I´m currently developing a "basic" Java EE 6 application with JSF (frontend) and JPA, EJB, and CDI (backend). Everything works well so far.
For the login part I've chosen form-based authentication together with a JDBC-Realm.
Now I like to offer some REST services (Jersey), which will be consumed by mobile devices. Therefore I need to add a second way to authenticate. But from my point of understanding there can only be one at a time.
I already tried to some PoC but every time I invoked a REST service which requires a valid user, the service redirected to the login page.
Are there any best practices how to handle this kind of problem?
Is it possible to add Oauth to the current login mechanism, because I don't want to send user/pass or the session id with every request. Some kind of token would be great.
If your application requires different authentication mechanisms for different services, then the login modules that are shipped with most Java EE implementations (servers) don't really suffice.
You probably have to take matters into your own hand by writing a custom login/auth module. Java EE 6 has an API for that: JASPIC. Alternatively you can use the proprietary login module API of your specific server.
In that login/auth module you can inspect the request, determine to which service that request belongs, and then delegate to the appropriate "real" module.
I wrote an article about JASPIC some time ago that might get you started.
Servers often have an option to stack login modules. This is a proprietary feature so there's a very remote chance that one of them allows stacking auth mechanisms.