users@jersey.java.net

Re: [Jersey] OAuth integration with Jersey.. anyone using it

From: Marc Hadley <Marc.Hadley_at_Sun.COM>
Date: Tue, 09 Feb 2010 11:00:24 -0500

On Feb 9, 2010, at 10:48 AM, Kevin Duffey wrote:

> Thanks Marc,
>
> by Basic Auth + MD5 + SSL I meant using Basic Auth header with an MD5 encoded password over HTTPS (SSL).
>
OK. I think the main advantage of OAuth over something like the above is that the OAuth signature includes the HTTP request method, URL and any form parameters so the authn is tied to a particular request and is therefore more resistant to playback attacks.

Marc.

>
>
> --- On Tue, 2/9/10, Marc Hadley <Marc.Hadley_at_Sun.COM> wrote:
>
> From: Marc Hadley <Marc.Hadley_at_Sun.COM>
> Subject: Re: [Jersey] OAuth integration with Jersey.. anyone using it
> To: users_at_jersey.dev.java.net
> Date: Tuesday, February 9, 2010, 6:34 AM
>
> On Feb 8, 2010, at 8:22 PM, Kevin Duffey wrote:
> >
> > I am looking to use OAuth for some public services I'd like to offer eventually. I have read a bit about it, but wanted to see if anyone on the list has successfully got it working, and if so would mind providing a few pointers or code snippets on how you got it working.
> >
> > In particular I am looking at allowing a user to sign up on my site as a consumer of my public APIs, request a token that they can then use to authenticate any number of applications that they may write that consume my APIs. I would like the use of this mechanism to provide as much security as possible.
> >
> > I am also wondering if the two-legged or three-legged approach is best with regards to REST services. If I understand correctly the two-legged approach is best for making service calls, while the three legged approach would be for something like a user allowing another user to access some resource(s) of theirs.. basically giving them permission to access the services. I am still reading/learning about OAuth tho, so I apologize if this is incorrect.
> >
> IIUC, the legged-ness is essentially the same as the number of parties in the process. Three legged OAuth allows a user (1st party) of a service (2nd party) to delegate access to the data held by that service to another 3rd party (often another service the user wants to link in). Two legged OAuth is essentially the same security mechanisms applied to a simpler 1-1 interaction.
>
> > Lastly regarding using OAuth, can I provide my own user database, and from that use OAuth to retrieve tokens/secrets from the incoming request, look them up myself, validate it, and so forth? Or is it essential to have something like OpenSSO to validate incoming OAuth requests? I know I can use Basic Auth right now with my own tables and that works just fine. I am curious tho if Basic Auth with say MD5 hash + SSL is "as good" or similar to using OAuth... I've gotten the impression that OAuth is fast becoming the industry standard way of handling secure authentication and/or sharing resources tho, so hence why I am looking into it now.
> >
> > Thank you. Appreciate any pointers/help/examples of using it.
> >
> You don't *need* OpenSSO, I imagine it will just mean less coding for you if you use it. I'm not sure exactly what you mean by Basic Auth with MD5 + SSL but generally I'd suggest sticking with any widely used approach - your clients will thank you if they don't have to roll another custom authn module.
>
> Marc.
>
>
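Marc's point above, that the OAuth signature covers the HTTP method, URL and form parameters and so ties the credential to one particular request, worked through as an added example. This is not code from the thread, from Jersey or from OpenSSO; it follows the OAuth 1.0 HMAC-SHA1 scheme as specified in RFC 5849. The consumer key, secrets, URL, nonces and timestamp are constructed, and the Authorization header is modelled as a dict of already-decoded oauth_* parameters rather than parsed from a real request. The verifier keeps its own consumer table, which is the "my own user database" setup Kevin asks about.

```python
# Added example (not from the thread or from Jersey): OAuth 1.0 HMAC-SHA1
# signing on the client side and verification on the server side, per RFC 5849.
# All keys, secrets, URLs, nonces and timestamps below are constructed.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters pass through."""
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    """Scheme and host lower-cased, default port dropped, query and fragment removed."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), p.hostname.lower()
    if p.port and not ((scheme == "http" and p.port == 80) or (scheme == "https" and p.port == 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, params):
    """Method, base URI and the sorted, encoded parameter set joined by '&'.

    `params` holds the oauth_* header parameters (minus oauth_signature) plus the
    form body; the query string is taken from `url`. Because all three are in the
    signed string, a signature is only valid for this one request.
    """
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in list(params) + query if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'.

    Two-legged calls carry no token, so token_secret is empty and the key ends in '&'.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_sign_request(method, url, body, consumer_key, consumer_secret, nonce, timestamp):
    """What the consumer sends: the oauth_* parameters, signature included."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp), "oauth_nonce": nonce, "oauth_version": "1.0"}
    oauth["oauth_signature"] = sign(method, url, list(oauth.items()) + list(body), consumer_secret)
    return oauth


class OAuthVerifier:
    """Server side, backed by your own consumer table (no OpenSSO involved)."""

    def __init__(self, consumers, window=300):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.window = window        # accepted clock skew in seconds
        self.seen = set()           # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, oauth, body, now):
        """Return (accepted, reason); cheap checks first, the signature last."""
        secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer"
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(oauth["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"  # also bounds how long nonces must be remembered
        nonce_id = (oauth["oauth_consumer_key"], ts, oauth.get("oauth_nonce"))
        if nonce_id in self.seen:
            return False, "replayed nonce"
        params = [(k, v) for k, v in oauth.items() if k != "oauth_signature"] + list(body)
        expected = sign(method, url, params, secret)
        if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
            return False, "bad signature"
        self.seen.add(nonce_id)  # record the nonce only once the signature has checked out
        return True, "ok"


def demo():
    """Accept, replay, tamper and stale cases; returns the verifier's reason for each."""
    now = 1265731224  # constructed; a real server would use time.time()
    url = "https://api.example.com/v1/orders?format=json"
    body = [("item", "widget"), ("qty", "2")]
    server = OAuthVerifier({"kevin-app": "s3cret-consumer-secret"})
    hdr = client_sign_request("POST", url, body, "kevin-app", "s3cret-consumer-secret", "n1", now)
    r = {"fresh": server.verify("POST", url, hdr, body, now)[1]}
    r["replay"] = server.verify("POST", url, hdr, body, now + 5)[1]
    hdr2 = client_sign_request("POST", url, body, "kevin-app", "s3cret-consumer-secret", "n2", now)
    r["tampered_body"] = server.verify("POST", url, hdr2, [("item", "widget"), ("qty", "200")], now)[1]
    r["other_url"] = server.verify("POST", "https://api.example.com/v1/refunds", hdr2, body, now)[1]
    r["other_method"] = server.verify("DELETE", url, hdr2, body, now)[1]
    r["fresh_nonce"] = server.verify("POST", url, hdr2, body, now)[1]
    old = client_sign_request("GET", url, [], "kevin-app", "s3cret-consumer-secret", "n3", now - 3600)
    r["stale"] = server.verify("GET", url, old, [], now)[1]
    return r


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:16s} {reason}")
```

Running the block prints one line per case: the original request is accepted, the identical request sent again is rejected on the nonce, and the same oauth_* parameters presented with a changed body, URL or method fail the signature check because those values are part of the signed base string. With a Basic Auth header none of those three checks is possible, since the header carries no information about the request it is attached to. The timestamp window is what lets the server forget old nonces; without it the nonce set grows without bound.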