Public-facing portal security questions


I plan a more or less social site in CUBA.
The portal portion will be a public-facing web site, where users can register and use the services after login (messages, mails, gallery, etc.).
The CUBA general UI portion will be the backend admin site, where moderators and admins can administer the site and the public users.
The portal portion will be more or less a pure API server, with an AngularJS frontend (when CUBA has an anonymous use pattern, maybe we'll switch over).

How can we protect the API endpoints? We are thinking about JWT, but in Spring we can only use JWT with security filters, because Spring Security does not support JWT out of the box. Or could it be done in such a way that every registered web user creates a sys$user entity? Is that feasible with several thousand public users?

Best Regards

What API endpoints are you writing about?
If it is your custom MVC controller, then it is up to you how to protect it.
If it is the CUBA REST API, then it is secured only by passing a valid session id as a parameter. The new REST API, which is scheduled for release 6.3, will use the OAuth2 protocol.
A new user entity can be created with the standard REST API.
And yes - it is absolutely okay to store thousands of users in CUBA application.
