
I am working on a web application implementing online shopping functionality. I am using Struts2 + Spring + Hibernate. I am using Spring security to implement authorization and authentication.

Now my client wants to develop an iOS/Android App for the same where users of my web application can login and use some of the functionality using the app.

Mobile App will access the REST based web services on JSON which will be implemented using Jersey. Here are my questions:

  1. Users are going to have one of three roles. Depending on the role, they should be able to access specific resources. I am thinking about using Spring Security 2.0 with Jersey and authenticating the users using OAuth 2.0. Is OAuth 2.0 the right applicable choice?

  2. Also, Jersey doesn't support OAuth 2.0 on the server side. Still, I guess I should be able to use any other OAuth provider to secure Jersey services, right?

  3. If OAuth is not the right choice, then what can I use to provide role-based authentication and authorization for mobile app users of my REST web services?

Shailesh Vaishampayan
  • Hi there, I'm dealing with the same problem right now; did you manage to find a solution to this? I'm personally thinking to go perhaps with cloudfoundry's UAA, since implementing my own auth server and resource server seems a bit excessive. – Radi Radichev Oct 26 '14 at 19:04
  • @RadiRadichev No, I have kept it on the backburner for now as I am busy with other stuff, but yes, I will update once I restart on this. It would be great if you answer the question with your implementation if you are successful. Thanks. Also, I have dropped the idea of using Jersey and will be using Spring MVC support for REST – Shailesh Vaishampayan Oct 28 '14 at 07:30

2 Answers

Don't forget you can use simple HTTP BASIC auth (with SSL, of course).

For comparisons of OAuth versions, see this.

Zerkz

After having to deal with the same problem I did some research and currently I can see 3 solutions.

  1. Pivotal actually have a piece of software which they use for their cloudfoundry services, called UAA (User Account and Authentication) Server. You can deploy this to your own server, and its role is basically to provide OAuth2 access tokens. You will need to create your own Resource Server which will serve different resources if the correct OAuth token is provided in the request. (They have a couple of sample apps in the UAA repo which you can use.) https://github.com/cloudfoundry/uaa

  2. Google actually provide services like that. If you host your backend on appengine you can use cloud endpoints to expose your API and they take care of Authentication and Authorization. https://cloud.google.com/appengine/docs/java/endpoints/

  3. You can create your own architecture. The basic approach would be to have an Authorization Server (to generate tokens), a Resource Server (to serve your API) and some sort of storage for users and tokens.

Hope that helps a bit, I'm personally going to go with the UAA to try it out.

Radi Radichev
  • Thanks. As I said, when I am back on this I will evaluate and accept your answer if it's good. – Shailesh Vaishampayan Oct 30 '14 at 10:45
  • Hi Radi, actually I started the work on this and I felt that using OAuth2 would be overkill as mine is not a public API. So I went with the simple option: JWT tokens. I create a signed JWT token when the user logs in for the first time. From then on this token is sent in a header with every subsequent request. I verify the signature of the token and the expiry of the token. If it is not expired and the signature matches I go ahead, otherwise I reject the request. For now I have kept the expiry sufficiently long so that users don't have to log in every time the token expires. – Shailesh Vaishampayan Mar 27 '15 at 08:26
  • Right now it's a very straightforward implementation and I will keep adding features like handling multiple logins from two devices etc. Please suggest if you see any problems in my implementation or improvements if you find any. – Shailesh Vaishampayan Mar 27 '15 at 08:26
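The token scheme described in the comments above (a signed JWT issued at login, sent as a bearer header, checked for signature and expiry, then gated on one of the three roles from the question), as an added, self-contained example that is not the commenter's code. It is written in Python rather than the question's Java/Spring stack, uses HS256 with a constructed demo secret, and the `authorize_request` helper, the `Authorization: Bearer` header name and the `role` claim are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret: a real deployment loads it from a secret store.
SECRET = b"demo-signing-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, role: str, ttl_seconds: int, now=None) -> str:
    """Mint an HS256 JWT at login carrying the subject, its role and an expiry."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "role": role, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, allowed_roles: set, now=None) -> dict:
    """Check signature, then expiry, then role; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm server-side; never trust the token's own 'alg' choice.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if claims.get("role") not in allowed_roles:
        raise ValueError("role not permitted")
    return claims

def authorize_request(headers: dict, allowed_roles: set, now=None):
    """Gate one REST call on its 'Authorization: Bearer <jwt>' header (assumed name)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = verify_token(auth[len("Bearer "):], allowed_roles, now)
    except ValueError as err:
        return False, str(err)
    return True, claims["sub"]
```

Pinning the algorithm and comparing signatures in constant time are the two checks most often missing from hand-rolled verifiers; the long expiry mentioned in the comment also means a stolen token stays valid until then, so a server-side revocation list is the usual next step.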