OAuth 2-legged REST web service security
I have an MVC website and a REST web service. The website has been secured so that the users have to log in with a username and password. To perform some functions, the website needs to make calls to a web service which accesses some of the users' data.
The web service invocation does not require the OAuth dance where the user is prompted to authorise access - hence why I believe I need the 2-legged OAuth implementation.
Before calling the web service I need to get some sort of OAuth token from the web service, passing the required user details; I then need to sign the request with this token when making the web service invocation.
I am very confused as to how to achieve this using Spring Security. I have read lots of stuff on the internet, all with varying info. I would really appreciate it if some of you learned people could help, particularly with:
1. How to secure the web service so that it only accepts requests with valid OAuth tokens
2. How to configure the web service so that it is a 2-legged OAuth provider
3. How the web app can get an OAuth token on behalf of the user and sign subsequent web service requests with that token
I am using Spring 3.1.
I would really appreciate your help with this as this has left me very confused.