I am developing a RESTful web service using Jersey between my Android, iPhone and MySQL applications. I also use Hibernate to map data to a database.
I have a sessionId (key). It is created when a user logs in.
In the User class:
public Session daoCreateSession() {
    if (session == null) {
        session = new Session(this);   // first login: create a session for this user
    } else {
        session.daoUpdate();           // later login: rotate the key and refresh the date
    }
    return session;
}
In the Session Class:
Session(User user) {
    this.key = UUID.randomUUID().toString();
    this.user = user;
    this.date = new Date();
}

void daoUpdate() {
    this.key = UUID.randomUUID().toString();
    this.date = new Date();
}
When the user logs in successfully, I send this sessionId to the client of the mobile application. Then, when I want to get some information from the database for the logged-in user, I check this session key as authentication in the REST services for each request.
For example, for the list of projects the user participates in, I use client.GET(SERVER_ADDRESS/project/get/{SessionID}) instead of client.GET(SERVER_ADDRESS/project/get/{username}).
And if this is not a valid session key, I return a 403 Forbidden code to the client. You can also look here.
The fact is that I'm not sure about my approach. What do you think the cons of this approach are when considering Jersey and a mobile app?
I researched Spring Security. I still don't know if I can use it instead, if the session key approach is not suitable. Can you help me?
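As an added example (not code from the post), one way to enforce the session key on every Jersey request is a ContainerRequestFilter. It assumes JAX-RS 2.0 / Jersey 2, that the post's Session class exposes getUser() and getDate(), a hypothetical in-memory map standing in for the Hibernate lookup, and the header name, lifetime and login path given as constants.

```java
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Runs before every resource method; rejects requests without a known, unexpired key.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class SessionKeyFilter implements ContainerRequestFilter {
    static final String HEADER = "X-Session-Key";              // assumed header name
    static final long MAX_AGE_MS = TimeUnit.HOURS.toMillis(12); // assumed session lifetime
    static final String LOGIN_PATH = "user/login";              // assumed login resource path
    // Hypothetical stand-in for the Hibernate lookup "Session where key = ?".
    private final Map<String, Session> sessionsByKey = new ConcurrentHashMap<>();

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (ctx.getUriInfo().getPath().equals(LOGIN_PATH)) {
            return; // login is the call that issues the key, so it passes through
        }
        // Read the key from a header, not the URL path: paths end up in server,
        // proxy and client logs, headers normally do not.
        String key = ctx.getHeaderString(HEADER);
        Session session = (key == null) ? null : sessionsByKey.get(key);
        if (session == null) {
            reject(ctx); // missing or unknown key
            return;
        }
        // A random UUID that never expires is a password that never changes;
        // enforce a lifetime on the date the Session class already stores.
        if (new Date().getTime() - session.getDate().getTime() > MAX_AGE_MS) {
            sessionsByKey.remove(key); // drop the stale key so it cannot be reused
            reject(ctx);
            return;
        }
        // Resources take the user from here instead of a {username} path parameter,
        // so a caller cannot ask for another user's projects.
        ctx.setProperty("authenticatedUser", session.getUser());
    }

    private static void reject(ContainerRequestContext ctx) {
        // The post uses 403; 401 is the usual status for a missing or invalid credential.
        ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
    }
}
```

A resource method can then inject `@Context ContainerRequestContext` and read the caller with `getProperty("authenticatedUser")`, so the project list is always scoped to the user who owns the key.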