This question already has an answer here:
HTTP basic authentication over SSL for REST API
(1 answer)
Closed 8 years ago.
I have created a restful service using jersey in java.The API tested with HTTP client as well. its working fine.I need to secure my API with username and password. anyone can help me out to do this.. Thanks in advance.
No need to send username and password every time. On just first login api send username and password to server and then server returns on key which is stored as your session key in database at server side.
You need to send this key on every api call in header, so server side they authenticate user first on each api call and then go ahead only.
That means you need to send one key (may be auto generated alphanumeric string ) which is given by server in response of login api.
Related
I have a Java servlet (running on Google App Engine Standard) talking to a Flutter client that is also logged into Firebase. Can the Java servlet detect which user is logged in perhaps by using the admin SDK to read the HTTP headers or cookies? I can't find such a method in the SDK though. I guess the question is about having a Firebase client that talks both to Firebase and to other cloud services.
(I saw the servlet can talk to Firebase https://cloud.google.com/solutions/mobile/mobile-firebase-app-engine-flexible but my question was more simply if the servlet can verify which user is signed in)
Thanks!
The backend (it doesn't matter what it is) can't read anything directly from the client if the client doesn't pass that data along. Typically if the client using Firebase Authentication wishes to identify the user to the server, it will pass an ID token to the backend, usually through a header. The backend can then use the Firebase Admin SDK to verify the ID token. The ID token should be available in every request send to the backend where identity needs to be known.
I want to create a Swing application client that connects to an EJB project which will have a login method to a secured client session.
When the client is run, you will provide a username and password, and thus login. However, if you type the incorrect password, you can be given n tries to provide the credentials.
I have configured Glassfish 4 to work with jdbc realm. Jave EE7 has a method to request user with the username and password, but I wanted have more control over the incorrect password and login.
Can someone please tell me how to do this ?
I tried using programmatic login but it does not seems to work.
You did not provide enough information. The answer depends on which HTTP client do you use and which authentication type is supported by the server.
If the server supports form based authentication after the login it will redirect to the requested page. Check that your HTTP client can follow HTTP redirects. Also, you need to understand where the session token is kept. If it is kept in cookies you need to store it in client and send manually with each request to the server.
I have a project in java which utilize j_security_check and ldap for authentication. Now my employer want to change it to an authentication using a webservice provided . What they gave me is actually a link as shown below
"http://11.111.111.111/ADManager/ADlogin.asmx"
I am a total newbie to java and webservice.All I know is if we provide some data to a webservice it will give a response. my doubts are
Is it possible to create a login consuming that link they provided?
Should I ask them for more info?
Is it posible to replace the j_security_check and ldap already configured in my java project?
P.S : The one who assigned me this task doesn't seems to have much knowledge either.
The short answer is you can.
You need to do the following:
Each web resource is protected by a (servlet) filter. This filter checks each incoming request and validates the token which needs to be on the http header. If the token is valid then the request is served. If the token is invalid the filter is going to send back http 401 unauthorized. Then redirect to the loin page.
Login with rest service:
1) Create a custom login page with username/password field.
2) Create a rest web service, receives username/password. It will check the credentials against an external access management infrastructure like OpenAM.
3) First, call auth(username, password) rest api to get the auth token. If the given credentials are okay then just send back the auth cookie to the client with HTTP 200 response code.
4) Then, you can call protected rest apis. You need to send auth cookie with your request each time.
5) Servlet filter (or something similar) checks each incoming request and validates the token. If the token is valid then the request goes forward to the rest method, if not you need to generate an http 401/403 response.
I suggest you not to write your own authentication layer, please use an existing one, for example OpenAM.
This forum topic explain everything you.
I have my html basic form and java server(REST) side and MYSQL as my database.
I want to implement a secured authentication login form plus after login every rest api's must be called by the valid users only.
What are the points to consider for developing secure login page? One thing i know is login api must be an POST method. What are the other points needs to be taken care?
Where to save the state of the logged in user so that immediate calls can be verified using that state. Is it to be client side or server side? If on server side then that violets the RESTlet principles
Am i require to store the encrypted password in the database? If yes then which encryption algorithm is best?
Thanks,
This is a followup to my previous question about how to secure API calls from a mobile app to a Play app hosted on Heroku.
It was originally suggested that I implement OAuth, but it seemed more complicated then I needed and I considered just sending the password plaintext over HTTPS with each call and storing it on the device.
Would it be possible to just make up a long random string that I store in the app and require that on the API end as well? It seems this would prevent others from using the API, which is good.
If so, would it be secure to just send that token over HTTPS along with the username and password of the user?
While writing this, I came across this answer and it looks like an acceptable solution:
Use HTTPS for every call
After the first call, send back an authToken that is sent with each subsequent call
Expire the token every so often on the device and server