Apache CXF + Spring Security + Oauth

  • Apache CXF + Spring Security + Oauth

    We have Apache CXF-configured RESTful services for our application. Now the requirement is to secure the web services, and in such a manner that the WS client doesn't need to send the username and password in each request. So I decided to go with two-legged OAuth and Spring Security. I have the following questions:

    1. Is this combination feasible? I didn't find any blog/discussion with such a combination.
    2. Google code base: has done Spring Security integration with CXF WS (SOAP); does it also work for REST?
    3. For two-legged OAuth, should I go for OAuth 1.0a or OAuth 2.0?

    I am trying to find a feasible solution but am not sure whether I am going in the right direction. Kindly suggest.


  • #2
    CXF supports oauth 1.0

    CXF supports oauth 1.0

    I am trying it out and will update if successful.


    • #3
      Apache CXF + Spring Security + Oauth

      Hi Abhishek,

      How was your experience with Apache CXF + Spring Security + Oauth?

      I am trying this combination to authenticate iPhone users.

      How was your experience?

      Can you please kindly share?

      Regards, Shiv


      • #4
        No Success in implementing the same

        I didn't find much help on this and gave up after investing 1 week in the same.


        • #5
          I think you might have been asking the wrong questions. The purpose of OAuth is not to avoid sending authentication with every request. If your WS clients have a shared secret with the server, and they don't act on anyone else's behalf, then basic auth should be fine. Both vanilla shared secrets over HTTP basic and OAuth can be used to secure a web service using Spring Security (CXF or whatever), but which you would use depends on your requirements.


          • #6
            Hi Dave,

            Thanks for the clarification. What I was targeting to achieve was to have an OAuth server above my web service server.

            So that the client will provide the username and password once, and the OAuth server will generate some shared secret which will be implicitly passed from the client in further calls.

            And as used by other OAuth systems, this key will have some expiry time and other features provided by OAuth.