I have a slight problem understanding where i should store my token (client side). So it is sent every time i change page on the server.

     @Override
    public User getValue(HttpContext c) {
      // This is where the credentials are extracted from the request
      final String header = c.getRequest().getHeaderValue(CUSTOM_HEADER);
      try {
        if (header != null) {
          final Optional<User> result = authenticator.authenticate(new Credentials(header,"",""));
          if (result.isPresent()) {
            return result.get();
          }
        }
      } catch (AuthenticationException e) {
        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      if (required) {
        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      System.out.println("NO TOKEN RETURNING NULL");

      return null;
    }
  }

This is how my authentication looks like in dropwizard. I need the token to be sent with the HttpContext.

So if i try to go into adress/securedpage. Then the HttpContext should have this token. So the server knows if the user is authorized to access or not

So after a successful login from the clientside. Where should i put the token that is received from the server?

I have a slight problem understanding where i should store my token (client side). So it is sent every time i change page on the server.

     @Override
    public User getValue(HttpContext c) {
      // This is where the credentials are extracted from the request
      final String header = c.getRequest().getHeaderValue(CUSTOM_HEADER);
      try {
        if (header != null) {
          final Optional<User> result = authenticator.authenticate(new Credentials(header,"",""));
          if (result.isPresent()) {
            return result.get();
          }
        }
      } catch (AuthenticationException e) {
        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      if (required) {
        throw new WebApplicationException(Response.Status.UNAUTHORIZED);
      }

      System.out.println("NO TOKEN RETURNING NULL");

      return null;
    }
  }

This is how my authentication looks like in dropwizard. I need the token to be sent with the HttpContext.

So if i try to go into adress/securedpage. Then the HttpContext should have this token. So the server knows if the user is authorized to access or not

So after a successful login from the clientside. Where should i put the token that is received from the server?

• javascript
• http
• authentication
• dropwizard

• why not an http-only cookie? – Daniel A. White Commented Mar 4, 2015 at 13:53
• Wouldn't it be better if a DB server from your side holds the session tokens with the timers and what not? – Jared Teng Commented Mar 4, 2015 at 13:59
• im pretty new to authentication. So im still trying to learn. The server is storing the token (or i am going to store is as fast as i get the client side going). But my guess is that the client needs to send it so the server know what client wants what. – Jemil Riahi Commented Mar 4, 2015 at 14:03
• How does the http-only cookie work like? – Jemil Riahi Commented Mar 4, 2015 at 14:03
• 1 It looks like you're implementing stateless RESTful service, therefore the client needs to store the token, and send it each time. @Daniel and JaredT are leading you towards the stateful/session solution. Just to clear things up. Your question and the code sample is focusing on the server side, while the actual question is about the client side. It's better if you could put some client-side code, as well as the context (using any specific libraries/framework?). From the tags I can see it's javascript so you probably should look for browser storage options. – Natan Commented Mar 14, 2015 at 23:23

1 Answer 1

You have many options. This is a good link to understand pros and cons https://stormpath./blog/where-to-store-your-jwts-cookies-vs-html5-web-storage/

1. Store it in local browser storage. As described in the previous link it has some risks.
2. Store it in a cookie in client side, it can be safer than local browser storage.
3. Don't store the token but store username and password in the browser or client-side cookie, and then retrieve a new token by sending credentials silently.
4. Use a client side javascript library like https://github./IdentityModel/oidc-token-manager to rely on its token management features. By default it stores the retrieved token in localStorage (available throughout all the tabs) and it can be configured with silent_renew:true so that it automatically refreshes the token prior to its expiration using an iframe (without explicit browser redirection).