Jax RS REST API - OAuth 2.0 and origin management

Question

Jax RS REST API - OAuth 2.0 and origin management

I have a REST API built using Java JAX-RS, the API will be published and protected by OAuth 2.0.

I plan to use this API from internal projects I create, and because this is my API, I do not expect the user to allow me to make calls to this API.

I am currently using filters to validate the access token and validate it against my OAuth provider, sample config:

<!-- Exposing the facility service as a REST service -->
<jaxrs:server id="restContainer" address="/">
    <jaxrs:serviceBeans>
      .. services beans
    </jaxrs:serviceBeans>
    <jaxrs:providers>
      <ref bean="oauthFilter"/> <-- filter to validate oauth
      <ref bean="apiUsageFilter"/> <-- filter to check api usage (integrated with 3scale)
      <ref bean="jacksonProvider" />
      <ref bean="exceptionMapper" />
    </jaxrs:providers>
    <jaxrs:extensionMappings>
      <entry key="json" value="application/json" />
      <entry key="xml" value="application/xml" />
      <entry key="html" value="text/html" />
    </jaxrs:extensionMappings>
    <jaxrs:features>
      <bean class="org.apache.cxf.feature.LoggingFeature"/>  
    </jaxrs:features>
</jaxrs:server>

I am wondering if I can implement a new filter to check the origin of the call if it is one of the listed ip (s) / domain (s) then bypasses oauth, if not then go to oauth.

Is this approach possible? would that be good practice? Pros and cons?

Thank!

+3

java rest jax-rs

Ahmad Alkhawaja Feb 19 13 at 12:08

source to share

1 answer

Ahmad Alkhawaja · Accepted Answer · 2014-01-25T17:02:30+0000

The solution was simple: we implemented client authorization permission for server-to-server applications and resource owner authorization permission for mobile applications (which do not have a backend) on the OAuth 2.0 server.

Jax RS REST API - OAuth 2.0 and origin management

More articles: