Posted to users@cxf.apache.org by Dan King <da...@yahoo.com> on 2010/07/20 15:36:45 UTC
Options for securing jax-rs web service?
Hi all,
I want to secure my restful web service, which is used internally only (i.e. no
3rd parties) and is accessed via a web tier using java, javascript, and flex.
However, I do not want to use basic authentication security, since I do want to
transfer back-and-forth the user name and password with each request.
I've looked into both OAuth and SSO as options for securing the web service, I'm
just not sure whether either is sensible. I'd appreciate it if others could
share what approach (OAuth, SSO, or whatever else used) they took for securing
their web service and why they selected that approach.
Also, if anyone knows where to find an implementation guide for OAuth, I'd
appreciate it if you could pass along that information. Thanks.
-Dan
Re: Options for securing jax-rs web service?
Posted by Łukasz Moreń <lu...@gmail.com>.
Hi,
I'm currently working on an OAuth 1.0 extension for the CXF JAXRS module.
You can find the source code at:
https://svn.apache.org/repos/asf/cxf/sandbox/oauth_1.0a/rt/rs/
It is in an early stage of development but maybe you will be interested.
Check this as well:
http://cxf.547215.n5.nabble.com/OAuth-client-and-server-demos-td1107099.html#a1107099
Hope it helps!
Cheers,
Lukasz
2010/7/20 Dan King <da...@yahoo.com>:
> Hi all,
>
> I want to secure my restful web service, which is used internally only (i.e. no
> 3rd parties) and is accessed via a web tier using java, javascript, and flex.
> However, I do not want to use basic authentication security, since I do want to
> transfer back-and-forth the user name and password with each request.
>
> I've looked into both OAuth and SSO as options for securing the web service, I'm
> just not sure whether either is sensible. I'd appreciate it if others could
> share what approach (OAuth, SSO, or whatever else used) they took for securing
> their web service and why they selected that approach.
>
> Also, if anyone knows where to find an implementation guide for OAuth, I'd
> appreciate it if you could pass along that information. Thanks.
>
> -Dan
Re: Options for securing jax-rs web service?
Posted by Dan King <da...@yahoo.com>.
----- Original Message ----
> From: SergeyBeryozkin <sb...@gmail.com>
> To: users@cxf.apache.org
> Sent: Tue, July 20, 2010 4:31:26 PM
> Subject: Re: Options for securing jax-rs web service?
>
> Hi
>
> Lukasz is leading the CXF JAXRS OAuth project, have just seen him
> replying...
> It appears though that you probably want a solution based upon OpenId
> (combined with OAuth if really needed) or maybe CAS, or some other SSO
> based solution. You can also try to use a client certificate - may be an
> expensive option but just mentioning it.
>
> cheers, Sergey
Hi,
I believe Sergey's suggestion that an SSO better fits my current needs than OAuth
is accurate. With that in mind, which SSOs should I look into?
Also, for future reference, if I use CAS or JOSSO or OpenSSO, is it possible to
integrate OAuth in its current incarnation or with Lukasz's extension? If yes, is
the integration relatively simple or complex? Thanks.
Best,
Dan
Re: Options for securing jax-rs web service?
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
Lukasz is leading the CXF JAXRS OAuth project, have just seen him
replying...
It appears though that you probably want a solution based upon OpenId
(combined with OAuth if really needed) or maybe CAS, or some other SSO
based solution. You can also try to use a client certificate - may be an
expensive option but just mentioning it.
cheers, Sergey
On Tue, Jul 20, 2010 at 2:36 PM, Dan King <da...@yahoo.com> wrote:
> Hi all,
>
> I want to secure my restful web service, which is used internally only (i.e. no
> 3rd parties) and is accessed via a web tier using java, javascript, and flex.
> However, I do not want to use basic authentication security, since I do want to
> transfer back-and-forth the user name and password with each request.
>
> I've looked into both OAuth and SSO as options for securing the web service, I'm
> just not sure whether either is sensible. I'd appreciate it if others could
> share what approach (OAuth, SSO, or whatever else used) they took for securing
> their web service and why they selected that approach.
>
> Also, if anyone knows where to find an implementation guide for OAuth, I'd
> appreciate it if you could pass along that information. Thanks.
>
> -Dan