cxf-commits mailing list archives
From build...@apache.org
Subject svn commit: r812545 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Thu, 12 Apr 2012 14:48:12 GMT
Author: buildbot
Date: Thu Apr 12 14:48:11 2012
New Revision: 812545

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Apr 12 14:48:11 2012
@@ -131,7 +131,8 @@ Apache CXF -- JAX-RS OAuth2
 
 <p>CXF 2.6.0 provides an initial implementation of <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">OAuth 2.0</a>.
See also the <span class="error">[JAXRS OAuth]</span> page for the information
about OAuth 1.0.</p>
 
-<p>Authorization Code, Implicit and Client Credentials grants are currently supported
with the new grant handlers to be added later.</p>
+<p>Authorization Code, Implicit and Client Credentials grants are currently supported
with the new grant handlers to be added later.<br clear="none">
+Custom grant handlers can be registered.</p>
 
 <p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping
the end users (resource owners) authorize third-party providers to access their resources.</p>
 
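Review bot: The added sentence "Custom grant handlers can be registered." is left unexplained: it names no handler interface, base class or registration mechanism, and it directly follows "with the new grant handlers to be added later", so a reader cannot tell whether custom handlers are a supported extension point in 2.6.0 or something still planned. Suggest naming the handler type and where it is registered (a link to the relevant section would do), or at least rewording the two sentences so they agree, e.g. "Further grant handlers will be added later; custom grant handlers can also be registered." While this paragraph is being touched, the unchanged context above still renders an unresolved wiki link as <span class="error">[JAXRS OAuth]</span>, which should be repaired in the same update.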
@@ -218,34 +219,37 @@ Referer=[http://localhost:8080/services/
 
 <p>Note that the end user needs to authenticate. The Request URI includes the client_id,
custom scope value, response_type set to 'code', the current request state and the redirect
uri. Note the scope is optional - the Authorization Service will usually allocate a default
scope; however even if the client does include an additional custom scope the end user may
still not approve it. The redirect uri is also optional, assuming one or more ones redirect
URIs have been provided at the client registration time.</p>
 
-<p>First, AuthorizationRequestService will retrieve <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestToken.java">RequestToken</a>
(which extends the base <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java">Token</a>
class) from OAuthDataProvider using the value provided by the "oauth_token" query parameter.
</p>
+<p>AuthorizationCodeGrantService will report a warning is no secure HTTPS transport
is used:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+12-Apr-2012 13:26:21 org.apache.cxf.rs.security.oauth2.services.AbstractOAuthService checkTransportSecurity
+WARNING: Unsecure HTTP, Transport Layer Security is recommended
+</pre>
+</div></div>
 
-<p>Next it uses this token (which also links to Client) to populate an instance of
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
bean and returns it. OAuthAuthorizationData contains application name and URI properties,
optional list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java">Permission</a>s
and URIs. </p>
+<p>It can also be configured to reject the requests over un-secure HTTP transport.</p>
 
-<p>Two other important OAuthAuthorizationData properties are "oauthToken" and "authenticityToken",
both are important for processing the decision request coming from the authorization form.
The former is a request token key which will be used by AuthorizationRequestService to retrieve
the RequestToken again and the latter for validating that the current session has not been
hijacked - AuthorizationRequestService generates a random key, stores it in a Servlet HTTPSession
instance and expects the returned authenticityToken value to match it - this is a recommended
approach and it also implies that the authenticityToken value is hidden from a user, for example,
it's kept in a 'hidden' form field.</p>
+<p>AuthorizationCodeGrantService will retrieve the information about the <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">client
application</a> to populate an instance of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
bean and return it. OAuthAuthorizationData contains application name and URI properties, optional
list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s
and other properties which can be either presented to the user or kept in the hidden form
fields in order to uniquely identify the
  actual authorization request when the end user returns the decision. </p>
 
-<p>The helper "replyTo" property is an absolute URI identifying the AuthorizationRequestService
handler processing the user decision and can be used by view handlers when building the forms
or by other OAuthAuthorizationData handlers.</p>
+<p>One important OAuthAuthorizationData property is "authenticityToken". It is used
for validating that the current session has not been hijacked - AuthorizationCodeGrantService
generates a random key, stores it in a Servlet HTTPSession instance and expects the returned
authenticityToken value to match it - this is a recommended approach and it also implies that
the authenticityToken value is hidden from a user, for example, it's kept in a 'hidden' form
field. The other properties which are meant to be hidden are clientId, state, redirectUri,
proposedScope.</p>
 
-<p>So the populated OAuthAuthorizationData is finally returned. Note that it's a JAXB
XMLRootElement-annotated bean and can be processed by registered JAXB or JSON providers given
that AuthorizationRequestService supports producing "application/xml" and "application/json"
(See the OAuth Without Browser section below for more). But in this case we have the end user
working with a browser so an HTML form is what is really expected back.</p>
+<p>The helper "replyTo" property is an absolute URI identifying the AuthorizationCodeGrantService
handler processing the user decision and can be used by view handlers when building the forms
or by other OAuthAuthorizationData handlers.</p>
 
-<p>AuthorizationRequestService supports producing "text/html" and simply relies on
a registered <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">RequestDispatcherProvider</a>
to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and redirect the
response to a view handler (can be JSP or some other servlet) to actually build the form and
return it to the user. Alternatively, registering <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport">XSLTJaxbProvider</a>
would also be a good option for creating HTML views.  </p>
+<p>So the populated OAuthAuthorizationData is finally returned. Note that it's a JAXB
XMLRootElement-annotated bean and can be processed by registered JAXB or JSON providers given
that AuthorizationCodeGrantService supports producing "application/xml" and "application/json"
(See the OAuth Without Browser section below for more). But in this case we have the end user
working with a browser so an HTML form is what is really expected back.</p>
 
-<p>Assuming RequestDispatcherProvider is used, the following example log shows the
initial response from AuthorizationRequestService:</p>
+<p>AuthorizationCodeGrantService supports producing "text/html" and simply relies on
a registered <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider">RequestDispatcherProvider</a>
to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and redirect the
response to a view handler (can be JSP or some other servlet) to actually build the form and
return it to the user. Alternatively, registering <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport">XSLTJaxbProvider</a>
would also be a good option for creating HTML views.  </p>
+
+<p>Assuming RequestDispatcherProvider is used, the following example log shows the
initial response from AuthorizationCodeGrantService:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
-08-Nov-2011 13:32:40 org.apache.cxf.jaxrs.provider.RequestDispatcherProvider logRedirection
-INFO: Setting an instance of <span class="code-quote">"org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData"</span>
as HttpServletRequest attribute <span class="code-quote">"data"</span> and redirecting
the response to <span class="code-quote">"/forms/oauthAuthorize.jsp"</span>.
-
-08-Nov-2011 13:32:40 org.apache.cxf.interceptor.LoggingOutInterceptor
----------------------------
-Response-Code: 200
-Content-Type: text/html
+12-Apr-2012 13:26:21 org.apache.cxf.jaxrs.provider.RequestDispatcherProvider logRedirection
+INFO: Setting an instance of <span class="code-quote">"org.apache.cxf.rs.security.oauth2.common.OAuthAuthorizationData"</span>
as HttpServletRequest attribute <span class="code-quote">"data"</span> and redirecting
the response to <span class="code-quote">"/forms/oauthAuthorize.jsp"</span>.
 </pre>
 </div></div>
 
-<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view -
this is a custom JSP handler and whatever HTML view is required can be created there, using
the OAuthAuthorizationData bean for building the view. Most likely you will want to present
a form asking the user to allow or deny the consumer accessing some of this user's resources.
If OAuthAuthorizationData has a list of Permissions set then addig the information about the
permissions is needed, same for a list of URIs.</p>
+<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view -
this is a custom JSP handler and whatever HTML view is required can be created there, using
the OAuthAuthorizationData bean for building the view. Most likely you will want to present
a form asking the user to allow or deny the consumer accessing some of this user's resources.
If OAuthAuthorizationData has a list of Permissions set then adding the information about
the permissions is needed.</p>
 
-<p>Next the user makes a decision and selects a button allowing or denying the consumer
accessing the resources. AuthorizationRequestService does not need to know how a user has
been asked to make the decision, but it expects to receive a form-based submission containing
the following 3 parameters, named "session_authenticity_token" and "oauth_token" with values
matching those of OAuthAuthorizationData's "authenticityToken" and "oauthToken" properties,
and "oAuthDecision" with either "allow" or "deny" values: </p>
+<p>Next the user makes a decision and selects a button allowing or denying the consumer
accessing the resources. AuthorizationCodeGrantService does not need to know how a user has
been asked to make the decision: </p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
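Review bot: The new transport-security paragraph has a typo that inverts its meaning: "will report a warning is no secure HTTPS transport is used" should read "if no secure HTTPS transport is used". The sentence after the log sample, "It can also be configured to reject the requests over un-secure HTTP transport.", gives the reader no way to do so; name the property or setting that switches AuthorizationCodeGrantService from warning to rejecting, and say plainly that the logged WARNING is advisory only and that a production deployment should enable rejection, since otherwise the authorization code and the form values this page lists (authenticityToken, clientId, state, redirectUri, proposedScope) travel in clear text. In the authenticityToken paragraph, "hidden from a user" and "kept in a 'hidden' form field" are misleading: a hidden form field is not displayed but is fully readable and editable by whoever drives the browser, so the protection comes from the server comparing the returned value against the one stored in the HttpSession, not from the field being invisible; the same holds for the other properties "meant to be hidden", and the text should say whether the returned clientId and redirectUri are re-validated against the registered client rather than trusted as submitted. Finally, the rewritten decision paragraph now stops at "how a user has been asked to make the decision:" and drops the old text's statement of what the service does expect; keep a clause such as "but it expects to receive a form-based submission containing the following parameters" ahead of the code block so the colon has something to introduce. The "addig" to "adding" correction in the view-handler paragraph is fine.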


