[ MUSIC ]
POWERS: Welcome to This Week on developerWorks.
I'm your host, Calvin.
If you've ever given a website or an application permission to post things to your Twitter stream
on your behalf, you've used a hunk of Internet plumbing called OAuth.
This week on developerWorks we talk about how WebSphere Application Server can help Web sites
and applications provide those sorts of services.
But first let's look at some of the other new content this week on developerWorks.
Don't forget you can get links to everything you see mentioned here
at ibm.com/developerworks/thisweek.
IBM has recently released a study called, Cyber Security for the Next Generation,
which documents the growing skills gap in cyber security and recaps the guidance it developed
after interviewing academic institutions all over the globe.
David Jarvis is one of the co-authors of the study, and he was recently interviewed
by developerWorks to discuss some of the key guidance and case studies cited in the report.
There are many tools and techniques for protecting sensitive information in a database.
One tool in the toolbox is to allow database connections only from trusted hosts.
Mihai Iacob and Walid Rjaibi have published an article on developerWorks called,
Restricting Database Connections Using the CONNECT_PROC Database Configuration Parameter.
This article shows you how to implement this security control
on DB2 for Linux, UNIX and Windows.
The article shows you a step-by-step guide for how to use the CONNECT_PROC statement.
Rick Gunderson has just launched a new article series on developerWorks.
It's called, Constructing REST Services with WebSphere Application Server.
This article series will walk you through the WebSphere Application Server's implementation
of JAX-RS, which is the standard for RESTful Web services for Java interfaces.
This article series describes the design and implementation of a sample application scenario
to help you understand how you can apply JAX-RS to a WebSphere Application Server app.
Jeff Hoy joins us this week on developerWorks.
He's a senior security architect in IBM Security Systems.
Jeff, welcome to This Week on developerWorks.
For folks who might not be aware, what exactly is OAuth?
HOY: Thank you, Calvin.
OAuth is an open standard for delegated authorization.
And that's actually a mouthful, and it's also a protocol
that is widely misunderstood in a lot of scenarios.
So usually when describing OAuth, the easiest scenario
to imagine is kind of the valet key situation.
When you go maybe to park for a hotel and give the valet who's picking up your car a valet key,
in that case you're giving him a key to your vehicle,
but it's kind of limited access to your vehicle.
The valet key might have restrictions on the car, for example, it can't open the trunk
or maybe you can only drive 50 miles with the valet key.
So that's kind of the background for where OAuth is.
In the world of Web services, you might have a couple different companies where you want
to share data between the two services.
Traditionally, and in an insecure world, those services might have asked users
for their user ID and password to the other service, in which case they could access the data
on your behalf, but really that's a security problem, largely due to the fact
that you're giving full security access and administration privileges to a Web service
that you may or may not fully trust.
So the example I like a little bit better in OAuth is kind
of the canonical print example and photo sharing on the Web.
So if you've got a photo sharing service, you might upload your photos there and share them
with your friends, but when you want to go print the photos at that point,
there's another printing service that you can use as a Web service to print them.
And the challenge to get the data between your printing service
and the photo sharing service is easily solved with OAuth and solved in a way
where you don't need to share your password with either of the services.
And in fact you can give limited access, maybe read-only access, or read-only access to only
a subset of your photos, to the print service so they can go out and print them.
POWERS: Thanks, Jeff.
That's a great way of explaining OAuth so that everybody can understand it.
And I understand that WebSphere Application Server has been rolling out support
for OAuth in its most recent release.
Can you kind of give us an overview
about how WebSphere Application Server plays in this world?
HOY: Absolutely.
In WebSphere, we added OAuth 2.0 Service Provider support.
And this is a capability that really in the past has been developed by Web services.
And it can be a substantial effort to roll your own OAuth 2.0 implementation
on the service provider side.
Traditionally in OAuth 2.0 the clients are very easy to implement.
Your company, for example, might have a client that you use on your own
or you might have picked up some open source libraries or user clients.
But being able to do the service provider capability, it's really a major enhancement
in WebSphere and it's similar to enhancements that have been added in the past for things
like [SOMA and FPA] capability to be able to get you up and running very quickly
as an OAuth 2.0 Service Provider to protect your applications.
And this will be important, for example, if you're planning
to do an external facing application where you might put WebSphere as a Web service
that you want to integrate with other capabilities.
Or, even internally -- if you can have your integration points where you want to go
with business providers or if you have other services internally, OAuth is an easy way to get
up and running and integrated across domains
that aren't necessarily federated using single sign-on.
POWERS: Yes, it sounds like a service that's going to save application writers a lot of time
and effort developing applications to support OAuth.
Now, I understand you have just published a new article on developerWorks called,
Enabling the OAuth Service Provider on WebSphere Application Server.
Tell us a little bit about what people are going to learn in that article.
HOY: As you might expect, it can get a little complicated to set
up an OAuth 2.0 Service Provider in WebSphere,
largely because there's a large number of configuration parameters.
The capability that was added to WebSphere is a full OAuth 2.0 core specification
as well as bearer token support.
So if you want to do things on your service provider like public clients, private clients,
if you want to add refresh tokens, each of the grant types and flows, there's full capability
to do that in WebSphere, but really you'll have to know what you want for your environment
and then be able to go into the configuration and set it up.
So what we did in the developerWorks article is go through a quick cookbook on how to get OAuth
up and running in WebSphere as a basic service provider, basically assuming
that you have a simple Web application that you want to protect and that you want
to take the default settings more or less.
So we have five different sections in the article ranging from what you need
for prerequisites, for example, installing WebSphere Application Server,
what you need to understand about OAuth, all the way down through how
to configure an OAuth service provider, how to enable it in WebSphere.
And it's worth mentioning that it's not enabled by default; you need to actually go
into WebSphere and enable it as a security measure if you want to set up OAuth.
And then the last two sections of OAuth are how to protect your application with OAuth,
setting up a client; and finally, the validation step, which is mostly important.
So, once you enable the OAuth service provider on WebSphere,
you don't necessarily get any feedback from the service
that says, okay, OAuth is up and running.
I mean, it will tell you that, but you won't actually know
until you try it out with a client.
So we've got steps in there as well, using the curl command-line client
or using your own...bring your own client,
you can test out the new service provider capabilities.
POWERS: Thanks, Jeff.
That sounds like a great set of reference material for folks.
Once again, the article is called, Enabling the OAuth Service Provider
on WebSphere Application Server.
That's all the time we have for this episode.
Don't forget to visit us at ibm.com/developerworks/thisweek,
and you can get links to Jeff's article
and all the other articles you hear mentioned in this episode.
We'll see you next week on This Week on developerWorks.
[ MUSIC ]
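The delegated-authorization flow Jeff describes (the photo-sharing service and the print service, read-only access to a subset of photos, refresh tokens, and proving the provider works by exercising it with a client), as an added worked example that is not part of the original episode and is not IBM's or WebSphere's code: a toy OAuth 2.0 authorization-code flow in Python, kept entirely in memory with no HTTP, so it runs offline. The client name `print-svc`, its callback URL, the scope names `photos:read` and `photos:write`, the per-album restriction carried in `Grant.album`, and the sample photo library are all assumptions made for illustration; the clock is passed in explicitly so the expiry checks are reproducible.

```python
import hmac
import secrets
from collections import namedtuple

CODE_TTL = 60      # authorization codes are short-lived and single-use
ACCESS_TTL = 3600  # bearer access tokens expire; a refresh token obtains a new one

# What the user consented to (never a password); `album` is this example's assumed photo subset.
Grant = namedtuple("Grant", "user client_id scope album redirect_uri")

class AuthorizationServer:  # toy OAuth 2.0 authorization server: code grant, confidential client
    def __init__(self):
        self.clients = {}  # client_id -> (secret, registered redirect_uri)
        self.codes = {}    # code -> (Grant, expiry)
        self.tokens = {}   # access token -> (Grant, expiry); real servers store hashes
        self.refresh = {}  # refresh token -> Grant

    def register_client(self, client_id, redirect_uri):
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (secret, redirect_uri)
        return secret

    def authorize(self, user, client_id, redirect_uri, scope, album, now):
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise PermissionError("invalid_request")
        code = secrets.token_urlsafe(24)  # handed to the client via the registered redirect_uri
        self.codes[code] = (Grant(user, client_id, frozenset(scope), album, redirect_uri), now + CODE_TTL)
        return code

    def _check_client(self, client_id, client_secret):
        secret = self.clients.get(client_id, ("", ""))[0]
        if not secret or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")

    def token(self, client_id, client_secret, code, redirect_uri, now):
        self._check_client(client_id, client_secret)
        grant, expiry = self.codes.pop(code, (None, 0))  # single use: consumed even on failure
        if grant is None or now > expiry or (grant.client_id, grant.redirect_uri) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        return self._issue(grant, now)

    def refresh_token(self, client_id, client_secret, refresh, now):
        self._check_client(client_id, client_secret)
        grant = self.refresh.pop(refresh, None)  # rotation: a used refresh token is retired
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(grant, now)

    def _issue(self, grant, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access], self.refresh[refresh] = (grant, now + ACCESS_TTL), grant
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL, "refresh_token": refresh}

    def introspect(self, access, now):  # what a resource server asks: is the token live, for which grant?
        grant, expiry = self.tokens.get(access, (None, 0))
        return grant if grant is not None and now <= expiry else None

class PhotoService:  # resource server: scope and album are enforced on every request
    def __init__(self, authz, photos):
        self.authz, self.photos = authz, photos  # photos: user -> album -> [names]

    def _grant(self, bearer, needed, album, now):
        grant = self.authz.introspect(bearer, now)
        if grant is None:
            raise PermissionError("invalid_token")
        if needed not in grant.scope or album != grant.album:
            raise PermissionError("insufficient_scope")
        return grant

    def list_photos(self, bearer, album, now):
        return list(self.photos[self._grant(bearer, "photos:read", album, now).user][album])

    def delete_photo(self, bearer, album, name, now):
        self.photos[self._grant(bearer, "photos:write", album, now).user][album].remove(name)

def outcome(attempt):  # "allowed" or the OAuth error name a denied call raised
    try:
        attempt()
        return "allowed"
    except PermissionError as err:
        return str(err)

def demo(t0=1_000_000.0):  # walks the print service through the flow; returns each outcome
    photos = {"alice": {"vacation": ["beach.jpg", "hike.jpg"], "private": ["id.jpg"]}}  # constructed
    authz, uri = AuthorizationServer(), "https://print.example/cb"  # assumed client callback
    secret = authz.register_client("print-svc", uri)
    service = PhotoService(authz, photos)
    code = authz.authorize("alice", "print-svc", uri, {"photos:read"}, "vacation", t0)
    tok = authz.token("print-svc", secret, code, uri, t0)
    later = t0 + ACCESS_TTL + 1
    new = authz.refresh_token("print-svc", secret, tok["refresh_token"], later)
    return {
        "vacation": service.list_photos(tok["access_token"], "vacation", t0),
        "other_album": outcome(lambda: service.list_photos(tok["access_token"], "private", t0)),
        "write": outcome(lambda: service.delete_photo(tok["access_token"], "vacation", "beach.jpg", t0)),
        "code_reuse": outcome(lambda: authz.token("print-svc", secret, code, uri, t0)),
        "expired": outcome(lambda: service.list_photos(tok["access_token"], "vacation", later)),
        "after_refresh": service.list_photos(new["access_token"], "vacation", later),
    }
```

Calling `demo()` returns one entry per step: the print service can list the `vacation` album it was granted, and is refused (with the standard OAuth error names) when it tries another album, tries to delete, replays the authorization code, or presents the access token after expiry; the refresh token then yields a fresh access token that works again. The two things worth noticing against Jeff's description are that alice's password never reaches `print-svc` (the user consents on the provider side and only a short-lived code travels back), and that the resource server re-checks scope and album on every request rather than trusting the client once it has logged in. A real provider such as the one in WebSphere would additionally store token hashes rather than plaintext, bind tokens to TLS, and distinguish public clients, which cannot keep a client secret, from the confidential client modelled here.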