JBoss.orgCommunity Documentation

Chapter 39. Authentication

39.1. OAuth core 1.0a
39.1.1. Authenticating with OAuth 1.0a
39.1.2. Accessing protected resources
39.1.3. Implementing an OAuthProvider

Since Resteasy runs within a servlet container you can use most (all?) mechanism available in your servlet container for authentication. Basic and Digest authentication are probably the easiest to set up and fit nicely into REST's stateless principle. Form security can be used, but requires passing the session's cookie value with each request. We have done some preliminary work on OAuth and also plan to work on OpenID and SAML integration in the future.

RESTEasy has preliminary support for OAuth core 1.0a. This includes support for authenticating with OAuth (as described by the spec section 6) and OAuth authentication for protected resources (as described by the spec section 7).


This API is deprecated and will be removed in subsequent versions of Resteasy unless there is an outcry from the community. We're focusing on OAuth 2.0 protocols. Please see our OAuth 2.0 Work.

OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials with the Consumer.

OAuth Authentication is done in three steps:

  1. The Consumer obtains an unauthorized Request Token. This part is handled by RESTEasy.

  2. The User authorizes the Request Token. This part is not handled by RESTEasy because it requires a user interface where the User logs in and authorizes or denies the Request Token. This cannot be implemented automatically as it needs to be integrated with your User login process and user interface.

  3. The Consumer exchanges the Request Token for an Access Token. This part is handled by RESTEasy.

In order for RESTEasy to provide the two URL endpoints where the Client will request unauthorized Request Tokens and exchange authorized Request Tokens for Access Tokens, you need to enable the OAuthServlet in your web.xml:

<!-- The OAuth Servlet handles token exchange -->

<!-- This will be the base for the token exchange endpoint URL -->

The following configuration options are available using <context-param> elements:

Table 39.1. OAuth 1.0a Servlet options
Option Name Default Description
oauth.provider.provider-class *Required* Defines the fully-qualified class name of your OAuthProvider implementation
oauth.provider.tokens.request /requestToken This defines the endpoint URL for requesting unauthorized Request Tokens
oauth.provider.tokens.access /accessToken This defines the endpoint URL for exchanging authorized Request Tokens for Access Tokens