
I am about to start developing a REST service and security is an important aspect of this project but I can't find some definitive information on how to implement it. My service will be consumed by an Android App at first, but could be used by other platforms later. Controlling user access is critical, so Authorization and Authentication control of the REST services is very important.

Although I can find topics on how to make a secure REST API, like here, here and this big one here, to my surprise, all of them fail to point to a famous standard or framework or time tested solution, which usually is the "way to go" in securing software applications, where we avoid as much as we can to "roll your own security solution".

So far in my research I think OAuth 2.0 (or even OAuth 1.0) is the best way to go. It's a public, widely used protocol and supports Authorization and Authentication, and we can control the lifetime of keys and even have a special refresh key allowing the client to not store password information for acquiring a new key if needed.

I also think Apache Shiro is the best framework for Security, Authorization and Authentication in Java, so it comes as a surprise to me when I can't find any integrations between Shiro and OAuth 2.0... ok, there is one that's 5 years old, and it doesn't inspire much trust in me.

Even more curious is the fact that Les Hazlewood, the Apache Shiro PMC Chair, owns (ok, owned, he just sold it to Okta) Stormpath, a company made for Identity and User Management, so I would expect him to have provided some easy integrations between OAUTH 2.0 and Shiro, unless this would disrupt Stormpath business plan too much I guess (which I don't believe, since the Apache Foundation won't allow this kind of behavior).

So the final questions are:

1 - Are there any easy integrations between Shiro and OAUTH 2.0 or will I have to code my own?

2 - Does everyone implement their own OAUTH 2.0 solution for dealing with REST APIs access control or am I missing something?

Michel Feinstein
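The token lifetime and refresh behaviour the question describes (short-lived access tokens, a refresh token so the app never stores the password), shown as an added example that is not part of the original post and is not code from Shiro, Spring Security, Buji, MitreID or Keycloak. It is a hypothetical in-memory authorization server, resource server and mobile client in Python; the class names, the 900-second and 30-day lifetimes, the `read` scope and the `alice`/`bob` accounts are constructed assumptions, and the resource server calls the authorization server in-process where a real deployment would use token introspection or signed tokens.

```python
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 900           # 15 min: a leaked access token is only useful briefly
REFRESH_TTL = 30 * 86400   # 30 days: what the app stores instead of the password


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """Hypothetical in-memory token endpoint (not Shiro, Spring or any real server)."""
    def __init__(self, clock=time.time):
        self.clock = clock           # injectable so expiry can be demonstrated
        self._users = {}             # username -> (salt, password hash)
        self._access = {}            # access token -> (user, scope, expires_at)
        self._refresh = {}           # refresh token -> (user, scope, expires_at)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def _issue(self, user, scope):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (user, scope, now + ACCESS_TTL)
        self._refresh[refresh] = (user, scope, now + REFRESH_TTL)
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "scope": scope}

    def token(self, grant_type, **p):
        """Token endpoint: password grant and refresh_token grant (RFC 6749 sections 4.3 and 6)."""
        if grant_type == "password":
            rec = self._users.get(p["username"])
            if rec is None or not hmac.compare_digest(rec[1], _hash_password(p["password"], rec[0])):
                return {"error": "invalid_grant"}
            return self._issue(p["username"], p.get("scope", "read"))
        if grant_type == "refresh_token":
            rec = self._refresh.pop(p["refresh_token"], None)   # rotation: single use
            if rec is None or rec[2] < self.clock():
                return {"error": "invalid_grant"}
            return self._issue(rec[0], rec[1])
        return {"error": "unsupported_grant_type"}

    def introspect(self, access_token):
        rec = self._access.get(access_token)
        if rec is None or rec[2] < self.clock():
            return {"active": False}
        return {"active": True, "sub": rec[0], "scope": rec[1]}


class ResourceServer:
    """The REST API: every request is authorized by the bearer token, never by a password."""
    def __init__(self, auth):
        self.auth = auth

    def get_profile(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        info = self.auth.introspect(token) if scheme == "Bearer" else {"active": False}
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if "read" not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"user": info["sub"]}


class MobileClient:
    """Keeps only the token pair after login; the password is never persisted."""
    def __init__(self, auth, api):
        self.auth, self.api, self.tokens = auth, api, None

    def login(self, username, password):
        self.tokens = self.auth.token("password", username=username, password=password)
        return "access_token" in self.tokens

    def fetch_profile(self):
        status, body = self.api.get_profile({"Authorization": "Bearer " + self.tokens["access_token"]})
        if status == 401:   # access token expired: redeem the refresh token and retry once
            renewed = self.auth.token("refresh_token", refresh_token=self.tokens["refresh_token"])
            if "error" in renewed:
                return 401, renewed      # refresh token gone too: the user must log in again
            self.tokens = renewed
            status, body = self.api.get_profile({"Authorization": "Bearer " + self.tokens["access_token"]})
        return status, body


def demo():
    """Walks the token lifetime with a fake clock; returns the three HTTP statuses seen."""
    clock = [1_700_000_000.0]
    auth = AuthorizationServer(clock=lambda: clock[0])
    auth.register("alice", "correct horse battery")   # constructed sample account
    app = MobileClient(auth, ResourceServer(auth))
    app.login("alice", "correct horse battery")
    first = app.fetch_profile()[0]            # fresh access token -> 200
    clock[0] += ACCESS_TTL + 1                # access token expired
    second = app.fetch_profile()[0]           # silent refresh -> 200, no password needed
    clock[0] += REFRESH_TTL + 1               # refresh token expired as well
    third = app.fetch_profile()[0]            # 401: re-authentication required
    return first, second, third
```

Two design points matter for the access-control question asked here: the resource server makes its decision per request from the token (identity plus scope), so authentication and authorization live in the token pipeline rather than in session state, and refresh tokens are single-use, so a second redemption of the same refresh token fails and is worth logging as a possible token theft.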

2 Answers


I know the Buji project uses Shiro and supports Oauth2. I haven't used it, but you can check it out.

Brian Demers

You definitely don't need to code your own. There are some great Java libraries and apps that you can use for OAuth2, and you can choose from a low-level library that you use to build your own OAuth2 server up to a full-featured standalone OpenID Connect server.

Spring security provides oauth2 that you can use to embed an oauth2 server in your application. A tutorial is available at http://www.baeldung.com/rest-api-spring-oauth2-angularjs.

There's mitreid openid connect https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, which has a war overlay that you can use to add a user and client admin app into your webapp.

Keycloak (https://www.keycloak.org/) provides a full featured standalone openid connect server.

httPants
  • those are interesting...but no Shiro + OAuth 2.0 right? :/ – Michel Feinstein Mar 10 '17 at 04:01
  • I can't comment on Shiro + OAuth2.0 integration, but if you want OAuth2.0 then you can easily have it. I have used all the above OAuth2.0 servers and find Spring Security OAuth2.0 to be excellent. I don't personally agree with your statement that "Apache Shiro is the best framework for Security, Authorization and Authentication in java". In my experience, Spring Security gives you everything you need and is a very widely used security framework for Java. – httPants Mar 10 '17 at 06:28
  • Everywhere I read people say both Shiro and Spring Security are great, but Shiro is a lot easier to use – Michel Feinstein Mar 10 '17 at 06:33
  • Everyone says that it is easy, but the lack of resources makes it hard. If you can't find a basic tutorial for an OAuth2 implementation, then imagine what happens later when you have some edge cases. Besides, [I link you this issue](https://issues.apache.org/jira/browse/SHIRO-119), still open and idle since 2013, for supporting OAuth out of the box in Shiro. So no tutorials and no support, good luck – ihebiheb Jan 24 '19 at 15:32