
Login system #6

@joeledstrom

Description

  • Research HTTP Basic Auth vs. other alternatives:
    The REST API should probably be stateless (maybe Basic Auth then?),
    while the admin website might be better served with a session cookie.
  • Probably implement testing of auth HTTP headers in a javax.servlet.Filter

Update:

Implemented Basic and cookie-based authentication

Things left TODO:

Important
  • Different permissions for some URLs based on role
  • Maybe a special URL for fetching your own account information?
    Something like /api/staff/me
  • Disable certain features on the website based on role
Security
  • Password + salt hashing (store salt per user in db)
  • Randomly generated login cookie (has to be stored in the db)
    NOTE: Please save this until the very last, as it makes it impossible to reuse your login cookie between relaunches of the server (especially annoying for local development, having to login all the time)
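The two auth paths the issue describes (stateless Basic on the REST API, a random server-stored cookie on the admin site) plus the two Security TODOs (per-user salt, randomly generated login cookie stored in the database) in one javax.servlet.Filter. This is an added illustration written for this page, not the project's code: the class name AuthFilter, the /api/ path prefix, the "login" cookie name and the in-memory STAFF and TOKENS maps standing in for the staff and login-token tables are all assumptions. It uses only the JDK (PBKDF2WithHmacSHA256, SecureRandom, MessageDigest.isEqual) and the javax.servlet API the issue already names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: Basic auth on /api/*, random login cookie everywhere else. */
public class AuthFilter implements Filter {
    // Constructed stand-ins for the database tables the issue talks about.
    // staff: username -> {base64 salt, base64 PBKDF2 hash}; never the password itself.
    static final Map<String, String[]> STAFF = new ConcurrentHashMap<>();
    // login tokens: random cookie value -> username (has to live in the db to survive restarts).
    static final Map<String, String> TOKENS = new ConcurrentHashMap<>();
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 100_000;   // assumption; tune to your hardware

    static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Per-user random salt, so identical passwords hash differently and rainbow tables do not apply. */
    static void registerStaff(String user, String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt);
        STAFF.put(user, new String[] {
            Base64.getEncoder().encodeToString(salt), Base64.getEncoder().encodeToString(hash) });
    }

    static boolean checkPassword(String user, String password) {
        String[] rec = STAFF.get(user);
        if (rec == null) return false;
        byte[] salt = Base64.getDecoder().decode(rec[0]);
        byte[] expected = Base64.getDecoder().decode(rec[1]);
        // Constant-time compare: a plain Arrays.equals would leak how many bytes matched.
        return MessageDigest.isEqual(expected, pbkdf2(password.toCharArray(), salt));
    }

    /** 256 random bits from SecureRandom; the value is the whole secret, so it is stored server-side. */
    static String issueLoginToken(String user) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(token, user);
        return token;
    }

    /** Username from "Authorization: Basic base64(user:pass)", or null if absent or wrong. */
    static String userFromBasic(String header) {
        if (header == null || !header.startsWith("Basic ")) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;   // malformed base64 is just an unauthenticated request
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        String user = decoded.substring(0, colon);
        return checkPassword(user, decoded.substring(colon + 1)) ? user : null;
    }

    /** Username bound to the "login" cookie, or null. */
    static String userFromCookie(Cookie[] cookies) {
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if ("login".equals(c.getName())) return TOKENS.get(c.getValue());
        }
        return null;
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        boolean api = r.getRequestURI().startsWith("/api/");
        String user = api ? userFromBasic(r.getHeader("Authorization")) : userFromCookie(r.getCookies());
        if (user == null) {
            if (api) w.setHeader("WWW-Authenticate", "Basic realm=\"api\"");
            w.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        r.setAttribute("user", user);   // downstream role checks can read this
        chain.doFilter(req, res);
    }
}
```

When the admin login handler sets the cookie returned by issueLoginToken, mark it HttpOnly (and Secure once the site is served over TLS) so script cannot read it; the "login again after every server restart" annoyance the note mentions goes away as soon as TOKENS is backed by the database instead of memory.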
