I am developing a RESTeasy JSON API on JBoss AS 7.
I have another separate web server.
I develop with Java on the server side, and on the client side JavaScript, jQuery, AJAX.
So, I have 2 distinct *war*s; let's say they can be accessed as shown below:
- https://local:8443/services
- http://local:8080/web
Now I want to protect these two guys: the RESTeasy API and the web server.
Let me tell you about my structure:
- I save users in the DB with username and password. So far these are the only users.
- I have a login page to authenticate my users (I don't want an HTTP basic auth popup or any workaround about this).
- REST API clients are browsers (not a web server). A static page is loaded, and then some other dynamic things are loaded via the REST API, called from inside a browser using jQuery, AJAX, whatever.
- All messages can go via SSL/TLS, no problem.
- In the future, scalability needs to be taken into account (clients other than web browsers, the possibility of authentication by logging in via social networks, etc.).
My scenario is as follows:
- The client is a browser.
- The client wants to access the web page web/aaa.html, which is limited to authenticated users.
- The client is redirected to the login page web/login.html. The client fills out the FORM and sends it ...
  a) to the REST API, or
  b) to the web server,
  I'm not sure (so you have an implicit question).
But in any case, what a or b should do is the same:
verify the username and password. Let's say they are verified and the user is authenticated.
From now on, I need to have these two things at the same time:
1 - The client has the right to navigate through restricted pages.
2 - The client is authorized for REST API calls.
So, I need these two things at the same time, after authentication on the login page.
I have read a lot of things about authorization in REST APIs, with tokens, keys, etc., and yes, I have also heard about Spring Security, Apache Shiro, etc.
And yes, I do not want to implement a new security infrastructure myself; I will use an existing one. I believe some frameworks can produce/check tokens, etc. for me.
Before Spring Security and Apache Shiro, I want to know about the JBoss Skeleton Key module.
The following sources exist:
https://github.com/resteasy/Resteasy/tree/3.0.1.Final/jaxrs/examples/oauth2-as7-example
http://docs.jboss.org/resteasy/docs/3.0-beta-2/userguide/html/oauth2.html
But they did not seem very explanatory to me, and I'm also not sure that I need them.
Is there anyone who knows how to customize Skeleton Key (or the JBoss app layer in general) and can give me a useful example to achieve what I described, please?
Or, can you give me other advice / an example to achieve my goal, especially noting that my question is "how to implement"? I don't see where to start.
Thanks in advance.
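As an added example (not part of the question, and not RESTeasy's or Skeleton Key's own code), here is the minimal shape of what the "a" or "b" endpoint above has to do so that one form login covers both the restricted pages and the API calls: verify the submitted password against a salted PBKDF2 hash, issue one HMAC-signed, expiring token as an HttpOnly/Secure cookie, and reject every API request whose cookie does not verify. It assumes RESTeasy 3.x with the JAX-RS 2.0 API on JBoss AS 7, an HMAC key supplied in a `SESSION_KEY` environment variable, and a constructed in-memory user map standing in for the real user table; the class, path and cookie names are arbitrary.

```java
// Added example, not from the question or the RESTeasy/Skeleton Key docs.
// Assumptions: RESTeasy 3.x (JAX-RS 2.0) on JBoss AS 7, the HMAC key in the
// SESSION_KEY environment variable, and a constructed in-memory user store.
package example.auth;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import javax.xml.bind.DatatypeConverter;

public final class ApiSecurity {

    /** Builds and verifies tokens of the form user|expiryMillis|hmacHex. */
    static final class SessionToken {
        // Assumption: a random 32+ byte key is set in the container's environment.
        private static final byte[] KEY = System.getenv("SESSION_KEY").getBytes();
        private static final long TTL_MS = 30L * 60 * 1000;

        static String issue(String user) {
            String payload = user + "|" + (System.currentTimeMillis() + TTL_MS);
            return payload + "|" + hmac(payload);
        }

        /** Returns the user name, or null when the token is missing, forged or expired. */
        static String verify(String token) {
            if (token == null) return null;
            String[] parts = token.split("\\|");
            if (parts.length != 3) return null;
            String payload = parts[0] + "|" + parts[1];
            // Constant-time comparison so the MAC cannot be guessed byte by byte.
            if (!MessageDigest.isEqual(hmac(payload).getBytes(), parts[2].getBytes())) return null;
            try {
                return Long.parseLong(parts[1]) > System.currentTimeMillis() ? parts[0] : null;
            } catch (NumberFormatException e) { return null; }
        }

        private static String hmac(String data) {
            try {
                Mac mac = Mac.getInstance("HmacSHA256");
                mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
                return DatatypeConverter.printHexBinary(mac.doFinal(data.getBytes("UTF-8")));
            } catch (Exception e) { throw new IllegalStateException(e); }
        }
    }

    /** POST /login from the HTML form: verifies the password and sets the cookie. */
    @Path("/login")
    public static final class LoginResource {
        // Constructed store: user -> {saltHex, pbkdf2Hex}; the real app reads the DB.
        private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
        static { register("alice", "correct horse battery staple"); }

        @POST
        @Consumes("application/x-www-form-urlencoded")
        public Response login(@FormParam("username") String user, @FormParam("password") String pw) {
            String[] rec = USERS.get(user);
            if (rec == null || !MessageDigest.isEqual(DatatypeConverter.parseHexBinary(rec[1]),
                    pbkdf2(pw, DatatypeConverter.parseHexBinary(rec[0])))) {
                return Response.status(Response.Status.UNAUTHORIZED).build();
            }
            // HttpOnly keeps the token away from page scripts; Secure keeps it on TLS only.
            NewCookie cookie = new NewCookie("session", SessionToken.issue(user), "/", null, null, 1800, true, true);
            return Response.ok().cookie(cookie).build();
        }

        static void register(String user, String pw) {
            byte[] salt = new byte[16];
            new SecureRandom().nextBytes(salt);
            USERS.put(user, new String[] { DatatypeConverter.printHexBinary(salt),
                                           DatatypeConverter.printHexBinary(pbkdf2(pw, salt)) });
        }

        static byte[] pbkdf2(String pw, byte[] salt) {
            try {
                return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                        .generateSecret(new PBEKeySpec(pw.toCharArray(), salt, 20000, 256)).getEncoded();
            } catch (Exception e) { throw new IllegalStateException(e); }
        }
    }

    /** Runs before every API method except the login endpoint itself. */
    @Provider
    @Priority(Priorities.AUTHENTICATION)
    public static final class TokenFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            if (ctx.getUriInfo().getPath().replaceFirst("^/", "").equals("login")) return;
            Cookie c = ctx.getCookies().get("session");
            if (SessionToken.verify(c == null ? null : c.getValue()) == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            }
        }
    }
}
```

The `web` war can reuse `SessionToken.verify` from a `javax.servlet.Filter` in front of `aaa.html`, redirecting to `login.html` when it returns null, which gives the two properties asked for (page access and API authorization) from one login. Two caveats follow from the URLs in the question: the cookie is only shared if both wars are served from the same host, and a `Secure` cookie is never sent to `http://local:8080`, so the web war also needs to sit behind HTTPS (the question already allows TLS everywhere). Later clients that are not browsers can send the same token in an `Authorization` header instead of a cookie, with the filter checking both places.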