Authentication and authorization for a RESTful API (Java Jersey)

I am implementing a service similar to tinyurl or bit.ly, and I would like to expose the service as an API. I'm using Java and Jersey as the RESTful service implementation.

I'm looking for the simplest way of authenticating users who use the API. OAuth is the first thing that comes to mind, but the problem is I don't need these 3 iteration calls with the request token query, then the access token query with callback URL passing. I just need to give the user the ability to invoke the API with no additional security calls to my server.

Andriy Kopachevskyy asked May 08 '10 19:05
1 Answer

Thanks to patrickmcgraw's comment, I used 2-legged OAuth authentication. Here is some Java code.

For the client side (using the Jersey API):

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.oauth.client.OAuthClientFilter;
import com.sun.jersey.oauth.signature.OAuthParameters;
import com.sun.jersey.oauth.signature.OAuthSecrets;

// 2-legged OAuth: only a consumer key/secret, no request or access token.
OAuthParameters params = new OAuthParameters().signatureMethod("HMAC-SHA1")
    .consumerKey("consumerKey").version("1.0"); // OAuth 1.0 is the only protocol version

OAuthSecrets secrets = new OAuthSecrets().consumerSecret("secretKey");

Client client = Client.create();
// The filter signs every request sent through the resource it is attached to.
OAuthClientFilter filter = new OAuthClientFilter(client.getProviders(), params, secrets);

WebResource webResource = client.resource("http://localhost:9998");
webResource.addFilter(filter);

String responseMsg = webResource.path("oauth").get(String.class);

On the provider side:

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import com.sun.jersey.api.core.HttpContext;
import com.sun.jersey.oauth.server.OAuthServerRequest;
import com.sun.jersey.oauth.signature.OAuthParameters;
import com.sun.jersey.oauth.signature.OAuthSecrets;
import com.sun.jersey.oauth.signature.OAuthSignature;
import com.sun.jersey.oauth.signature.OAuthSignatureException;

@Path("oauth")
public class OAuthService {
    @GET
    @Produces("text/html")
    public String secretService(@Context HttpContext httpContext) {
        // Wrap the incoming request so the OAuth library can read its parameters.
        OAuthServerRequest request = new OAuthServerRequest(httpContext.getRequest());

        OAuthParameters params = new OAuthParameters();
        params.readRequest(request);
        // Single shared secret for the example; a real provider looks the secret up
        // by params.getConsumerKey(). Note that this check verifies only the signature:
        // nonce and timestamp are not tracked here, so a captured request could be replayed.
        OAuthSecrets secrets = new OAuthSecrets().consumerSecret("secretKey");

        try {
            if (!OAuthSignature.verify(request, params, secrets))
                return "false";
        } catch (OAuthSignatureException ose) {
            return "false";
        }

        return "OK";
    }
}

Here is the code for a PHP client:

<?php

require_once 'oauth.php'; // OAuth PHP library: OAuthConsumer, OAuthRequest, OAuthSignatureMethod_HMAC_SHA1

$key = 'consumerKey';
$secret = 'secretKey';
$consumer = new OAuthConsumer($key, $secret);

$api_endpoint = 'http://localhost:9998/oauth';
$sig_method = new OAuthSignatureMethod_HMAC_SHA1();

// 2-legged: there is no token, so the token argument is null in both calls below
$parameters = null;
$req = OAuthRequest::from_consumer_and_token($consumer, null, "GET", $api_endpoint, $parameters);
$req->sign_request($sig_method, $consumer, null);

// get the data using the signed URL (oauth_* parameters travel in the query string)
$ch = curl_init($req->to_url());
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);

echo $res;
curl_close($ch);
Andriy Kopachevskyy answered Nov 15 '22 00:11
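As an added example (not the answer's code and not Jersey's), this Python standard-library version shows what the OAuthClientFilter / OAuthSignature.verify pair above does under the hood for 2-legged OAuth 1.0 with HMAC-SHA1, using the query-string form the PHP client sends, and adds the per-consumer secret lookup and nonce/timestamp replay check the answer's provider leaves out. The consumer key and secret are the constructed values from the answer; the endpoint URL is assumed.

```python
import base64, hashlib, hmac, os, time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

# Constructed sample credentials, the same consumerKey/secretKey used in the answer.
CONSUMERS = {"consumerKey": "secretKey"}   # consumer key -> consumer secret
SEEN_NONCES = set()                        # (key, timestamp, nonce) already accepted
MAX_SKEW = 300                             # seconds of clock drift the provider tolerates

def pct(s):
    return quote(str(s), safe="~")         # OAuth 1.0 percent-encoding (RFC 3986 unreserved set only)

def signature_base_string(method, url, params):
    """METHOD&base-url&normalized-params (RFC 5849 section 3.4.1); params is a list of (name, value)."""
    u = urlsplit(url)
    base_url = f"{u.scheme}://{u.netloc}{u.path}"       # the query string is dropped; its params are signed instead
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return f"{method.upper()}&{pct(base_url)}&{pct(norm)}"

def hmac_sha1(secret, base):
    # 2-legged OAuth: the HMAC key is consumer_secret&token_secret with an empty token secret.
    mac = hmac.new(f"{pct(secret)}&".encode(), base.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign(method, url, params, key, secret):
    """Client side: return the signed URL (query-string form, as the PHP to_url() does)."""
    oauth = {"oauth_consumer_key": key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time())), "oauth_nonce": os.urandom(8).hex(),
             "oauth_version": "1.0"}
    base = signature_base_string(method, url, list(params.items()) + list(oauth.items()))
    oauth["oauth_signature"] = hmac_sha1(secret, base)
    return f"{url}?{urlencode({**params, **oauth}, quote_via=quote)}"

def verify(method, signed_url):
    # Provider side: secret lookup, clock window, replay check, then constant-time signature compare.
    u = urlsplit(signed_url)
    params = parse_qsl(u.query)
    p = dict(params)
    secret = CONSUMERS.get(p.get("oauth_consumer_key"))
    if secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
        return False                                       # unknown consumer or unsupported method
    if abs(time.time() - int(p.get("oauth_timestamp", "0"))) > MAX_SKEW:
        return False                                       # stale request
    replay_id = (p["oauth_consumer_key"], p["oauth_timestamp"], p.get("oauth_nonce"))
    if replay_id in SEEN_NONCES:
        return False                                       # nonce already used: replay
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1(secret, signature_base_string(method, f"{u.scheme}://{u.netloc}{u.path}", unsigned))
    if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
        return False                                       # tampered request or wrong secret
    SEEN_NONCES.add(replay_id)                             # remember the nonce only after a valid signature
    return True
```

Sending the same signed URL twice is rejected on the second attempt, which is the check a provider needs before hard-coding "signature valid" as "request authorized".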