
Authentication for SPA application #8

Open
astik opened this issue Mar 10, 2015 · 0 comments
astik commented Mar 10, 2015

This issue is not an issue but a feature proposition for both ngBonita and Bonita itself =)

As Philippe said in the 03/10/15 webinar, authentication for a frontend application needs specific attention, as we may not be part of Bonita's native authentication system.

For Single Page Applications, we often see integration of JWT (JSON Web Token), which is quite simple to work with. Projects exist for the Angular part (https://github.com/auth0/angular-jwt) and the Java part (https://github.com/auth0/java-jwt). At least for ngBonita, not much work would be needed. For the Bonita part, I'm not familiar with JAAS, but I guess it won't be much work for someone at ease with JAAS in Bonita (get the token, validate it with java-jwt, retrieve the user info, ...).

The idea is:

  • if the user calls Bonita without a token, authentication is needed: an event could be sent on the Angular side (frontend)
  • if the user calls Bonita with a token, the token is validated on the server side
  • token management must be transparent to the user; Angular manages all token handling

The advantage of tokens is flexibility:

  • not session dependent
  • can have an expiration defined on both sides
  • easier to work with native applications than cookies / sessions: easier to write applications for smartphones, for example
  • to log out, the user only has to delete the token
  • no more user sessions managed on the server side: easier to scale