Tuesday, 15 June 2010

java - Is securing a Spring RESTful web service with OAuth a good approach?




I am not a security expert. I have prepared a Spring RESTful web service with Spring Security.

Now I am confused about the best approach to secure our web service.

We are going to have an SSL connection as well. Our web service will be used by our mobile application and web application.

I read that the OAuth 1.0 and 2.0 protocols are popular nowadays to authorize web services.

So can anyone guide me: should we use the OAuth mechanism, given that it is used for accessing 3rd-party data, which in our case is not required? Should our client approaches use OAuth 2.0, or is SSL with a SHA hashing algorithm fine to secure the web service?

If there are no third-party client applications that access the web service, OAuth 2.0 is not needed. Probably, HTTPS + Basic Authentication is enough.

If there is a possibility that it may make sense to allow third-party client applications to access the web service in the future, it is worth designing the web APIs based on the OAuth 2.0 architecture from the beginning. In such a case, the "Client Credentials Flow" is the one you would want to implement first among the four flows defined in RFC 6749 (OAuth 2.0). The "Client Credentials Flow" does not require authorization by an end-user. That is, the flow cares only about client credentials (client ID and client secret). An initial implementation of the Client Credentials Flow would issue an access token to the client application.

My one-sentence definition of OAuth 2.0 is as follows.

OAuth 2.0 is a framework where a user of a service can allow a third-party application to access his/her info hosted in the service without revealing his/her credentials (ID & password) to the application.

Whether you should adopt OAuth 2.0 or not depends on whether third-party client applications access the web service or not.
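
The "Client Credentials Flow" described in the answer above, shown as an added example that is not part of the original post and does not use Spring Security's own API: the token endpoint logic of RFC 6749 section 4.4 in plain Java. The class name, the client ID `mobile-app`, its secret and the in-memory stores are constructed for illustration, and the transport is assumed to be HTTPS.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class): token endpoint for the client credentials grant.
public class ClientCredentialsDemo {
    static final String DENY = "401 {\"error\":\"invalid_client\"}";
    static final SecureRandom RNG = new SecureRandom();
    // Constructed sample registry: client ID -> SHA-256 of the client secret.
    static final Map<String, byte[]> CLIENTS = Map.of("mobile-app", sha256("constructed-demo-secret"));
    static final Map<String, Instant> TOKENS = new ConcurrentHashMap<>(); // token -> expiry
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }
    // authorization: Authorization header value; grantType: the grant_type form parameter.
    static String token(String authorization, String grantType) {
        if (!"client_credentials".equals(grantType)) return "400 {\"error\":\"unsupported_grant_type\"}";
        if (authorization == null || !authorization.startsWith("Basic ")) return DENY;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(authorization.substring(6)), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return DENY; // malformed Base64
        }
        int colon = pair.indexOf(':');
        byte[] expected = colon < 0 ? null : CLIENTS.get(pair.substring(0, colon));
        // Constant-time comparison: response timing must not leak how much of the secret matched.
        if (expected == null || !MessageDigest.isEqual(expected, sha256(pair.substring(colon + 1)))) return DENY;
        byte[] raw = new byte[32]; // 256 random bits, so tokens cannot be guessed
        RNG.nextBytes(raw);
        String accessToken = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(accessToken, Instant.now().plusSeconds(3600));
        return "200 {\"access_token\":\"" + accessToken + "\",\"token_type\":\"Bearer\",\"expires_in\":3600}";
    }

    public static void main(String[] args) {
        // Constructed requests: valid client credentials, then an unsupported grant type.
        String basic = "Basic " + Base64.getEncoder().encodeToString("mobile-app:constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(token(basic, "client_credentials"));
        System.out.println(token(basic, "password"));
    }
}
```

A resource endpoint would then accept a request only when its `Authorization: Bearer` token is present in `TOKENS` and has not expired.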

java spring security oauth
