out), or in the REST services, where I configured the Basic-Authentication?

Thanks!


This is how I'm doing the Login on the Client App:

import java.util.ArrayList;
import java.util.List;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.util.EntityUtils;

public class UserLogin {

    private static final String BASE_URI = "http://localhost:8080/LULServices/webresources";

    public static void main(String[] args) throws Exception {

        final DefaultHttpClient httpclient = new DefaultHttpClient();

        try {
            // Basic-Auth credentials, scoped to the Glassfish host and port only
            httpclient.getCredentialsProvider().setCredentials(
                    new AuthScope("localhost", 8080),
                    new UsernamePasswordCredentials("zzzzz", "xxxxx"));

            HttpPut httpPut = new HttpPut(BASE_URI + "/services.users/login");
            HttpConnectionParams.setConnectionTimeout(httpclient.getParams(), 10000);

            // UrlEncodedFormEntity sets its own Content-Type
            // (application/x-www-form-urlencoded); adding a "multipart/form-data"
            // header by hand would contradict the body actually sent.
            List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
            nameValuePairs.add(new BasicNameValuePair("login", "zzzzz"));
            nameValuePairs.add(new BasicNameValuePair("password", "xxxxx"));
            httpPut.setEntity(new UrlEncodedFormEntity(nameValuePairs));

            System.out.println("Executing request " + httpPut.getRequestLine());
            HttpResponse response = httpclient.execute(httpPut);

            try {
                HttpEntity entity = response.getEntity();

                System.out.println("----------------------------------------");
                System.out.println("HTTP Status: " + response.getStatusLine());

                String putResponse = EntityUtils.toString(entity);
                System.out.println(putResponse);
                EntityUtils.consume(entity);
            } finally {
                httpPut.releaseConnection();
            }
        } finally {
            httpclient.getConnectionManager().shutdown();
        }
    }
}

It returns to the user his secret_id.

As mentioned by Darrel Miller, REST based services should be stateless. But to help you solve your current issue, I would suggest using an auth token and a refresh policy.

Description: After every successful authentication your server can return a unique 27 [any length you want] digit string. This token may or may not have an expiry policy [depends on what you want]. So for subsequent authentications [when the client application has an auth token] you can actually provide a new auth token and invalidate the previous one.

Additionally for every other API call you can send this auth token to validate whether the request is from an authenticated source or not. Now when the user logs out of the application you can simply remove the auth token from the client side.

Next time the user returns to the application, the app will not have an auth token and can be redirected to the login screen.
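One way to implement the issue / rotate / validate / revoke cycle this answer describes, as an added example that is not code from the question or from either answer. The class name AuthTokenStore, its method names, the 32-byte random token and the choice to store only a SHA-256 hash of each token (so a leaked store does not leak live tokens) are assumptions; the Jersey filter that would call validate() on each request is not shown.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side token store: one live token per user, rotated on each login, expiring after a TTL. */
public class AuthTokenStore {
    private record Session(String user, Instant expiresAt) {}
    private final Map<String, Session> byTokenHash = new ConcurrentHashMap<>(); // keyed by SHA-256 of the token
    private final Map<String, String> liveHashByUser = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final Duration ttl;
    public AuthTokenStore(Duration ttl) { this.ttl = ttl; }

    /** After a successful Basic-Auth login: issue a fresh random token and invalidate the user's previous one. */
    public String issue(String user) {
        byte[] raw = new byte[32];                          // assumed length: 256 bits of SecureRandom output
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        String hash = sha256(token);
        String previous = liveHashByUser.put(user, hash);
        if (previous != null) byTokenHash.remove(previous); // the old token stops validating at once
        byTokenHash.put(hash, new Session(user, Instant.now().plus(ttl)));
        return token;                                       // the plaintext token exists only in the response
    }

    /** For every other API call: returns the user if the presented token is live and unexpired. */
    public Optional<String> validate(String token) {
        Session s = byTokenHash.get(sha256(token));
        if (s == null) return Optional.empty();
        if (Instant.now().isAfter(s.expiresAt())) { revoke(token); return Optional.empty(); }
        return Optional.of(s.user());
    }

    /** Logout: drop the token server-side too, so a copy left on the client is useless. */
    public void revoke(String token) {
        String hash = sha256(token);
        Session s = byTokenHash.remove(hash);
        if (s != null) liveHashByUser.remove(s.user(), hash);
    }

    private static String sha256(String s) {
        try { return Base64.getUrlEncoder().withoutPadding().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8))); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

The login resource calls issue() after Basic-Auth succeeds and returns the token; a request filter calls validate() on the token header of every other call and rejects the request with 401 when it returns empty.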

REST based services should be stateless. Ideally, there should be no notion of login on the server. You can simulate login/logoff on the client by deciding whether to send the authn header or not.
