Nov 6th, 2012, 10:06 AM
Spring Security OAuth with Spring Web Services
Is it possible to secure Spring Webservices with Spring Security OAuth? I've read somewhere (http://static.springsource.org/sprin...y.html#d5e2241) that Spring Security supports Spring Webservices but I'm not sure if OAuth would work too. If it does do you have any examples you can point me to?
I was thinking of implementing a WSDL/SOAP Web Service and secure it using OAuth, so if you could point me in the right direction it would be nice.
Last edited by petersaints; Nov 6th, 2012 at 10:16 AM.
Nov 6th, 2012, 10:17 AM
There's nothing special about OAuth. I doubt if you'll find any examples specifically of what you want, but all you really need is a <oauth:resource-server/> (assume OAuth2) and the Spring Security filter chain in your service config. Any examples you find of using Spring Security should work fine.
Nov 7th, 2012, 06:03 PM
Exactly. I thought that might work. Today I was able to configure the Spring WS Tutorial to use Spring Security In Memory implementation. I haven't tried OAuth yet... but a doubt arises. OAuth makes authentication based on HTTP headers (the Athorization: bearer <TOKEN> thing) and WSDL/SOAP web services use XML elements on the SOAP message header for authentication.
So if I do a request without the security header filed up but with a valid Access Token in the header of the HTTP request in it would authenticate correctly? Because I really doubt that the Spring Security OAuth will work with the SOAP security headers, that have no direct way of expressing authentication with a single token.
Nov 8th, 2012, 12:42 AM
The OAuth spec only recommends that you use a header for authentication and that's the default strategy in Spring OAuth. You could do it any way you like, but in any case your clients are going to have to know about it.