
Authentication From A REST Service

Hello
I am in the process of setting up a web service between an android app and
Tomcat 6.0.26 implemented with Jersey. I already have client and server
communicating with each other by sending XML requests. But I would like the
user of the client to be authenticated by the server for a set period of
time and then have to re-authenticate after that time has expired.
Can anyone suggest anything?
Thanks
Martin O'Shea.

asked Jul 18 2013 at 02:34 by Martin O'Shea



16 Replies for: Authentication From A REST Service
Thanks Andre. I have already done so. I thought to ask it on both just in
case.

answered Jul 18 2013 at 06:25 by Martin O'Shea


Chris
It's a case of considering options at the moment. It doesn't matter too much about the actual expiration time of the session. But a question arises concerning use of a realm: if I have the following code in a realm in context.xml for existing browser-based logging in:
Could it be used also for the REST service? And would a servlet be required to handle authentication?
Thanks
Martin O'Shea.

answered Jul 18 2013 at 07:32 by Martin O'Shea


OK. So let me see if I understand what you’re suggesting: I already have client and server communicating with each other by sending XML requests via Jersey with a servlet implemented in web.xml.
So in addition to this, I would need a filter set to intercept requests with a URL pattern /rest/*. This filter can then call HttpServletRequest.login?

answered Jul 18 2013 at 10:08 by Martin O'Shea


Chris
I'm checking this with Jersey.
Thanks
Martin O'Shea.

answered Jul 18 2013 at 10:54 by Martin O'Shea


Are there any suggestions if I'm not using servlet 3?

answered Jul 27 2013 at 09:00 by Martin O'Shea


Chris
Have you an example at all?
At the moment, I've simply rigged a simple authentication method of my own. Have you a code example of a container-provided authentication system, or could you refer me to one?
Thanks
Martin O'Shea.

answered Jul 28 2013 at 07:40 by Martin O'Shea


Sorry Chris, I'm not sure what I'm looking for here. Can you elaborate?

answered Jul 29 2013 at 09:30 by Martin O'Shea


Don't top-post; it makes the conversation impossible to follow.
Step 1: read the security section of the Servlet spec.
Step 2: read the Tomcat doc Chris pointed out to you.
Step 3: look at the WEB-INF/web.xml settings in the relevant examples that come with Tomcat, including the manager and host-manager webapps.
 - Chuck
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

answered Jul 29 2013 at 10:51 by Caldarale, Charles R


It may be better to ask this on the Jersey user's list.
I would imagine that Jersey provides a way to force the client to be authenticated. This would work via a session, and there is probably a way to set the session timeout. After the last interaction + the timeout, the session will expire, and this should automatically force the client to re-authenticate at the next access.

answered Jul 18 2013 at 06:15 by André Warnier


Martin,
If you are using Servlet 3.0, you can use HttpServletRequest.login to
authenticate the user using a realm configured for the context. If you
use FORM authentication, then the session's expiration time becomes
the duration of the login (a caveat being that the timeout is reset
for every request the client makes).
If you want fixed-login times (like 30-minutes max regardless of how
many requests are made), then stuff your own expiration date into the
user's session and then check that timeout with each request. This
could all be done in a Filter to keep things orthogonal to your
servlet code.
Or were you looking for something more elaborate?
-chris

answered Jul 18 2013 at 07:05 by Christopher Schultz
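The Filter Chris describes above, written out as an added example; it is not code from the thread, from Jersey or from Tomcat. It assumes Servlet 3.0, which means Tomcat 7 or later (Tomcat 6.0.26, as in the original question, implements Servlet 2.5 and has no HttpServletRequest.login), a Realm configured for the context, Java 8 for java.util.Base64, and that the filter is mapped to /rest/* in WEB-INF/web.xml. The class name, the attribute name, the 30-minute cap and the Basic challenge are my choices. It does the two things the post separates: authenticate against the container Realm when no principal is present, and enforce a fixed login duration that, unlike the session idle timeout, is not pushed back by each request.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical Filter for the REST paths (map it to /rest/* in WEB-INF/web.xml).
 * 1. No authenticated principal: read user:password from a Basic Authorization header
 *    and call HttpServletRequest.login() (Servlet 3.0), which checks the context's Realm
 *    and sets getUserPrincipal() for Jersey and everything else downstream.
 * 2. Keep an absolute expiry in the session and enforce it on every request; the
 *    container's session timeout is an idle timeout and is reset by each request.
 */
public class RestLoginFilter implements Filter {

    /** Hard cap on a login regardless of activity (assumed value: 30 minutes). */
    static final long MAX_LOGIN_MILLIS = 30L * 60L * 1000L;
    /** Session attribute holding the absolute expiry (epoch millis). */
    static final String EXPIRY_ATTR = "rest.login.expiresAt";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Hard expiry. The container restores the principal from the session before this
        // filter runs, so clear it explicitly with logout(), then drop the whole session.
        HttpSession session = request.getSession(false);
        if (session != null && isExpired(session)) {
            request.logout();
            session.invalidate();
        }

        // No principal (first request, or just expired): authenticate via the Realm.
        if (request.getUserPrincipal() == null) {
            String[] creds = parseBasic(request.getHeader("Authorization"));
            if (creds == null) {
                challenge(response);
                return;
            }
            // Create the session before login(): Tomcat caches the authenticated principal
            // in an existing session, so later requests carrying the JSESSIONID cookie
            // reach this filter already authenticated.
            HttpSession fresh = request.getSession(true);
            try {
                request.login(creds[0], creds[1]);
            } catch (ServletException badCredentials) {
                fresh.invalidate();
                challenge(response);
                return;
            }
        }

        // Start the absolute clock on a new login; leave it untouched on later requests.
        HttpSession current = request.getSession(true);
        if (current.getAttribute(EXPIRY_ATTR) == null) {
            current.setAttribute(EXPIRY_ATTR, System.currentTimeMillis() + MAX_LOGIN_MILLIS);
        }

        chain.doFilter(request, response);
    }

    static boolean isExpired(HttpSession session) {
        Object expiresAt = session.getAttribute(EXPIRY_ATTR);
        return expiresAt instanceof Long && System.currentTimeMillis() > (Long) expiresAt;
    }

    /** {user, password} from "Basic base64(user:password)", or null if absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"rest\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

Two practical points follow from the design. The Android client must store and resend the JSESSIONID cookie, otherwise every call is a fresh login and the absolute cap never applies to anything but that one request. And Basic credentials are only base64-encoded, so the /rest/* paths need to be served over HTTPS (a transport-guarantee of CONFIDENTIAL in web.xml enforces that on the server side).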


Martin,
FWIW, MD5 is basically deprecated at this point. I would use at least
SHA-256 for password-hashing. Honestly, I'd use a password-mangling
algorithm and not a straight-up hash (like bcrypt, scrypt, PBKDF2, etc.).
(I've been toying-around with modifications to Tomcat's Realms and
underlying code to help support such things, but I haven't come up
with a good patch, yet).
This should be removed: it must have come from an old configuration.
You can use it for anything you'd like.
No, you can use a Filter. I'm not sure how Jersey is implemented, but
I suspect that you configured either a Servlet or a Filter at some
point in WEB-INF/web.xml. Just make sure that your own Filter performs
whatever is necessary to authenticate (e.g. calling
HttpServletRequest.login) and then sets-up the request so that Jersey
knows that the user has been successfully authenticated (it probably
just checks ServletRequest.getPrincipal, which will be set up
correctly after a successful call to HttpServletRequest.login).
-chris

answered Jul 18 2013 at 07:39 by Christopher Schultz


Well, apart from the layers of obfuscation added by Jersey, fundamentally the "REST service" is still a webapp, composed of servlets.
So it is more a case of "does Jersey provide an authentication servlet (or filter)? and what can it do?". No?
Or does Jersey rely on container-based authentication?
Or does Jersey rely on container-based authentication ?

answered Jul 18 2013 at 07:42 by André Warnier


Martin,
Yes, this is exactly what I'm suggesting. I'm sure there are other ways
to do it. I'm assuming that Jersey is using ServletRequest.getPrincipal
to get authentication information from the caller (which is a reasonable
assumption IMO). If it's being done in some other way, then this
technique may not work.
-chris

answered Jul 18 2013 at 10:51 by Christopher Schultz


Martin,
Any reason the container-provided authentication system (e.g. HTTP
BASIC) isn't acceptable?
-chris

answered Jul 28 2013 at 07:36 by Christopher Schultz


Martin,
Container-provided authentication can be done without writing any code
at all:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html
-chris

answered Jul 29 2013 at 09:21 by Christopher Schultz


Martin,
Just read the whole page:
If you don't understand, come back and ask more specific questions.
-chris

answered Jul 30 2013 at 07:36 by Christopher Schultz


active Jul 30 2013 at 07:36

posts:17

users:4

©2013 QnaList.com . QnaList is part of ZisaTechnologies LLC.