TBorba <tborba(a)outsoft.pt> wrote, in response to Vineet Reynolds:
Hi and thank you for your comment.
About serialization, that was my general idea too.
When talking security, I might be biased since my use case is a mix of characteristics
both in the "MAY NEED" and "MAY NOT NEED" OAuth, and that's
probably the reason I haven't settled yet for a single security framework.
In short, I have 3 types of WWW distributed entities:
a) remote client applications (e.g. a smartphone app);
b) a Gateway black box that implements RSA, SSL sockets, and is very static (inserted in a
home appliance which relays its industry-specific protocol to the WWW, using a third party
electronic component. This is made by my potential client). Basically a provider that can
be read and written to, but that is vulnerable to eavesdropping and MITM when publishing
ServerSockets. It's also very "critical" (think medical application or home
climate);
c) a central server which manages authentication and keeps mobile clients aware of the
gateway's dynamic location (non-static IP from the consumer's internet
connection), incoming listening port AND respective socket _public key_. It also hosts a
"register/manage appliances" web app with user authentication.
Paraphrasing questions from the referenced article:
Hypothesis - "Do you want a central authentication server that manages authentication
and authorization for all your web apps?"
A - Yep, I will need a website that pretty much uses the same credentials as the services
I will deploy for _a)_ (+ for OAuth)
Hypothesis - "Do you want to allow users to grant temporary permission for third
parties to access services on behalf of them?"
A - Although they are indeed temporary, nope, since the "services" on the _b)_
endpoint are very low level and do not provide standardized WEB services per se, instead
relying on plain old SSL sockets to transport application level messages (- against
OAuth)
Hypothesis - "Does your app already manage user logins and authorization?"
A - Not yet, but eventually it must, and I'm considering Apache Shiro at the moment (-
against OAuth)
So from my understanding, OAuth/OAuth2 is indeed overkill since I already need to
provide authentication for other components (the web app). Maybe I can just intercept
the REST requests just like a login page would, and prepare my mobile clients to answer
the challenges for refreshing their security tokens, or something like that.
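The MITM exposure described for the gateway in b) is what the socket public key published by the central server in c) can close, if the mobile clients actually pin it. Added example, not code from the thread: in Python, it extracts the SubjectPublicKeyInfo from the gateway's DER certificate, derives the RFC 7469-style pin (base64 of its SHA-256), compares it in constant time with the value the central server published, and refuses the TLS connection on mismatch. The sample certificate, its placeholder rsaEncryption key bits and the `connect_pinned` host/port/pin parameters are assumptions constructed here so the parser runs offline.

```python
import base64, hashlib, hmac, socket, ssl

def _der(tag: int, body: bytes) -> bytes:   # minimal DER TLV encoder for the constructed sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf: bytes, off: int):
    """Decode the DER element at buf[off]; return (tag, value_start, element_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, off, _ = _tlv(cert_der, 0)      # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, off, _ = _tlv(cert_der, off)    # TBSCertificate ::= SEQUENCE { ... }
    tag, _, end = _tlv(cert_der, off)
    if tag == 0xA0:                    # optional EXPLICIT [0] version; absent in v1 certs
        off = end
    for _ in range(5):                 # serialNumber, signature, issuer, validity, subject
        _, _, off = _tlv(cert_der, off)
    tag, _, end = _tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not found")
    return cert_der[off:end]

def spki_pin(cert_der: bytes) -> str:    # RFC 7469-style pin: base64(SHA-256(DER SPKI))
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def verify_gateway_pin(cert_der: bytes, published_pin: str) -> bool:   # constant-time compare
    return hmac.compare_digest(spki_pin(cert_der), published_pin)

def connect_pinned(host: str, port: int, published_pin: str, timeout: float = 10.0):
    """Open a TLS socket to the gateway and refuse it unless its key matches the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # dynamic IP, no CA-issued name to check
    ctx.verify_mode = ssl.CERT_NONE    # the pin check below replaces CA validation
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout))
    if not verify_gateway_pin(tls.getpeercert(binary_form=True), published_pin):
        tls.close()
        raise ssl.SSLError("gateway key does not match the pin published by the central server")
    return tls

# Constructed sample certificate (placeholder RSA key bits) so the parser can run offline.
_RSA_OID = bytes.fromhex("06092a864886f70d010101")            # OID 1.2.840.113549.1.1.1
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + b"\xab" * 16))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01")
                            + _der(0x30, b"") * 4 + SAMPLE_SPKI)
                   + _der(0x30, _RSA_OID + b"\x05\x00") + _der(0x03, b"\x00\x00"))
```

The central server would publish `spki_pin(gateway_cert_der)` next to the gateway's IP and port, and the mobile client calls `connect_pinned` with that value instead of trusting whatever key the socket presents.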
Vineet Reynolds wrote:
Unfortunately in the case of serialization and deserialization of object graphs to various
formats, there is no standardized annotation available (yes, this can result in a mess if
you're not careful). The format-agnostic way to do this is to have custom
MessageBodyReaders/MessageBodyWriters but that tends to be an overkill in most scenarios;
besides, it also requires knowledge of the internals of libraries like Jackson.
About OAuth/OAuth2, I'd suggest reading this:
http://bill.burkecentral.com/2012/11/15/do-you-really-need-oauth2/. The summary of that
post is that you wouldn't need OAuth, unless you need to allow other parties to perform
operations on behalf of the identities registered in your identity store. If your users in
the store perform operations and do not delegate them to other...