Access control to a page with REST service

Question

I have read many discussions about authentication, authorization etc. with REST services. I have now idea how to make authentication/authorization with REST.

But the thing I did not get is, how to control access to a web page with REST service. Is it a good practice? If so, how?

Example:

• root of REST services: localhost/services

• root of web pages: localhost/pages

Now, the scenario is:

1. Client tries to go to the page localhost/pages/join.html but, it does not have right to access.

2. Thus, server should check if the client has right to access to the page, and since it does not have right, should redirect the client to somewhere.

My question is not how the server would check, understand if the client has right or not.

However, I want to know, when and how I could make this check and redirection with REST service.

For example, the first idea that comes to my mind is, in the body of join.html, with <body onload> run a javascript that checks the access right of the client sending a JSON message to REST service, let say, to localhost/services/access.

Then, service will return its answer, and if it is OK, the page will be loaded, if not, it will be redirected with window.location.href. Is this the way to decide the right of access to a web page with REST service? Is there other common solution / practice?

Please again note that I am not asking, how to secure my REST API etc., but

How do I check access rights to my web pages with REST service?

Answer 1

You can send the token that is received from REST API, to the web server to make it to save in session object of browser-client.

Answer 2

I think it's better to make anthorization and autentication on the server side, client side is not safe, since your code and logic are fully exposed it's easy to fake a request.

Generally, on the server side, you could use an interceptor to interceptor the request, in that interceptor, check the user role and his access right, then decide whether to redirect the request(or send a 403 response) or send the normal resource.

The implementaion of the interceptor depends on which language you use on the server side.

For example if you use java(jax-rs): http://docs.oracle.com/cd/E24329_01/web.1211/e24983/secure.htm#autoId0

If you use servlet, build a filter.

If you use struts2, interceptor are directly supported. and with app developed using Spring, you can use AOP to intercept a request.

If you use node.js with express, you could build a middleware that handle the auth logic.

Hopes these will help :)

Updated:

the request flow is: get the request -> retrieve the client token(generally a cookie) -> find the user role according to that token -> check whether the role is allowed to access the resource -> server the resource