0

I am trying to integrate a very old Java web application and a AngularJs front end. I can't use Spring framework and basically have to code the pieces by hand. Here are my specific questions:

  1. I post the login form to the servlet for authentication, the servlet replies with a permission object and a Jsessionid. How do I avoid re-login when I navigate away and come back to the page ? Do I need another cookie to store username/password?

  2. How do I provide CSRF protection with this architecture ?

An example would be very highly appreciated.

Improve this question

2 Answers 2

Reset to default
2

My suggestion is to use JWT tokens with Satellizer library which simplifies your work. After user has been logged in and you issued JWT token to him, he should pass back this token on every http request, (Satellizer injects it automatically after successful login). You need to validate it and permit/restrict user's action accordingly. There're few Java libraries which simplifies work with JWT tokens on a server side. I've used in a couple of my projects jose4j library, and have positive experience with it.

Satellizer and jose4j both have good examples on their wiki how to use them.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This is a very good lead thank you . But at this point I am looking for a cookie based approach instead of JWT .
0

I actually implemented two solutions one using JWT and the other using traditional Java Servlet implementation using a Jsessionid cookie. So far I feel the cookie one is cleaner so here are some details:

  1. Login.html posts a username/password form to a servlet. The servlet validates the credentials and if successful starts a new session (which results in a jsessionid cookie). If an authentication fails, a HttpServletResponse.SC_UNAUTHORIZED is returned.

    a. If the callback is successful the client redirects the browser to my application.html page.

    b. If failed prompts a message and stays on the login.html page.

  2. when application.html page loads it immediately sends a dummy get request to the login servlet to make sure the session is still valid. If yes, it loads the rest of the page, if not redirects back to the login page.
  3. Web services are secured the same way using an Auth filter that checks the session id.

so far it looks good and very straight forward.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.