
Security Problem: For REST URLs and Static HTMLs

Developer https://www.devze.com 2023-04-02 07:24 Source: Web

I have a design like this:

  • There is a core part that runs Spring on it with REST.

  • There is another part which has a Tomcat server and has just HTML files (not JSP or anything else). So if I want to change a page on the Tomcat side there is no need to restart the application; also, the design and code parts are separated. Let's accept that I am listing users on my web side (Tomcat side). Then my web side makes a GET request and the response comes as JSON. PUT, DELETE and POST happen with the same methodology.

I have 2 security problems at this point.

First, when a user wants to see a URL on the server side, how will I check authorization and authentication? And how can I limit an authorized person from getting my web page with a tool like wget?

Second, how can I hide my REST URLs? For example, if a user debugs my JavaScript code he/she will see that I am making a DELETE request to a URL with some parameters, so he/she will try to do the same (or can make thousands of GET requests to my core server if he/she learns the URL).

Thanks for any advice.


Firstly, why do you use Tomcat to serve static files? The approach I would take is this one:

  • Use a static server to serve static files (Apache, lighttpd, nginx).
    • This server will do authN and authZ (using an LDAP directory, e.g., or any other suitable auth backend).
    • AuthN is done using a scheme like HTTP Basic + SSL, HTTP Digest, WebID, ...

This is a solution to your 1st problem.

  • Configure the static server to reverse proxy your app server and use the same auth rules.

URIs are not "hidden", but they are no longer accessible to anyone. Since the user is already authenticated to the static page, no extra auth should be necessary to request the "REST URIs".
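As an added illustration of the answer above (this is example configuration written for this page, not something posted by the asker or the answerer), here is one nginx server block that does both steps: it serves the static HTML itself with HTTP Basic over TLS, and reverse-proxies the REST calls to the Spring application under the same authentication, so the REST URIs stay visible in the JavaScript but are unreachable without valid credentials. Everything here is assumed: the hostname, the certificate, htpasswd and document-root paths are placeholders, the Spring app is assumed to listen only on 127.0.0.1:8080 so it cannot be reached except through the proxy, and the `/api/` prefix is an assumed layout for the REST URIs. The rate limit is added as a defender's mitigation for the "thousands of GET requests" concern in the question; the original answer does not mention it.

```nginx
# Added example, not from the original question or answer.
# Assumptions: nginx 1.x; Spring listens only on 127.0.0.1:8080;
# hostname, TLS, htpasswd and root paths below are placeholders.

# Request-rate bucket keyed by client IP (10 requests/second), declared in
# the http{} context; applied per location with limit_req below.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path

    # HTTP Basic over TLS, the answer's "Http Basic + SSL" scheme.
    # Set at server level so every location (HTML and REST) inherits it.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;             # placeholder path

    # Static HTML served directly by nginx; no Tomcat needed for this.
    location / {
        root  /var/www/site;                              # placeholder path
        index index.html;
        try_files $uri $uri/ =404;
    }

    # REST URIs proxied to Spring. auth_basic is inherited, so an
    # unauthenticated client (browser, wget, anything) gets 401 here and
    # never reaches the application. The trailing slash on proxy_pass maps
    # /api/users to /users on the app.
    location /api/ {
        limit_req zone=perip burst=20 nodelay;            # throttle floods
        proxy_pass         http://127.0.0.1:8080/;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-Proto https;
        # Hand the authenticated identity to Spring so it can still make
        # authorization decisions (which user may DELETE what).
        proxy_set_header   X-Remote-User     $remote_user;
    }
}

# Plain HTTP only redirects, so Basic credentials are never sent in clear.
server {
    listen 80;
    server_name example.com;                              # placeholder
    return 301 https://$host$request_uri;
}
```

The point the answer makes is visible in the layout: the same `auth_basic` gate sits in front of both the page and the REST URI, so learning the URL from the JavaScript gives an unauthenticated party nothing, and an authenticated user still has to pass the application's own per-user authorization, which is why the user name is forwarded in `X-Remote-User` rather than trusting the proxy alone.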
