Global Sci-Tech
  • Year: 2019
  • Volume: 11
  • Issue: 4

Security measures needed for exposing Restful services through OAuth 2

1 Software Engineer, Xavient Digital, Noida, India

2 Quality Analyst, Global Logic, Gurugram, India

Online published on 24 January, 2020.

Abstract

OAuth is an open protocol that allows secure authorization in a simple and standard way from web, mobile, and desktop applications. For an application developer, services that provide HTTP APIs supporting OAuth let you access parts of their service on behalf of your users. The OAuth 2.0 framework replaced the obsolete OAuth 1.0. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner, by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. While the market is widely adopting REST-based architectures because of their lightweight nature, there is a strong need to secure these web services against various forms of web attack. Because REST is stateless, the mechanisms for securing these services differ from those of a standard web application, where security is easily handled by session management; with REST, no session can be maintained, since the caller may or may not be a web browser. Several mechanisms are available to secure a web service, among them HTTP Basic, HTTP Digest, client certificates, two-legged and three-legged OAuth 1.0, and OAuth 2.0. Any of these mechanisms can be combined with transport-layer security using SSL. Each method has its own pros and cons. This paper focuses primarily on implementing security with Spring Security for OAuth 2.
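A minimal stateless resource-server configuration of the kind the abstract refers to, added here as an illustration and not taken from the paper: it turns off HTTP sessions (the REST constraint the abstract describes), validates the bearer JWT on every request against the authorization server's published keys, and maps token scopes to per-endpoint authorities. The issuer URL, JWK Set URI, endpoint paths and scope names are assumed placeholders; the APIs are those of Spring Security 5.x.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Assumed authorization server; replace with the real issuer and its JWK Set endpoint.
    private static final String ISSUER = "https://auth.example.com";
    private static final String JWK_SET_URI = ISSUER + "/oauth2/jwks";

    @Bean
    public SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // REST is stateless: never create or rely on an HTTP session;
            // each request must carry its own bearer token.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF defences protect cookie/session-based auth; a bearer-token API has none.
            .csrf(csrf -> csrf.disable())
            .authorizeRequests(auth -> auth
                // Spring exposes each token scope as a "SCOPE_<name>" authority,
                // so least privilege is enforced per endpoint and HTTP method.
                .antMatchers(HttpMethod.GET, "/api/orders/**").hasAuthority("SCOPE_orders.read")
                .antMatchers(HttpMethod.POST, "/api/orders/**").hasAuthority("SCOPE_orders.write")
                .anyRequest().authenticated())
            // Validate the JWT (signature, exp/nbf, issuer) on every request.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
        return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Keys are fetched from the issuer's JWK Set, so the resource server never
        // shares a secret with the authorization server.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // Reject tokens minted by any other issuer, not just badly signed ones.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

Requests without a valid token receive 401 from the resource-server filter, and requests whose token lacks the required scope receive 403, so no per-user server-side state is ever consulted.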

Keywords

Social Sign-On, OAuth 2.0, third party, Resource server, Token, Security, Restful Services