I apologize in advance for the long text, but I need to detail the problem to make myself understood.
I'm trying to develop a SPA application using ReactJS, trying to use the application server's native security (Wildfly 12, in my case). I have read something about JWT and Spring Security, but before going for these alternatives I would like to exhaust the possibility of using what is already natively implemented in the application server.
I already have JSF + Primefaces applications using application server security along with my custom authentication and authorization modules, and everything works fine. I send the username and password to a ManagedBean and it performs authentication by invoking the request login method (HttpServletRequest.login(username, password)). From this point the application server recognizes the authenticated user and its privileges. All subsequent requests are submitted to the application server security, which takes care of verifying the authorization, and everything works perfectly.
What I'm trying to do is to perform the same type of authentication and authorization, but from my SPA application, invoking a RESTful web service via AJAX to execute the same request.login() to authenticate and authorize the user, but apparently this is not as simple as I imagined.
The process in summary form is:
That's where the problem occurs. Even with the user having been successfully authenticated in the earlier request to the authentication web service, request.getUserPrincipal() always returns null when the web service for obtaining the privileges is invoked. It is as if the user had never been authenticated or a new session had been created (which I think is the case).
I have tried deploying the application on Tomcat to see if it was something specific to Wildfly, but the result was the same. I've also tried using a servlet instead of a web service, getting the same result.
I do not know if I'm addressing the security aspect of this type of SPA application correctly, or if there are other, more effective means of using application server authentication and authorization.
Although I have a lot of experience as a Java and JEE developer, this is the first time I am trying this type of approach, and I have no idea what the best practices are. None of the materials I found describe this situation.
Any help will be greatly appreciated. Thank you in advance.
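An added example, not code from the question above: a login servlet that calls request.login() with the HTTP session created first, and a second servlet that reads getUserPrincipal() on a later AJAX call. It assumes the container caches the authenticated principal on the session (so a session must exist before login() for later requests to be recognised); the paths, the form parameter names and the "admin" role are made up.

```java
// File: LoginServlet.java  (added example; assumes javax.servlet as in Wildfly 12)
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/api/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username"); // assumed parameter names
        String pass = req.getParameter("password");
        // Drop any session that existed before login so an id issued to the
        // browser earlier cannot inherit the new identity (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        // Create the session BEFORE login(): the container stores the
        // authenticated principal on the session, so a later request that
        // presents the JSESSIONID cookie is seen as the same user. Without a
        // session, login() covers only the current request.
        HttpSession session = req.getSession(true);
        try {
            req.login(user, pass);
        } catch (ServletException e) {
            session.invalidate();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // No body needed; the Set-Cookie: JSESSIONID header is what matters.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}

// File: WhoAmIServlet.java  (same imports as above, minus HttpSession)
@WebServlet("/api/whoami")
public class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // null here means the cookie was not sent, the session expired, or
        // login() ran on a request that had no session to attach to.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().print(req.getUserPrincipal().getName()
                + (req.isUserInRole("admin") ? " [admin]" : "")); // assumed role
    }
}
```

The browser only returns the JSESSIONID cookie on the second call if the AJAX request is made with credentials (fetch's credentials: 'include' or XMLHttpRequest's withCredentials), and a React dev server on another port counts as a different origin, so the cookie is dropped unless CORS explicitly allows credentials.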