Just looking for the API docs?Look here: http://kaeppler.github.com/signpost/index.html.
Want to read about recent changes?It's on my blog: http://brainflush.wordpress.com/tag/signpost. Follow me on Twitter: http://twitter.com/twoofour
Looking for the source code?Source code's on GitHub now: http://github.com/kaeppler/signpost.
Looking for example code?Examples are on GitHub now: http://github.com/kaeppler/signpost-examples.
What is Signpost?Signpost is the easy and intuitive solution for signing HTTP messages on the Java platform in conformance with the OAuth Core 1.0a standard. Signpost follows a modular and flexible design, allowing you to combine it with different HTTP messaging layers. Click here for a list of supported HTTP libraries.
Signpost is a community effort and may be downloaded, modified, and redistributed under the terms of the Apache License version 2.
Goals of SignpostSignpost has been designed with several principal goals in mind:
SimplicityUsing Signpost is as simple as it could possibly get -- all actions are executed with only a few lines of code. For example, this is how you would sign a classic Java HTTP message using Signpost:
// create an HTTP request to a protected resource
URL url = new URL("http://api.example.com/protected")
HttpURLConnection request = (HttpURLConnection) url.openConnection();
// sign the request (consumer is a Signpost DefaultOAuthConsumer)
// send the request
request.connect();Signpost exposes a minimalistic API designed for two purposes: Signing HTTP messages and requesting tokens from an OAuth service provider. Everything else is beyond the scope of the OAuth specification, and is thus left to the HTTP messaging layer, where it belongs.
For more exhaustive examples, please refer to GettingStarted.
UnobtrusivenessSignpost tries to be as unobtrusive as possible. Unlike other implementations, Signpost does not wrap the entire HTTP layer and hides its features from the client. Instead, you simply pass an HttpRequest object to it, and Signpost will sign the message using the credentials it was configured with.
This means that all the power and flexibility of the underlying HTTP engine is still at your fingertips!
ModularitySince version 1.1, Signpost comes in modules. Apart from the core module, which you always need, you can download additional modules to support other HTTP messaging libraries than the one coming with the standard Java platform (which would be java.net.HttpURLConnection).
Apart from HttpURLConnection, Signpost currently has modules for Apache Commons HTTP version 4, and Jetty HTTP Client version 6.
LimitationsSignpost strives to be a simple library. In order to reduce API and implementation complexity, Signpost does currently not support the following things:
Message signing using public key encryption (as per section 9.3) is currently unsupported. Message signing using the PLAINTEXT and HMAC-SHA1 methods is supported, however. Writing OAuth protocol params to the WWW-Authenticate header field I believe that even with those restrictions in place, Signpost will work for the majority of its users. Trading in rarely used features for more simplicity and ease of use was a design decision. If that doesn't work for your setup, Signpost is probably not the best choice for you.
Thread SafetySignpost is not thread safe and probably will never be. Signpost objects are very lightweight, so you are adviced to create an OAuthConsumer and OAuthProvider for every thread in your application that must send signed HTTP requests. Both objects are also serializable, so you can persist and restore them later.
Google AndroidSignpost is already used in several applications running on Android, Google's software stack for mobile devices. In fact, Signpost has already signed thousands of HTTP requests at this very moment, as it is an integral part of Qype Radar, our geo-sensitive mobile application for Android that finds the best places near you.
OAuth Service ProvidersIf neither Signpost nor the OAuth service providers out there would be buggy, then Signpost would work with all of them. That's quite an optimistic expectation though, so on a slightly more conservative note, here's a list of service providers that have been tested to work with Signpost:
Twitter (instructions, example code) YAHOO! Fire Eagle (example code) Google services (example code) Qype Netflix Support and discussionsPlease use the Signpost Google Group for questions, feedback and discussion.