OAuth


Jersey and OAuth

Introduction

Jersey contains support for the signing and verification of requests, per the OAuth Core 1.0 specification. There are three modules in the Jersey contributions section that provide support for OAuth:

  • OAuth signature library: provides core support for handling OAuth signatures
  • OAuth Jersey client filter: outgoing requests are automatically signed with OAuth signature
  • OAuth Jersey server request wrapper: wraps Jersey server requests to verify OAuth signature

For sample code, see the oauth-tests module: svn co https://svn.java.net/svn/jersey~svn/trunk contribs/jersey-oauth/oauth-tests

OAuth signature library

The OAuth signature library provides core support for generation, verification and signing of requests.

It supports the signature methods outlined in OAuth Core 1.0 specification: HMAC-SHA1, RSA-SHA1, and PLAINTEXT. Additional signature methods can be implemented by third parties and automatically loaded at the time the signature library JAR file is loaded.

Code that utilizes the OAuth signature library implements the OAuthRequest interface to expose the request to the library for signature generation and verification. Additionally, an OAuthParameters object contains the parameters used in signing, and an OAuthSecrets object specifies the secrets that back the consumer key and/or access/request token. The OAuthSignature class is used to sign and verify requests.

Example usage:

OAuth Jersey client filter

The OAuth Jersey client filter uses the OAuth signature library to automatically sign outgoing requests with established parameters and secrets. A filter instance can be added at one of two levels:

  • Client: all outgoing requests are signed with established parameters and secrets
  • WebResource: all requests to the resource are signed with established parameters and secrets

Because WebResource objects are inexpensive to create, when the same resource must be signed with different parameters and/or secrets, create a new WebResource instance for each combination and add a separate filter instance to it.

The filter will not sign a request if an Authorization header is already present in the outgoing request. This allows previous filters in the chain to override behavior.

Example usage:

Notice in this example that the timestamp and nonce are not explicitly set. When they are not set in the OAuthParameters object, the filter automatically sets the timestamp to the current time in seconds since the epoch and selects a random nonce value for each request. If a value is explicitly set, it is presumed to be intended to be sent in the request, and it will not be overwritten.
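An added example (not code from this page or from the Jersey project) that puts the signature library's OAuthParameters and OAuthSecrets objects behind an OAuthClientFilter attached to a single WebResource; the consumer key, token, secrets and URL are placeholder values, and the package names assume the Jersey 1.x contribs modules.

```java
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.oauth.client.OAuthClientFilter;
import com.sun.jersey.oauth.signature.OAuthParameters;
import com.sun.jersey.oauth.signature.OAuthSecrets;

public class SignedClientExample {
    public static void main(String[] args) {
        Client client = Client.create();

        // Parameters that travel in the Authorization header (placeholder values).
        // Timestamp and nonce are deliberately left unset: the filter fills in the
        // current epoch seconds and a fresh random nonce on every request.
        OAuthParameters params = new OAuthParameters()
                .consumerKey("example-consumer-key")
                .token("example-access-token")
                .signatureMethod("HMAC-SHA1")
                .version("1.0");

        // Secrets never leave the client; they only form the HMAC-SHA1 key
        // (consumer secret, "&", token secret).
        OAuthSecrets secrets = new OAuthSecrets()
                .consumerSecret("example-consumer-secret")
                .tokenSecret("example-token-secret");

        // Attach the filter at the WebResource level, not on the Client, so that a
        // second WebResource can carry a different token or consumer without
        // interfering with this one.
        WebResource photos = client.resource("https://api.example.com/photos?size=original");
        photos.addFilter(new OAuthClientFilter(client.getProviders(), params, secrets));

        // The GET goes out with an OAuth Authorization header computed over the
        // method, URL and query parameters; a pre-existing Authorization header
        // would have suppressed signing.
        ClientResponse response = photos.get(ClientResponse.class);
        System.out.println("HTTP " + response.getStatus());
        System.out.println(response.getEntity(String.class));
    }
}
```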

OAuth Jersey server request wrapper

The OAuth Jersey server request wrapper uses the OAuth signature library to allow a Jersey server resource to manually verify the signature of an incoming request. It is a concrete implementation of the OAuthRequest interface in the OAuth signature library.

Example usage:

To comply with the OAuth protocol, the contrived example above should actually reject the consumer request with a 400 or 401 status code, depending on the reason for rejection.

Performing signature verification per resource is generally discouraged; using a server filter to verify incoming requests for groups of protected resources is far preferable. For example, the OpenSSO project has a working Servlet Filter implementation in its OAuth extension that sets the user principal in the security context based on the OAuth signature. This allows JSPs and servlets to call the HttpServletRequest.getUserPrincipal method to determine the identity of the user that authorized the issuance of the access token.

Simple OAuth Authentication with a Container filter

Simple OAuth authentication for a servlet or filter may be set up using a Container Filter, which filters the request before the request is matched and dispatched to a root resource class. The Container Filter is registered using initialization parameters which point to a user defined class, such as the following:
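An added example (not code from this page or from the Jersey project) of the verification flow described in the server request wrapper section, performed once in a ContainerRequestFilter as recommended above, with the 400/401 split noted earlier plus a timestamp and nonce replay check; the credential maps are constructed placeholders and the package names assume the Jersey 1.x contribs modules.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response.Status;
import com.sun.jersey.oauth.server.OAuthServerRequest;
import com.sun.jersey.oauth.signature.*;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

// Verifies the OAuth 1.0 signature of every request before root resource matching.
public class OAuthVerifyingFilter implements ContainerRequestFilter {
    // Constructed placeholder credentials; a deployment looks these up in its token store.
    private static final Map<String, String> CONSUMER_SECRETS =
            Collections.singletonMap("example-consumer-key", "example-consumer-secret");
    private static final Map<String, String> TOKEN_SECRETS =
            Collections.singletonMap("example-access-token", "example-token-secret");
    // timestamp:nonce pairs already accepted; evicting entries older than the window is omitted here.
    private final Set<String> seenNonces =
            Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());

    public ContainerRequest filter(ContainerRequest request) {
        OAuthServerRequest oauthRequest = new OAuthServerRequest(request);
        OAuthParameters params = new OAuthParameters();
        params.readRequest(oauthRequest);  // collects the oauth_* parameters the consumer sent
        if (params.getConsumerKey() == null || params.getToken() == null)
            throw new WebApplicationException(Status.BAD_REQUEST);   // 400: required parameters missing
        String consumerSecret = CONSUMER_SECRETS.get(params.getConsumerKey());
        String tokenSecret = TOKEN_SECRETS.get(params.getToken());
        if (consumerSecret == null || tokenSecret == null)
            throw new WebApplicationException(Status.UNAUTHORIZED);  // 401: unknown consumer or token
        OAuthSecrets secrets = new OAuthSecrets().consumerSecret(consumerSecret).tokenSecret(tokenSecret);
        try {
            if (!OAuthSignature.verify(oauthRequest, params, secrets))
                throw new WebApplicationException(Status.UNAUTHORIZED);  // 401: signature mismatch
        } catch (OAuthSignatureException e) {
            throw new WebApplicationException(e, Status.BAD_REQUEST);    // 400: e.g. unsupported signature method
        }
        // Replay protection: reject timestamps outside a 5 minute window and any timestamp/nonce pair seen before.
        long now = System.currentTimeMillis() / 1000, ts;
        try { ts = Long.parseLong(params.getTimestamp()); } catch (NumberFormatException e) {
            throw new WebApplicationException(Status.BAD_REQUEST);       // 400: malformed or missing timestamp
        }
        if (Math.abs(now - ts) > 300 || !seenNonces.add(ts + ":" + params.getNonce()))
            throw new WebApplicationException(Status.UNAUTHORIZED);      // 401: stale or replayed request
        return request;  // verified: matching and dispatch to the resource proceed
    }
}
```

Register the class with the Jersey servlet through the init-param com.sun.jersey.spi.container.ContainerRequestFilters, whose value is the filter's fully qualified class name.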

OAuth implementations using Jersey

  • OAuth4J is an OAuth implementation using Jersey.
  1. Aug 18, 2011

    That's a great post,
    but where do I find the jar containing ContainerRequestFilter?

  2. Jan 22, 2012

    Hi, truly awesome addition to Jersey!

    I had a couple of questions:

    - Do you have any plans to add in the signature methods for OAuth2.0?

    - How do you store the nonce to ensure it's not repeated?

    Thanks
