May 30th, 2012, 07:23 AM
What is the best way to secure REST Services developed using Spring MVC
Can anyone let me know what is the best way to secure REST services developed using Spring MVC?
We are developing these services to be accessed from mobile devices and a web portal.
We will have a reverse proxy to route the requests to the REST services.
We are planning to use basic authentication over TLS. Is that sufficient, or is it better to secure them using OAuth2?
Please help me with your answers.
May 31st, 2012, 02:44 AM
Basic auth is fine for small systems or for machine-machine interactions. As long as you are happy with a shared secret then it will work, and it's nice and simple (you are either authenticated or not). OAuth2 has a more extended vocabulary, and is less simple to set up and use. It is designed primarily for apps acting on behalf of users, so your web portal and your mobile apps don't need to collect or store user credentials, for instance. It has an explicit approval model, where users have to approve an app to act on their behalf, and can limit the scope of what the app can do. It also has the ability to expire credentials, manually or automatically after a timeout. OAuth2 is *not* an authentication protocol - you still need to authenticate somewhere, but authentication can be delegated, and managed centrally.
I'm sure you will find many articles on the net about OAuth2 and what it does and doesn't do. The first question really is do you want the extra complexity? Spring will support you whatever you choose to do.
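The trade-off described in the answer above, sketched at the protocol level as an added example (not code from the thread and not Spring's API): a Basic check that receives the shared secret on every request, next to a bearer-token check that enforces scope and expiry. The token format, `USERS`, `TOKEN_KEY`, the client and scope names and all function names are constructed for illustration; OAuth2 itself does not prescribe a token format.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: none of these names or values come from the thread.
USERS = {"alice": hashlib.sha256(b"s3cret").hexdigest()}  # real systems: bcrypt/argon2
TOKEN_KEY = b"constructed-signing-key"  # known only to the token issuer and the API

def check_basic(header):
    """Basic: the password itself travels, base64-encoded, in every request."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    digest = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(digest, USERS.get(user, ""))
    return user if ok else None  # all or nothing: no scope, no expiry

def issue_token(user, client, scopes, ttl, now=None):
    """Stand-in for the authorization server, after the user has approved `client`."""
    now = time.time() if now is None else now
    claims = {"sub": user, "client": client, "scope": sorted(scopes), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()

def check_bearer(header, required_scope, now=None):
    """Bearer: the API sees a scoped, expiring token and never the user's password."""
    now = time.time() if now is None else now
    scheme, _, token = header.partition(" ")
    body, _, sig = token.partition(".")
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if scheme.lower() != "bearer" or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # missing, forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"] or required_scope not in claims["scope"]:
        return None  # expired, or the user never approved this scope
    return claims["sub"]

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    print(check_basic(basic))
    token = issue_token("alice", "mobile-app", ["orders:read"], ttl=60, now=1000)
    print(check_bearer("Bearer " + token, "orders:read", now=1010))
    print(check_bearer("Bearer " + token, "orders:write", now=1010))
    print(check_bearer("Bearer " + token, "orders:read", now=1061))
```

With Basic, anything that sees the decrypted request, including a reverse proxy that terminates TLS, sees the password; with the token, it sees only a credential that expires and is limited to the approved scope.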