Symantec Access Management

  • 1.  OAuth Authorization Grant and Best Practices in a JEE Application Server

    Posted Feb 04, 2016 09:43 PM

    There was a discussion today that I did not really agree with, so I figured I'd ask others in the community to see if someone else can chime in.

     

    I have REST services that are running on an application server like JBoss, for example. I want to expose services externally using the Authorization Grant with OAuth 2.0. Let us say that the OAuth 2.0 dance is taken care of by the CA Gateway. I still need to authenticate in my JBoss server.

     

    The discussion is around who the authenticated party on the JBoss server is. Is it the resource owner (the person that granted the access), or is it the client-id that was used to request the OAuth token?



  • 2.  Re: OAuth Authorization Grant and Best Practices in a JEE Application Server
    Best Answer

    Broadcom Employee
    Posted Jun 07, 2017 11:40 AM

    This should open a question with Red Hat who is the vendor for JBoss.

     

    Thanks,

    Sagi



  • 3.  Re: OAuth Authorization Grant and Best Practices in a JEE Application Server

    Posted Jun 07, 2017 12:00 PM

    I don't agree; I was simply asking what others have done to create trust between the gateway environment and my application server.

     

    What we ended up doing is signing a JWT token at the gateway, and we verify the signature in our application server. The JWT token contains all the security claims necessary to build a JAAS subject, which is built in a custom login module. We are currently experimenting with Spring Security to replace those login modules.

     

    So in the end the specific implementation would be vendor-specific, but what I wanted to hear were best practices, which never got answered.
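
    The gateway-to-application-server trust described in the reply above, as an added example that is not code from the thread, the CA Gateway, or JBoss. It is written in Python so it runs stand-alone; the same checks map onto the login() and commit() phases of a JAAS LoginModule. The gateway side signs a JWT with HS256 over a shared secret (an assumption made here so the example needs no key files; a gateway that signs with a private key and hands the server only the public key is the stronger arrangement, since the server then cannot mint tokens). The server side pins the algorithm, verifies the signature in constant time, checks iss, aud, exp and nbf, and only then builds a Subject. The claim layout is also an assumption: sub names the resource owner, azp (authorized party) names the OAuth client that obtained the token, and roles and scope carry what the login module needs, so both parties from the original question are available to the application, as separate principals rather than one or the other. The issuer URL, audience name, secret and sample claims are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Assumptions for this example: a shared HMAC secret and the identity the
# application server expects to see in iss/aud. None of these come from the thread.
GATEWAY_SECRET = b"example-shared-secret-rotate-me"
EXPECTED_ISSUER = "https://gateway.example.com"
EXPECTED_AUDIENCE = "orders-api"


def b64url_encode(raw: bytes) -> str:
    """JWT uses base64url without padding (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def gateway_issue_token(claims: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """Gateway side: sign base64url(header).base64url(payload) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenRejected(Exception):
    """Raised for any token the application server must not trust."""


@dataclass(frozen=True)
class Subject:
    """Stand-in for the JAAS Subject a custom login module would populate."""
    user: str            # resource owner who granted access (sub claim)
    client_id: str       # OAuth client that obtained the token (azp claim)
    roles: frozenset
    scopes: frozenset


def verify_token(token: str, secret: bytes = GATEWAY_SECRET, now: Optional[float] = None) -> dict:
    """Application-server side: return the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm: the token must never choose it ("none" or alg confusion).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenRejected("missing or expired exp")
    if now < claims.get("nbf", 0):
        raise TokenRejected("not yet valid")
    return claims


def build_subject(claims: dict) -> Subject:
    """The commit() step: turn verified claims into principals and roles."""
    return Subject(
        user=claims["sub"],
        client_id=claims["azp"],
        roles=frozenset(claims.get("roles", [])),
        scopes=frozenset(claims.get("scope", "").split()),
    )


def login(token: str, now: Optional[float] = None) -> Subject:
    return build_subject(verify_token(token, now=now))


# Constructed sample claims, as the gateway might issue after an authorization-code flow.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
    "sub": "alice", "azp": "mobile-app",
    "scope": "orders:read orders:write", "roles": ["customer"],
    "iat": 1000, "nbf": 1000, "exp": 1900,
}

if __name__ == "__main__":
    tok = gateway_issue_token(SAMPLE_CLAIMS)
    print(login(tok, now=1500))
```

    In a JBoss login module the shared secret or public key would be loaded from the module options rather than a constant, and the roles claim would become the group principal the server's authorization checks consult; the ordering of checks stays the same, and the signature check must come before any claim is read.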