Posts Tagged authorization

Oct 3 2013

Implement your 2-legged OAuth server with Java Restlet

In the previous post we looked at how to implement a simple Java client that accesses resources protected via 2-legged OAuth.
This time we'll focus on the server-side code needed to build a 2-legged OAuth server, so that your REST API's resources can be protected with the same method.

To do so, we'll use Restlet, a Java framework for creating RESTful web services, and again Scribe, the simple OAuth Java library, for the validation part. The code presented here has been tested and is ready to be used in your Restlet application.

About

Globetrotter Software Engineer. I try to conjugate where the ambitions lead me with an environment that makes me feel happy. I love sun and sea. My mind is always spinning, for good and for bad. I enjoy traveling and experiencing new places by being constantly surprised by things I would have never even conceived.

Aug 27 2013

2-legged OAuth Java client made easy

Some scenario

When you build a RESTful web API, there comes a time when authorization comes into play. You need to provide a means to restrict and control access to your protected resources.
One of the most popular approaches involves OAuth, an open authorization protocol (in its 1.0 version, then a framework in its 2.0 counterpart) that puts simplicity and security among its main goals.
I will not spend time discussing the good and the bad of OAuth, or the large controversy around the development of version 2.0. I'd like instead to focus on how to secure your API without losing your mind over the potential complexities of OAuth.

A good and by now fairly well-recognized approach to this is the so-called 2-legged OAuth. For the details, I invite you to read the excellent article Designing a Secure REST (Web) API without OAuth. Don't be confused by the title: the author describes the authorization scheme Amazon applies to its AWS API, which is basically identical to 2-legged OAuth, the latter being only a bit more restrictive on some protocol aspects (e.g. the hash algorithm and the order of the parameters to be hashed).
