To encrypt/decrypt data I use CryptoJS for encryption and decryption (Java), but apparently we need to send the passphrase in the clear, while the cipher and salt are encrypted. My question is: why is the passphrase in plain text? It must be secret and therefore encrypted as well, no?
As soon as you send the key (passphrase?) in the clear, encryption is useless.
For reasonable client-server protection, use HTTPS. Simple, efficient and safe. Encryption on the web application side is usually a bad idea, since the user or a man in the middle can retrieve or modify the key and the data.
The other case is end-to-end protection, where the client encrypts the data, it is stored/processed as-is, and the encryption key is available only to the user. If that is not your case and the service needs the data for further operations, HTTPS is the way to go.
For a REST API in Java EE 7, which standard should I use: the HTTP security header (basic auth)? A JSON access token? And how does it actually work: where do I store the user session/token, in a cookie? I just want to know how to do this with Angular.
You have effectively listed the options yourself. It's your decision; each option has its pros and cons. Basically, if you are talking about services (REST), it does not matter which technology is used.
For REST services called directly from the browser, I would omit basic authentication (otherwise the user gets a pop-up authentication window).
You can use a JWT token (signed by the application secret; just add an expiration date), but then you cannot "log out" the user, only wait until the token expires. The advantage is that the token is self-contained and you do not need to worry about session management. The client sends the JWT in the Authorization HTTP header; you simply decode it, check it, and then take the user identifier from the token.
Another option is a session token (in a cookie or sent in the Authorization header), where you need to manage sessions (store tokens, clear the token on logout, ...). Using the application server's session cookie makes your services unusable by other applications (the question is still whether you want/need the services to be reused by third parties), but you get built-in authorization (JAAS, roles, ...).
Maybe I can use classic JAAS with form-based authentication, and after that the request.login() call on the server side should be authenticated; then my EJBs will be completely protected by @Role.
In fact, this is a way of authenticating and authorizing the user and issuing a token (JWT, cookie, other ...).
What is the way to protect pages in AngularJS? Right now I'm using web.xml and putting in URL patterns; is there perhaps a better way?
The default authorization should be fine.
Still, keep it simple. In my experience, static resources (web pages, images, scripts, CSS) should be static, and it doesn't really matter if they are publicly available. What matters is the execution (operations, data, ...), which is exposed as services, and that is the point where you perform proper authentication and authorization.
Good luck