RESTful Java with JAX-RS 2.0 (Second Edition)
Introduction
1. Introduction to REST
- 1.1. REST and the Rebirth of HTTP
- 1.2. RESTful Architectural Principles
- 1.3. Wrapping Up
2. Designing RESTful Services
- 2.1. The Object Model
- 2.2. Model the URIs
- 2.3. Defining the Data Format
- 2.4. Assigning HTTP Methods
- 2.5. Wrapping Up
3. Your First JAX-RS Service
- 3.1. Developing a JAX-RS RESTful Service
- 3.2. Deploying Our Service
- 3.3. Writing a Client
- 3.4. Wrapping Up
4. HTTP Method and URI Matching
- 4.1. Binding HTTP Methods
- 4.2. @Path
- 4.3. Subresource Locators
- 4.4. Gotchas in Request Matching
- 4.5. Wrapping Up
5. JAX-RS Injection
- 5.1. The Basics
- 5.2. @PathParam
- 5.3. @MatrixParam
- 5.4. @QueryParam
- 5.5. @FormParam
- 5.6. @HeaderParam
- 5.7. @CookieParam
- 5.8. @BeanParam
- 5.9. Common Functionality
- 5.10. Wrapping Up
6. JAX-RS Content Handlers
- 6.1. Built-in Content Marshalling
- 6.2. JAXB
- 6.3. Custom Marshalling
- 6.4. Wrapping Up
7. Server Responses and Exception Handling
- 7.1. Default Response Codes
- 7.2. Complex Responses
- 7.3. Exception Handling
- 7.4. Wrapping Up
8. JAX-RS Client API
- 8.1. Client Introduction
- 8.2. Bootstrapping with ClientBuilder
- 8.3. Client and WebTarget
- 8.4. Building and Invoking Requests
- 8.5. Configuration Scopes
- 8.6. Wrapping Up
9. HTTP Content Negotiation
- 9.1. Conneg Explained
- 9.2. Language Negotiation
- 9.3. Encoding Negotiation
- 9.4. JAX-RS and Conneg
- 9.5. Leveraging Content Negotiation
- 9.6. Wrapping Up
10. HATEOAS
- 10.1. HATEOAS and Web Services
- 10.2. HATEOAS and JAX-RS
- 10.3. Building Links and Link Headers
- 10.4. Wrapping Up
11. Scaling JAX-RS Applications
- 11.1. Caching
- 11.2. Concurrency
- 11.3. Wrapping Up
12. Filters and Interceptors
- 12.1. Server-Side Filters
- 12.2. Reader and Writer Interceptors
- 12.3. Client-Side Filters
- 12.4. Deploying Filters and Interceptors
- 12.5. Ordering Filters and Interceptors
- 12.6. Per-JAX-RS Method Bindings
- 12.7. Exception Processing
- 12.8. Wrapping Up
13. Asynchronous JAX-RS
- 13.1. AsyncInvoker Client API
- 13.2. Server Asynchronous Response Processing
- 13.3. Wrapping Up
14. Deployment and Integration
- 14.1. Deployment
- 14.2. Configuration
- 14.3. EJB Integration
- 14.4. Spring Integration
- 14.5. Wrapping Up
15. Securing JAX-RS
- 15.1. Authentication
- 15.2. Authorization
- 15.3. Authentication and Authorization in JAX-RS
- 15.4. Programmatic Security
- 15.5. Client Security
- 15.6. OAuth 2.0
- 15.7. Signing and Encrypting Message Bodies
- 15.8. Wrapping Up
16. Alternative Java Clients
- 16.1. java.net.URL
- 16.2. Apache HttpClient
- 16.3. RESTEasy Client Proxies
- 16.4. Wrapping Up
17. Workbook Introduction
- 17.1. Installing RESTEasy and the Examples
- 17.2. Example Requirements and Structure
18. Examples for Chapter 3
- 18.1. Build and Run the Example Program
- 18.2. Examining the Source Code
19. Examples for Chapter 4
- 19.1. Example ex04_1: HTTP Method Extension
- 19.2. Example ex04_2: @Path with Expressions
- 19.3. Example ex04_3: Subresource Locators
20. Examples for Chapter 5
- 20.1. Example ex05_1: Injecting URI Information
- 20.2. Example ex05_2: Forms and Cookies
21. Examples for Chapter 6
- 21.1. Example ex06_1: Using JAXB
- 21.2. Example ex06_2: Creating a Content Handler
22. Examples for Chapter 7
- 22.1. Example ex07_1: ExceptionMapper
23. Examples for Chapter 9
- 23.1. Example ex09_1: Conneg with JAX-RS
- 23.2. Example ex09_2: Conneg via URL Patterns
24. Examples for Chapter 10
- 24.1. Example ex10_1: Atom Links
- 24.2. Example ex10_2: Link Headers
25. Examples for Chapter 11
- 25.1. Example ex11_1: Caching and Concurrent Updates
26. Examples for Chapter 12
- 26.1. Example ex12_1 : ContainerResponseFilter and DynamicFeature
- 26.2. Example ex12_2: Implementing a WriterInterceptor
27. Examples for Chapter 13
- 27.1. Example ex13_1: Chat REST Interface
28. Examples for Chapter 14
- 28.1. Example ex14_1: EJB and JAX-RS
- 28.2. Example ex14_2: Spring and JAX-RS
29. Examples for Chapter 15
- 29.1. Example ex15_1: Custom Security
- 29.2. Example ex15_2: JSON Web Encryption
30. Workbook
- 30.1. ex03_1:Your first JAX_RS Client and Server
- 30.2. ex04_1:Custom HTTP Method Annotations
- 30.3. ex04_2:@Path expressions
- 30.4. ex04_3:Locators and Subresources
- 30.5. ex05_1:Injection Annotations (1)
- 30.6. ex05_2:Injection Annotations (2)
- 30.7. ex06_1:JAX-RS and JAXB
- 30.8. ex06_2:MessageBodyReader/Writer
- 30.9. ex07_1:Exception Mappers
- 30.10. ex09_1:Content Negotiation
- 30.11. ex09_2:HTTP Content Negotiation
- 30.12. ex10_1:Linking and UriBuilder
- 30.13. ex10_2:Link Headers and UriBuilder
- 30.14. ex11_1:CacheControl and Other things
- 30.15. ex12_1:Response Filter with DynamicFeature
- 30.16. ex12_2:WriterInterceptor
- 30.17. ex13_1:Customer Chat
- 30.18. ex14_1:JAX-RS and EJB
- 30.19. ex14_2:Spring and JAX-RS
- 30.20. ex15_1:@NameBinding and SecurityContext
- 30.21. ex15_2:JSON Web Encryption with Customer Chat

