Re: [Jersey] OAuth integration with Jersey.. anyone using it

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Tue, 09 Feb 2010 18:12:15 +0100

On Feb 9, 2010, at 3:34 PM, Marc Hadley wrote:

> On Feb 8, 2010, at 8:22 PM, Kevin Duffey wrote:
>> I am looking to use OAuth for some public services I'd like to
>> offer eventually. I have read a bit about it, but wanted to see if
>> anyone on the list has successfully got it working, and if so would
>> mind providing a few pointers or code snippets on how you got it
>> working.

There are a couple of other people on the list using Jersey's OAuth
client/server filter support (and a bug was recently fixed in the
trunk). Perhaps developers using Jersey's OAuth modules can provide
some details?

>> In particular I am looking at allowing a user to sign up on my site
>> as a consumer of my public APIs, request a token that they can then
>> use to authenticate any number of applications that they may write
>> that consume my APIs. I would like the use of this mechanism to
>> provide as much security as possible.
>> I am also wondering if the two-legged or three-legged approach is
>> best with regards to REST services. If I understand correctly the
>> two-legged approach is best for making service calls, while the
>> three legged approach would be for something like a user allowing
>> another user to access some resource(s) of their's.. basically
>> giving them permission to access the services. I am still reading/
>> learning about OAuth tho, so I apologize if this is incorrect.
> IIUC, the legged-ness is essentially the same as the number of
> parties in the process. Three legged OAuth allows a user (1st party)
> of a service (2nd party) to delegate access to the data held by that
> service to another 3rd party (often another service the user wants
> to link in). Two legged OAuth is essentially the same security
> mechanisms applied to a simpler 1-1 interaction.
>> Lastly regarding using OAuth, can I provide my own user database,
>> and from that use OAuth to retrieve tokens/secrets from the
>> incoming request, look them up myself, validate it, and so forth?
>> Or is it essential to have something like OpenSSO to validate
>> incoming OAuth requests? I know I can use Basic Auth right now with
>> my own tables and that works just fine. I am curious tho if Basic
>> Auth with say MD5 hash + SSL is "as good" or similar to using
>> OAuth... I've gotten the impression that OAuth is fast becoming the
>> industry standard way of handling secure authentication and/or
>> sharing resources tho, so hence why I am looking into it now.
>> Thank you. Appreciate any pointers/help/examples of using it.
> You don't *need* OpenSSO, I imagine it will just mean less coding
> for you if you use it.

Right, Jersey has support the client construction of the
Authentication header and server-side processing/verification of. It
does not supply an OAuth service (although a simple service might well
be something useful if anyone wants to contribute such a service).


> I'm not sure exactly what you mean by Basic Auth with MD5 + SSL but
> generally I'd suggest sticking with any widely used approach - you
> clients will thank you if they don't have to roll another custom
> authn module.
> Marc.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail: