Spring @EnableResourceServer vs @EnableOAuth2Sso

These annotations mark your services with different OAuth 2.0 roles. @EnableResourceServer annotation means that your service (in terms of OAuth 2.0 – Resource Server) expects an access token in order to process the request. Access token should be obtained from Authorization Server by OAuth 2.0 Client before calling the Resource Server. @EnableOAuth2Sso: marks your service … Read more

Security of REST authentication schemes

A previous answer only mentioned SSL in the context of data transfer and didn’t actually cover authentication. You’re really asking about securely authenticating REST API clients. Unless you’re using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API. SSL without client authc only authenticates the server, which is irrelevant … Read more

RESTful Authentication

How to handle authentication in a RESTful Client-Server architecture is a matter of debate. Commonly, it can be achieved, in the SOA over HTTP world via: HTTP basic auth over HTTPS; Cookies and session management; Token in HTTP headers (e.g. OAuth 2.0 + JWT); Query Authentication with additional signature parameters. You’ll have to adapt, or … Read more

Best Practices for securing a REST API / web service [closed]

As tweakt said, Amazon S3 is a good model to work with. Their request signatures do have some features (such as incorporating a timestamp) that help guard against both accidental and malicious request replaying. The nice thing about HTTP Basic is that virtually all HTTP libraries support it. You will, of course, need to require … Read more