-
Feb 25th, 2011, 11:05 AM
#1
RestTemplate + Spring Security
Hi All
Up until now I have been pretty sure that I wanted to use OAuth to secure access to my Spring Security-secured web services.... just as it is with the Greenhouse Android app.
Having read up on OAuth I really think it is not the correct choice for me, primarily because the consumer is my own app; any data I'm sharing is being shared with an app that I've written and as such trust. My web services will never be made available to a third party; there isn't even a need to limit the access as with a valet-type pattern.
My questions.....
1) Am I making the right choice, i.e. dropping OAuth because it seems like a sledgehammer?
2) How would I use the RestTemplate to access Spring Security-secured services? .... this is the biggy.
Many thanks in advance
Harpritt
-
Feb 25th, 2011, 02:15 PM
#2
Re: RestTemplate + Spring Security
Harpritt:
The big issue is the username/password that you would use to access your web services. Do you want the user to enter their security credentials every time they bring up the application?
If the answer is yes, then Basic Auth/Digest over HTTPS would work fine. I want to point out that HTTPS is critical. Smartphones, more than any other connected device, are heavy users of public Wi-Fi, and therefore Basic Auth over HTTP would be a problem waiting to happen.
If you don't want to enter your security credentials every time, then they would need to be stored locally. What is the impact if the phone is lost and someone has access to the username/password? My assumption is that right now, your phone's storage is not encrypted as that does not seem to be standard operating procedures even for business phones.
So, it is safer to store an OAuth token on the phone rather than a username/password. However, most corporate web services do not and are not planning to implement OAuth. A majority want to use a username/password tied to their LDAP/Active Directory that identifies the person or application and what roles they have.
You did not say whether the backend was a corporate application or not. If corporate, then the conversation is really about what the security people are comfortable with.
Perry Hoekstra
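Added example, not part of the original thread: one way to send Basic credentials from RestTemplate while enforcing the HTTPS requirement described above. It assumes Spring 3.1+ (client interceptors) and Java 8+; the class name, credentials and URL are hypothetical placeholders.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;

/** Hypothetical interceptor: adds a Basic Authorization header to HTTPS requests only. */
public class HttpsOnlyBasicAuthInterceptor implements ClientHttpRequestInterceptor {

    private final String headerValue;

    public HttpsOnlyBasicAuthInterceptor(String username, String password) {
        // The user-id part of a Basic credential pair cannot contain a colon.
        if (username.contains(":")) {
            throw new IllegalArgumentException("username must not contain ':'");
        }
        // Header value is "Basic " + base64(username ":" password).
        // On Android below API 26, use android.util.Base64 with NO_WRAP instead.
        String pair = username + ":" + password;
        this.headerValue = "Basic "
                + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
            ClientHttpRequestExecution execution) throws IOException {
        // Base64 is an encoding, not encryption: never attach it to a plain-HTTP request.
        if (!"https".equalsIgnoreCase(request.getURI().getScheme())) {
            throw new IOException("Refusing to send credentials to non-HTTPS URI: "
                    + request.getURI());
        }
        request.getHeaders().set("Authorization", headerValue);
        return execution.execute(request, body);
    }

    public static void main(String[] args) {
        RestTemplate rest = new RestTemplate();
        // Constructed sample credentials; in a real app they come from user input or protected storage.
        rest.setInterceptors(Collections.<ClientHttpRequestInterceptor>singletonList(
                new HttpsOnlyBasicAuthInterceptor("demo-user", "demo-password")));
        // Placeholder endpoint, assumed to be protected by HTTP Basic on the server side.
        String body = rest.getForObject("https://api.example.com/accounts/me", String.class);
        System.out.println(body);
    }
}
```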
-
Mar 1st, 2011, 06:02 AM
#3
Hi Dutch
Cheers for the reply
I decided to go with Basic auth over HTTPS with encrypted storage. If ever the services need to go outside my org I will move over to OAuth.
Again many thanks
Harpritt
-
Mar 1st, 2011, 07:19 AM
#4
Re: RestTemplate + Spring Security
One other possibility is: Content-Signature
This is relevant to secure web services. You can find a description on Bill Burke's blog (JBoss/RESTEasy) here: http://bill.burkecentral.com
Are you encrypting the SD card or internal storage?
-
Mar 16th, 2011, 08:43 AM
#5
Cheers again mate
I've got everything working now apart from encryption. I'm not sure how to do this as I've never done it. But it will have to wait until I have ironed out some usability issues.
Cheers dude
-
Mar 16th, 2011, 10:39 AM
#6
Re: RestTemplate + Spring Security
You mean encryption as in HTTPS or data storage encryption?
-
Mar 16th, 2011, 11:26 AM
#7
data storage encryption