Ryan Heaton's Blog

OAuth is Handy
Posted by stoicflame on May 16, 2008 at 09:50 AM

OAuth for Spring Security was released this week, and I thought I'd take a stab at why you might be interested.

What is OAuth?

I like to explain OAuth by describing the problem it is trying to solve. So here goes. Let's say you're a sizeable social networking site and you'd like to offer a feature to your users to allow them to search their webmail contacts for import into their social network. The problem is, you (the "consumer") need access to a resource that is protected by another site (a.k.a. "service provider"). How do you go about doing that?

Option 1: Just ask the user for his/her credentials and promise that you won't store them or do anything bad with them.

Well, it works, I suppose, but this isn't a great general-purpose practice for online applications. And it's not hard to see why. Sure, you might be trustworthy, but there are plenty of other sites that are not. And what about the service provider? How would you feel about your users giving out their credentials to other sites that want access to the resources you protect?

Option 2: Use OAuth.

OAuth is a protocol that was defined to address this problem. Continuing the above example, let's say that you've established a trust with the webmail service providers. You share a "secret" (which in practical terms is a passphrase or a public key or something) that you can use to gain access to the webmail contacts—provided, of course, that the user approves it. In order to gain this approval, all you have to do is redirect the user to the login page of the webmail service provider and have the user tell the service provider that it's okay that you access his/her contacts. OAuth is a protocol standard that can be used to enable this mechanism.

How do I try it out?

OAuth for Spring Security has a really nice tutorial that walks you through setting up both a service provider and a consumer on your local box. Once those are set up, you can see OAuth in action by walking through the user flow.

How do I learn more?
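
To make the shared-secret idea under Option 2 concrete, here is an added example (not code from the original post or from OAuth for Spring Security) of how a consumer signs a request with the OAuth 1.0 HMAC-SHA1 method and how the provider checks it. The secrets, token, URL and parameter values are constructed placeholders, and the timestamp/nonce replay checks a real provider performs are left out.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is built from the two secrets; the user's password is never an input.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def provider_verify(method, url, params, signature, consumer_secret, token_secret):
    # The provider recomputes the signature from its own copy of the secrets.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (hypothetical consumer, token and URL).
CONSUMER_SECRET = "example-consumer-secret"   # shared between consumer and provider
TOKEN_SECRET = "example-token-secret"         # issued once the user approves access
URL = "https://webmail.example/contacts"
PARAMS = {
    "oauth_consumer_key": "social-site",
    "oauth_token": "approved-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1210931400",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "format": "vcard",
}
SIGNATURE = sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)

if __name__ == "__main__":
    print("oauth_signature:", SIGNATURE)
    print("provider accepts:", provider_verify("GET", URL, PARAMS, SIGNATURE,
                                               CONSUMER_SECRET, TOKEN_SECRET))
```

Because the token secret is part of the key, the provider can cut off one consumer's access by invalidating that token, without the user changing a password.
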

Enunciate 1.7: Security and Custom Content Types
Posted by stoicflame on May 06, 2008 at 03:22 PM

Enunciate 1.7 has been released!

The primary feature of Enunciate 1.7 is support for securing your Web service endpoints using Spring Security. There is additional support for OAuth, with OpenID and WS-Security planned for 1.8. In addition, Enunciate 1.7 introduces the concept of custom REST content types, which you can use to support custom serialization formats for REST responses (beyond the default XML and JSON endpoints).

Enjoy!