2-legged OAuth Security for RestFul API for Jersey - rest

I know... I know... there are a lot of articles, resources, etc. out there regarding OAuth and securing RESTful APIs with it; however, I'm looking for an actual open-source or third-party product that's already built that I can throw in front of my controllers (as a filter or whatnot) and do my OAuth magic.
I'm perfectly happy (and mostly able) to "roll my own", but if there is already a commercial product out there I would be VERY happy to use it. I mean... I could create my own wheel, but so many other people do it so much better than I could.
I'm using Jersey (JSR-311) as my RestFul framework, not Spring, so I would prefer to not add the extra "weight" of the Spring Security libraries in my application.
Sorry to ask a question I'm sure has been asked 1 zillion times, but I just can't seem to find a very straightforward product.
Thanks!

The Jersey OAuth module supports 2-legged OAuth.
Server-side OAuth support javadoc: http://jersey.java.net/nonav/apidocs/latest/jersey/contribs/jersey-oauth/oauth-server/index.html
Client-side OAuth support javadoc: http://jersey.java.net/nonav/apidocs/latest/jersey/contribs/jersey-oauth/oauth-client/index.html
(both are linked from the Jersey home page - http://jersey.java.net)
The modules are available on Maven. See http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22com.sun.jersey.contribs.jersey-oauth%22
If you run into issues, you can contact the Jersey team at users#jersey.java.net.
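For readers who want to see what such a filter has to check before a request reaches a resource, here is an added example in Python (not Jersey's own code and not the OAuth module's API): 2-legged OAuth 1.0a, where the client signs each request with HMAC-SHA1 using only its consumer key and shared secret, and the server recomputes the signature, enforces a timestamp window and rejects replayed nonces. The consumer registry, the replay cache and the sample request are constructed in-memory stand-ins.

```python
"""Added example: the checks a 2-legged OAuth 1.0a server-side filter performs.
Constructed for this example: the consumer key/secret store and the in-memory
replay cache. A real deployment backs both with shared storage."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed consumer registry: 2-legged OAuth has no access token, only the
# consumer key and the secret shared with that consumer at registration time.
CONSUMER_SECRETS = {"android-app-1": "s3cr3t-shared-with-the-app"}


def pct(s: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters untouched.
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    # Scheme and host lowercased, default port and query dropped (RFC 5849 3.4.1.2).
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower() if parts.hostname else ""
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    # Query parameters plus every oauth_* parameter except the signature itself,
    # each encoded, sorted by encoded key then value, then joined (RFC 5849 3.4.1).
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    # Key is "consumer_secret&token_secret"; the token secret is empty in 2-legged OAuth.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class OAuth2LeggedVerifier:
    def __init__(self, secrets_by_key: dict, max_skew: int = 300):
        self.secrets = secrets_by_key
        self.max_skew = max_skew
        self.seen = set()  # (consumer key, timestamp, nonce) seen within the window

    def verify(self, method: str, url: str, params: dict, now: float = None):
        """Return (accepted, reason). Order matters: cheap checks first, and the
        nonce is only recorded once the signature has been accepted."""
        now = time.time() if now is None else now
        key = params.get("oauth_consumer_key")
        secret = self.secrets.get(key)
        if secret is None:
            return False, "unknown consumer"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        nonce = params.get("oauth_nonce", "")
        if not nonce or (key, ts, nonce) in self.seen:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
        # Constant-time comparison so the check does not leak the expected value.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen.add((key, ts, nonce))
        return True, "ok"


def sign_request(method: str, url: str, consumer_key: str, consumer_secret: str, now: float = None) -> dict:
    """Client side: build the oauth_* parameters for one request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret)
    return params
```

The parameters would travel in an `Authorization: OAuth ...` header or in the query string; the filter parses them into the dict, reconstructs the request URL from the request it actually received (not from any client-supplied value) and calls `verify`. Rejections return 401 before the resource method runs.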

Related

Identity Provider Implementation with SAML V2 and Java

After successfully implementing a SAML V2 Service Provider (SP), to support a specific use case I have to implement my own SAML 2 IdP. After going through the OASIS documentation and many other sources about the SAML protocol, I have started implementing it.
My Use-case is just a single profile (Web Browser SSO Profile) with SP-Initiated SSO: Redirect Bindings only.
I am looking for some lean third-party library or java based implementation which I can refer/use to speed up the implementation and customize on top of that.
Would love for any recommendation or suggestion in this direction.
To be specific, I'm looking for any/all of the below:
Easy to use open-source library for implementing SAML-V2 Identity Provider in Java.
Detailed documentation/specification for above profile.
Any advice from experts who have past experience implementing this kind of IdP.
There is lots of material available for SP. However, very few and complex for IdP.
Some of the Java-based implementations I am already looking at are: Keycloak and Lite-IdP.
"Very few and complex" is true because building a real-world identity provider is a serious project. OpenSAML as the library is your best option in Java - many enterprise-grade implementations that we know about are built with it. A good, stripped-down example of how to use OpenSAML in an IdP context is https://github.com/OpenConext/Mujina .
Lite IdP is written in Go. If you're open to non-Java options, SimpleSAMLphp is excellent, it's certainly better documented than many others.
I'd post it as a comment, but I don't have enough reputation.
But here you have almost the same question, regarding Spring SAML:
using-spring-saml-as-an-idp-rather-than-an-sp
Take a look at Vladimir's answer, I think it's what you're looking for. Here is the link suggested by him.
Cheers
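The question above limits itself to SP-initiated SSO over the HTTP-Redirect binding. As an added illustration of the first thing an IdP does in that profile (example code, not Keycloak's, Lite-IdP's or OpenSAML's), the Python below decodes a `SAMLRequest` query parameter (base64 of raw DEFLATE), extracts the fields the IdP needs from the AuthnRequest, and checks the issuer and AssertionConsumerServiceURL against the SP's registered metadata before anything is issued. The SP registry and the AuthnRequest are constructed for this example; a production parser should additionally be hardened against XML external entities.

```python
"""Added example: HTTP-Redirect binding decode and AuthnRequest validation on the IdP.
Constructed for this example: SP_REGISTRY and SAMPLE_AUTHN_REQUEST."""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SP registry: entityID -> ACS URLs taken from the SP's metadata.
# The ACS URL in the request must match one of these exactly; otherwise the
# IdP would post a signed assertion wherever the request asked it to.
SP_REGISTRY = {
    "https://sp.example.org/metadata": {"https://sp.example.org/acs"},
}

SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req-constructed-1" Version="2.0"
  IssueInstant="2015-01-01T00:00:00Z" Destination="https://idp.example.org/sso"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://sp.example.org/acs">
  <saml:Issuer>https://sp.example.org/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """SP side of the Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(xml_text.encode("utf-8")) + co.flush()
    return urlencode({"SAMLRequest": base64.b64encode(raw).decode()})


def decode_redirect(query_string: str, max_bytes: int = 64 * 1024) -> str:
    """IdP side: reverse the encoding, capping the inflated size so a tiny
    parameter cannot expand into an enormous document."""
    b64 = parse_qs(query_string)["SAMLRequest"][0]
    raw = base64.b64decode(b64, validate=True)
    d = zlib.decompressobj(-15)
    xml_bytes = d.decompress(raw, max_bytes)
    if d.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size limit")
    return xml_bytes.decode("utf-8")


def parse_authn_request(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def validate_against_registry(req: dict, registry: dict = SP_REGISTRY):
    allowed_acs = registry.get(req["issuer"])
    if allowed_acs is None:
        return False, "unknown SP issuer"
    if req["acs_url"] not in allowed_acs:
        return False, "ACS URL not registered for this SP"
    if not req["id"]:
        return False, "missing request ID (needed for InResponseTo)"
    return True, "ok"


def handle_sso(query_string: str):
    """What the IdP's SSO endpoint does before showing a login page."""
    req = parse_authn_request(decode_redirect(query_string))
    ok, reason = validate_against_registry(req)
    return req, ok, reason
```

Signature verification of the request (the `SigAlg` and `Signature` query parameters, when the SP signs requests) and the later assertion signing are deliberately out of scope here; the point is that the ACS URL and issuer are checked against metadata, not trusted from the request.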

How to create an API REST?

I want to reach the data saved in a MySQL server from an Android phone. I thought about connecting the phone directly to MySQL, but it is bad practice because someone can get the user/pass of the DB.
However, the REST architecture may be a solution for my problem. I found the GWT toolkit but I don't know if it's the best way to solve my problem and what I need in order to use GWT.
And I basically have 2 questions:
Is GWT good for my purpose?
Do I need a Tomcat server, for example, to deploy the GWT code?
One note: the data is for an Android app, there is no HTML interface.
Nowadays I'm working on localhost. Thanks for the answers.
As far as I understand, you want to implement a RESTful service (Web API). GWT targets the Web UI to be able to build it using Java and compile it into JavaScript. I think that it's not what you expect.
Here is a link that provides hints about the concepts of REST: https://templth.wordpress.com/2014/12/15/designing-a-web-api/. It describes what a RESTful service is and how to design it.
There are several technologies to build RESTful services (server-side frameworks). I can list two of them:
Restlet (see this link http://restlet.com/technical-resources/restlet-framework/tutorials/2.3 and http://restlet.com/products/restlet-framework/)
JAX-RS and its implementations (Restlet, Jersey, RESTEasy). See this link for example: https://templth.wordpress.com/2015/03/06/getting-started-with-resteasy/.
Hope it helps you,
Thierry

What's RESTful API, and does it mean anything for a front end developer?

I've been reading around trying to understand what RESTful API is all about. I guess I understood the general outlines and a bit about how it's related to HTTP and all that.
In fact, one of the jobs I recently applied for required a 'must' knowledge of a RESTful API!! The job description was messy anyway and seemed it had been written by an HR person, or somebody who didn't actually have an advanced technical knowledge.
I fail to see how, as a frontend developer / UI/UX designer, I could benefit from the vague RESTful API stuff. What's the connection?! Should I really be bothered?
Thanks!
Simply and precisely: NO.
For a front-end developer only, it is not necessary; it is a must (or a SOAP-based API) for a back-end application developer.
I am an Android app developer; I made a REST API for my app and my friend is just working on the web page UI for that app.
Ajax calls are the little you need to know.
But one should know a little bit about APIs, it never hurts :)
RESTful APIs, and web services in general, are a way to abstract back ends from front-end developers. They allow front-end developers to do their interfaces without the need to code any server-side logic.
Web services contain all the business logic. As a front-end developer, you'd need to know how to interact with such services, but you are not required to understand the whereabouts of the API call.
Finally, it's a way to define clear separation between what the application looks like and what the application does.
REST is a way to think about applications. In short, the client is stateless and you use HTTP methods for what they are designed for in order to interact with your server resources. You also leverage HTTP status codes, media types, and content negotiation (conneg).
If you want to know more about principles of RESTful services and Web API, you could have a look at this link: https://templth.wordpress.com/2014/12/15/designing-a-web-api/.
Hope it helps you,
Thierry
From the client perspective, the two main differences between REST and other (e.g. SOAP) web services are that you have to use stateless communication (so you won't have a server-side session, login, logout, etc...) and you have to use hyperlinks as request templates instead of building requests from scratch. Because of these constraints your client breaks much harder on API changes.
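The "How to create an API REST?" question above (an Android app that must not carry database credentials) and the REST principles listed in the last two answers (stateless requests, HTTP methods used as designed, status codes, content negotiation, hyperlinks in responses) are served by one added example in Python. It is not code from any of the answers or from GWT, Restlet or Jersey: a pure request handler that keeps the database behind the API, takes every identifier through a parameterised query, carries the client's credential on each request instead of a server session, and negotiates the response format. The token store and the SQLite in-memory table are constructed stand-ins for the real user store and the MySQL server in the question.

```python
"""Added example: a stateless REST resource handler in front of a database.
Constructed for this example: API_TOKENS and the in-memory items table."""
import json
import re
import sqlite3

# Constructed bearer tokens issued to app installs; the DB user/password never
# leaves the server, which is the point of putting an API in front of it.
API_TOKENS = {"tok-constructed-android-1": "android-user"}

ROUTE = re.compile(r"^/items(?:/(\d+))?$")  # only digits reach the SQL layer


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO items (id, name) VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    conn.commit()
    return conn


def item_repr(row) -> dict:
    # Hyperlink to the resource so the client follows links instead of
    # building URLs from scratch (the hypermedia point in the answer above).
    return {"id": row[0], "name": row[1], "href": f"/items/{row[0]}"}


def render(status: int, payload, accept: str):
    """Content negotiation: JSON by default, text/plain on request, 406 otherwise."""
    if not accept or "application/json" in accept or "*/*" in accept:
        return status, {"Content-Type": "application/json"}, json.dumps(payload)
    if "text/plain" in accept:
        return status, {"Content-Type": "text/plain"}, str(payload)
    return 406, {"Content-Type": "text/plain"}, "not acceptable"


def handle(conn, method: str, path: str, headers: dict = None, body: str = None):
    """Return (status, headers, body). No session: every request is authenticated
    on its own from the Authorization header."""
    headers = headers or {}
    accept = headers.get("Accept", "")
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token not in API_TOKENS:
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    m = ROUTE.match(path)
    if not m:
        return render(404, {"error": "no such resource"}, accept)
    item_id = m.group(1)
    if method == "GET" and item_id is None:
        rows = conn.execute("SELECT id, name FROM items ORDER BY id").fetchall()
        return render(200, [item_repr(r) for r in rows], accept)
    if method == "GET":
        row = conn.execute("SELECT id, name FROM items WHERE id = ?", (int(item_id),)).fetchone()
        if row is None:
            return render(404, {"error": "item not found"}, accept)
        return render(200, item_repr(row), accept)
    if method == "POST" and item_id is None:
        try:
            name = json.loads(body or "")["name"]
        except (ValueError, KeyError, TypeError):
            return render(400, {"error": "body must be JSON with a 'name'"}, accept)
        cur = conn.execute("INSERT INTO items (name) VALUES (?)", (name,))
        conn.commit()
        return render(201, item_repr((cur.lastrowid, name)), accept)
    if method == "DELETE" and item_id is not None:
        cur = conn.execute("DELETE FROM items WHERE id = ?", (int(item_id),))
        conn.commit()
        if cur.rowcount == 0:
            return render(404, {"error": "item not found"}, accept)
        return 204, {}, ""
    return render(405, {"error": "method not allowed"}, accept)
```

Any HTTP server (Tomcat with a servlet, a JAX-RS resource, or Python's `http.server`) can call `handle` with the method, path, headers and body it received; the handler itself holds no per-client state between calls, which is what lets it scale behind a load balancer without sticky sessions.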

Adding OAuth to a Scalatra web service

I am looking to build a Scalatra based API. One of the requirements is OAuth authentication. I noticed the guide for OAuth isn't yet put up on the official Scalatra site. Is the best way to currently add OAuth support by figuring out how to add an OAuth based strategy into Warden? I come from a Ruby on Rails based background, so new to a lot of Scala/Java conventions. There's probably several ways to tackle this but I'm hoping for any solution that's documented and can be referenced for implementation in my own application.
I am currently rewriting a Ruby/Sinatra app in Scala/Scalatra. I found the easiest way to add OAuth is to use Scribe (https://github.com/fernandezpablo85/scribe-java). There is a guide on using Scribe with Scala here:
https://github.com/earldouglas/nuevos#consuming-the-twitter-api-in-scala-with-scribe
Note that the exact implementation of the Twitter API is outdated. He made some minor updates to the code without actually updating the README (That confused me for some time.) I suggest you read the normal Java Scribe guide first, then take a look at the source code of the Scalatra example.

Visual REST API playground

What are some web apps that allow me to play with any REST APIs visually (by clicking) and also get some code generated (in any language) that captures what I have described visually?
Similar to Swagger or Google API Playground but allows me to talk to anything that speaks REST (assuming I have the proper auth credentials and I know what messages it understands).
Bonus points for something that can also "discover" what messages are understood, given a URL endpoint.
Microsoft has two that I know of:
OData API explorer
The data market service explorer (requires signing in, and then you can access free data sets)
Considering that REST APIs are going to follow their own conventions, terms, and have their own documentation (hopefully), this is an impossible problem. If you restrict your quest to visualizing APIs that follow a "standard" form of self-documentation (see "REST web service WSDL?" for some hopeful scenarios) you might be able to accomplish this.
Or you can use something like http://www.programmableweb.com/ to discover tutorials, tools, examples, and mashups of various existing APIs.
You could mock an API at http://apiary.io/.
You could explore an existing one through tools (e.g. REST Console for Chrome).
What you can't have is a one-size-fits-all explorer for "every possible REST API." Some APIs follow conventions that others don't.
apigee and apihub (now part of mulesoft) are two that I frequently visit. Of the two, apigee is my preferred provider.
One of the reasons that you're not going to see a lot of websites like this is because of the same-origin policy. This means that you can't access a RESTful API located at api.google.com from a web app running at, say, www.restfiddle.com without sending all the API traffic through restfiddle.com's servers. Sites like JSFiddle can exist (and are used widely) because all the processing is done on the client side.
Browser plugins, however, are exempt from the same-origin policy. If you're using Chrome, try Postman. If your REST client doesn't need to be web-based, check out SoapUI. IntelliJ IDEA has a nice REST client as well.
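The same-origin policy described in the answer above is relaxed only when the API server itself opts in with CORS response headers, which is why a browser-hosted explorer can call an API directly only if that API allows its origin. The following is an added example in Python (not code from Postman, SoapUI or any site named above) of the decision an API makes: exact-match an allowlist of origins, answer preflight `OPTIONS` requests, and never combine a wildcard origin with credentials. The allowed origins are constructed for the example.

```python
"""Added example: CORS decision for a REST API. Constructed: ALLOWED_ORIGINS."""
from urllib.parse import urlsplit

# Exact origins (scheme + host + port). Matching by suffix or substring
# (e.g. endswith("example.com")) is a classic CORS misconfiguration because
# "app.example.com.evil.test" would pass; this code compares whole origins.
ALLOWED_ORIGINS = {"https://www.restfiddle.example", "https://app.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"authorization", "content-type"}


def cors_headers(request_headers: dict, method: str, allow_credentials: bool = True):
    """Return (status, headers) for the CORS part of a response.

    No Origin header -> not a cross-origin browser request, nothing to add.
    Unlisted origin   -> no Access-Control-Allow-Origin at all; the browser
                         then refuses to expose the response to the page.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return 200, {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in ALLOWED_ORIGINS:
        return (403, {}) if method == "OPTIONS" else (200, {})
    # Echo the specific origin, never "*", when credentials are allowed, and
    # add Vary so caches do not serve one origin's answer to another.
    headers = {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS":
        req_method = request_headers.get("Access-Control-Request-Method", "")
        req_headers = {h.strip().lower()
                       for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
                       if h.strip()}
        if req_method not in ALLOWED_METHODS or not req_headers <= ALLOWED_HEADERS:
            return 403, {}
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"
        return 204, headers
    return 200, headers
```

Note the asymmetry: a plain request from an unlisted origin still gets a 200 with no CORS headers, because the browser, not the server, enforces the read restriction; the server's real protection against cross-site requests remains its authentication, not CORS.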
Try Restlet Studio; it's the only visual API designer I've found, and it seems pretty good: it imports and exports Swagger & RAML.
http://studio.restlet.com/