Securing REST Web Service using token (Java)

Question

This question is in some way related to the below linked question. However, I need a little more clarity on some aspects and some additional information. Refer: REST Web Ser

Answer 1

Why not simplify it to the following?

For first request:

1. User establishes HTTPS connection to server (service does not listen on any other ports) and POSTs credentials to login service.
2. Server replies with HSTS header to ensure all further communication is HTTPS.
3. If credentials are valid we:
   • Generate a random temporary token which is securely generated using a CSPRNG. Make this long enough to be secure (128 bit).
   • Store the random token on server mapping it to actual username.
   • Send the random token to the client

For subsequent requests:

1. Client sends token in a custom HTTP header over HTTPS.
2. Token is located in the DB and mapped to the username. If found access is configured based on allowed roles and allowed operations.
3. If not found user is considered unauthenticated and will have to authenticate with the login service again to get a new token.

On the server side the token will be stored with an expiry date. On each access to the service this date will be updated to create a sliding expiration. There will be a job that will run every few minutes to delete expired tokens and the query that checks the token for a valid session will only check those that have not deemed to have expired (to prevent permanent sessions if the scheduled job fails for any reason).

There is no need to hash and encrypt the tokens within the database - it adds no real value apart from a touch of security through obscurity. You could just hash though. This would prevent an attacker that managed to get at the session data table from hijacking existing user sessions.