Securing RESTful web services is a challenge in many regards. One approach? OAuth2, a protocol enabling a Client application, often a web application, to act on behalf of a User, but with the User’s permission. In this CloudFoundry article, written by Dave Syer, you'll get a good idea about how a user's identity can be conveyed and verified by the server, how information can be decoded and interpreted, how access control lists are used, and how all of this information gets managed.

OAuth2 is a protocol enabling a Client application, often a web application, to act on behalf of a User, but with the User’s permission. The actions a Client is allowed to perform are carried out by a Resource Server (another web application or web service), and the User approves the actions by telling an Authorization Server that he trusts the Client to do what it is asking. Clients can also act as themselves (not on behalf of a User) if they are permitted to do so by the Authorization Server.

The most common way for a Client to present itself to a Resource Server is using a bearer token, as covered in the core OAuth2 specification. The token is obtained from the Authorization Server, with the User’s approval if necessary, and stored by the Client. Then, when it needs to access a Resource Server, the Client sends a special HTTP header in the form:
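As an added illustration (not code from the article or from CloudFoundry), here is the Resource Server side of that exchange in Python: it parses the `Authorization: Bearer <token>` header defined by RFC 6750, looks the token up in a constructed in-memory stand-in for what the Authorization Server issued, and answers with the standard `WWW-Authenticate` responses when the header is missing, the token is unknown or expired, or the granted scopes do not cover the requested action. The token store, realm name and scope names are assumptions for the example.

```python
import re
import time

# Constructed sample tokens, standing in for what the Authorization Server issued.
# A real Resource Server would ask the Authorization Server (token introspection)
# or verify a signed token instead of consulting a local dict.
TOKEN_STORE = {
    "user-token-1":   {"user": "alice", "client": "webapp",   "scopes": {"read", "write"}, "exp": 2_000_000_000},
    "client-token-1": {"user": None,    "client": "batchjob", "scopes": {"read"},          "exp": 2_000_000_000},
    "stale-token":    {"user": "bob",   "client": "webapp",   "scopes": {"read"},          "exp": 1_000_000_000},
}

# RFC 6750: the scheme name is case-insensitive; the token uses b64token characters.
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer(headers):
    """Return the token carried in 'Authorization: Bearer <token>', or None."""
    value = headers.get("Authorization")
    if value is None:
        return None
    match = BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def authorize(headers, required_scope, now=None):
    """Decide whether a request may reach a protected resource.

    Returns (200, claims) on success; otherwise the HTTP status and the
    WWW-Authenticate header value the Resource Server should send back.
    """
    now = time.time() if now is None else now
    token = extract_bearer(headers)
    if token is None:
        # No bearer credentials at all: tell the Client which scheme is expected.
        return 401, 'Bearer realm="api"'
    claims = TOKEN_STORE.get(token)
    if claims is None or claims["exp"] <= now:
        return 401, 'Bearer realm="api", error="invalid_token"'
    if required_scope not in claims["scopes"]:
        # Genuine token, but the User (or Authorization Server) never granted this action.
        return 403, f'Bearer realm="api", error="insufficient_scope", scope="{required_scope}"'
    return 200, claims


if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer user-token-1"}, "write", now=1_500_000_000))
    print(authorize({"Authorization": "Bearer client-token-1"}, "write", now=1_500_000_000))
```

Note that a client-credentials token (no User) is handled by the same path; only its scopes differ, which is what limits what the Client may do on its own behalf.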

Read the full article: Securing RESTful Web Services with OAuth2