
If one were to look at the JBoss security framework as one possible explanation of how to enable JAAS using JBoss 6, and create this web.xml to configure JAAS security to protect e.g. a REST API:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <context-param>
        <param-name>resteasy.scan</param-name>
        <param-value>true</param-value>
    </context-param>

    <context-param>
        <param-name>resteasy.servlet.mapping.prefix</param-name>
        <param-value>/api</param-value>
    </context-param>

    <listener>
        <listener-class>
            org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
        </listener-class>
    </listener>

    <servlet>
        <servlet-name>resteasy-servlet</servlet-name>
        <servlet-class>
            org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
        </servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>resteasy-servlet</servlet-name>
        <url-pattern>/api/*</url-pattern>
    </servlet-mapping>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>fileRealm</realm-name>
    <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>

   <error-page>
     <error-code>403</error-code>
     <location>/accessdenied.jsp</location>
   </error-page>

  <security-constraint>
    <display-name>Secured Content</display-name>
    <web-resource-collection>
      <web-resource-name>Secured Content</web-resource-name>
      <url-pattern>/api/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>HEAD</http-method>
      <http-method>PUT</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMINISTRATOR</role-name>
      <role-name>MANAGER</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>ADMINISTRATOR</role-name>
  </security-role>

  <security-role>
    <role-name>MANAGER</role-name>
  </security-role>

  <security-role>
    <role-name>EMPLOYEE</role-name>
  </security-role>

  <security-role>
    <role-name>USER</role-name>
  </security-role>

  <security-role>
    <role-name>DEFAULT</role-name>
  </security-role>

  <session-config>
    <session-timeout>5</session-timeout>
    <cookie-config>
      <name>SESSIONID</name>
    </cookie-config>
  </session-config>
</web-app>

then a URL like http://localhost:8080/webcontext/api/restpath will be protected and hitting this URL will redirect to the login page. And this works for me.

Now I would like to bring AngularJS into this mix as the frontend. Would it be possible? If so, how should I implement it? If not, what are the alternatives? Ideally I would like to use JAAS.

I think what I would like to know is how I can change the

<form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
</form-login-config>

<form-login-page> to instead serve e.g. a /partial/view/login.html within the Angular app? (If this makes sense.) In other words, getting rid of the login.html file and having JAAS redirect to whatever page/file is defined in Angular as the login form.

Arjan Tijms
Jannie
  • Redirect to angular app entry point and use angular routing to manage template loading based on authorization status – charlietfl May 07 '15 at 21:51
  • That's not JAAS security, that's Servlet's security features. JAAS is not the universal security framework you probably think it is. – Arjan Tijms May 09 '15 at 12:03
  • Well you are probably right but do you know at least if this is possible even? – Jannie May 09 '15 at 14:38

1 Answer


You can use Servlet/Java EE security for your REST endpoint, which I guess is what you're using for Angular.

However, the FORM authentication method is probably ill-suited for this, as it's more intended for actual user-to-app interaction, not code-to-API. Java EE also has a CUSTOM option. Take a look at this http://arjan-tijms.omnifaces.org/2014/11/header-based-stateless-token.html for the general idea.

You'd probably want to act just on the HTTP return codes. Have the Java EE authentication module return a 403* when the user is not authenticated, then in your Angular code display a native login page/dialog based on that. The login dialog could call a login endpoint where a username/password are exchanged for a token that you then use in the following REST calls.

Make sure that you access all the protected endpoints using HTTPS, or at the very least the login service. Additionally, you probably want to expire the token after some time.

*) a 403 is a good starting point, but there's something to be said for always returning a 404 so attackers can't start guessing which protected URLs exist. To check if authentication succeeded (not if the URL exists or is protected) you can echo the authenticated user's ID or name back in a header.

Arjan Tijms
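The flow the answer sketches, as an added example that is not code from the question, the answer or the linked blog post: a client that drives its behaviour off the HTTP status code, opens a login dialog on a 403, exchanges username/password for a token at a login endpoint, sends that token on subsequent calls and reads the echoed identity header to confirm authentication. The endpoint name /api/login, the Authorization: Bearer header, the X-Authenticated-User echo header, the credentials and the token lifetime are all assumptions made for this example; the server side is a constructed in-memory stand-in for the Java EE authentication module so the whole thing runs offline under Node.

```javascript
// Added example, not code from the question or the answer. Simulates the
// status-code-driven token flow the answer describes. /api/login, the
// "Authorization: Bearer <token>" header and X-Authenticated-User are
// assumptions for this example, not something the page defines.

const TOKEN_TTL_MS = 60 * 1000; // assumed token lifetime; the answer recommends expiry

// Constructed stand-in for the server side (Java EE auth module + login
// endpoint). `now` is injected so a caller can move the clock forward.
function fakeServer(now) {
  const users = { alice: "s3cret" }; // constructed credentials
  const tokens = new Map();          // token -> { user, expiresAt }
  let counter = 0;

  return function transport(method, path, headers, body) {
    if (method === "POST" && path === "/api/login") {
      const known = Object.prototype.hasOwnProperty.call(users, body.username);
      if (!known || users[body.username] !== body.password) {
        return { status: 401, headers: {}, body: null };
      }
      // A real server draws the token from a CSPRNG; a counter keeps this
      // constructed example deterministic.
      const token = "tok-" + (++counter);
      tokens.set(token, { user: body.username, expiresAt: now() + TOKEN_TTL_MS });
      return { status: 200, headers: {}, body: { token } };
    }
    // Every other path is protected: missing, unknown or expired token -> 403.
    const presented = (headers.Authorization || "").replace(/^Bearer /, "");
    const entry = tokens.get(presented);
    if (!entry || entry.expiresAt <= now()) {
      tokens.delete(presented);
      return { status: 403, headers: {}, body: null };
    }
    // Echo the authenticated identity so the client can distinguish
    // "authenticated" from "URL exists", as the answer's footnote suggests.
    return { status: 200, headers: { "X-Authenticated-User": entry.user }, body: { path } };
  };
}

// Browser-side client. In an Angular app this would be an $http interceptor
// or service; here it is a plain class so it runs without a browser.
class ApiClient {
  constructor(transport, onUnauthenticated) {
    this.transport = transport;
    this.onUnauthenticated = onUnauthenticated; // hook that shows the login dialog
    this.token = null;
  }

  // Exchange credentials for a token; returns true on success.
  login(username, password) {
    const res = this.transport("POST", "/api/login", {}, { username, password });
    if (res.status !== 200) return false;
    this.token = res.body.token;
    return true;
  }

  // GET a protected resource, attaching the token if we hold one. A 403
  // (or 401) means "not authenticated": drop the token and ask for a login.
  get(path) {
    const headers = this.token ? { Authorization: "Bearer " + this.token } : {};
    const res = this.transport("GET", path, headers, null);
    if (res.status === 401 || res.status === 403) {
      this.token = null;
      this.onUnauthenticated(path);
      return { ok: false, user: null, data: null };
    }
    return { ok: res.status === 200, user: res.headers["X-Authenticated-User"] || null, data: res.body };
  }
}

// Walks through the whole flow and returns the sequence of events so the
// outcome can be inspected rather than only printed.
function scenario() {
  let clock = 0;
  const events = [];
  const client = new ApiClient(fakeServer(() => clock), (p) => events.push("login-dialog:" + p));

  events.push("first-call:" + client.get("/api/restpath").ok);   // 403 -> dialog opens
  events.push("bad-login:" + client.login("alice", "wrong"));    // 401 -> false
  events.push("login:" + client.login("alice", "s3cret"));       // token issued
  const r = client.get("/api/restpath");
  events.push("with-token:" + r.ok + ":" + r.user);               // 200, identity echoed
  clock += TOKEN_TTL_MS;                                           // token expires
  events.push("after-expiry:" + client.get("/api/restpath").ok);  // 403 -> dialog again
  return events;
}

console.log(scenario());
```

The transport is synchronous and injected so the example is deterministic; a real Angular service would wrap $http and return promises, but the decision logic (status code decides, token travels in a header, expiry forces a fresh login) is the same. As the answer notes, the token and the login call only make sense over HTTPS, and switching the server's 403 to a 404 does not change the client once it keys off the echoed identity header rather than the status alone.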