[undertow-dev] Question regarding serving a REST API and a WEB UI over the same Undertow instance

Steve Hu stevehu at gmail.com
Sat Dec 17 06:57:33 EST 2016


Hi Dieter,

I use undertow http core only so there are only single page applications
served by my server. Here is an example of how to serve a REST API as well as
a Single Page Application like Angular or React.

https://github.com/networknt/light-java-example/tree/master/webserver

The certificate will work for both the web UI and your REST API but I cannot
confirm if it works for a war file because it is on top of a servlet container
which I never used. For performance reasons, I would recommend getting rid
of the servlet container as it is dozens of times slower than core http.

Take a look at this page; you can see the performance difference between
Light-Java and Spring-Boot with Undertow embedded. Of course, Spring added a
lot of overhead so it is not exactly Undertow core http vs Undertow servlet
container.

https://github.com/networknt/light-java-example/tree/master/performance

Even if you have TLS enabled, you might still need additional
authentication/authorization to protect your resources and basic auth is
one of them. Here is an example of using basic auth.

https://github.com/networknt/light-oauth2/tree/master/src/main/java/com/networknt/oauth/handler

Also, for your REST API, OAuth2 should be leveraged to protect your
endpoint. Here is an article that I wrote on that topic.

https://networknt.github.io/light-java/architecture/security/

Thanks,

Steve

On Sat, Dec 17, 2016 at 3:29 AM, Dieter Bogdoll <dieter at bogdoll.net> wrote:

> Hi Steve,
>
> first thanks again for your help.
> I have another question / problem: I now have a running and working REST
> API using client certificate auth. Now I would also like to provide a UI
> which makes using the REST API easier for interactive usage. (so the web UI
> would internally call the REST API)
>
> a) I got my java web UI as war file. How can I register that war file
> programmatically with undertow (which also runs my REST API)?
>
> b) Would client certificates also work with web UIs? Would the browser
> then just ask for the cert or how do I provide in this case the user cert?
> E.g. when I point my browser right now at a URL of the REST API I just get
> "Forbidden".
>
> c) If b) is not possible or not easy to do, can I use a different
> security realm and auth method for the web ui, maybe BASIC AUTH instead of
> CLIENT CERT (but just for the web ui?)
>
> Best regards,
> Dieter
>
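The setup discussed in this thread (client certificates for the REST API, basic auth for the web UI, one Undertow core instance) can be wired as below. This is an added example, not part of the original message or of the linked projects; the class name, port 8443, the "/api" prefix, the "public" classpath folder and the two IdentityManager instances are assumptions supplied by the caller.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.impl.BasicAuthenticationMechanism;
import io.undertow.security.impl.ClientCertAuthenticationMechanism;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.resource.ClassPathResourceManager;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

// Hypothetical class name; illustrates per-path authentication on one HTTPS listener.
public final class SplitAuthServer {

    // Undertow's security handler chain, built inside-out around the protected handler.
    static HttpHandler secure(HttpHandler next, AuthenticationMechanism mech, IdentityManager idm) {
        HttpHandler h = new AuthenticationCallHandler(next);      // triggers authentication
        h = new AuthenticationConstraintHandler(h);               // marks authentication as required
        h = new AuthenticationMechanismsHandler(h, Collections.singletonList(mech));
        return new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, idm, h);
    }

    // tls: SSLContext whose trust store holds the CA(s) allowed to issue client certs (assumed).
    // certUsers / uiUsers: caller-provided IdentityManagers mapping a certificate or a
    // username/password to an Account (assumed); api: the existing REST handler.
    static Undertow build(SSLContext tls, IdentityManager certUsers,
                          IdentityManager uiUsers, HttpHandler api) {
        HttpHandler ui = Handlers.resource(
                new ClassPathResourceManager(SplitAuthServer.class.getClassLoader(), "public"));
        return Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", tls)
                // REQUESTED, not REQUIRED: a browser without a certificate can still complete
                // the handshake and reach the UI; /api then rejects it at the handler level.
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED)
                .setHandler(Handlers.path()
                        .addPrefixPath("/api",
                                secure(api, new ClientCertAuthenticationMechanism(), certUsers))
                        .addPrefixPath("/",
                                secure(ui, new BasicAuthenticationMechanism("Web UI"), uiUsers)))
                .build();
    }
}
```

With this layout a request to /api without a client certificate is answered with 403, while the UI prompts for basic credentials; the UI's own calls to /api still need a certificate installed in the browser.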