It was my understanding Jersey 2 only supported OAuth 2 client (no server implementation). That is in the docs. Hence why I went w/ the OAuth 1 route as the docs state that there is a server implementation. Is that in error?
“15.3.2. OAuth 2 Support
At the moment Jersey supports OAuth 2 only on the client side.”
As far as what the docs lack, from a new user perspective they do not show how to get a trivial webservice secured (via either 2 or 3 legged). The best they do is link to the OAuth specification -
http://tools.ietf.org/html/rfc5849
Which is great for understanding how OAuth works. But it is useless in helping me understand how Jersey implemented this in Jersey 2.
- Damian
From: Craig McClanahan [mailto:craigmcc_at_gmail.com]
Sent: Thursday, July 24, 2014 12:42 AM
To: users_at_jersey.java.net
Subject: [Jersey] Re: Two legged Oauth 1 server example
Is there something you need that the Jersey Security Docs[1] do not cover?
I will echo the advice of others, though ... if you are writing green field applications you should really be looking at OAuth 2 rather than OAuth 1.
Craig
[1] https://jersey.java.net/documentation/latest/security.html
On Wed, Jul 23, 2014 at 12:49 PM, Sobieralski, Damian Michael <dsobiera_at_indiana.edu> wrote:
I'm new to Jersey. But so far I am loving it! I have implemented a very basic RESTful webservice using Jersey 2.10
I've reached a point where I need to secure my webservice in some fashion. OAuth 1 seems like a good choice at first glance. However, I don't need 3 legged. The consumers of my webservice are within my own company so a 2 legged approach will suffice.
However, I cannot for the life of me find an example of how to do this (2 or 3 legged). The docs do a really good job starting out explaining OAuth but sort of leave it as an exercise to the user to finish an implementation :(
https://jersey.java.net/documentation/latest/security.html#d0e10929
I don't see how to actually secure my java webservice class - the thing with:
@GET
@Produces( { MediaType.APPLICATION_JSON, MediaType.TEXT_XML, MediaType.TEXT_PLAIN, MediaType.TEXT_HTML })
nor do I see how to set up the /oauth starting path and using the consumer and secret keys. Is there an annotation that I use in my webservice methods to secure it? Or some check that I need to do at the start of my method to make sure a 2 legged oauth session has passed the mustard?
I thought I found this as an example but this doesn't seem to be complete for me to use it.
http://stackoverflow.com/questions/2795404/authentication-and-authorization-for-restfull-api-java-jersery
Will a kind soul offer a link to an example or preferably a trivial code/config example to give me a boost in the right direction in implementing a 2 legged server approach in Jersey 2?
Thanks!
- Damian
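
Added example, not part of the original thread and not Jersey's own OAuth 1 server module: the server-side check that a two-legged OAuth 1 request (RFC 5849, HMAC-SHA1, empty token secret) has to pass, written with JDK classes only. The class name, consumer key, secret and URL are constructed for illustration, and the caller is assumed to pass the base URI already normalized (lowercase scheme and host, no query string).

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class TwoLeggedOAuth1Check {
    // RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // Recompute the HMAC-SHA1 signature. Simplification: a Map cannot hold repeated parameter names.
    static String sign(String method, String baseUri, Map<String, String> params, String consumerSecret) throws Exception {
        List<String[]> pairs = new ArrayList<>();
        for (Map.Entry<String, String> e : params.entrySet())
            if (!e.getKey().equals("oauth_signature") && !e.getKey().equals("realm"))
                pairs.add(new String[] { enc(e.getKey()), enc(e.getValue()) });
        // Sort by encoded name, then by encoded value (RFC 5849 section 3.4.1.3.2).
        pairs.sort((a, b) -> a[0].equals(b[0]) ? a[1].compareTo(b[1]) : a[0].compareTo(b[0]));
        StringBuilder norm = new StringBuilder();
        for (String[] p : pairs) norm.append(norm.length() > 0 ? "&" : "").append(p[0]).append('=').append(p[1]);
        String base = method.toUpperCase() + "&" + enc(baseUri) + "&" + enc(norm.toString());
        Mac mac = Mac.getInstance("HmacSHA1");
        // Two-legged: the key is the encoded consumer secret, "&", and an empty token secret.
        mac.init(new SecretKeySpec((enc(consumerSecret) + "&").getBytes(StandardCharsets.US_ASCII), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.US_ASCII)));
    }
    // Reject unless the method is HMAC-SHA1 and the signature matches (constant-time compare).
    // A real service must also reject stale oauth_timestamp values and reused oauth_nonce values.
    static boolean verify(String method, String baseUri, Map<String, String> params, String consumerSecret) throws Exception {
        String presented = params.get("oauth_signature");
        if (presented == null || !"HMAC-SHA1".equals(params.get("oauth_signature_method"))) return false;
        byte[] expected = sign(method, baseUri, params, consumerSecret).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample request and credentials, for illustration only.
        Map<String, String> p = new HashMap<>();
        p.put("oauth_consumer_key", "internal-client");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", "1406200000");
        p.put("oauth_nonce", "constructed-nonce-1");
        p.put("q", "a b");
        p.put("oauth_signature", sign("GET", "https://api.example.com/items", p, "constructed-secret"));
        System.out.println(verify("GET", "https://api.example.com/items", p, "constructed-secret"));
        p.put("q", "a c"); // tampered query parameter: verification must now fail
        System.out.println(verify("GET", "https://api.example.com/items", p, "constructed-secret"));
    }
}
```

In a JAX-RS 2 application a check like this would normally run in a ContainerRequestFilter, so that unsigned or tampered requests are rejected before any resource method executes.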