I have a webapp which has angularJS on the frontend and Java on the backed. Angular communicates with the java backend via Restful webservices consuming and sending JSON across HTTP. I need to build the authentication mechanism for this app and was wondering how would be the best approach, currently I'm using JAAS based authentication (JDBC user table). This is how my app is configured:
My web.xml configuration has:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>userauth</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<display-name>ConstraintSSL</display-name>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/checkout/*</url-pattern>
<url-pattern>/login/*</url-pattern>
<url-pattern>/login.*</url-pattern>
<url-pattern>/account/*</url-pattern>
<url-pattern>/ad/create</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>ConstraintUser</display-name>
<web-resource-collection>
<web-resource-name>user</web-resource-name>
<description/>
<url-pattern>/account/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ADMINISTRATORS</role-name>
<role-name>USERS</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description/>
<role-name>USERS</role-name>
</security-role>
<security-role>
<description/>
<role-name>ADMINISTRATORS</role-name>
</security-role>
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<welcome-file-list>
<welcome-file>init.html</welcome-file>
</welcome-file-list>
init.html only redirects to a index.html page which loads angular and starts the actual app.
Now here is my UserController which handles user related activities on the client side (browser):
myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService',
function($scope, $routeParams, UserService) {
$scope.logged = false;
// if User is not detected by cookie
$scope.user = fetchUserFromCookie();
if (! $scope.user) {
// set default guest user
$scope.user = {
firstName : 'guest',
lastName : 'user',
preferredCurrency : "USD$",
sessionHash: "XXXXXX",
shoppingCart : {
totalItems : 0,
total : 0
}
};
}
$scope.login = function(userName, pass) {
$scope.user = UserService.login(userName, pass);
$scope.logged = true;
};
$scope.logout = function(userName) {
$scope.user = UserService.logout(userName); // warn server side you're logging out
$scope.logged = false;
$scope.user = null;
};
}]);
My goal is to provide a login page with JAAS based JDBC authentication, and to allow only those user which has a specific ADMIN role or USER role to see a certain page, how to achieve this in a angularJS + Java based app ?
my main concerns are with session tracking,
how to track that a specific user has granted access and has permissions to change a specific record ?
how to prevent manual hacks like manually changing JS code or changing a Cookie in order to hijack a user session ?
- index.html page should contain token inside html to avoid CSRF
- token shouldn't be stored in a cookie storage
- Each request should be signed with header param
- Server should validate every request by passed header
- If cookie usage is a must you should validate referer in order to prevent CSRF
来源:https://stackoverflow.com/questions/24129848/how-to-integrate-angularjs-and-java-jaas-based-authentication