Securing JAX-RS with Apache CXF and OAuth 2.0

I would like to implement OAuth 2.0 authorization in my JAX-RS RESTful services.

After some research, I found Apache CXF for this. However, I did not find examples, and this is not clear to me. Where can I find some examples of JAX-RS with OAuth 2.0?

+7
java jax-rs cxf
2 answers

Disclaimer: This answer does not really provide a solution for securing JAX-RS using OAuth 2.0. But it seeks to give some insight to Mohasin Ali, who started a bounty on my question. Perhaps the solution I used may be useful for him.


Regarding the bounty:

The question is widely applicable to a large audience. A detailed canonical answer is required to address all the concerns.

Some time after asking this question, I realized that OAuth 2.0 would be too complicated for my requirements. Even Basic Authentication would be enough for my requirements. But in the end, I used an authentication scheme based on JWT tokens signed on the server side. I described my solution in this answer.

Apache CXF provides an OAuth 2.0 implementation. It might be worth taking a look at it if you want to use OAuth to protect your API. Apache CXF also supports OAuth 1.0.

Whichever authentication method you decide to use, do it on top of an HTTPS connection. For this you need a certificate. For a suggestion, see Let's Encrypt. They claim to provide free, automated, and open certificates, and are currently sponsored by Mozilla, Akamai, Cisco, Chrome, Facebook, and others.


Regarding the following situation mentioned in the comments:

[...] an attacker visits some computer, opens a browser, sees an access token and copies the access token into his browser [...]

If an attacker has physical access to a computer, HTTPS will not prevent the attacker from stealing an authentication token from that computer. Actually, if this happens, I think you have bigger problems...

For an additional level of security, you can consider storing the token along with the IP address of the user to whom you issued the token. For each request that hits your API, compare the IP address of the incoming request with the IP address of the user to whom you issued the token. If the IP addresses do not match, reject the request.

If you go with JWT tokens, instead of storing the entire token, store only the JWT ID claim (jti). Just make sure this value is unique (java.util.UUID should be enough to generate the jti value).

For a fully stateless approach (without storing the entire token, without storing the token identifier), you could store the IP address in the JWT token's payload, but keep in mind that the token will be a few bytes longer.

+4
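The scheme this answer describes, as an added example that is not part of the answer or of Apache CXF: a JAX-RS `ContainerRequestFilter` that verifies a server-signed HS256 JWT, checks that its `jti` is one the server issued (the server stores only the `jti`, the issuing IP and the expiry, never the token), compares the issuing IP with the incoming request's IP, and also enforces the stateless variant where an `ip` claim is carried inside the token. It assumes the `javax.ws.rs`, `javax.json` and `javax.servlet` APIs on the classpath (e.g. CXF deployed in a servlet container); the class name `JwtAuthFilter`, the `ISSUED` in-memory store, the `JWT_HMAC_KEY` environment variable and the `ip` claim name are this example's own assumptions.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.json.Json;
import javax.json.JsonObject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Added example, not code from the answer or from Apache CXF. Class, claim and store
// names are assumptions; the key is read from a hypothetical JWT_HMAC_KEY variable.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class JwtAuthFilter implements ContainerRequestFilter {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // Server-side record per issued token: jti -> (client IP, expiry). The token itself is not stored.
    static final class IssuedToken {
        final String ip; final long exp;
        IssuedToken(String ip, long exp) { this.ip = ip; this.exp = exp; }
    }
    // Hypothetical in-memory store; a real deployment would use a shared cache or database.
    static final Map<String, IssuedToken> ISSUED = new ConcurrentHashMap<>();

    // Hypothetical key source; use at least 32 random bytes for HS256, loaded from configuration.
    private static final byte[] HMAC_KEY = System.getenv()
            .getOrDefault("JWT_HMAC_KEY", "constructed-dev-only-key-replace-me!!").getBytes(StandardCharsets.UTF_8);

    @Context
    private HttpServletRequest servletRequest;

    // Issue side (called after a successful login): random jti, issuing IP recorded, signed token returned.
    static String issue(String subject, String clientIp, long ttlSeconds) {
        long exp = System.currentTimeMillis() / 1000 + ttlSeconds;
        String jti = UUID.randomUUID().toString();
        ISSUED.put(jti, new IssuedToken(clientIp, exp));
        String header = B64.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(Json.createObjectBuilder()
                .add("sub", subject).add("jti", jti).add("exp", exp).build().toString().getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmacSha256(signingInput));
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String auth = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (auth == null || !auth.startsWith("Bearer ")) { abort(ctx); return; }
        try {
            String[] parts = auth.substring("Bearer ".length()).trim().split("\\.");
            if (parts.length != 3) throw new IllegalArgumentException("malformed token");
            // 1. Signature over "header.payload", compared in constant time. The algorithm is fixed
            //    to HS256 on the server side, so the token's own "alg" value cannot change the check.
            byte[] expected = hmacSha256(parts[0] + "." + parts[1]);
            if (!MessageDigest.isEqual(expected, Base64.getUrlDecoder().decode(parts[2])))
                throw new IllegalArgumentException("bad signature");
            // 2. Claims: not expired, jti issued by us and not revoked, client IP unchanged since issue.
            String json = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            JsonObject claims = Json.createReader(new StringReader(json)).readObject();
            long now = System.currentTimeMillis() / 1000;
            if (!claims.containsKey("exp") || claims.getJsonNumber("exp").longValue() <= now)
                throw new IllegalArgumentException("expired");
            IssuedToken issued = ISSUED.get(claims.getString("jti", ""));
            if (issued == null || issued.exp <= now) throw new IllegalArgumentException("unknown or revoked jti");
            String clientIp = servletRequest.getRemoteAddr();
            if (!issued.ip.equals(clientIp)) throw new IllegalArgumentException("IP mismatch");
            // Stateless variant from the answer: an "ip" claim inside the token, when present, must match too.
            String ipClaim = claims.getString("ip", null);
            if (ipClaim != null && !ipClaim.equals(clientIp)) throw new IllegalArgumentException("ip claim mismatch");
            ctx.setProperty("jwt.subject", claims.getString("sub", ""));
        } catch (RuntimeException e) {
            abort(ctx); // any parse, decode or claim failure yields the same generic 401
        }
    }

    // Generic 401 with no detail for the client; log the reason server-side if needed.
    private static void abort(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"api\"").build());
    }

    private static byte[] hmacSha256(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(HMAC_KEY, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Register the filter with the CXF JAX-RS endpoint as a provider and call `issue(...)` from the login resource; revoking a token is then just removing its `jti` from `ISSUED`. Two caveats on the IP check: `getRemoteAddr()` returns the address of the last hop, so behind a reverse proxy it must be replaced by a forwarded-for value taken only from proxies you trust, and clients whose address legitimately changes (mobile networks, corporate NAT pools) will be logged out when it does, so decide whether a mismatch should reject the request or only trigger re-authentication.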

Refer to https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2 for one example. It has a combined example (all endpoints in one container) and a more complex one where the endpoints are distributed, with the SAML SSO web profile supporting the SSO.

+2
