[jetty-users] How to implement token based authentication for a website? (not a single page application)


Hello


Many years ago, I succeeded in implementing authentication by using a simple login form, (HttpOnly) cookies to store the credentials, jsessionid, ... I used some simple examples provided with Jetty; it took me only a few hours to get something working.


I currently have some additional constraints: I must implement cookieless authentication. The first technology that comes to my mind is JWT, even though nothing prevents a programmer from storing a JWT token in a cookie. Using the JJWT library with Jakarta RESTful Web Services is quite easy for me: I just put the received JWT token into the header field "Authorization: Bearer", the server checks whether the token is still valid and returns the expected result if so. Things become trickier for a real website, unless I'm missing something obvious. I would like to put this token into the header when I go from one web page to another page of the same domain, a bit like it works for cookies. I know how to simulate that by using the JavaScript Fetch API to fetch the source code of the next web page (fetch() allows passing some header fields) and by replacing the body of the current document with the fetched HTML source code, but it's probably not the cleanest solution. I could also store the encrypted and signed JWT token in local or session storage and pick it up in the JavaScript source code on the client side. Maybe I could use a service worker to modify the headers on the fly before sending the request to the server.


I have to implement such a system for Jetty >= 11. Am I missing something on the server side or on the client side? Is there a simpler solution?

I sum up my investigations here:

https://stackoverflow.com/questions/75959390/how-to-implement-token-based-authentication-with-jakarta-ee-9-1-wildfly-26-jwt


Jetty-specific solutions are warmly welcome. It's the first time I have had to implement token-based authentication, sorry if my question seems stupid.


Best regards.
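The service worker idea from the post above, as an added example that is not part of the original message and not Jetty or JJWT code: the decision logic a service worker could use to attach a bearer token to outgoing requests, written so that it runs outside a browser. The origin `https://app.example.test`, the request shape `{url, headers}`, the sample token and the helper names are all assumptions. The two points a practitioner would want covered are that the token is only attached to same-origin requests (never leaked to a third-party URL the page happens to load) and that the client uses the `exp` claim only to decide when to ask for a fresh token; it never trusts the payload, since the server still verifies the signature.

```javascript
// Added example: token-attachment logic for a cookieless JWT flow.
// Assumed origin of the application (constructed value).
const ORIGIN = "https://app.example.test";

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Minimal base64url encoder (no padding), used only to build sample tokens.
function bytesToBase64Url(bytes) {
  let s = "", buf = 0, bits = 0;
  for (const b of bytes) {
    buf = (buf << 8) | b; bits += 8;
    while (bits >= 6) { bits -= 6; s += B64[(buf >> bits) & 63]; }
    buf &= (1 << bits) - 1;
  }
  if (bits > 0) s += B64[(buf << (6 - bits)) & 63];
  return s.replace(/\+/g, "-").replace(/\//g, "_");
}

// Minimal base64 decoder; "=" padding terminates the input.
function base64ToBytes(s) {
  const out = [];
  let buf = 0, bits = 0;
  for (const ch of s) {
    if (ch === "=") break;
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error("bad base64 character");
    buf = (buf << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out.push((buf >> bits) & 0xff); buf &= (1 << bits) - 1; }
  }
  return Uint8Array.from(out);
}

// Build a constructed sample token: real header and payload encoding, but a
// placeholder signature. A real token would be signed by the server.
function makeSampleToken(payload) {
  const enc = new TextEncoder();
  const header = bytesToBase64Url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = bytesToBase64Url(enc.encode(JSON.stringify(payload)));
  const sig = bytesToBase64Url(enc.encode("constructed-signature-placeholder"));
  return `${header}.${body}.${sig}`;
}

// Decode the payload of a compact JWT WITHOUT verifying it. The client only
// reads "exp" from this to know when to request a new token; authorization
// decisions stay on the server, which verifies the signature.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  return JSON.parse(new TextDecoder().decode(base64ToBytes(b64)));
}

// True when the token's "exp" (seconds since epoch) is at or before nowSeconds.
// A token with no "exp" is treated as expired so it is never sent blindly.
function isExpired(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp !== "number" || exp <= nowSeconds;
}

// Attach the token only to requests whose resolved origin equals our origin.
// Relative URLs resolve against ORIGIN; unparsable URLs get no token.
function shouldAttachToken(url, origin) {
  try {
    return new URL(url, origin).origin === origin;
  } catch (e) {
    return false;
  }
}

// Return a copy of the request with an Authorization header when appropriate.
function decorateRequest(req, token, nowSeconds) {
  if (!token || isExpired(token, nowSeconds) || !shouldAttachToken(req.url, ORIGIN)) {
    return { url: req.url, headers: { ...req.headers } };
  }
  return { url: req.url, headers: { ...req.headers, Authorization: `Bearer ${token}` } };
}

// Service worker wiring (browser only; skipped when run under Node).
// The token is kept in worker memory rather than localStorage, so page
// scripts cannot read it. Note that worker memory is cleared when the worker
// is terminated, so a real deployment also needs a token-refresh path.
if (typeof ServiceWorkerGlobalScope !== "undefined") {
  let currentToken = null;
  self.addEventListener("message", (ev) => { currentToken = ev.data && ev.data.token; });
  self.addEventListener("fetch", (ev) => {
    const now = Math.floor(Date.now() / 1000);
    const d = decorateRequest({ url: ev.request.url, headers: {} }, currentToken, now);
    if (!d.headers.Authorization) return;
    const headers = new Headers(ev.request.headers);
    headers.set("Authorization", d.headers.Authorization);
    ev.respondWith(fetch(new Request(ev.request, { headers })));
  });
}
```

The page itself sends the token to the worker with `navigator.serviceWorker.controller.postMessage({ token })` after login; with this design the token never appears in a cookie or in web storage, which is the constraint the post describes.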

