3:29 a.m.
Hi Steve,
first thanks again for your help.
I have another question / problem: I have now a running and working REST
API using client certificates auth. Now I would also like to provide an UI
which makes using the REST API easier for interactive usage. (so the web UI
would internally call the REST API)
a) I got my java web UI as war file. How can I register that war file
programmatically with undertow (which also runs my REST API)?
b) Would client certificates also work with web UIs? Would the browser then
just ask for the cert or how do I provide in this case the user cert? E.g.
when I point right now my browser on an URL of the REST API I just got
"Forbidden".
c) If b) is not possible or not easy to do, can I use a different security
realm and auth method for the web ui, maybe BASIC AUTH instead CLIENT CERT
(but just for the web ui?)
Best regards,
Dieter
6:57 a.m.
Hi Dieter,
I use undertow http core only so there is only single page applications
served by my server. Here is an example on how to serve REST API as well as
Single Page Application like Angular or React.
https://github.com/networknt/light-java-example/tree/master/webserver
The certificate will work for both web UI and your REST API but I cannot
confirm if it works for war file because it is on top of servlet container
which I never used. For performance reason, I would recommended to get rid
of servlet container as it is dozens times slower than core http.
Take a look at this page you can see Light-Java and Spring-Boot with
Undertow embedded performance difference. Of course, Spring added a lot of
overhead so it is not exactly Undertow core http vs Undertow servlet
container.
https://github.com/networknt/light-java-example/tree/master/performance
Even you have tls enabled, you might still need additional
authentication/authorization to protect your resources and basic auth is
one of them. Here is an example to use basic auth.
https://github.com/networknt/light-oauth2/tree/master/src/main/java/com/n...
Also, for you REST API, OAuth2 should be leveraged to protect your
endpoint. Here is an article that I wrote for that topic.
https://networknt.github.io/light-java/architecture/security/
Thanks,
Steve
On Sat, Dec 17, 2016 at 3:29 AM, Dieter Bogdoll <dieter(a)bogdoll.net> wrote:
Hi Steve,
first thanks again for your help.
I have another question / problem: I have now a running and working REST
API using client certificates auth. Now I would also like to provide an UI
which makes using the REST API easier for interactive usage. (so the web UI
would internally call the REST API)
a) I got my java web UI as war file. How can I register that war file
programmatically with undertow (which also runs my REST API)?
b) Would client certificates also work with web UIs? Would the browser
then just ask for the cert or how do I provide in this case the user cert?
E.g. when I point right now my browser on an URL of the REST API I just got
"Forbidden".
c) If b) is not possible or not easy to do, can I use a different
security realm and auth method for the web ui, maybe BASIC AUTH instead
CLIENT CERT (but just for the web ui?)
Best regards,
Dieter
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
2685
days inactive
2685
days old
1 comments
2 participants
participants (2)
-
Dieter Bogdoll -
Steve Hu