I'm very new to enterprise java web app development, so please be gentle.

A co-worker and I are working on a small application for our company, and this will run entirely within the private network which has zero exposure to the big internet. Using Spring and writing the server side as a set of REST APIs.

Regarding REST authentication, I have done some research, including this topic, which was very helpful.

I plan on using HTTP basic authentication over SSL, but I am worried about performance. Our company has an LDAP user-lookup authentication service. With REST being stateless, obviously every REST call needs to be authenticated. If LDAP is slow for some reason, every action in the application will be impacted.

I had an idea, and I'm wondering if it makes sense:

  • Have the user log in once, then we generate a unique token that gets stored in a session table - including the user's userid, log-in timestamp and last-action timestamp.
  • The token gets sent back to the client, and it is up to the client to continue to re-send it back with every REST call (we could stick it into the HTTP authentication header).
  • The token is checked for validity before any REST call is executed.
  • With every successful REST call, the user's last-action timestamp is updated in the sessions table.
  • Another thread runs on a 60 second cycle, which checks for elapsed time since last-action for each user -- and if anyone is inactive for a period of time (e.g. two hours) -- their session token is wiped out.

Is this a reasonable approach? I know I'd have to handle (or disallow) multiple logins from a single user from different clients; haven't thought through that yet.
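An added sketch of the session-table steps listed in the post (not the asker's code; the class, method and field names are hypothetical): one login produces a random token, every call is checked against the table and refreshes the last-action timestamp, and a reaper removes sessions idle longer than the limit. The table stores a SHA-256 of the token rather than the token itself, so a leaked or logged copy of the table cannot be replayed.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration of the session-token table from the question (hypothetical names, not the asker's code).
public class TokenSessionStore {
    private static final Duration IDLE_TIMEOUT = Duration.ofHours(2);
    private final SecureRandom rng = new SecureRandom();
    // Keyed by SHA-256 of the token: a leaked or logged table does not yield usable tokens.
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    record Session(String userId, Instant loginAt, Instant lastAction) {}
    /** Called once after the LDAP check succeeds; returns the opaque token the client must resend. */
    public String login(String userId) {
        byte[] raw = new byte[32];                       // 256 bits from a CSPRNG, not a guessable id
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Instant now = Instant.now();
        sessions.put(hash(token), new Session(userId, now, now));
        return token;
    }
    /** Per-request check: known token and not idle past the limit; refreshes lastAction on success. */
    public Optional<String> authenticate(String token) {
        String key = hash(token);
        Session s = sessions.get(key);
        if (s == null) return Optional.empty();
        Instant now = Instant.now();
        if (Duration.between(s.lastAction(), now).compareTo(IDLE_TIMEOUT) > 0) {
            sessions.remove(key);                        // idle too long: treat as logged out
            return Optional.empty();
        }
        sessions.put(key, new Session(s.userId(), s.loginAt(), now));
        return Optional.of(s.userId());
    }
    /** Run from the 60-second reaper thread; returns how many idle sessions were removed. */
    public int reapIdle() {
        Instant cutoff = Instant.now().minus(IDLE_TIMEOUT);
        int before = sessions.size();
        sessions.entrySet().removeIf(e -> e.getValue().lastAction().isBefore(cutoff));
        return before - sessions.size();
    }
    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

Because the token is checked in `authenticate` as well as by the reaper, a session that idled out between two reaper runs is still rejected rather than slipping through for up to 60 seconds.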

  • Yes, this is a reasonable approach. HP ALM does a very similar approach, see their documentation: http://alm-help.saas.hp.com/en/12.50/api_refs/REST/webframe.htm#Authenticate.htm – Florian Albrecht Oct 13 '16 at 15:05
  • Thanks, Florian. And, anyone who downvotes please have the balls to explain why. I usually don't take this personally but seriously - why was this a bad question?? – C C Oct 13 '16 at 15:11
  • @CC Many reasons: 1. "I'm new, be gentle". 2. I've done *some* research (link to **one** topic on SO). 3. Wrong forum (more suited for programming.SE than SO) 4. Lack of googling. You've described token based authentication. Or is this a case of "I couldn't find anything on Google"? – Kayaman Oct 13 '16 at 15:21
  • thanks...and no, I did research for at least 2 hours - said "including this topic", not "found this topic". Your comments are much more helpful than the hit-and-run downvote which (IMHO) is a real problem at these exchanges. – C C Oct 13 '16 at 15:23
  • This is nothing to do with enterprise java web app development so I'm not sure why you have mentioned that specifically. My preferred method of authenticating REST requests is using digest authentication which is similar to what you describe. You can also use OAuth. If this application holds sensitive information I would advise against trying to implement your own authentication mechanism especially since you are quick to point out your inexperience. – FMC Oct 13 '16 at 15:48

0 Answers