Java
Aksndr, 2014-10-13 09:48:02

How to organize authentication for REST (stateless) applications (Java)?

Good afternoon,
I ask for advice (best practice) on organizing client authentication in a stateless web application on Spring.
The crux of the question is: how to avoid authenticating on every request? Add some token to the headers and validate it on each request using a separate service?
Thank you in advance.


4 answer(s)
FanKiLL, 2014-10-13
@Aksndr

Stateless, like all of HTTP, means stateless.
Actually, it doesn't matter whether they send you a login:password or a token tied to that login: you still have to authenticate. Go to the database and check whether such a token exists, and so on. It's just so that the login and password aren't exposed with each request (basic authentication) that it is customary to send tokens tied to the login instead.
I prefer to send/receive tokens in the header so the URLs stay clean, rather than passing the token in a URL parameter as Facebook did.
Of course, you can cache; the simplest is a HashMap with a TTL, with the token as the key and the user as the value. First check the HashMap for a key matching the sent token; if there is one, pick up the user, if not, go to the database.
In Spring you can make an interceptor that checks tokens and, if everything is fine, passes the request on.
You can make an annotation and put it on the controllers or methods we want to authenticate, and in the interceptor first check whether the annotation is present using the Reflection API.
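The interceptor, TTL cache and annotation check described in this answer, written out as an added example (not code from the original thread). It assumes Spring 5.x with the javax.servlet API, a hypothetical `User` record, a hypothetical `tokenLookup` function that loads the user bound to a token from the database (returning null for unknown tokens), and a marker annotation named `Authenticated`.

```java
import java.lang.annotation.*;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
// Marker for controllers or handler methods that must carry a valid token.
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE, ElementType.METHOD})
@interface Authenticated {}
public class TokenAuthInterceptor implements HandlerInterceptor {
    public record User(String login) {}                      // hypothetical user record
    private record CacheEntry(User user, long expiresAt) {}  // expiresAt in epoch millis
    private final Map<String, CacheEntry> cache = new ConcurrentHashMap<>();
    private final Function<String, User> tokenLookup;        // hypothetical DB lookup, null if unknown
    private final long ttlMillis;
    public TokenAuthInterceptor(Function<String, User> tokenLookup, long ttlMillis) {
        this.tokenLookup = tokenLookup;
        this.ttlMillis = ttlMillis;
    }
    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler) {
        if (!(handler instanceof HandlerMethod hm)) return true;    // not a controller method
        boolean required = hm.getMethodAnnotation(Authenticated.class) != null
                || hm.getBeanType().isAnnotationPresent(Authenticated.class);
        if (!required) return true;                                 // opt-in; deny-by-default is safer
        String header = req.getHeader("Authorization");
        String token = header != null && header.startsWith("Bearer ") ? header.substring(7).trim() : "";
        User user = token.isEmpty() ? null : resolve(token);
        if (user == null) {
            resp.setHeader("WWW-Authenticate", "Bearer");
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return false;                                           // stop the handler chain
        }
        req.setAttribute("currentUser", user);
        return true;
    }
    // An unexpired cache hit skips the database; the TTL bounds how long a revoked token stays usable.
    User resolve(String token) {
        long now = System.currentTimeMillis();
        CacheEntry e = cache.get(token);
        if (e != null && e.expiresAt() > now) return e.user();
        User user = tokenLookup.apply(token);
        if (user == null) cache.remove(token); else cache.put(token, new CacheEntry(user, now + ttlMillis));
        return user;
    }
}
```

Register it from a `WebMvcConfigurer` via `addInterceptors`, and keep the TTL short so that a token revoked in the database stops working within that window.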

Sergey Protko (@Fesor), 2014-10-13

WSSE, either just tokens or OAuth...

trerums, 2014-10-13
@trerums

Read about bearer tokens.

Satisfied IT, 2016-11-10
@marataziat

Error binding parameter 0 - probably unsupported type
