Apr 4th, 2011, 12:18 PM
Access Token and Acegi on a REST/JSON Webservice
I've read the forums a bit and wanted to get some advice on the best approach -
I'm trying to set up a REST/JSON web service using CXF and Acegi (yes, not Spring Security yet). The primary consumer of the webservice is a mobile device. The webservice must be able to authenticate a user on the very first call, and then assign a token that can be used to authenticate the user on subsequent requests. I'd like to confirm if -
1) Acegi provides an access token solution out of the box, or,
2) Will a filter need to be set up, before the Acegi filters are hit, so that it can accept a token from the request header, map it to a username/password and add these credentials to the SecurityContext?
3) Should I use OAuth, which seems overkill since the webservice does not need to communicate with Facebook or LinkedIn?
4) Is Kerberos an option given my application is on a Unix box?
Apr 8th, 2011, 07:49 AM
A small update -
A team member investigated OAuth, and determined that a 2-legged authentication fits nicely, while securing access to a webservice API via access tokens.