
I would like to implement OAuth 2.0 authorization on my JAX-RS RESTful services.

After some researches, I've found Apache CXF to do that. However, I haven't found any examples about it and it's unclear for me. Where can I find some examples of JAX-RS with OAuth 2.0?

cassiomolin
  • Did you find any good solution to this question, or did you try to develop cxf-auth2 of your own? If so, please post the answer... I am waiting... – Mohasin Ali Sep 23 '16 at 16:27
  • @MohasinAli I've realised OAuth 2.0 would be too complex for my requirements. So I ended up with a token-based authentication that I described in [this answer](http://stackoverflow.com/a/26778123/1426227). – cassiomolin Sep 23 '16 at 16:44
  • @MohasinAli During my research, I found [Apache Oltu](https://oltu.apache.org), an implementation of OAuth in Java. – cassiomolin Sep 23 '16 at 16:47
  • Hi, I saw your answer in the above post. It's good. I have one more doubt, and I would appreciate it if you could clarify this: if a malicious user modifies the access token in the cookie using the debugger console (document.cookie="name=value"), by stealing another user's access token (say the malicious user visits someone else's computer, opens the browser, sees the access token and copies that access token into the browser on his own computer), how could you avoid this kind of hack on the server side? – Mohasin Ali Sep 29 '16 at 17:39
  • I want to give a 50 bounty to you; add your answer link below as an answer. – Mohasin Ali Sep 29 '16 at 17:48

2 Answers

Disclaimer: This answer doesn't really provide a solution for securing JAX-RS with OAuth 2.0. But it aims to give some insights to Mohasin Ali, who started a bounty on my question. Maybe the solution I used can be useful for him.

Regarding the bounty:

The question is widely applicable to a large audience. A detailed canonical answer is required to address all the concerns.

After asking this question a while ago, I realized that OAuth 2.0 would be too complex for my requirements. Even Basic Authentication would be enough for my requirements. But I ended up using an authentication scheme based on JWT tokens signed on the server side. I described my solution in this answer.

Apache CXF provides an implementation of OAuth 2.0. It may be worth looking at it if you want to use OAuth for securing your API. Apache CXF also supports OAuth 1.0.

Whatever authentication method you decide to use, do it on top of an HTTPS connection. You'll need a certificate for that. As a suggestion, have a look at Let's Encrypt. They claim to be a free, automated, and open Certificate Authority, currently sponsored by Mozilla, Akamai, Cisco, Chrome, Facebook and others.

Regarding the following situation, mentioned in the comments:

[...] a malicious user visits someone's computer, opens the browser, sees the access token and copies the access token to his own browser [...]

If a malicious user has physical access to a computer, HTTPS won't prevent this malicious user from stealing an authentication token from someone's computer. Actually, if it happens, I think you should have bigger concerns...

For an additional layer of security, you could consider storing the token along with the IP address of the user you issued the token for. For each request that hits your API, compare the IP of the incoming request with the IP of the user you issued the token for. If the IPs don't match, refuse the request.

If you go for JWT tokens, instead of storing the whole token, store only the JWT ID claim (jti). Just ensure this value is unique (java.util.UUID should be enough for generating the jti value).

For a completely stateless authentication (neither storing the whole token nor storing the token ID), you could store the IP address in a JWT token claim, but mind that the token will be a few bytes longer.

cassiomolin
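As an added example (not code from the answer above or from Apache CXF), a minimal HS256 JWT issuer and verifier that implements both variants the answer describes: the server-side jti-to-IP table and the stateless ip claim, so a token copied into another browser is refused when the request IP does not match. The signing key, claim name "ip" and sample addresses are constructed for illustration; the verifier assumes request_ip is the address taken from the transport layer or a trusted proxy, never a client-supplied header.

```python
import base64, hashlib, hmac, json, time, uuid
from typing import Optional

KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
ISSUED = {}  # jti -> IP the token was issued to (server-side variant)

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, client_ip: str, stateless: bool, ttl: int = 3600) -> str:
    """Mint an HS256 JWT bound to client_ip, either in the 'ip' claim or in ISSUED."""
    claims = {"sub": subject, "jti": str(uuid.uuid4()), "exp": int(time.time()) + ttl}
    if stateless:
        claims["ip"] = client_ip            # binding travels inside the signed token
    else:
        ISSUED[claims["jti"]] = client_ip   # only the jti and its IP are kept server-side
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_token(token: str, request_ip: str) -> Optional[dict]:
    """Return the claims if signature, expiry and IP binding all hold, else None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None                     # tampered payload or forged signature
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None                     # accept exactly one algorithm
        claims = json.loads(b64url_decode(p))
    except (ValueError, KeyError):
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    # Stateless variant reads the IP from the claim; otherwise look the jti up.
    bound_ip = claims.get("ip") if "ip" in claims else ISSUED.get(claims.get("jti"))
    if bound_ip is None or bound_ip != request_ip:
        return None                         # stolen token replayed from another address
    return claims

if __name__ == "__main__":
    t = issue_token("alice", "203.0.113.5", stateless=False)
    print(verify_token(t, "203.0.113.5") is not None, verify_token(t, "198.51.100.9") is None)
```

Dropping a jti from ISSUED also revokes that token, which the fully stateless variant cannot do.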

Please see https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2 for one example. It has a collocated example (all endpoints in the same container) and a more complex one with the endpoints distributed, with the SAML SSO Web profile supporting SSO.

Sergey Beryozkin
  • The example https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf/jaxrs-oauth2 was removed in the master branch, but still exists in older branches/tags, for example "release/6.4.0.M0": https://github.com/Talend/tesb-rt-se/tree/release/6.4.0M0/examples/cxf/jaxrs-oauth2 – Ralph Jun 10 '21 at 05:08