JWT Authentication for REST Services
Demonstrates securing a REST service with JWT authentication

Use Case Description

The REST service described under REST Service Mediation has to be secured by allowing access only to properly authenticated users. Unauthenticated requests to access the API should be declined with HTTP 401 responses with appropriate error messages.

Proposed Solution

The proposed authentication solution is based on JWT (JSON Web Tokens). In addition to the endpoint for handling API requests, a dedicated endpoint is introduced for user authentication and issuing of JWTs.

Basic authentication is utilized during the initial authentication, where the user sends a Basic Authorization header with a base64-encoded, colon-separated username-password pair as part of the token request. UltraESB reads credentials from a CSV-formatted user credentials file, and decodes and validates the password received in the Authorization header against its respective username. If either the header cannot be parsed or it does not correspond to a valid username-password pair, UltraESB blocks the request and returns an HTTP 401 response along with an appropriate error message. Otherwise, a signed JWT enclosing the username is generated and sent back to the user.

When accessing the actual API endpoint, the user sends a Bearer Authorization header as part of the request, including the issued JWT. UltraESB decodes the JWT, compares the enclosed username against the user base and decides whether to allow the API call to proceed to the backend. If either the token cannot be decoded (due to tampering, signing secret key mismatch, etc.) or the enclosed user does not correspond to the existing user base, API access is denied with an HTTP 401 response. Otherwise the request is allowed to proceed as in the case of the original REST service mediation flow.
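The two checks described above (Basic credentials against a CSV user file at the token endpoint, then a Bearer JWT whose signature, expiry and enclosed username are verified at the API endpoint) are shown end to end below as an added example. This is not UltraESB's or AdroitLogic's code; it assumes HS256 signing with a shared secret, a two-column `username,password` CSV layout, a `sub` claim for the username, and the endpoint/handler names `token_endpoint` and `api_endpoint`, all of which are illustrative choices. The sample credentials and secret are constructed for the example.

```python
import base64
import csv
import hashlib
import hmac
import io
import json
import time

# Constructed sample credentials file (assumed layout: username,password per line).
USERS_CSV = "alice,s3cret\nbob,hunter2\n"
# Constructed signing secret for the example; a deployment would load it from protected config.
SECRET = b"example-signing-key-for-demo-only"


def load_users(text):
    """Parse the CSV credential file into a username -> password map."""
    return {row[0]: row[1] for row in csv.reader(io.StringIO(text)) if len(row) == 2}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def basic_header(username, password):
    """Build the Basic Authorization header value the client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(header, users):
    """Return the username if the Basic header decodes to a valid pair, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # header cannot be parsed
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    expected = users.get(user)
    # Constant-time comparison so a wrong password and an unknown user take the same path.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def issue_jwt(username, secret, now=None, ttl=3600):
    """Create an HS256-signed JWT enclosing the username in the 'sub' claim."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token, secret, users, now=None):
    """Return the enclosed username if signature, expiry and user base all check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None  # undecodable token
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never trust "none" or a switched alg from the token
    expected = hmac.new(secret, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered payload or secret mismatch
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    user = payload.get("sub")
    if user not in users:
        return None  # token is valid but the user no longer exists in the user base
    return user


def token_endpoint(headers, users, secret):
    """Authentication endpoint: Basic credentials in, signed JWT out (or 401)."""
    user = parse_basic(headers.get("Authorization"), users)
    if user is None:
        return 401, {"error": "invalid or missing credentials"}
    return 200, {"token": issue_jwt(user, secret)}


def api_endpoint(headers, users, secret):
    """Protected API endpoint: Bearer JWT required, otherwise 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    user = verify_jwt(auth[7:], secret, users)
    if user is None:
        return 401, {"error": "invalid or expired token"}
    return 200, {"message": f"hello {user}"}


if __name__ == "__main__":
    users = load_users(USERS_CSV)
    status, body = token_endpoint({"Authorization": basic_header("alice", "s3cret")}, users, SECRET)
    print(status, api_endpoint({"Authorization": "Bearer " + body["token"]}, users, SECRET))
```

The algorithm pin and the constant-time signature comparison are the two checks most often missed in hand-rolled verifiers; the final user-base lookup is what lets an operator revoke access by removing a row from the CSV file even while an issued token is still within its lifetime.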

Version 17.01
Vendor AdroitLogic
Difficulty Intermediate

Documentation
External documentation for this sample project

Source Code
Full source code of this sample project
