I'm looking for some authentication/security mechanisms or best practices on an application stack set up like this:
If possible, I'd like Angular to present the login dialog so it's pretty and not the standard browser HTTP authentication dialog, but that's more of a preference than a requirement. I have a pretty good feel (based on angular-app) of how that could work.
I've already got the RESTEasy service set up to require LDAP authentication on JBoss so that a user can't simply hit the REST endpoints without authentication; I've used EE6 realms/roles for that part but I'm open to whatever works best.
Where I'm a bit stuck is the middle layer. Is there a way to use the same credentials to authenticate with both JBoss (to provide data) and NodeJS (so the app knows who the user is)?
I imagine the answer depends on whether the app uses CORS, and I'm fine with whatever makes sense there.
Edit: OAuth or other third-party authentication types aren't attractive, as this is purely an internal application.
Thanks!
I suppose you can generate an auth token for a given section in JBoss, the token is:
The node server can then use the token to cross verify if the client has been properly authenticated and protects pages (other then the login page).
Sort of a non-answer here but I'll describe how I got around my issue: I took Node out of the stack altogether. Both the API and web app are now hosted directly by JBoss. The HTTP Basic/LDAP auth done by JBoss takes care of my authentication. Since they're on the same machine, protocol, etc, CORS isn't required so I've sidestepped that issue as well.