Authorization and Authentication with AngularJS + Jersey
Workflow User provides credentials which are sent to the server for identification. When the user is identified we perform the following task: A highly random, un-guessable string is generated. A JWT is generated with the User ID as subject and the random string as a claim . Store the JWT in cookie with HttpOnly , Secure flags (our session cookie). Store the random string in an another cookie with Secure flag only (xsrf cookie). The Login resource : All ajax requests should append the random string as the X-XSRF-Token Header. The server should reject any request that does not match between the supplied header and the claim of the session cookie. The Jersey filter : The AngularJS way... The session cookie is hidden from javascript because of HttpOnly flag. Consequently, we need to make a request (i.e. /api/current) on route change event ( AuthService.getUser() ). If the session cookie has expired or does not exist the endpoint should return