How can I secure the communication between the business logic (java) running on Tomcat, and the UI written in AngularJS. The communication obviously will be over REST services. Can anyone advise on this, or provide links to some tutorials, examples?
There shouldn't be concern about securing your REST API on the server side, because it's just a kind of web resource like static CSS or a Servlet. If you're using Spring in your application, I recommend you consider Spring Security. Here is a good example.
And you should not worry about accessing secured resources from your Ajax requests. Probably they will reuse the same session information (that is stored in the SESSIONID cookie).
You can find more information about securing your REST resources from here.
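An added example (not from the answer above or from the Spring project) of the Spring Security setup that answer describes: one configuration protects the AngularJS pages and the REST resources under /api/** alike, the Ajax calls reuse the session cookie, and the three points a practitioner adds on top of that are TLS, a 401 (not an HTML redirect) for unauthenticated Ajax calls, and CSRF protection, since a cookie-authenticated API is reachable from any origin the browser visits. Assumed: Spring Security 4.1 or later with the Java config style shown, and the paths /login.html, /login and /api/** are placeholders.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Everything rides over TLS; Tomcat needs an HTTPS connector for this to work.
            .requiresChannel().anyRequest().requiresSecure()
                .and()
            // The REST resources under /api/** are governed by the same rules as any page.
            .authorizeRequests()
                .antMatchers("/login.html", "/js/**", "/css/**").permitAll()
                .antMatchers("/api/**").authenticated()
                .anyRequest().authenticated()
                .and()
            // The login form POSTs username/password to /login; success creates the session
            // whose JSESSIONID cookie the later Ajax calls carry automatically.
            .formLogin()
                .loginPage("/login.html")
                .loginProcessingUrl("/login")
                .permitAll()
                .and()
            // An Ajax call without a session gets a 401 the client can act on,
            // instead of a redirect to the HTML login page.
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                    new AntPathRequestMatcher("/api/**"))
                .and()
            // Cookie-authenticated API calls are exposed to CSRF. This repository issues the
            // XSRF-TOKEN cookie that AngularJS $http echoes back in the X-XSRF-TOKEN header,
            // so every state-changing call must carry a token a foreign origin cannot read.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```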
I am planning to start a project and I am looking for the best approach to make a RIA application using AngularJS.
Right now I am pretty sure of these technologies:
AngularJS (+ Bootstrap CSS) for the client UI, logic and server requests.
Spring for bootstrapping the server business logic.
Hibernate + MySQL for persistent data access
Jersey for the Restful web service API.
Spring Security for url and data protection over authentication.
The only piece I feel is not ok is that my application will not be the typical one page app, because it will be large and I want to break it into multiple one page apps, some protected and others public. To serve every index.html I want another technology like Spring MVC, making those small one page apps secure on these points, and also not allowing access to some resources.
Do you think this is a good approach, or would you change any of these technologies (like suppressing Jersey/Spring MVC redundant dependencies)?
I think that in general your approach is a good one, but maybe you could use the webapp generator Yeoman with JHipster, a Java web app generator.
Or if you don't like the idea, you could add Spring-Data-JPA to your data access layer, because you will avoid writing the boilerplate code.
I'm developing a RESTeasy JSON API under JBoss-As 7.
I have another separate web-server.
I am developing with Java on the server side, and on the client side with JavaScript, jQuery, AJAX.
So, I have 2 distinct *war*s; let's say they can be accessed as follows:
https://localhost:8443/services
http://localhost:8080/web
Now I want to secure these two guys; RESTeasy API and web-server.
Let me tell you about my structure:
I keep the users in DB with username-password. These are the only users for now.
I have a login page to authenticate my users (I don't want http basic auth popup and any workaround about that)
The clients of the REST API are browsers (not the web server). The static page is loaded, and then some other dynamic things are loaded through the REST API, called from the browser using jQuery, AJAX, whatever.
All communication can be through SSL/TLS, no problem.
For the future, scalability (clients other than web-browsers, ability to authenticate with social network logins, etc.) should be in mind.
My scenario is as follows:
Client is browser.
Client wants to access a web page web/aaa.html which is restricted to authenticated users.
Client is redirected to login page: web/login.html
Client fills the FORM and sends it to ... either,
a) to the rest-api, or
b) to web-server,
not sure (So, here you have an implicit question).
But in any case, what a or b should do is the same:
Check username-password. Let's say they are checked and the user is authenticated.
From now on, I should have got these two things at the same time:
1- Client is authorized to navigate the restricted pages.
2- Client will be authorized on REST API calls.
So, I need these 2 things to happen at the same time, after authenticating in the login page.
I have read lots of things, about authorization in REST API, with tokens, keys, etc. and yes I also have heard about Spring Security, Apache Shiro, etc.
And yes, I do not want to implement a new security framework by myself and I will use one. I imagine that some framework can produce/check tokens etc. for me.
Before Spring Security and Apache Shiro, I want to know about resteasy skeleton key JBoss module.
There are these sources:
https://github.com/resteasy/Resteasy/tree/3.0.1.Final/jaxrs/examples/oauth2-as7-example
http://docs.jboss.org/resteasy/docs/3.0-beta-2/userguide/html/oauth2.html
But they didn't seem very explanatory to me, and also I am not sure if they are what I need.
Is there someone who knows how to configure skeleton key (or in general JBoss App layer) and give me useful example to achieve what I've described, please?
Or, could you give me some other advice/example to achieve my goal, especially noting that my question is about "how to implement"? I don't see where to begin.
Thanks in advance.
For securing REST services, we can use the following frameworks:
OAuth (Open source - RFC6749)
Apigee
I'm new to web service programming and I want to create, using NetBeans 6, a RESTful web service using Jersey over a Grizzly server, and then a JavaScript client in order to use this web service through a browser. So I started learning more about RESTful web services and I read a lot of guides over the web, then I started learning more about Grizzly and Jersey by reading the Jersey user's guide http://jersey.java.net/nonav/documentation/latest/index.html. I successfully followed the tutorial to create the hello world example resource. So I created all the resources needed for the job and tested them successfully with the browser... but I'm still confused: in particular I want to know how I can create a static homepage which can be used by the users to select the desired resource. Can you give me some tutorial or example? Thanks to all!
(Moreover, I want to learn more about the Grizzly server and creating Jersey RESTful web services; can someone give me a useful guide or book?)
So, the key to understanding RESTful web services is to understand the HTTP protocol more thoroughly. That's what makes it easier than (and often preferable to) RPC style services epitomized by SOAP. When you pull down a static web page, for example, you can think of it as a limited "web service" which serves only GET requests. In order to make a static web page which "selects resources," you would only need to provide URLs to the resources in question, as long as they're accessed via GET, because that's the same HTTP method used for retrieving web pages (and therefore is the default method for web browsers). If you want to access other types of resources, such as sending POST requests, you can use a form; other than that (with PUT, DELETE, HEAD, OPTIONS, etc.) you'll want to use JavaScript or a more programmatic API for accessing the HTTP resources.
There are many good books in this space, and I've found these particularly useful:
RESTful Web Services
RESTful Web Services Cookbook
RESTful Java with Jax-RS
SOA With REST
The first two approach REST in theory and practice; they are more about the concepts than specific technology. The third addresses the Java standard for RESTful services as defined in JSR 311, of which Jersey is the reference implementation.
The last is more of an "enterprisey" book, but it's been useful to me from the approach of designing a system of web services, as opposed to one-off service resources.
Regarding Grizzly, you can take a look at the Grizzly User's Guide, specifically the HTTP Server framework chapter. If you have more questions, don't hesitate to ask on the Grizzly mailing lists.
As per the title, I am wondering what are some best practices for Web service user authentication and session management, mainly for backend implementation, especially using Java (J2EE).
Has anyone published anything on the subject? What kind of security considerations should one keep in mind when working with user authentication? What kind of design patterns are related? How should sessions be managed? What does a well-designed architecture look like?
Are there existing systems that could be used as good examples, or even bad examples?
As the Java EE specifications for web services actually consist of exposing a stateless session bean as a web service, you won't be able to implement session management without a "home-made" solution such as including a user token in each of your requests.
Not specifically REST, but we use the same authentication mechanism for standard web services as for any other web container request. That means sending basic authentication data to the backend, over SSL. Never had any issues.
I am new to web services. I have written a few clients using AXIS2 but nothing more. Now I have to create some service that will be consumed by others. We have a web application written using Wicket.
Does my web service need to be a part of the web application? Can it be deployed separately, but still use the same code that is used by the web application?
Any tips on how to start including security, authentication etc.? Any reference to reading material or tutorials is greatly appreciated.
Taking the questions one at a time:
Does the web service need to be part of the web application? No. It can be a completely separate project with its own deployment.
Can it be deployed separately? Yes, see #1.
Can it use the same code as the web app? Yes. This is a matter of how you reference the web app. You might consider branching the code, or just building it in to the web app to begin with.
A couple of resources:
RESTful webservices with Wicket
Web service API for Wicket
Bear in mind, I've never used wicket before so I have no idea if the above links are worthwhile.
Regarding security: you usually provide a web API "key" of some sort to your clients. That key is then passed into every API call, which you then validate for both authentication and authorization. This is how most systems work.
Also, just like with web apps, the calls to the API should go over an SSL connection in order to try and prevent anyone from eavesdropping on the conversation.
As far as logging, this is no different than logging you would set up for a normal web app. There are plenty of logging tools out there like log4j.
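An added example (mine, not the answerer's and not Jersey's or Wicket's code) of the per-call key check described in the answer above, which also serves as the "user token in each request" that the earlier answer about stateless session beans mentions. It is a JAX-RS 2.0 request filter, so it works in Jersey or RESTEasy: the key arrives in a header, is matched against stored hashes in constant time, and a valid key only grants the paths assigned to that client. Assumed: the header name X-Api-Key, the two in-memory maps (a constructed stand-in for a real key store), and the example key and path prefix.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
@Priority(Priorities.AUTHENTICATION)   // runs before any authorization or resource code
public class ApiKeyFilter implements ContainerRequestFilter {
    // Constructed stand-in for a real key store: client name -> SHA-256 of its key.
    // Only hashes are kept, so a copy of this table does not yield usable keys.
    private static final Map<String, byte[]> KEY_HASHES = new HashMap<>();
    // Constructed stand-in for the authorization data: client name -> path prefix it may call.
    private static final Map<String, String> ALLOWED_PREFIX = new HashMap<>();
    static {
        KEY_HASHES.put("reporting", sha256("example-key-for-reporting-client"));
        ALLOWED_PREFIX.put("reporting", "reports");
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        // Read the key from a header, not the query string, so it stays out of access logs.
        String presented = ctx.getHeaderString("X-Api-Key");
        String client = presented == null ? null : lookup(sha256(presented));
        if (client == null) {   // authentication failed: unknown or missing key
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Authorization: the path is relative to the application base, e.g. "reports/2013".
        String path = ctx.getUriInfo().getPath().replaceFirst("^/+", "");
        if (!path.startsWith(ALLOWED_PREFIX.get(client))) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            return;
        }
        ctx.setProperty("api.client", client);   // resources can read who is calling
    }

    // Compare against every stored hash with a constant-time check and never break early,
    // so response timing does not reveal which key, or how much of it, matched.
    private static String lookup(byte[] hash) {
        String found = null;
        for (Map.Entry<String, byte[]> e : KEY_HASHES.entrySet()) {
            if (MessageDigest.isEqual(e.getValue(), hash)) found = e.getKey();
        }
        return found;
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }
}
```

As the answer says, this only holds up when every call travels over SSL/TLS; the key is a bearer credential, and anyone who reads it on the wire can replay it.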
Short answer: Generically, yes, you can deploy your web service as part of your web application. You should think of your web service as another "view" on your business logic. If you have followed good patterns (e.g. putting your business logic in a library, not controllers) this shouldn't be too hard.
You may want to "enforce" this by putting shared business logic in one library, and then split the web service and web application into another project.
There are really too many options for web services to list them all, but here's a place to look as a tutorial:
http://static.springsource.org/spring-ws/sites/1.5/reference/html/tutorial.html
Follow the link below, which explains how to expose your ASP.Net web application functionality as a web service. The article takes the TrendsInInvestment web application to explain the procedure. Features like authentication, caching and pagination have been included while implementing the web service.
1) Link for the article.
http://securityresearch.in/index.php/tutorials/how-to-expose-your-asp-net-web-application-functionality-as-awebservice
2) Link for the modified web application, web service and its sample code.
http://securityresearch.in/index.php/projects/f_security/trends-in-investment-web-service-1-0-is-now-available