Problems with authentication, session & RESTful services

I wasn't sure whether to post in Web or Security; it's more of a problem with security that I am having, so I chose here.

I am working on a team on a project, let's call it Sherlock. We are deploying to a WebSphere environment, and so we are building 2 artifacts, EARs: SherlockWeb.ear and SherlockServices.ear.

The idea is that SherlockWeb and SherlockServices could be deployed to different servers; however, currently they are deployed to the same application server.

SherlockServices exposes RESTful web services to perform CRUD operations (adding new users, cases, administrators etc.). It looks after all the DB access and calling an Enterprise Service Bus and legacy systems.

Then we have SherlockWeb, which, as you would have guessed, contains a WAR containing JSPs, JS, static content etc. The problem, I think, is that we submit our forms using AJAX, and the AJAX makes a POST to RESTful web services running on the front end (SherlockWeb). So as well as having REST in the SherlockServices EAR, we also have REST in the SherlockWeb EAR.

Finally, the security bit.

I was asked to implement a security solution for the web application. I used Spring Security, and at first all seemed well. I can log in, the authentication is working and the intercepts etc. are working; the problem is that, quite randomly, after a couple of calls to services the user will get booted out by a 302 temporary redirect to the login page.

I've tried finding a solution, but I'm beginning to think it is this goofy architecture that is the problem. I could refactor: either submit the forms to a form controller and then invoke the web services from the form controller, or else remove all the services and controllers from the front end completely and just invoke SherlockServices directly from the front end.

Can anyone definitively tell me what the problem is here? Is the inherent statelessness of REST causing my problem?
From what I can see, I can call a couple of services OK and then, quite randomly, one call will send a login page back to the AJAX call. I have some error handling in the AJAX call which will then redirect back to MY login page.

Any suggestions for fixing this problem would be greatly appreciated.
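One thing that makes this kind of failure hard to diagnose is that the browser's XMLHttpRequest layer follows a 302 silently, so the AJAX caller sees a 200 carrying the login page's HTML instead of an error it can act on. As an added example (not the poster's code), the Spring Security configuration below answers AJAX and REST requests with a plain 401 and keeps the 302-to-login behaviour only for ordinary page navigation; it assumes Spring Security 6 Java config, and the `/api/**` and `/login` paths are assumptions.

```java
import java.util.LinkedHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class AjaxAwareSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Browser AJAX libraries (jQuery etc.) send this header on XHR calls.
        RequestMatcher ajax = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");
        // Assumed path prefix for the REST endpoints that live in the web EAR.
        RequestMatcher api = new AntPathRequestMatcher("/api/**");

        // Ordered map: the first matcher that matches decides the entry point.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        // Unauthenticated (e.g. session expired) AJAX or REST call: 401, no redirect,
        // so the client-side error handler can see exactly what happened.
        entryPoints.put(ajax, new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
        entryPoints.put(api, new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));

        DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
        // Everything else is a normal page request and still gets the 302 to the login form.
        entryPoint.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));

        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(entryPoint));
        return http.build();
    }
}
```

With this in place, an unexpected 401 in the AJAX error handler pinpoints the session being lost, which is far easier to correlate with server-side session timeout or filter-chain logs than a redirect the browser has already swallowed.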