advanced authentication protocols like OAuth, which allow you to make invocations on services on behalf of other users.
This chapter first focuses on the various web protocols used for authentication in a standard, vanilla Java EE and servlet environment. You'll learn how to configure your JAX-RS applications to use standard authentication, authorization, and encryption. Next you'll learn about various formats you can use to digitally sign or encrypt message bodies. Finally, we'll talk about the OAuth protocol and how you can use it within your applications.
When you want to enforce authentication for your RESTful web services, the first thing you have to do is decide which authentication protocol you want to use. Internet protocols for authentication vary in their complexity and their perceived reliability. In Java land, most servlet containers support the protocols of Basic Authentication, Digest Authentication, and authentication using X.509 certificates. Let's look into how each of these protocols works.
Basic Authentication is the simplest protocol available for performing authentication over HTTP. It involves sending a Base64-encoded username and password within a request header to the server. The server checks to see if the username exists within its system and verifies the sent password. To understand the details of this protocol, let's look at an example.
Say an unauthorized client tries to access one of our secure RESTful web services:
HTTP/1.1
Since the request does not contain any authentication information, the server would reply
with an HTTP response of:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="CustomerDB Realm"
The 401 response tells the client that it is not authorized to access the URI it tried to invoke on. The WWW-Authenticate header specifies which authentication protocol the client should use. In this case, Basic means Basic Authentication should be used. The realm attribute identifies a collection of secured resources on a website. The client can use the realm information to match against a username and password that is required for this specific URI.
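The challenge/response exchange just described, worked through in code. This is an added example, not code from the book or from JAX-RS: it builds the client's Authorization header value for the chapter's sample credentials (username bburke, password geheim), parses such a header on the server side, and returns either the 401 challenge with the "CustomerDB Realm" realm or a 200. The user store, the PBKDF2 password hashing and the constant-time comparison are assumptions about how a server would verify the password; the text only says that it does.

```python
import base64
import binascii
import hashlib
import hmac
import os

REALM = "CustomerDB Realm"          # realm value from the chapter's 401 response
PBKDF2_ITERATIONS = 100_000         # assumption: how the example server stores passwords


def basic_credentials(username: str, password: str) -> str:
    """Client side: 'Basic ' + Base64(username ':' password), as sent in Authorization."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header):
    """Server side: decode an Authorization header value.

    Returns (username, password), or None when the header is missing, uses another
    scheme, is not valid Base64, or lacks the separating colon. Only the FIRST colon
    separates the fields, so a password may itself contain colons.
    """
    if header is None:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def make_password_record(password: str) -> dict:
    """Store a salted PBKDF2 hash rather than the cleartext password (assumed design)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


# Constructed user store for the example: the chapter's bburke / geheim credentials.
USERS = {"bburke": make_password_record("geheim")}
# Dummy record so that an unknown username costs the same time as a wrong password.
_DUMMY_RECORD = make_password_record(os.urandom(16).hex())


def handle_request(headers: dict, users: dict = USERS):
    """Return (status, response_headers) for a request carrying the given headers.

    No or invalid credentials -> 401 with the WWW-Authenticate challenge from the text.
    Valid credentials          -> 200 with no extra headers.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    creds = parse_basic_authorization(lowered.get("authorization"))
    if creds is None:
        return 401, challenge
    username, password = creds
    record = users.get(username, _DUMMY_RECORD)
    if not verify_password(record, password) or username not in users:
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    print(basic_credentials("bburke", "geheim"))                      # Basic YmJ1cmtlOmdlaGVpbQ==
    print(handle_request({}))                                         # (401, {...challenge...})
    print(handle_request({"Authorization": basic_credentials("bburke", "geheim")}))  # (200, {})
```

Note that the Base64 step is an encoding, not encryption: anyone who can read the request can recover the password, which is why the chapter later pairs Basic Authentication with TLS.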
To perform authentication, the client must send a request with the Authorization header set to a Base64-encoded string of our username and a colon character, followed by the password. If our username is bburke and our password geheim, the Base64-encoded string of