Announcement Announcement Module
No announcement yet.
RestTemplate + Spring Security Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • RestTemplate + Spring Security

    Hi All

    Up until now i have been pretty sure that i wanted to use Oauth to secure access to my Spring security secured Webservices.... just as it is with the Greenhouse android app.

    Having read up on OAuth i really think it is not the correct choice for me, primarily because the consumer is my own app, any data im sharing is being shared with an app that ive written and as such trust. My webservices will never be made available to a third party, there isnt even a need to limit the access as with a vallet type pattern.

    My questions.....

    1) am i making the right choice, ie dropping OAuth because it seems like a sledge hammer?

    2) How would i use the RestTemplate to access spring Secuity secured services? .... this is the biggy.

    many thanks in advance


  • #2
    Re: RestTemplate + Spring Security


    The big issue is the username/password that you would use to access your web services. Do you want the user to enter their security credentials every time they bring up the application.

    If the answer is yes, then Basic Auth/Digest over HTTPS would work fine. I want to point out that HTTPS is critical. Smartphones more than any other connected device is a heavy user of public Wi-Fi and therefore Basic Auth over HTTP would be a problem waiting to happen.

    If you don't want to enter your security credentials every time, then they would need to be stored locally. What is the impact if the phone is lost and someone has access to the username/password? My assumption is that right now, your phone's storage is not encrypted as that does not seem to be standard operating procedures even for business phones.

    So, it is safer to store an OAuth token on the phone rather than a username/password. However, most corporate web services do not and are not planning to implement OAuth. A majority want to use a username/password tied to their LDAP/Active Directory that identifies the person or application and what roles they have.

    You did not say whether the backend was a corporate application or not. If corporate, then the conversation is really about what the security people are comfortable with.

    Perry Hoekstra


    • #3
      Hi Dutch

      Cheers for the reply

      I decided to go with Basic auth over Https with encrypted storage. If ever the services need to go outside my org i will move over to Oauth.

      Again many thanks



      • #4
        Re: RestTemplate + Spring Security

        One other possibility is: Content-Signature

        This is relevant to secure web services. You can find a description on Bill Burke's blog (JBoss/RESTEasy) here:

        Are you encrypting the SD card or internal storage?


        • #5
          Cheers again mate

          Ive go everything working now apart from encryption. im not sure how to do this as ive never done it. But it will have to wait until i have ironed out some usability issues

          Cheers dude


          • #6
            Re: RestTemplate + Spring Security

            You mean encryption as in HTTPS or data storage encryption?


            • #7
              data storage encryption