I have the following problem:

I have JAX-RS service which has a get operation:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;

@Path("/unsecure/")
@Produces("application/json")
public class MyUnsecureService {
    public MyUnsecureService() {
    }

    @GET
    @Path("/get/{id}")
    @Produces("application/json")
    public User get(@PathParam("id") String id) {
        // User is the asker's own model class; its static get(id) loads one record.
        return User.get(id);
    }
}

Now I'm going to open this API for mobile devices, and I need an authentication and authorization mechanism to access the API.

My problem is that I have trusted apps (internal jobs, a website which runs on my hosting) which should be able to expose this API as they want, with no limitation, and mobile devices, which should be able to expose this API only if they have a token, formed using the real user's encrypted login/pass, which can be used on the service side to determine:

  1. If the request to that method is allowed.
  2. If the parameters are correct (so, the user can't get other user's info).

Is this possible to do using OAuth1 or OAuth2?

Maarten Bodewes
inteloid

2 Answers

This is a very valid question to raise.

You might want to have a look at Oz (background), which AFAIU will go a long way towards your use cases. Personally, I am interested in solving the issue for Java and track Eran's work with Java implementations (jiron, hawkj), to finally do Oz (or something like it) in Java.

Much is not ripe for publishing right now, but get in touch for details if you like.

The specific problem with JAX-RS right now seems to be SecurityContext.

Jan Algermissen

The answer is found:

Using the Client Credentials and Resource Owner authorization grants, which are implemented in the OAuth2 implementation of Apache CXF.

inteloid
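An added illustration, not from the question, either answer, or Apache CXF's own OAuth2 module, of how the two requirements can be enforced on the service side once a token has been validated: a JAX-RS filter populates the SecurityContext (the piece the first answer points at) with the caller's principal and role, and the resource lets a trusted app read any record while a token issued to a user may only read that user's own record. TokenAuthFilter, MySecureService, the role names "trusted_app"/"user" and the TOKENS map are hypothetical; the map stands in for the token store an OAuth2 module would consult, and User is the asker's own model class.

```java
import java.security.Principal;
import java.util.Map;
import javax.ws.rs.*;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.*;
import javax.ws.rs.ext.Provider;

// Hypothetical filter: validates the bearer token and fills the SecurityContext.
@Provider
public class TokenAuthFilter implements ContainerRequestFilter {
    // Constructed stand-in for an OAuth2 token store: token -> {principal, role}.
    private static final Map<String, String[]> TOKENS = Map.of(
        "tok-internal-job", new String[] {"internal-job", "trusted_app"},
        "tok-alice-phone",  new String[] {"alice", "user"});

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        String[] entry = (auth != null && auth.startsWith("Bearer "))
            ? TOKENS.get(auth.substring("Bearer ".length())) : null;
        if (entry == null) {  // missing, malformed or unknown token -> 401
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        Principal principal = () -> entry[0];
        boolean secure = ctx.getSecurityContext().isSecure();
        ctx.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() { return principal; }
            public boolean isUserInRole(String role) { return entry[1].equals(role); }
            public boolean isSecure() { return secure; }
            public String getAuthenticationScheme() { return "Bearer"; }
        });
    }
}

// Hypothetical secured resource (its own file in practice). Only callers that
// passed the filter reach it; a user token may read its own record only.
@Path("/secure/")
@Produces("application/json")
class MySecureService {
    @GET
    @Path("/get/{id}")
    public User get(@PathParam("id") String id, @Context SecurityContext sc) {
        boolean trusted = sc.isUserInRole("trusted_app");
        boolean self = sc.getUserPrincipal().getName().equals(id);
        if (!trusted && !self) throw new ForbiddenException();  // 403
        return User.get(id);
    }
}
```

With CXF's OAuth2 module the role decision would follow from the grant that issued the token (client credentials for trusted apps, resource owner for mobile users) rather than from a static map.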