I am using Spring security 3.0.3 (with spring-security-oauth 3.19.SS3) + Spring 3.05 + Jersey 1.4.
I am securing a bunch of web services. Using 2-legged OAUTH 1.0
Its working fine, but now I want to do 1-way encryption on the consumer secrets in the database, so only the consumers know the secret for their key. But if I do that during secret creation (when I store them in the database), I have a problem with SSOauth3.19 ... I can't figure out where to plug the hashing of the incoming secret during requests... where should I implement that? I was thinking about implementing a filter and run it before the OAuthProviderProcessingFilter is called but I am using HMAC-SHA1 during commmunication so there is a conflict there since that filter will try to hash the secret it gets from the consumer details and compare it to the incoming hashed secret...
I was thinking then about disabling HMAC-SHA1 and send the secret in plain text over SSL... then I dont have to worry about that... but still I need to some how fix the issue of the secret comparison in the filter... it sounds way too much of a hack.. is there a nice elegant way to implement this withing the API? anything to subclass or a contract to implement and then inject the concrete class?
Thanks for any insight!