users@jersey.java.net

Re: [Jersey] oAuth HMAC_SHA1 implementation bug

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 26 Aug 2009 10:11:05 +0200

Hi Dirk,

You should be able to use a container request filter or a resource
filter, see the following for more details:

   https://jersey.dev.java.net/nonav/apidocs/1.1.1-ea/jersey/com/sun/jersey/api/container/filter/package-summary.html

See the source code for RolesAllowedResourceFilterFactory that
operates on sub-resource locator or resource methods and supports the
@RolesAllowed annotation:

   https://jersey.dev.java.net/nonav/apidocs/1.1.1-ea/jersey/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.html

   http://fisheye4.atlassian.com/browse/jersey/trunk/jersey/jersey-server/src/main/java/com/sun/jersey/api/container/filter/RolesAllowedResourceFilterFactory.java?r=2584

Paul.

On Aug 25, 2009, at 8:57 PM, DirkM wrote:

>
>
> Paul C. Bryan wrote:
>>
>> Good catch, thanks. I've checked-in a fix to the trunk.
>>
>
> Wow, that was quick, you guys don't mess around :)
>
> I have a question about oAuth and Jersey. In the
> http://wikis.sun.com/display/Jersey/OAuth wiki an example is given for
> applying oAuth at a per-service level.
>
> We have a use-case in which we need to apply oAuth to all service calls, in
> other words, at the application level. The authentication mechanism is very
> simple: essentially a token, nonce, timestamp and hash verified with a
> private key shared manually in advance.
>
> The wiki page recommends using server filters for securing groups of
> resources. Is it possible to implement a Provider or similar in order to
> secure all service calls as described above, within Jersey? I'm not familiar
> with OpenSSO or ServletFilters and it looks fairly involved to set up, so
> I'd just like to know if there's a simpler solution.
>
> Thanks again,
> Dirk
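An added sketch, not part of the original thread or of Jersey's own code: a Jersey 1.x container request filter that applies the token, nonce, timestamp and hash check described in the question to every request. The header names, the signed string, the five-minute window and the `keyFor` lookup are assumptions for illustration, this is not the full OAuth signature base string, and Java 8 is assumed for `Base64` and the lambda.

```java
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical filter: header names and the signed string are assumptions.
public abstract class SharedKeyAuthFilter implements ContainerRequestFilter {
    private static final long MAX_SKEW_MS = 5 * 60 * 1000L;
    // Nonces accepted inside the skew window, mapped to the request timestamp.
    private final Map<String, Long> seen = new ConcurrentHashMap<String, Long>();

    // Returns the pre-shared key for a token, or null if the token is unknown.
    protected abstract byte[] keyFor(String token);

    public ContainerRequest filter(ContainerRequest req) {
        String token = req.getHeaderValue("X-Auth-Token");
        String nonce = req.getHeaderValue("X-Auth-Nonce");
        String ts = req.getHeaderValue("X-Auth-Timestamp");
        String sig = req.getHeaderValue("X-Auth-Signature");
        if (token == null || nonce == null || ts == null || sig == null) throw deny();
        byte[] key = keyFor(token);
        if (key == null) throw deny();
        try {
            long t = Long.parseLong(ts), now = System.currentTimeMillis();
            if (Math.abs(now - t) > MAX_SKEW_MS) throw deny(); // stale or future-dated
            String base = req.getMethod() + "\n" + req.getRequestUri() + "\n"
                    + token + "\n" + nonce + "\n" + ts;
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(key, "HmacSHA1"));
            byte[] expected = mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
            // Constant-time comparison, so timing does not leak how many bytes matched.
            if (!MessageDigest.isEqual(expected, Base64.getDecoder().decode(sig))) throw deny();
            // Record the nonce only after the signature checks out; a repeat is a replay.
            seen.values().removeIf(v -> now - v > MAX_SKEW_MS);
            if (seen.putIfAbsent(token + ":" + nonce, t) != null) throw deny();
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) { // bad number, bad Base64, crypto provider failure
            throw deny();
        }
        return req;
    }

    private static WebApplicationException deny() {
        return new WebApplicationException(Response.Status.UNAUTHORIZED);
    }
}
```

A concrete subclass that implements `keyFor` can be registered for the whole application by listing its class name in the `com.sun.jersey.spi.container.ContainerRequestFilters` init-param of the Jersey servlet.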