Hi Dieter,

I use undertow http core only, so there are only single page applications served by my server. Here is an example of how to serve a REST API as well as a Single Page Application like Angular or React.

https://github.com/networknt/light-java-example/tree/master/webserver

The certificate will work for both the web UI and your REST API, but I cannot confirm if it works for a war file because it is on top of the servlet container, which I have never used. For performance reasons, I would recommend getting rid of the servlet container as it is dozens of times slower than core http.

Take a look at this page, where you can see the performance difference between Light-Java and Spring-Boot with Undertow embedded. Of course, Spring added a lot of overhead, so it is not exactly Undertow core http vs Undertow servlet container.

https://github.com/networknt/light-java-example/tree/master/performance

Even if you have TLS enabled, you might still need additional authentication/authorization to protect your resources, and basic auth is one of them. Here is an example of using basic auth.

https://github.com/networknt/light-oauth2/tree/master/src/main/java/com/networknt/oauth/handler

Also, for your REST API, OAuth2 should be leveraged to protect your endpoint. Here is an article that I wrote on that topic.

https://networknt.github.io/light-java/architecture/security/

Thanks,

Steve

On Sat, Dec 17, 2016 at 3:29 AM, Dieter Bogdoll <dieter@bogdoll.net> wrote:
Hi Steve,

First, thanks again for your help.
I have another question / problem: I now have a running and working REST API using client certificate auth. Now I would also like to provide a UI which makes using the REST API easier for interactive usage. (So the web UI would internally call the REST API.)

a) I got my java web UI as war file. How can I register that war file programmatically with undertow (which also runs my REST API)?

b) Would client certificates also work with web UIs? Would the browser then just ask for the cert, or how do I provide the user cert in this case? E.g. when I point my browser right now at a URL of the REST API I just get "Forbidden".

c) If b) is not possible or not easy to do, can I use a different security realm and auth method for the web UI, maybe BASIC AUTH instead of CLIENT CERT (but just for the web UI)?

Best regards,
Dieter

_______________________________________________
undertow-dev mailing list
undertow-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev