Solved

Spring Security and OAuth

Posted on 2015-01-13
Last Modified: 2015-01-18
What are the reasons to integrate spring-security with OAuth 2.0? Spring-security can already do the same activities, like authentication and authorisation, as OAuth2. Let me know the reason for this. OAuth 2.0 can be a separate entity from spring security, but do they do the same kind of activity or different?
0
Question by:roy_sanu
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40548620
In short, OAuth is there to reinforce the check that only the assigned user has access to your protected resources, with the right permission level. This article goes into more depth on this portion, as it includes the workflow for getting a "passport" which will be requested for any external application's access attempts to your protected resources. In fact, you define what sort of credentials in the passport to present to seek entry clearance.
https://techannotation.wordpress.com/2014/04/29/5-minutes-with-spring-oauth-2-0/

The main Spring Security OAuth2 sites below are suggested if you need to drill into specifics; they include the overall Spring forum.
http://projects.spring.io/spring-security-oauth/
http://spring-security-oauth.codehaus.org/oauth2.html
0
 

Author Comment

by:roy_sanu
ID: 40555139
Thanks for the info... One more question I'd like to ask you on the security of web services: do RESTful and SOAP follow the same OAuth-based approach with Spring Security, or will OAuth alone do for SOAP and RESTful?
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40555743
It will, especially as OAuth is the standard for resource authorisation. You can consider it as:
- OAuth for Authorisation, Message Signing and Encryption
- Spring Security for Authentication
- Spring Security + TLS/SSL for Data in transit via secure channel

To secure a REST-ful webservice, Spring security + OAuth is possible.
E.g. (more on implementation code examples)
https://malalanayake.wordpress.com/2014/06/27/spring-security-on-rest-api/
E.g. (more on another description and flow, note SAML token and OAuth2)
http://blog.cloudfoundry.org/2012/10/09/oauth-rest/

To secure a SOAP webservice, WS-Security is commonly used rather than OAuth. One instance is that OAuth does authentication based on HTTP headers, using Authorization: bearer <TOKEN> etc., while SOAP web services use WS-Security, which uses XML elements in the SOAP message header for authentication. Spring-WS, which is based on WS-Security, is required and preferable to using OAuth.
E.g. http://docs.spring.io/spring-ws/site/reference/html/security.html

Having said that, OAuth may still be possible, as in the instance shared below, but it seems there is customisation involved. Ideally, I would rather not venture into that if possible.
E.g. http://blog.avisi.nl/2012/11/22/consuming-oauth-secured-soap-webservices-using-spring-ws-axiom-signpost/

Overall, Spring Security can secure both SOAP and REST-ful webservices.
0
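
Added example (not part of btan's post and not Spring code): a small Python sketch of the contrast drawn in the answer above, showing where a service or gateway has to look for the credential in each style. The function name, the sample token and the sample user name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample: SOAP 1.1 envelope carrying a WS-Security UsernameToken.
SOAP_BODY = f"""<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>constructed-user</wsse:Username>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def locate_credential(headers, body):
    """Return (scheme, location, value) for the credential a request carries."""
    # REST + OAuth 2.0: the token travels in the HTTP Authorization header.
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return ("oauth2-bearer", "http-header", token.strip())
    # SOAP + WS-Security: the credential is an XML element in soap:Header,
    # so a check that only reads HTTP headers never sees it.
    if body:
        try:
            # ElementTree is fine for this constructed input; parse
            # untrusted XML with a hardened parser instead.
            root = ET.fromstring(body)
        except ET.ParseError:
            return ("none", "", "")
        user = root.find(
            f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
            f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
        if user is not None and user.text:
            return ("ws-security-usernametoken", "soap-header", user.text)
    return ("none", "", "")


if __name__ == "__main__":
    rest_headers = {"Authorization": "Bearer constructed-token-123"}
    print(locate_credential(rest_headers, ""))
    print(locate_credential({"Content-Type": "text/xml"}, SOAP_BODY))
```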
 

Author Comment

by:roy_sanu
ID: 40556080
There's no blueprint for where I should be. I see myself as a young, good actor who still has a lot to learn. There's nobody at any point in their career who is the finished article. Thanks for all the input. I hope I will cherish this in my small register called memory...

Thank you Dear...
0
 
LVL 63

Expert Comment

by:btan
ID: 40556144
thanks for sharing
0