RESTful Java with JAX-RS 2.0 (Second Edition)

OAuth 2.0

OAuth 2.0 is an authentication protocol that allows an entity to gain access to a user’s data in a secure manner without having to know the user’s credentials.¹⁵ A typical example is a news site like cnn.com. You’re reading an interesting political editorial and want to voice your opinion on the article in its comment section. To do this, though, you have to tell CNN who you are and what your email address is. It gives you the option of logging in via your Google or Facebook account. You are forwarded to Google and log in there. You grant CNN permission to ask Google who you are and what your email address is, and then you are forwarded back to cnn.com so that you can enter in your comment. Through this interaction CNN is granted an access token, which it then uses to obtain information about you via a seperate HTTP request.

Here’s how it works:

The CNN website redirects your browser to Google’s login page. This redirect sets a special cnn.com session cookie that contains a randomly generated value. The redirect URL contains client_id, state, and redirect_uri. The client_id is the Google username CNN has registered with Google.com. The state parameter is the same value that was set in the session cookie. The redirect_uri is a URL you want Google to redirect the browser back to after authentication. A possible redirect URL in this scenario thus would be http://googleapis.com/oauth?client_id=cnn&state=23423423123412352314&redirect_uri=http%3A%2F%2Fcnn.com.
You enter your username and password on Google’s login page. You then are asked if you will grant CNN access to your personal information.
If you say yes, Google generates an access code and remembers the client_id and redirect_uri that was sent in the original browser redirect.
Google redirects back to CNN.com using the redirect_uri sent by CNN’s initial redirect. The redirect URL contains the original state parameter you forwarded along with a code parameter that contains the access code: http://cnn.com/state=23423423123412352314&code=0002222.
With this redirection, CNN will also get the value of the special cookie that it set in step 1. It checks the value of this cookie with the state query parameter to see if they match. It does this check to make sure that it initiated the request and not some rogue site.
The CNN server then extracts the code query parameter from the redirect URL. In a separate authenticated HTTP request to Google, it posts this access code. Google.com authenticates that CNN is sending the request and looks up the access code that was sent. If everything matches up, it sends back an access token in the HTTP response.
CNN can now make HTTP requests to other Google services to obtain information it wants. It does this by passing the token in an Authorization header with a value of Bearer plus the access token. For example:

GET /contacts?user=billburke
Host: contacts.google.com
Authorization: Bearer 2a2345234236122342341bc234123612341234123412adf

In reality, sites like Google, Facebook, and Twitter don’t use this protocol exactly. They all put their own spin on it and all have a little bit different way of implementing this protocol. The same is true of OAuth libraries. While the core of what they do will follow the protocol, there will be many custom attributes to each library. This is because the OAuth specification is more a set of detailed guidelines rather than a specific protocol set in stone. It leaves out details like how a user or OAuth client authenticates or what additional parameters must be sent. So using OAuth may take a bunch of integration work on your part.

There are many different Java frameworks out there that can help you turn your applications into OAuth providers or help you integrate with servers that support OAuth authentication. This is where I make my own personal plug. In 2013, I started a new project at Red Hat called Keycloak. It is a complete end-to-end solution for OAuth and SSO. It can also act as a social broker with social media sites like Google and Facebook to make leveraging social media easier. Please check us out at http://www.keycloak.org.

¹⁵ For more information, see the OAuth 2.0 Authorization Framework.

RESTfu­­l Jav­a­ wit­h ­JAX­-­­RS 2.­0­ (Second Edition)

OAuth 2.0

RESTful Java with JAX-RS 2.0 (Second Edition)