Using iron to Encapsulate Cookies

Eran Hammer has recently created iron, a cryptographic procedure and tool to seal arbitrary data so that it can neither be read nor changed without being noticed. Besides its intended use in combination with Oz, it can also be used in other scenarios. One of them is encapsulated HTTP cookies. While it is in no way a new thing to pass state to Web clients in encrypted form so they...

Beyond OAuth

Eran Hammer’s noisy departure from OAuth 2 woke me up to finally engage in that HTTP security investigation that had been buried in my todo list for years. Thanks a bunch for that, Eran! Starting from close-to-zero security knowledge it took some time to understand the points he is making but finally it all came together: Yep - sadly he’s spot on with his criticism. If in doubt, look at the OAuth 2.0 Threat Model...

Getting Started Playing Around with JAX-RS 2.0 in an EE Container

Trying out the latest JAX-RS API advancements in an EE container is a bit of a pain, because pulling the latest JAX-RS 2.0 libraries into a Java EE environment creates conflicts with the EE-shipped JAX-RS version. Ah yes, and of course you want your IDE to pick up the correct libs for code completion. After some trying and tweaking, the most workable solution for me was to download the latest Glassfish 4 build....

JAX-RS 2.0 Essential Bookmarks

In my JAX-RS 2.0 talk at DEVOXX 2012 I promised to write down the useful links to play around with 2.0. Here they come:

JAX-RS 2.0
* JSR339 Homepage
* SNAPSHOT API docs
* JAX-RS 2.0 Specification JIRA
* Spec and API latest sources

Jersey + Glassfish
* Jersey 2.0 API docs
* Jersey 2.0 Snapshot User Guide
* Jersey JIRA
* Glassfish latest builds

RESTEasy
* RESTEasy JIRA

Blogs
* Marek’s Blog
* Bill’s...

JAX-RS 2.0 MVC

It is not unusual for services that expose a technical REST API to also need a human-targeted UI for configuration, status checks or reporting. What I have seen a couple of times is that developers naturally use some form of REST framework (for example JAX-RS) for the technical API, but then use yet another API technology (for example Spring or JSF) for the human-targeted UI. This not only increases the technology mix (something I...

Declarative Cache Control with JAX-RS 2.0

UPDATE: The Maven/IDE setup below turned out not to work properly in all cases. Try this for better results. The final release of JAX-RS 2.0 is nearing. Time for a closer look at the new features. As JAX-RS 2.0 isn’t yet part of any standard release, some up-front work is inevitable. Fortunately, Marek has some excellent write-ups to get us started using the JAX-RS 2.0 reference implementation, Jersey 2. I am currently working...