
Securing REST API in JBoss

I'm developing a RESTeasy JSON API under JBoss AS 7.

I have another separate web-server.

I am developing with Java on the server side, and on the client side with JavaScript, jQuery, AJAX.

So, I have two distinct *war*s; let's say they can be accessed as follows:

  • https://localhost:8443/services
  • http://localhost:8080/web

Now I want to secure these two guys: the RESTeasy API and the web server.

Let me tell you about my structure:

  • I keep the users in the DB with username and password. These are the only users for now.
  • I have a login page to authenticate my users (I don't want the HTTP basic auth popup or any workaround for that).
  • The clients of the REST API are browsers (not the web server). The static page is loaded, and then some other dynamic things are loaded through the REST API, called from within the browser using jQuery, AJAX, whatever.
  • All communication can be over SSL/TLS, no problem.
  • For the future, scalability (clients other than web browsers, the ability to authenticate with social network logins, etc.) should be kept in mind.

My scenario is as follows:

  • The client is a browser.
  • The client wants to access a web page web/aaa.html which is restricted to authenticated users.
  • The client is redirected to the login page: web/login.html
  • The client fills in the form and sends it ... either,

    a) to the REST API, or

    b) to the web server,

    not sure (so, here you have an implicit question).

    But in any case, what a or b should do is the same:

    Check the username and password. Let's say they are checked and the user is authenticated.

  • From now on, I should have these two things at the same time:

    1- The client is authorized to navigate the restricted pages.

    2- The client will be authorized on REST API calls.

So, I need these two things to happen at the same time, after authenticating on the login page.

I have read lots of things about authorization in REST APIs, with tokens, keys, etc., and yes, I have also heard about Spring Security, Apache Shiro, etc.

And yes, I do not want to implement a new security framework on my own and I will use one. I imagine that some framework can produce/check tokens etc. for me.

Before Spring Security and Apache Shiro, I want to know about the RESTEasy Skeleton Key JBoss module.

There are these sources:

https://github.com/resteasy/Resteasy/tree/3.0.1.Final/jaxrs/examples/oauth2-as7-example

http://docs.jboss.org/resteasy/docs/3.0-beta-2/userguide/html/oauth2.html

But they didn't seem very explanatory to me, and I am also not sure if they are what I need.

Is there someone who knows how to configure Skeleton Key (or, in general, the JBoss application layer) and can give me a useful example to achieve what I've described, please?

Or could you give me some other advice/example to achieve my goal, especially noting that my question is about "how to implement"? I don't see where to begin.

Thanks in advance.

For securing REST services, we can use the following frameworks:

  • OAuth (Open source - RFC 6749)
  • Apigee
