
I have been trying hard to work out login authentication using Angular as the client and Jersey exposed as a REST web service at the backend.

Here is what I achieved over the last three days.

Angular code to capture email and password:

myApp.controller('loginController', ['$scope', '$http', function($scope, $http) {
    $scope.email = "";
    $scope.password = "";

    $scope.loginForm = function() {
        alert("login controller called");
        // Debug output only: this echoes the password into the browser console.
        console.log($scope.email);
        console.log($scope.password);
        // Form-encode the two fields by hand; $http would otherwise send a JSON body.
        var encodedString = 'email=' +
                encodeURIComponent($scope.email) +
                '&password=' +
                encodeURIComponent($scope.password);
        $http({
            method: 'POST',
            url: 'rs/loginResource',
            data: encodedString,
            headers: {'Content-Type': 'application/x-www-form-urlencoded'}
        });
    };
}]);

Java REST code:

import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;

@Path("/loginResource")
public class LoginResource {

    public LoginResource() {
    }

    // Jersey binds the two fields of the urlencoded body to the @FormParam parameters.
    @POST
    @Consumes("application/x-www-form-urlencoded")
    public void login(@FormParam("email") String email,
            @FormParam("password") String password) {
        System.out.println("Email is: " + email);       // prints output
        System.out.println("Password is: " + password); // prints output (debugging only; never log passwords in production)
    }
}

And now my question is where to go from here after getting the POST data from the form submit. As you can see I am just printing the values, whereas I would like to check the email and password against a database (Oracle). How would I go about it? Shall I use a simple connection class and DAO, or go for JPA, which I haven't learned yet? What is the learning curve for it?

Is there any design pattern involved? Usually I use DAO and POJO if it's plain Java, but I am new to REST APIs and also struggling with Angular. I hardly find any examples on vanilla Java + Angular; most of them are based on Spring + Angular.

kittu

1 Answer


Generally login goes like this:

  • Client calls the server with the login details.
  • The server verifies the login details against the database; if valid, it sets up a session. If invalid, the server returns a very generic error response. It is important not to give the client any information about which part of the submission was wrong (that gives attackers more info).

For this you'll want to read into sessions. Here are some links:

There's plenty of information on this problem on the internet.

Also, for generic REST APIs authentication will usually happen in the form of a token. The flow looks a little different:

  • Client calls the server with some sort of auth info.
  • The server generates a token using something like JSON Web Tokens and returns it to the client. Generally these have an expiry. The server might also expire all other tokens for the user.
  • The client sends the token, generally as a header, with every future request.

There are lots of ways to encrypt a password when sending it from client to server. Here's a simple one I suggest you try: RESTful Authentication

Christian Stewart
  • Thanks for your answer. Can I hash or encrypt the password on the client side before sending it in the HTTP pipeline, instead of tokens? Just thinking of more scenarios. Also I am planning to hash the password on the server side before storing it in the DB. – kittu Dec 26 '15 at 21:54
  • Also I heard about `Basic`, `Digest` and other types of authentication on the client side, which is getting me more confused. Which way is more secure? I am not working on a banking project that needs to be very secure. – kittu Dec 26 '15 at 21:56
  • @kittu There are a lot of ways to secure a password before sending it to the server. I added one to my answer. – Christian Stewart Dec 26 '15 at 22:13
  • I cannot use an HTTP session for mobiles, right? I have to go with token-based authentication? – kittu Dec 27 '15 at 08:02
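The session-based flow the answer describes (verify against the database, generic error on failure, fresh session on success), together with the server-side password hashing the question's author mentions in the comments, as one added example. This is not code from the question, the answer, or any project; it is written for the question's Jersey setup and assumes, as the question's own code does, that the JAX-RS (javax.ws.rs) and Servlet APIs are on the classpath. The `UserDao` interface, its `findPasswordHash` method, the `users(email, password_hash)` table named in the JDBC comment, and the `InMemoryUserDao` stand-in are all assumptions made here so the example runs without an Oracle instance; PBKDF2 with HMAC-SHA256 (built into the JDK) is the hashing scheme chosen for the example, since neither the question nor the answer names one.

```java
import java.security.*;
import java.util.*;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.*;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

/** Salted PBKDF2-HMAC-SHA256. Only the string returned by hash() is ever stored; the password itself never is. */
final class PasswordHasher {
    private static final int ITERATIONS = 100_000, SALT_BYTES = 16, KEY_BITS = 256;
    /** Verified against when the email is unknown, so an unknown user costs the same time as a wrong password. */
    static final String DUMMY_HASH = hash("not-a-real-password");

    static String hash(String password) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);            // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    /** Recomputes the hash with the stored salt and iteration count, then compares in constant time. */
    static boolean verify(String password, String stored) {
        String[] parts = stored.split("\\$");
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(expected, pbkdf2(password, salt, Integer.parseInt(parts[0])));
    }

    private static byte[] pbkdf2(String password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** DAO boundary (assumed here): the resource never touches SQL, so a JDBC/Oracle DAO and the in-memory one are interchangeable. */
interface UserDao {
    /** @return the stored hash for this email, or null if there is no such user. */
    String findPasswordHash(String email);
    // A JDBC version is a parameterised query over an assumed users(email, password_hash) table, never string concatenation:
    //   PreparedStatement ps = conn.prepareStatement("SELECT password_hash FROM users WHERE email = ?"); ps.setString(1, email);
}

/** Constructed stand-in for the users table so the example runs with no database. */
final class InMemoryUserDao implements UserDao {
    private final Map<String, String> hashes = new HashMap<>();
    void add(String email, String password) { hashes.put(email, PasswordHasher.hash(password)); }
    @Override public String findPasswordHash(String email) { return hashes.get(email); }
}

@Path("/loginResource")
public class LoginResource {
    /** One message for every failure: the client must not learn whether the email or the password was wrong. */
    private static final String GENERIC_ERROR = "{\"error\":\"invalid email or password\"}";
    private final UserDao users;

    public LoginResource() { this(new InMemoryUserDao()); }  // Jersey needs a no-arg constructor; inject the real DAO here
    LoginResource(UserDao users) { this.users = users; }

    @POST
    @Consumes("application/x-www-form-urlencoded")
    public Response login(@FormParam("email") String email,
                          @FormParam("password") String password,
                          @Context HttpServletRequest request) {
        if (!authenticate(email, password)) {
            return Response.status(Response.Status.UNAUTHORIZED).entity(GENERIC_ERROR).build();
        }
        // Discard any session id the client brought to the login (session fixation), then issue a fresh one.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute("user", email);
        return Response.ok("{\"status\":\"ok\"}").build();
    }

    /** Same work and same result shape whether the email is unknown or the password is wrong. */
    boolean authenticate(String email, String password) {
        if (email == null || password == null) return false;
        String stored = users.findPasswordHash(email);
        boolean passwordOk = PasswordHasher.verify(password, stored != null ? stored : PasswordHasher.DUMMY_HASH);
        return stored != null && passwordOk;
    }

    /** Stand-alone check of the verification logic without a servlet container. */
    public static void main(String[] args) {
        InMemoryUserDao dao = new InMemoryUserDao();
        dao.add("alice@example.com", "correct horse battery staple");  // constructed sample user
        LoginResource r = new LoginResource(dao);
        System.out.println("right password: " + r.authenticate("alice@example.com", "correct horse battery staple"));
        System.out.println("wrong password: " + r.authenticate("alice@example.com", "wrong"));
        System.out.println("unknown user:   " + r.authenticate("nobody@example.com", "wrong"));
    }
}
```

The token flow from the answer reuses `authenticate()` unchanged; only the success branch differs, returning a signed token with an expiry instead of calling `getSession(true)`, and a request filter then checks that token on every later call. In either flow the Angular client still sends the raw password over the wire, so the endpoint has to be served over TLS; hashing on the server, as in `PasswordHasher`, protects the stored credential, not the one in transit.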