We have decided to split our application into two parts for the cloud:
/ui -- contains all HTML + Javascript + CSS files and is deployed as WAR along with web.xml
/app -- contains REST services with session handling and so on (Spring based), deployed as a separate WAR
Both are separate WAR artifacts and are deployed independently into one cloud instance.
The /ui makes calls to the /app via a JSON REST interface.
Now we want to introduce the SAP cloud security concept and found the following issue, where we have no real idea how to handle this:
- we have set up security constraints as described in https://help.netweaver.ondemand.com/default.htm?enabling_id.html#concept_93EA4D93901D4E63B7F6F447F14AD5D2_106
- we figured out that we need to set up such constraints in both applications (/ui and /app) to protect the REST services AND to get the form for the user login
The first call to the /ui application redirects to the FORM, and we can give username and password and the UI starts (fine). Then the UI makes a REST call to the /app, and the /app wants to get authenticated as well ... and this does not work ... /ui seems to hang. (The current hack is to call the /app in another tab of Firefox, authenticate with the same user and refresh the /ui ... then all subsequent calls are working.)
What we want in the end is a way to authenticate the user in the /ui and to protect the /app. The /app should also get the "real" user information (like userName, firstname and so on) from the user management service. The /ui itself should not be protected.
Is it possible to "forward" a cookie/special header to the /app which tells the /app that an authentication succeeded and no further authentication is required? And if someone accesses the /app without such a cookie/HTTP header, he needs to authenticate first?
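For reference, here is what the security constraint described in the linked documentation looks like as a web.xml for the /app WAR. This is an added example, not configuration from the original post; the URL pattern /rest/*, the role name RestUser and the omission of a form-login-config (the linked SAP documentation describes the platform-provided login form) are assumptions. The /ui WAR that is meant to stay unprotected would simply carry no security-constraint element at all.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for the /app WAR (not from the original post).
     Assumptions: REST endpoints live under /rest/*, and the role RestUser
     is declared below; adjust both to the real deployment. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Every request under /rest/* must come from an authenticated user
       holding the RestUser role; unauthenticated callers are sent to the
       FORM login first, which is the behaviour the question describes. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST services</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>RestUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Force HTTPS so the session cookie is never sent in clear text -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- FORM authentication; the login page itself is supplied by the
       platform according to the linked documentation (assumption). -->
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>

  <!-- Role referenced by the auth-constraint above (assumed name) -->
  <security-role>
    <role-name>RestUser</role-name>
  </security-role>
</web-app>
```

With this descriptor only the /rest/* paths of the /app WAR require a login; any other resource in the WAR, and the whole /ui WAR, remains reachable without authentication. The transport-guarantee is worth keeping even during testing, because the redirect-to-login behaviour the question observes relies on the browser carrying a session cookie, and that cookie should only ever travel over TLS.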