cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [CONF] Apache CXF Documentation > CXF OAuth 1.0
Date Tue, 07 Dec 2010 00:19:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/1810/9/1/_/styles/combined.css?spaceKey=CXF20DOC&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">CXF
OAuth 1.0</a></h2>
    <h4>Page <b>edited</b> by             <a href="">Łukasz
                         <h4>Changes (1)</h4>
<div id="page-diffs">
            <table class="diff" cellpadding="0" cellspacing="0">
            <tr><td class="diff-snipped" >...<br></td></tr>
            <tr><td class="diff-unchanged" > <br>In above example _getInfo_
resource can be invoked only by the client which attached access token that was authorized
by the resource owner with <br></td></tr>
            <tr><td class="diff-changed-lines" >scope: /\*,&amp;nbsp;person/\*,
person/get/\* or <span class="diff-deleted-words"style="color:#999;background-color:#fdd;text-decoration:line-through;">/person/get/{particular_name}</span>
<span class="diff-added-words"style="background-color: #dfd;">/person/get/$particular_name</span>
and with permission associated with role: ROLE_USER. <br></td></tr>
            <tr><td class="diff-unchanged" > <br>h3. SpringSecurityExceptionMapper
            <tr><td class="diff-snipped" >...<br></td></tr>
</div>                            <h4>Full Content</h4>
                    <div class="notificationGreySide">
        <h1><a name="CXFOAuth1.0-CXFOAuth1.0extension"></a>CXF OAuth 1.0

<p>CXF OAuth 1.0 extension has been build during Google Summer of Code 2010 programme.
It&nbsp;implements specification: <a href="" class="external-link"
rel="nofollow">The OAuth 1.0 protocol (RFC 5849)</a>&nbsp;&nbsp;and&nbsp;allows
CXF users to build OAuth server</p>

<p>and perform&nbsp;OAuth 1.0 authorization on their JAXRS services in a easy manner,
by hiding complex OAuth flow.&nbsp;</p>

<h3><a name="CXFOAuth1.0-"></a><font color="#003366"><b>Downloading
CXF OAuth 1.0 module</b></font></h3>

<div class="error"><span class="error">Unknown macro: {TBD}</span> </div>

<h3><a name="CXFOAuth1.0-OAuthServerbasicconfiguration"></a>OAuth Server
basic configuration</h3>

<p>CXF, provides implementation for three endpoints from OAuth 1.0 specification:</p>
	<li><b>Temporary Credentials Endpoint</b></li>
	<li><b>Authorization Endpoint</b></li>
	<li><b>Token Credentials Endpoint</b></li>

<p>which are usual JAX-RS resources. They allow client application to receive access
token from the server required to access resources at that server.</p>

<p>Configuration is exatcly this same as for every JAX-RS service:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;!-- Publish OAuth endpoints--&gt;
    &lt;jaxrs:server id=<span class="code-quote">"oauthServer"</span> address=<span
            &lt;ref bean=<span class="code-quote">"oauthServices"</span>/&gt;
            &lt;ref bean=<span class="code-quote">"dispatchProvider"</span>/&gt;

    &lt;!--Definitions of OAuth module endpoints--&gt;
    &lt;bean id=<span class="code-quote">"oauthServices"</span>
          class=<span class="code-quote">"org.apache.cxf.auth.oauth.endpoints.OAuthDefaultServices"</span>&gt;
        &lt;property name=<span class="code-quote">"displayVerifierURL"</span>
value=<span class="code-quote">"http:<span class="code-comment">//"</span>/&gt;
</span>    &lt;/bean&gt;

    &lt;!--Redirects from Resource Owner Authorization Endpoint to sign in page--&gt;
    &lt;bean id=<span class="code-quote">"dispatchProvider"</span>&gt;
        &lt;property name=<span class="code-quote">"resourcePath"</span>
value=<span class="code-quote">"/oAuthLogin.jsp"</span>/&gt;
<p>OAuth Server requires to save and read an OAuth data (OAuth tokens, oauth_verifier,
client identifier ...)&nbsp;from the&nbsp;persistence&nbsp;storage specific for
the&nbsp;particural web application.&nbsp;</p>

<p>To make that transparent to the developers, CXF uses:</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<p>interface as an integration point between llibrary and the application. There is
provided sample&nbsp;implementation of that interface that manages data stored in the

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">

<p>that is located in core OAuth module and&nbsp;</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<p>in OAuth demo server module.</p>

<h2><a name="CXFOAuth1.0-OAuthEndpointsexplained"></a><b>OAuth Endpoints

<h5><a name="CXFOAuth1.0-TemporaryCredentials"></a><a href=""
class="external-link" rel="nofollow">Temporary Credentials</a></h5>

<p>Client sends oauth required parameters in order to receive temporary request token.
CXF handles request, validates it,&nbsp;reads required information about the client and</p>

<p>save state(request token returned to the client in the response) required in the
next OAuth request. CXF returns OAuth 1.0a specification compliant response.</p>

<h5><a name="CXFOAuth1.0-ResourceOwnerAuthorization"></a><a href=""
class="external-link" rel="nofollow">Resource Owner Authorization</a></h5>

