saml: https://github.com/onelogin/java-saml/#Settings
https://hnryjms.io/2014/07/oauth2/
http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/
http://resources.infosecinstitute.com/securing-web-apis-part-ii-creating-an-api-authenticated-with-oauth-2-in-node-js/#gref
http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
http://blog.csdn.net/seccloud/article/details/8192707
http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216
http://simpleprogrammer.com/2011/05/25/oauth-and-rest-in-android-part-1/
http://simpleprogrammer.com/2011/05/25/oauth-and-rest-in-android-part-2/
http://www.wired.com/2012/12/when-the-answer-is-oauth-what-was-the-question/
http://www.techiecommunity.net/Webservices/REST-Interview-Questions-Answer
What is the difference between HTTP POST and PUT requests?
http://stackoverflow.com/questions/107390/whats-the-difference-between-a-post-and-a-put-http-request
http://java.dzone.com/articles/rest-web-service-interview
http://javarevisited.blogspot.com/2012/01/rest-web-services-framework-interview.html
http://www.iqspdf.com/2014/04/web-service-interview-questions-and-answers-pdf.html
http://www.javaface.com/19-restful-web-service-interview-questions/
What are the different application integration styles?
The implicit grant flow is primarily targeted at browser-based (e.g. JavaScript) applications. Browser-based applications cannot maintain a client secret because their source code runs in the user's browser. These are known as public clients.
One characteristic of this flow is that there is no refresh token, so any time a client requires a new access token (for example, after expiry or after restarting the browser) user authorization must be re-obtained. Such authorization may be automated at the service provider, so that in effect the user only needs to authenticate to the authorization endpoint, without actually viewing or posting a consent page.
Here are my thoughts:
1) The purpose of the auth code + token in the authorization code flow is that the token and client secret will never be exposed to the resource owner, because they travel server-to-server.
2) On the other side, if the user-agent and the client are coupled (e.g. native mobile application, JavaScript application), the implicit grant flow is for clients that are implemented entirely in JavaScript and run in the resource owner's browser. You do not need any server-side code to use this flow. Then, if everything happens in the resource owner's browser via the hash, as stated here:
only the authorization code is useless, because it has to be used with the client id/secret unless the client is implicitly trusted, e.g. a web browser.
This is why an intermediary one-time-use "authorization code" is provided that only the legitimate receiver will be able to exchange (because you need the client secret), and the code will be useless to potential hackers intercepting the requests over unencrypted transactions (because they don't know the client secret).
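As an added example (not code from any of the linked resources or from the answer above), a minimal in-memory authorization server in Python with constructed client registrations, showing why the intermediary code is useless on its own (one-time use, bound to the client, exchangeable only with the client secret) and how the implicit flow hands the token straight back in the URL fragment with no refresh token:

```python
import secrets
import hmac
from urllib.parse import urlencode

# Constructed registrations for the example: one confidential client (has a
# secret) and one public browser client (no secret can be kept).
CLIENTS = {
    "web-app": {"secret": "s3cret-web", "redirect_uri": "https://app.example/cb"},
    "spa": {"secret": None, "redirect_uri": "https://spa.example/cb"},
}
_codes = {}   # code -> (client_id, redirect_uri); entry is deleted on first use
_tokens = {}  # access_token -> client_id


def issue_code(client_id, redirect_uri):
    """Authorization code flow, step 1: the code travels back through the browser."""
    if CLIENTS[client_id]["redirect_uri"] != redirect_uri:
        raise ValueError("redirect_uri mismatch")
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, redirect_uri)
    return code


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Step 2 (server-to-server): only the holder of the client secret can turn
    the code into a token, and any attempt, successful or not, burns the code."""
    entry = _codes.pop(code, None)          # one-time use: a replay fails here
    if entry is None:
        raise PermissionError("unknown or already used code")
    if entry != (client_id, redirect_uri):
        raise PermissionError("code was issued to a different client/redirect")
    expected = CLIENTS[client_id]["secret"]
    if expected is None or not hmac.compare_digest(expected, client_secret):
        raise PermissionError("client authentication failed")
    token = secrets.token_urlsafe(24)
    _tokens[token] = client_id
    return {"access_token": token, "token_type": "Bearer",
            "refresh_token": secrets.token_urlsafe(24)}


def implicit_authorize(client_id, redirect_uri):
    """Implicit flow: the token goes straight back in the URL fragment, so no
    secret is involved, but there is no refresh token either."""
    if CLIENTS[client_id]["redirect_uri"] != redirect_uri:
        raise ValueError("redirect_uri mismatch")
    token = secrets.token_urlsafe(24)
    _tokens[token] = client_id
    return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "Bearer"})
```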