On my Java EE6, REST service, I want to use authentication tokens for login from mobile devices. The user will send their username and password, and the server will send back a token, which will be used to authorize the user on their further requests for a given time.
Can I simply create a token myself like this? (I guess I do not need to encrypt this since I will use HTTPS.)
String token = UUID.randomUUID().toString().toUpperCase()
+ "|" + "userid" + "|"
+ cal.getTimeInMillis();
Or there is a more standard way to create these tokens? maybe it exists in one of the APIs?
The scheme you are proposing effectively allows a client unlimited access to your service. After an initial login, the UID and 'userid' will be made available to the client, which can be simply combined with an always valid timestamp.
If you need a service with 'login' and a session token, then why not just use an HttpSession?