
Login authentication using angular + java rest api

I have been trying hard to work this out for login authentication using Angular as the client and Jersey exposed as a REST web service at the backend.

Here is what I have achieved over the last three days.

Angular code to capture email and password:

// The module "myApp" is assumed to be defined elsewhere, e.g.
// var myApp = angular.module('myApp', []);
myApp.controller('loginController', ['$scope', '$http', function($scope, $http) {
    $scope.email = "";
    $scope.password = "";

    $scope.loginForm = function() {
        alert("login controller called");
        console.log($scope.email);
        console.log($scope.password);
        // Form-encode the two fields so Jersey's @FormParam can bind them
        var encodedString = 'email=' +
                encodeURIComponent($scope.email) +
                '&password=' +
                encodeURIComponent($scope.password);
        $http({
            method: 'POST',
            url: 'rs/loginResource',
            data: encodedString,
            headers: {'Content-Type': 'application/x-www-form-urlencoded'}
        }).then(function(response) {
            console.log('login request succeeded, status ' + response.status);
        }, function(response) {
            console.log('login request failed, status ' + response.status);
        });
    };
}]);

Java REST code:

import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

@Path("/loginResource")
public class LoginResource {

    public LoginResource() {
    }

    // Jersey binds the two form fields posted by the Angular controller
    @POST
    @Consumes("application/x-www-form-urlencoded")
    public void login(@FormParam("email") String email,
            @FormParam("password") String password) {
        System.out.println("Email is: " + email);       //prints output
        System.out.println("Password is: " + password); //prints output
    }
}

And now my question is where to go from here after getting the POST data from the form submit. As you can see I am just printing the values, but I would like to check the email and password against the database (Oracle). How would I go about it? Shall I use a simple connection class and DAO, or go for JPA, which I haven't learned yet? What is the learning curve for it?

Is there any design pattern involved? Usually I use DAO and POJO if it's plain Java, but I am new to REST APIs and also struggling with Angular. I hardly find any examples on vanilla Java + Angular; most of them are based on Spring + Angular.
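One way to take the resource above from printing the values to checking them against the database, written here as an added example (it is not the asker's code and not tied to any particular project). It assumes a hypothetical USERS table with columns EMAIL, PASSWORD_HASH and SALT where the hash column holds a Base64 PBKDF2 digest, and assumes a javax.sql.DataSource is handed to the resource by the container; how that DataSource is wired is left to Jersey's injection and is only sketched in a comment.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

/** Plain JDBC DAO: looks up the stored hash for an email and compares it with the submitted password. */
class UserDao {
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor, must match what was used at enrolment
    private static final int KEY_BITS = 256;
    private final DataSource ds;

    UserDao(DataSource ds) { this.ds = ds; }

    /** True only if a row for the email exists and the password reproduces its stored hash. */
    boolean credentialsValid(String email, String password) throws SQLException {
        // Bind the email as a parameter; never concatenate user input into the SQL text.
        String sql = "SELECT password_hash, salt FROM users WHERE email = ?";   // hypothetical schema
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, email);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false;   // unknown user gets the same answer as a wrong password
                }
                byte[] expected = Base64.getDecoder().decode(rs.getString("password_hash"));
                byte[] salt = Base64.getDecoder().decode(rs.getString("salt"));
                byte[] actual = pbkdf2(password, salt);
                return MessageDigest.isEqual(expected, actual);   // constant-time comparison
            }
        }
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }
}

@Path("/loginResource")
public class LoginResource {
    private final UserDao dao;

    // Hypothetical wiring: the container (Jersey/HK2) supplies the DataSource.
    public LoginResource(DataSource ds) { this.dao = new UserDao(ds); }

    @POST
    @Consumes("application/x-www-form-urlencoded")
    public Response login(@FormParam("email") String email,
                          @FormParam("password") String password) {
        try {
            if (email != null && password != null && dao.credentialsValid(email, password)) {
                return Response.ok().build();   // establish a session or issue a token here
            }
        } catch (SQLException e) {
            // Log the details server-side; the client only learns that the request failed.
            return Response.serverError().build();
        }
        // One generic response for both "no such user" and "wrong password".
        return Response.status(Response.Status.UNAUTHORIZED).entity("Invalid credentials").build();
    }
}
```

The DAO keeps the database access in one place, so switching it to JPA later only changes UserDao, not the resource. Storing a salted PBKDF2 digest rather than the password itself means a copy of the table does not hand out passwords, and MessageDigest.isEqual avoids leaking, through timing, how many leading bytes of the hash matched.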

Generally login goes like this:

  • Client calls server with login details
  • Server verifies login details against the database; if valid, sets up a session. If invalid, the server will return a very generic error response. It is important not to give the client any info about which part of the submission was wrong (it gives attackers more info).

For this you'll want to read into sessions. Here are some links:

There's plenty of information on this problem on the internet.

Also, for generic REST APIs authentication will usually happen in the form of a token. The flow looks a little different:

  • Client calls server with some sort of auth info
  • The server generates a token using something like JSON Web Tokens and returns it to the client. Generally these have an expiry. The server might also expire all other tokens for the user.
  • The client sends the token, generally as a header, with every future request.

There's lots of ways to encrypt a password when sending it from client -> server. Here's a simple one I suggest you try: RESTful Authentication
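The token flow in the answer, as an added example rather than the answerer's code or the code from the linked post. It uses a small HMAC-signed token (email and expiry, signed with HmacSHA256) instead of a full JWT so that it needs only the JDK and JAX-RS: the login resource would call TokenService.issue() once the credential check passes, and the JAX-RS filter checks the Authorization header on every other request. The TOKEN_SECRET environment variable, the 15-minute lifetime and the "user.email" request property are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Token = base64url(email|expiryMillis) + "." + base64url(HMAC-SHA256 over the payload). */
class TokenService {
    private static final long TTL_MILLIS = 15 * 60 * 1000L;   // assumed 15-minute lifetime
    private final SecretKeySpec key;

    TokenService(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    String issue(String email, long nowMillis) {
        String payload = email + "|" + (nowMillis + TTL_MILLIS);
        return b64(payload.getBytes(StandardCharsets.UTF_8)) + "." + b64(mac(payload));
    }

    /** Returns the email the token was issued to, or null if it is malformed, tampered with or expired. */
    String verify(String token, long nowMillis) {
        if (token == null) return null;
        int dot = token.indexOf('.');
        if (dot < 0) return null;
        byte[] payloadBytes;
        byte[] sig;
        try {
            payloadBytes = Base64.getUrlDecoder().decode(token.substring(0, dot));
            sig = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        } catch (IllegalArgumentException e) {
            return null;   // not base64url
        }
        String payload = new String(payloadBytes, StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(mac(payload), sig)) return null;   // check the MAC before trusting any field
        int sep = payload.lastIndexOf('|');
        if (sep < 0) return null;
        long expiry;
        try {
            expiry = Long.parseLong(payload.substring(sep + 1));
        } catch (NumberFormatException e) {
            return null;
        }
        if (nowMillis > expiry) return null;   // expired tokens are rejected, not refreshed
        return payload.substring(0, sep);
    }

    private byte[] mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC unavailable", e);
        }
    }

    private static String b64(byte[] b) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
}

/** Runs before every resource method; requests without a valid "Authorization: Bearer" token get 401. */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class TokenFilter implements ContainerRequestFilter {
    private final TokenService tokens = new TokenService(loadSecret());

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (ctx.getUriInfo().getPath().startsWith("loginResource")) return;   // login itself needs no token
        String header = ctx.getHeaderString("Authorization");
        String token = (header != null && header.startsWith("Bearer ")) ? header.substring(7) : null;
        String email = tokens.verify(token, System.currentTimeMillis());
        if (email == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        ctx.setProperty("user.email", email);   // resources read the authenticated identity from here
    }

    private static byte[] loadSecret() {
        // Assumed: the signing secret comes from the environment, never from source code.
        String s = System.getenv("TOKEN_SECRET");
        if (s == null) throw new IllegalStateException("TOKEN_SECRET not set");
        return s.getBytes(StandardCharsets.UTF_8);
    }
}
```

The Angular side then stores the returned token and sends it as an Authorization: Bearer header on each $http call. Verifying the MAC before parsing the payload means a forged token never reaches the expiry or email logic, and because the token is signed rather than stored, the server can stay stateless; revoking a single token early, as the answer mentions, would need a server-side denylist in addition to this.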
