Hi David,
Please check http://cxf.apache.org/docs/jax-rs-oauth2.html
I think Apache Oltu may also be used with CXF

Thanks, Sergey

On 19/01/14 19:27, KARR, DAVID wrote:
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Sunday, January 19, 2014 10:58 AM
To: [email protected]
Subject: Re: Can I use a simpler secured service scheme than oauth2?

Hi David, Andrei
On 19/01/14 16:10, Andrei Shakirin wrote:
Hi,

I would first evaluate HTTP Basic Authentication + SSL. It is enough for
70-80% of use cases.
OAuth is a perfect fit for situations where the resource owner provides access
to restricted resources for third-party applications.

It seems the momentum is growing for using OAuth2 as an 'umbrella' for
many types of authentication/authorization combinations.

Specifically, a couple of OAuth2 flows can be used as a possible
replacement for Basic Authentication. I've checked some resources; here
is the first one which looks related:

http://apiux.com/2013/07/10/oauth-2-trumps-basic-authentication/

This looks like a very good fit for what I need to do.  Are there any examples 
for doing this with CXF?

It also occurs to me that I'll have to map the security tokens I send back with 
the authorization info I get from the proprietary authorization framework, so 
I'll know what auth is associated with later requests.

I think the idea in the end is to suggest that tokens are a better
alternative to passing base64-encoded credentials every time. I believe
in WS tokens are also used a lot.

For the old-style "form post submit" web architecture, where authentication is 
associated with a session, basic auth can work.  It's not practical for Ajax requests not 
associated with a session.

CXF also provides the possibility to use SecurityTokenService to validate
Basic Authentication, and it supports authentication via SAML tokens.

For the authorization you can easily integrate container-based
authorization (like Tomcat or Spring) or use the simple embedded
AuthorizingFilter solution.
See the following link for details: http://cxf.apache.org/docs/secure-jax-rs-services.html

Thanks, Sergey


Regards,
Andrei.

-----Original Message-----
From: KARR, DAVID [mailto:[email protected]]
Sent: Sunday, 19 January 2014 04:09
To: [email protected]
Subject: Can I use a simpler secured service scheme than oauth2?

I may need to implement some secured REST services in the next few
months.  I've deployed a few REST services so far, but none of them were
secured, so I need to get more familiar with this.

I would assume that I should be looking into oauth2, but it occurs to me
that perhaps for at least one particular application, I might be able to do
something simpler.

For one particular application, I already have a "skeleton" using an
enterprise-specified login service that presents its own login page and
also facilitates authorization features.  As a result, I can provide a simple
entry point that can read an authenticated user name and authorization
properties.  It seems to me, that in this context, oauth2 is probably not
the right fit.  I would think that I could now generate some sort of a digest
value that I could send to the front-end client (javascript). I'm not sure what
protections I need to provide for that digest value.  Perhaps simply
replacing it with new values when the current value is sent on a request might
suffice.

What is a reasonable approach for this?


--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
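
An added example, not part of the original thread and not CXF or Oltu code: one way to keep the server-side mapping between an issued token and the authorization info from the login service, including the replace-on-use rotation raised in the original question. The class name `OpaqueTokenStore`, the `Grant` shape, the 900-second lifetime and the sample user and role are all hypothetical; it assumes Java 16 or later and that tokens only travel over SSL/TLS.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: opaque bearer tokens mapped to server-side authorization info. */
public class OpaqueTokenStore {
    /** What the login service reported for the user (constructed shape). */
    public record Grant(String user, Set<String> roles, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();
    private final long ttlSeconds;

    public OpaqueTokenStore(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }

    /** Call only after the login service has authenticated the user. */
    public String issue(String user, Set<String> roles) {
        byte[] raw = new byte[32];   // 256 bits from a CSPRNG; the token carries no user data
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(user, Set.copyOf(roles), Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }

    /** Resolve a presented token; unknown or expired tokens yield empty. */
    public Optional<Grant> resolve(String token) {
        Grant g = token == null ? null : grants.get(token);
        if (g == null) return Optional.empty();
        if (Instant.now().isAfter(g.expires())) {
            grants.remove(token);    // drop expired entries on sight
            return Optional.empty();
        }
        return Optional.of(g);
    }

    /** Replace-on-use: the presented token is consumed and a new one is issued (lifetime restarts). */
    public Optional<String> rotate(String token) {
        Grant g = token == null ? null : grants.remove(token);  // atomic, so a replayed token finds nothing
        if (g == null || Instant.now().isAfter(g.expires())) return Optional.empty();
        return Optional.of(issue(g.user(), g.roles()));
    }

    public static void main(String[] args) {
        OpaqueTokenStore store = new OpaqueTokenStore(900);
        String t1 = store.issue("user1", Set.of("orders:read"));  // constructed sample values
        String t2 = store.rotate(t1).orElseThrow();
        System.out.println("old token still valid: " + store.resolve(t1).isPresent());
        System.out.println("new token resolves to: " + store.resolve(t2).map(Grant::user).orElse("none"));
    }
}
```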

