 

How to secure an Apache CXF web service (JAX-WS) using OAuth 2.0

I have deployed webservice in Tomcat using Apache CXF. How would I proceed in securing that web service using OAuth 2.0?

I have gone through the below URL but without finding any suitable solution. Are there any working examples or tutorials on how to implement OAuth 2.0 for a simple web service?

Original tutorial link:

  • JAX-RS: OAuth2
asked Nov 03 '22 16:11 by user739115


1 Answer

I was confronted with the same issue recently. After a decent amount of research, I have found (and this could be limited to me alone) that this is quite complicated.

It is possible to attach the required "authorization header" to a SOAP web service call in this manner:

import java.util.*;                       // Collections, HashMap, List, Map
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

// 'port' is the generated JAX-WS proxy, WS_URL the endpoint address
Map<String, Object> req_ctx = ((BindingProvider) port).getRequestContext();
req_ctx.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, WS_URL);

// Custom HTTP headers sent with every request made through this port
Map<String, List<String>> headers = new HashMap<String, List<String>>();
headers.put("key", Collections.singletonList("yourkey"));
//... all other parameters required.
req_ctx.put(MessageContext.HTTP_REQUEST_HEADERS, headers);

The request can then be checked on the server side as such:

@Resource
private WebServiceContext wsctx;   // injected by the JAX-WS runtime (javax.annotation.Resource)

// inside the web method:
MessageContext mctx = wsctx.getMessageContext();

// get detail from request headers (each header name maps to a list of values)
@SuppressWarnings("unchecked")
Map<String, List<String>> http_headers =
        (Map<String, List<String>>) mctx.get(MessageContext.HTTP_REQUEST_HEADERS);
List<String> userList = http_headers.get("key");
//... get other information required here

And thus you can validate the request.


On a side note

It is worth noting that, from my findings, OAuth2 is not very useful for simply securing your API, that is, simply protecting it from outside use.

The reasoning

With OAuth 1, you could use the authentication to validate a user by their key. You knew they were authorized because they had successfully signed the request, and thus you would allow them access to the information.

With OAuth 2, the protocol requires you to use HTTPS. Then why not just use application authentication with your API? I have found OAuth 2 to be very useful for accessing 3rd party applications with the original set of credentials (the goal of the protocol). But unless you need to do this, there is no need (again IMO) to implement the full OAuth. If you are ONLY looking to secure your API, just do it using SSL and a key or username/password combination.


See also:

  • Application Authentication With JAX-WS
  • CXF User Guide
  • How is OAuth 2 different from OAuth 1?
  • Designing a Secure REST API without oAuth - more useful for general understanding.
answered Nov 15 '22 10:11 by blo0p3r
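The answer above reads the header inside each web method. The following is an added example (mine, not the answer's code and not part of Apache CXF) of the same idea done once for the whole endpoint: a standard JAX-WS SOAPHandler that rejects every inbound request lacking a valid token before any operation runs, plus the matching client-side helper. It assumes the `Authorization` header with the Bearer scheme of RFC 6750 instead of the answer's custom `key` header, and a constructed in-memory `VALID_TOKENS` set that stands in for the real check (token introspection against the authorization server, or signature verification of a JWT). It also handles the cases a practitioner trips over: a missing, duplicated or empty header, a different-case header name, and timing leaks from a plain `equals` comparison.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;
import javax.xml.ws.soap.SOAPFaultException;

// Added example, not from the original answer: enforce "Authorization: Bearer <token>"
// on every inbound SOAP request. VALID_TOKENS is a constructed stand-in for a real
// token store / introspection call; never ship tokens in source.
public class BearerTokenHandler implements SOAPHandler<SOAPMessageContext> {

    static final Set<String> VALID_TOKENS = Set.of("constructed-demo-token-1234");

    /** Case-insensitive lookup: HTTP header names are not case-sensitive. */
    static List<String> header(Map<String, List<String>> headers, String name) {
        if (headers == null) return null;
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (name.equalsIgnoreCase(e.getKey())) return e.getValue();
        }
        return null;
    }

    /** Token from a single "Bearer <token>" value; null if the header is absent,
     *  repeated (ambiguous), uses another scheme, or carries an empty token. */
    static String extractBearer(List<String> authorization) {
        if (authorization == null || authorization.size() != 1) return null;
        String value = authorization.get(0).trim();
        if (value.length() <= 7 || !value.regionMatches(true, 0, "Bearer ", 0, 7)) return null;
        String token = value.substring(7).trim();
        return token.isEmpty() ? null : token;
    }

    /** Constant-time membership test so response timing does not reveal how much
     *  of a guessed token matched a real one. */
    static boolean isValidToken(String token) {
        if (token == null) return false;
        byte[] presented = token.getBytes(StandardCharsets.UTF_8);
        boolean ok = false;
        for (String known : VALID_TOKENS) {
            ok |= MessageDigest.isEqual(presented, known.getBytes(StandardCharsets.UTF_8));
        }
        return ok;
    }

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true; // responses pass through untouched
        }
        @SuppressWarnings("unchecked")
        Map<String, List<String>> headers =
                (Map<String, List<String>>) ctx.get(MessageContext.HTTP_REQUEST_HEADERS);
        if (!isValidToken(extractBearer(header(headers, "Authorization")))) {
            // Advertise the scheme (RFC 6750 section 3); whether a given runtime keeps
            // these headers on the fault path is runtime-specific. Then fail the call
            // before the endpoint method runs, without hinting at which tokens exist.
            ctx.put(MessageContext.HTTP_RESPONSE_HEADERS,
                    Map.of("WWW-Authenticate", List.of("Bearer realm=\"ws\"")));
            throw new SOAPFaultException(clientFault("Missing or invalid bearer token"));
        }
        return true;
    }

    private static SOAPFault clientFault(String reason) {
        try {
            return SOAPFactory.newInstance().createFault(reason,
                    new QName("http://schemas.xmlsoap.org/soap/envelope/", "Client"));
        } catch (SOAPException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.emptySet(); }

    /** Client side: attach the token to every call through a JAX-WS port, keeping
     *  any HTTP headers already configured on the request context. */
    static void attachBearer(BindingProvider port, String token) {
        Map<String, Object> req = port.getRequestContext();
        @SuppressWarnings("unchecked")
        Map<String, List<String>> existing =
                (Map<String, List<String>>) req.get(MessageContext.HTTP_REQUEST_HEADERS);
        Map<String, List<String>> headers = existing == null ? new HashMap<>() : new HashMap<>(existing);
        headers.put("Authorization", Collections.singletonList("Bearer " + token));
        req.put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    }
}
```

Register the handler on the service implementation with `@HandlerChain(file = "handler-chain.xml")` pointing at a standard JAX-WS handler-chain file that names `BearerTokenHandler`, or programmatically through `Binding.setHandlerChain(...)` on the endpoint. On the client, call `attachBearer((BindingProvider) port, token)` once after creating the port. The code uses the `javax.xml.ws` package names of the answer's era; CXF 4 moved to the `jakarta.*` equivalents, and the logic is unchanged. Nothing here removes the need for TLS: a bearer token is a plaintext credential, so the endpoint must be reachable over HTTPS only.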