Java REST service using authentication token

Front-end | Unresolved | 3 | 1881
春和景丽 2021-02-05 11:57

In my web app I am using Java EE 6. I want to expose some of my functionality as a JSON REST service. I want to use authentication tokens for login. Users will send their username, pa

3 answers
  •  旧巷少年郎
    2021-02-05 12:28

    I recently blogged on how to set up Role-based authorization in a JAX-RS REST API using both a simple session token approach and a more secure method of signing requests using the session token as a shared secret.

    It boils down to:

    • Get a session token from the server along with some identifier for the user
    • Use the token to encrypt the information in the request
    • Also use a timestamp and nonce value to prevent MITM attacks
    • Never pass the session token back and forth except for when retrieving it initially
    • Have an expiry policy on session tokens
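
The five steps in this answer carried through as an added example (my own code, not the answer's or the linked blog's): a self-contained Java 17 program with no JAX-RS dependency, in which the client signs each request with HMAC-SHA256 keyed by the session token and adds a timestamp and nonce, and the server checks session expiry, the timestamp window, a nonce replay cache and the signature. The header names, the canonical string layout and the 30-minute / 5-minute windows are assumptions of this example; the answer's "encrypt the information in the request" step is realised here as a MAC over the request, which is what a shared-secret signing scheme needs.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: request signing with the session token as a shared secret (not the blog's code). */
public class SignedRequestDemo {

    /** Server-side record of an issued session: the secret plus its expiry (step 5). */
    record Session(String userId, byte[] secret, long expiresAtMillis) {}

    static final long TOKEN_TTL_MILLIS = 30 * 60 * 1000L;   // assumed session lifetime: 30 minutes
    static final long CLOCK_SKEW_MILLIS = 5 * 60 * 1000L;   // assumed window: timestamps within +/- 5 minutes

    static final Map<String, Session> sessionsByUser = new ConcurrentHashMap<>();
    static final Set<String> seenNonces = ConcurrentHashMap.newKeySet(); // replay cache; prune old entries in production
    static final SecureRandom random = new SecureRandom();

    /** Step 1: login returns the token once; afterwards it is only ever used as an HMAC key, never sent (step 4). */
    static String issueToken(String userId, long now) {
        byte[] secret = new byte[32];
        random.nextBytes(secret);
        sessionsByUser.put(userId, new Session(userId, secret, now + TOKEN_TTL_MILLIS));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(secret);
    }

    /** Canonical string both sides MAC: method, path, timestamp, nonce and a hash of the body. */
    static String canonical(String method, String path, long ts, String nonce, String body) throws Exception {
        byte[] bodyHash = MessageDigest.getInstance("SHA-256").digest(body.getBytes(StandardCharsets.UTF_8));
        return method + "\n" + path + "\n" + ts + "\n" + nonce + "\n" + Base64.getEncoder().encodeToString(bodyHash);
    }

    static String hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getEncoder().encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    /** Client side (steps 2 and 3): sign the request with the token and attach timestamp + nonce as headers. */
    static Map<String, String> signRequest(String userId, String token, String method, String path,
                                           String body, long now) throws Exception {
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(nonceBytes);
        byte[] key = Base64.getUrlDecoder().decode(token);
        String sig = hmac(key, canonical(method, path, now, nonce, body));
        return Map.of("X-User", userId, "X-Timestamp", Long.toString(now), "X-Nonce", nonce, "X-Signature", sig);
    }

    /** Server side: returns null when the request is accepted, otherwise the reason for rejecting it. */
    static String verifyRequest(Map<String, String> headers, String method, String path,
                                String body, long now) throws Exception {
        for (String h : new String[] {"X-User", "X-Timestamp", "X-Nonce", "X-Signature"}) {
            if (headers.get(h) == null) return "missing header " + h;
        }
        Session s = sessionsByUser.get(headers.get("X-User"));
        if (s == null) return "unknown user";
        if (now > s.expiresAtMillis()) return "session expired";                 // step 5
        long ts = Long.parseLong(headers.get("X-Timestamp"));
        if (Math.abs(now - ts) > CLOCK_SKEW_MILLIS) return "timestamp outside window"; // step 3
        String nonce = headers.get("X-Nonce");
        String expected = hmac(s.secret(), canonical(method, path, ts, nonce, body));
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = headers.get("X-Signature").getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) return "bad signature";                // constant-time compare
        // Record the nonce only after the signature checks out, so unsigned junk cannot fill the cache.
        if (!seenNonces.add(nonce)) return "replayed nonce";                     // step 3
        return null;
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String token = issueToken("alice", now);                 // the only time the token crosses the wire
        String body = "{\"amount\":10}";                          // constructed sample request body
        Map<String, String> h = signRequest("alice", token, "POST", "/api/transfer", body, now);

        System.out.println("fresh signed request  -> " + verifyRequest(h, "POST", "/api/transfer", body, now));
        System.out.println("same request resent   -> " + verifyRequest(h, "POST", "/api/transfer", body, now));
        System.out.println("body changed in flight-> " + verifyRequest(h, "POST", "/api/transfer", "{\"amount\":999}", now));
        Map<String, String> stale = signRequest("alice", token, "GET", "/api/me", "", now - 10 * 60 * 1000L);
        System.out.println("ten-minute-old stamp  -> " + verifyRequest(stale, "GET", "/api/me", "", now));
        System.out.println("after token lifetime  -> " + verifyRequest(h, "POST", "/api/transfer", body,
                                                                       now + TOKEN_TTL_MILLIS + 1));
    }
}
```

Run it with `java SignedRequestDemo.java`. In a JAX-RS service the `verifyRequest` logic would sit in a `ContainerRequestFilter`, the session map would live in whatever store backs the service, and the nonce set needs entries older than the skew window pruned so it does not grow without bound.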