<p>To assure more flexible authorization and access control to the server resources
there were added two custom parameters:</p>
	<li><b>x_oauth_scope</b> &#45; specifies comma separated server uri's
to which client wants to have access</li>
	<li><b>x_oauth_permission</b> &#45; specifies comma separated list
of permissions to x_oauth_scope uri's which client wants to have (every permission is associated
with role, ROLE_USER, ROLE_ADMIN, etc..)</li>

After granting permissions by the user to server resources, CXF saves this data that will
be required in later access control evaluation, generates oauth_verifier&nbsp;and returns
it to the client. <span class="image-wrap" style=""><img src="/confluence/download/attachments/24188735/confirmation.png?version=1&amp;modificationDate=1291674219959"
style="border: 1px solid black" /></span></p>

<p><b>Examplar screen where server user allows/denies access for a third party

<p>Location of above confirmation screen can be configured by registering dispatch provider
as shown in&nbsp;OAuth Server basic configuration. CXF returns OAuth compliant errors
in case of wrong client requests.&nbsp;</p>

<h5><a name="CXFOAuth1.0-TokenCredentials"></a><a href=""
class="external-link" rel="nofollow">Token Credentials</a></h5>

<p>Client sends request to the Authorization Server in order to exchange received in&nbsp;previous&nbsp;step&nbsp;<b>oauth_verifier</b>
for an access token. Similarly in this step CXF handles request and return suitable response.<br/>
If the request is correct client receives an OAuth access token.<br/>
Access token give the rights to the user on the particular client to access previously authorized
scopes with associated permissions.<br/>
Client need to attach access token with every request to oauth protected resource. In this
implementation access token, represented by a string consist information of:</p>

	<li>client application&nbsp;</li>
	<li>resource owner which provides credentials to authorize client to the server</li>
	<li>list of scopes accepted&nbsp;by the resource owner</li>
	<li>list of permissions (list of roles)</li>

<h2><a name="CXFOAuth1.0-"></a><font color="#003366">Intercepting
OAuth authenticated requests</font></h2>


<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<p>intercepts OAuth authenticated request perform basic OAuth validation and check if
requested scope is not greater than authorized by the resource owner.</p>

<p>Initial http request is wrapped with overrided:&nbsp;getUserPrincipal&nbsp;and&nbsp;isUserInRole
methods and passed further. OAuth security filter does not assure access control based on
permissions associated with the scope. It needs to be done by developer or&nbsp;</p>

<p>by using: SpringOAuthAuthenticationFilter</p>

<h2><a name="CXFOAuth1.0-"></a><font color="#003366">Spring Security

<h3><a name="CXFOAuth1.0-SpringOAuthAuthenticationFilter"></a>SpringOAuthAuthenticationFilter</h3>

<p>Spring Security extension provides integration of OAuth flow with security annotations
like: @RolesAllowed or @Secured</p>

<p>The only thing that needs to be done is adding</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<p>configuration in web.xml file <b>following</b> OAuthSecurityFilter. SpringOAuthAuthenticationFilter
initializes SpringSecurityContext and allows to benefit from Spring Security framework.<br/>
Sample JAX-RS service could looks like:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
@Path(<span class="code-quote">"/"</span>)
<span class="code-keyword">public</span> class SampleResourceProvider {

    @Produces(<span class="code-quote">"text/html"</span>)
    @Path(<span class="code-quote">"/person/get/{name}"</span>)
    @Secured ({<span class="code-quote">"ROLE_USER"</span>})
    <span class="code-keyword">public</span> Response getInfo(@PathParam(<span
class="code-quote">"name"</span>) <span class="code-object">String</span>
name, @Context HttpServletRequest request) {
        <span class="code-keyword">return</span> Response.ok(<span class="code-quote">"Successfully
accessed OAuth <span class="code-keyword">protected</span> person: "</span>
+ name).build();

<p>In above example <em>getInfo</em> resource can be invoked only by the
client which attached access token that was authorized by the resource owner with<br/>
scope: /&#42;,&nbsp;person/&#42;, person/get/&#42; or /person/get/$particular_name
and with permission associated with role: ROLE_USER.</p>

<h3><a name="CXFOAuth1.0-SpringSecurityExceptionMapper"></a>SpringSecurityExceptionMapper</h3>
<p>This exception mapper converts Spring Security exceptions (i.e. AccessDeniedException)
into http response that is compliant with OAuth 1.0 specification.</p>

<h2><a name="CXFOAuth1.0-"></a><font color="#003366">OAuth Demo Server</font></h2>
<p>Sample implementation of an OAuth server, build with using CXF OAuth extension. Provides
simple functionality for preregistering OAuth clients, viewing authorized clients and revoking
access to the server.</p>

<h2><a name="CXFOAuth1.0-"></a><font color="#003366">OAuth Demo Client</font></h2>
<p>OAuth 1.0 client web application that is able to make OAuth authenticated requests</p>
        <div id="commentsSection" class="wiki-content pageSection">
        <div style="float: right;">
            <a href=""
class="grey">Change Notification Preferences</a>
        <a href="">View
        <a href="">View
        <a href=";showCommentArea=true#addcomment">Add

View raw message