I am developing a web service using REST Jersey. For user access and authentication I have to maintain a session throughout the application (like Servlet). I have planned to use Google OAuth 2.0.
How do I apply it in my application?
Are any other OAuth 2.0 libraries available? Please suggest.
Any ideas where to start? If so, kindly share any tutorials.
Thanks in advance
You can let the servlet container handle the session for you using standard JSESSION cookies. That will save you from revalidating the access token on each REST request. Then you simply use OAuth for authentication.
A lot depends on what the REST client will be, and hence what the UX will be. That will shape your architecture. The server bit is easy.
I have created some APIs using JAX-RS Jersey. I have been given the task of securing them using OAuth 2.0. On Google I found many articles which explain how I can access the Google API, Facebook API, etc. They told me how to access already created APIs.
But my question is how I can make my API secure using OAuth in Java, so that when another application wants to access it, it needs to provide authorization and an authentication token, etc.
Can anybody help me with the code in Java? You can suggest even a paid tutorial on Udemy or Coursera if you know one. I will opt for them. I am not using any framework like Spring or Spring Boot.
I would advise checking out the following page:
https://www.baeldung.com/spring-security-oauth-jwt
It makes use of Keycloak for the authorization server and Spring for configuring the resource server.
I have created a REST web service in Java but need to secure it so that only authorised clients are able to access the service. I have never implemented security before. Hence I have no idea where to start, to be honest. Do I need to implement some token-based security where the client needs to provide the token in the header of the request and I need to verify it on my end?
As RESTful Web Services work with HTTP URL Paths, it is very important to safeguard a RESTful Web Service in the same manner as a website is secured.
To understand the importance of security, consider the following links:
http://howtodoinjava.com/security/restful-web-services-security-guide/
How to secure RESTful web services?
For implementation using Spring, use the given link:
https://dzone.com/articles/securing-restful-web-service
Starting a new project to create a restful Web Service that requires callers to be Authenticated by Kerberos (Active Directory).
The web service will be hosted by Tomcat and I was planning to use JAX-RS with JAAS but I'm not finding much information on this, does anyone have information or experience on getting this to work?
Should I be looking at Spring and Spring Security instead?
Apache provides good documentation for using JAX-RS with Kerberos. Here is the link:
http://cxf.apache.org/docs/jaxrs-kerberos.html
I have the same issue. I googled extensively and have not found a good answer.
The problem is that the issue has several layers and most answers point to (usually vague) solutions for only one layer.
And there is not a single complete and clear example for the end-to-end solution.
LAYERS
1. Client call to rest service using kerberos/windows logged in credentials.
   Answers usually show how to use kerberos to authenticate but fail to say how to use it to pass the logged in credentials to the REST service.
   Both Spring REST client functionality and native Java seem capable of doing this but it is not clear how.
2. Processing by the REST service of the authentication request by the client that is authenticating via windows/kerberos.
   Spring REST service functionality appears to be the easiest way to implement it but again it is not clear how to tell the REST service to expect that authentication method.
3. Either forwarding the client kerberos credentials to whatever resource the REST service is trying to access, or get a success/failure and then the REST service uses kerberos/windows authentication itself (different credentials from the clients) to access a resource.
I hope this clarification of the issue helps in producing a good answer.
In Kerberos there are two server URLs involved: the authentication server and the ticketing server. If you go to the browser console, under the ticketing server response parameters you can see a cookie that you can use to authenticate your REST API by passing it as a request parameter.
That's the only solution to authenticate your REST API.
I'm pretty new to REST and am currently developing an API with JAX-RS Jersey. I am curious about what the easiest way to implement user management is, i.e. users must log in and have restricted access to different resources depending on their role. From what I understand, using OAuth 2.0 is the current standard. Can I implement that with Jersey? Does anyone have a few links to get me started (examples, tutorials)? Or would you suggest another approach?
Thanks a lot
There are multiple ways to achieve that; let me point out a few of them:
HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers or login pages. Rather, HTTP Basic authentication uses static, standard HTTP headers, which means that no handshakes have to be done in anticipation.
Role based access control for J2EE applications using realm
OAuth with REST:
There's an OAuth 1.0 contrib for Jersey # https://wikis.oracle.com/display/Jersey/OAuth
Works great for me. OAuth 2 is not really a standard yet as it's not finished and there's still a lot of debate and interoperability issues around it.
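The HTTP Basic authentication and role-based access control mentioned in the answers above can be combined in a single JAX-RS request filter. The following is an added example, not code from any of the posts; the `UserStore` interface and the realm name `api` are hypothetical, and it assumes TLS terminates at the container so that `isSecure()` is accurate.

```java
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Priority(Priorities.AUTHENTICATION)
public class BasicAuthFilter implements ContainerRequestFilter {
    /** Hypothetical lookup: returns the user's roles, or null if the password is wrong. */
    public interface UserStore { Set<String> rolesIfValid(String user, char[] password); }

    private final UserStore users;
    public BasicAuthFilter(UserStore users) { this.users = users; }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String user = null;
        Set<String> roles = null;
        // Basic credentials are only base64-encoded, so refuse them on a non-TLS request.
        if (ctx.getSecurityContext().isSecure() && header != null
                && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
                String pair = new String(raw, StandardCharsets.UTF_8);
                int colon = pair.indexOf(':'); // split on the first ':' only; passwords may contain ':'
                if (colon > 0) {
                    user = pair.substring(0, colon);
                    roles = users.rolesIfValid(user, pair.substring(colon + 1).toCharArray());
                }
            } catch (IllegalArgumentException malformedBase64) { /* treated as unauthenticated */ }
        }
        if (roles == null) { // missing, malformed or wrong credentials all get the same 401
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"api\", charset=\"UTF-8\"").build());
            return;
        }
        final String name = user; final Set<String> granted = roles;
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return () -> name; }
            public boolean isUserInRole(String role) { return granted.contains(role); }
            public boolean isSecure() { return true; }
            public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }
}
```

Register an instance of the filter with the JAX-RS application; in Jersey, also registering `RolesAllowedDynamicFeature` makes `@RolesAllowed` on resource methods consult the security context set here.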
We are currently evaluating building a new web-application which consists of the following technology:
Back-end:
Java EE 6 JAX-RS RESTful web service
Front-end:
HTML5 UI using backbone.js (and various other libraries)
The question is, what is the best way to implement a secure session? Limitations are that we cannot use OAuth (due to a legacy login service we will be consuming). We need a financial-industry level of security.
We are thinking about using HTTPS basic authentication with the REST server (back-end), and using backbone.js's session to elegantly handle the front end.
What are the security implications of adopting this strategy?
When you approach security issues, you must remember that your security is only as strong as your weakest link. I hope you fully realize you need to secure all your communication, and not just the login.
Also, what key length are you going to use? 128-bit?
I would recommend that you look into SPNEGO. I think this might assist you.