Apache CXF + Spring Security + Oauth

Printable View

Jul 15th, 2011, 04:07 AM
abhi12482

Apache CXF + Spring Security + Oauth

We have apache CXF configured RESTful services for our application. Now the requirement is to secure the web services and that too in a manner that WS client doesn't need to send username password in each request. So I decided to go with Oauth two legged and spring security. I have following questions:

1. is this combination feasible as i didnt find any blog/discussion with such a combination.
2. google code base : http://code.google.com/p/cxf-spring-security/ has done spring security integration with CXF WS (SOAP) does it also works for REST.
3. for two legged oauth should i go for oauth 1.0a or oauth 2.0.

I am trying to find a feasible solution but not sure whether i am going in right direction. Kindly suggest.

Thanks,
Abhishek
Jul 18th, 2011, 04:58 AM
abhi12482

CXF supports oauth 1.0

CXF supports oauth 1.0

http://cxf.apache.org/docs/cxf-oauth-10.html

I am trying it out and will update if successful.
Dec 22nd, 2011, 07:59 AM
shivnarayan

Apache CXF + Spring Security + Oauth

Hi Abhishek,

How was your experience with Apache CXF + Spring Security + Oauth.

I am trying this combination to authenticate iPhone users.

How was your experience.

Can you please kindly share..

Regards, Shiv
Dec 22nd, 2011, 08:03 AM
abhi12482

No Success in implementing the same

I didnt found much help on this and gave up after investing 1 week in the same. :(:(
Dec 22nd, 2011, 09:26 AM
Dave Syer

I think you might have been asking the wrong questions. The purpose of OAuth is not to avoid sending authentication with every request. If your WS clients have a shared secret with the server, and they don't act on any one else's behalf then basic auth should be fine. Both vanilla shared secrets over HTTP basic and OAuth can be used to secure a web service using Spring Security (CXF or whatever), but which you would use depends on your requirements.
Dec 22nd, 2011, 10:34 AM
abhi12482

Hi Dave,

Thanks for the clarification. What i was targeting to achieve was have an Oauth server above my webservice server.

So that client will provide the username password once and oauth server will generate some shared secret which will be implicitly passed from client in further calls.

And as used by other oauth systems this key will have some expiry time and other features provided by oauth.

Thanks,
Abhishek