Verifying the Server
HTTPS isn't only about encrypting your network connection, it is also about establishing
trust. One aspect of this on the client side is verifying that the server you are talking to is the
actual server you want to talk to and not some middleman on the network that is spoofing it.
With most secure Internet servers, you do not have to worry about establishing trust because
the server's certificates are signed by a trusted authority like VeriSign, and your JAX-RS client
implementation will know how to verify certificates signed by these authorities.
In some cases, though, especially in test environments, you may be dealing with servers
whose certificates are self-signed or signed by an unknown authority. In this case, you must
obtain a truststore that contains the server certificates you trust and register them with the
Client API. The ClientBuilder has a method for this:
abstract class ClientBuilder {
    public abstract ClientBuilder trustStore(final KeyStore trustStore);
}
How you initialize and populate the KeyStore is beyond the scope of this topic.
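As an added example (not from the book), here is one way to load a truststore file from disk and register it with the JAX-RS 2.0 Client API; the file name, its password and the target URL are assumptions for a test environment, and the truststore is assumed to be a PKCS12 file holding only the certificates you trust.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

public class TrustedClientFactory {

    // Loads a truststore from disk. The file is assumed to be a PKCS12 keystore
    // that contains only the server or CA certificates you trust, never private keys.
    public static KeyStore loadTrustStore(Path file, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            trustStore.load(in, password);
        }
        // An empty truststore would make every TLS handshake fail; fail early instead.
        if (trustStore.size() == 0) {
            throw new IllegalStateException("truststore contains no certificates: " + file);
        }
        return trustStore;
    }

    // Builds a Client that only accepts server certificates chaining to the
    // truststore. Hostname verification stays enabled; only the trust anchors change.
    public static Client newClient(Path trustStoreFile, char[] password) throws Exception {
        KeyStore trustStore = loadTrustStore(trustStoreFile, password);
        return ClientBuilder.newBuilder()
                            .trustStore(trustStore)
                            .build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical file, password and endpoint; replace with your own test values.
        Client client = newClient(Paths.get("test-truststore.p12"), "changeit".toCharArray());
        try {
            String body = client.target("https://localhost:8443/services/customers")
                                .request()
                                .get(String.class);
            System.out.println(body);
        } finally {
            client.close();
        }
    }
}
```

Registering a truststore this way is the alternative to installing a permissive TrustManager or HostnameVerifier, which would remove exactly the middleman protection the section describes.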
OAuth 2.0
OAuth 2.0 is an authentication protocol that allows an entity to gain access to a user's data in
a secure manner without having to know the user's credentials. [15] A typical example is a
news site like cnn.com. You're reading an interesting political editorial and want to voice
your opinion on the article in its comment section. To do this, though, you have to tell CNN
who you are and what your email address is. It gives you the option of logging in via your
Google or Facebook account. You are forwarded to Google and log in there. You grant CNN
permission to ask Google who you are and what your email address is, and then you are forwarded
back to cnn.com so that you can enter in your comment. Through this interaction
CNN is granted an access token, which it then uses to obtain information about you via a
separate HTTP request.
Here's how it works:
1. The CNN website redirects your browser to Google's login page. This redirect sets a
special cnn.com session cookie that contains a randomly generated value. The redirect
URL contains client_id, state, and redirect_uri. The client_id is the Google
username CNN has registered with Google.com. The state parameter is the same
value that was set in the session cookie. The redirect_uri is a URL you want
Google to redirect the browser back to after authentication. A possible redirect URL