cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r812559 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Thu, 12 Apr 2012 16:48:24 GMT
Author: buildbot
Date: Thu Apr 12 16:48:23 2012
New Revision: 812559

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Apr 12 16:48:23 2012
@@ -249,33 +249,38 @@ INFO: Setting an instance of <span class
 
 <p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view -
this is a custom JSP handler and whatever HTML view is required can be created there, using
the OAuthAuthorizationData bean for building the view. Most likely you will want to present
a form asking the user to allow or deny the consumer accessing some of this user's resources.
If OAuthAuthorizationData has a list of Permissions set then adding the information about
the permissions is needed.</p>
 
-<p>Next the user makes a decision and selects a button allowing or denying the consumer
accessing the resources. AuthorizationCodeGrantService does not need to know how a user has
been asked to make the decision: </p>
+<p>Next the user makes a decision and selects a button allowing or denying the consumer
accessing the resources. The form data are submitted to AuthorizationCodeGrantService: </p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 Address: http://localhost:8080/services/social/authorize/decision
+Encoding: ISO-8859-1
 Http-Method: POST
 Content-Type: application/x-www-form-urlencoded
 Headers: {
 Authorization=[Basic YmFycnlAc29jaWFsLmNvbToxMjM0],
-Cookie=[JSESSIONID=eovucah9rwqp], 
-Referer=[http://localhost:8080/services/social/authorize?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2],

-User-Agent=[Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0]}
+Content-Type=[application/x-www-form-urlencoded],
+...
+}
 --------------------------------------
-09-Nov-2011 16:41:58 org.apache.cxf.jaxrs.utils.FormUtils logRequestParametersIfNeeded
-INFO: session_authenticity_token=e52b5033-9bf5-4b34-9d3a-39a7d5b7e686&amp;oauthDecision=allow&amp;oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2
+12-Apr-2012 15:36:29 org.apache.cxf.jaxrs.utils.FormUtils logRequestParametersIfNeeded
+INFO: updateCalendar-7_status=allow&amp;readCalendar_status=allow&amp;scope=updateCalendar-7+readCalendar&amp;redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete&amp;session_authenticity_token=4f0005d9-565f-4309-8ffb-c13c72139ebe&amp;oauthDecision=allow&amp;state=1&amp;client_id=123456789
 </pre>
 </div></div> 
 
-<p>AuthorizationRequestService will use a session_authenticity_token to validate that
the session is valid and will process the user decision next.<br clear="none">
-If it is set to "allow" then it will ask OAuthDataProvider to generate an authorization key
(verifier) and return this verifier alongside with the request token key and the state if
any by redirecting the current user back to the callback URI provided during the request token
request:</p>
+<p>AuthorizationCodeGrantService will use a session_authenticity_token to validate
that the session is valid and will process the user decision next. </p>
+
+<p>If the decision is "allow" then it will check the status of the individual scope
values. It relies on the "scopename_status" convention, if the form has offered the user a
chance to selectively enable individual scopes then name/value pairs such as "updateCalendar-7_status=allow"
are submitted. If none of such pairs is coming back then it means the user has approved all
the default and additional (if any) scopes.</p>
+
+<p>Next it will ask OAuthDataProvider to generate an authorization code grant and return
it alongside with the state if any by redirecting the current user back to the redirect URI:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 Response-Code: 303
 Headers: {
-Location=[http://localhost:8080/services/reservations/reserve/complete?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&amp;oauth_verifier=00bd8fa7-4233-42a2-8957-0a0a22c684ba]
-}
+ Location=[http://localhost:8080/services/reservations/reserve/complete?state=1&amp;code=5c993144b910bccd5977131f7d2629ab],

+ Date=[Thu, 12 Apr 2012 14:36:29 GMT], 
+ Content-Length=[0]}
 </pre>
 </div></div>  
 
@@ -283,85 +288,91 @@ Location=[http://localhost:8080/services
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
-Address: http:<span class="code-comment">//localhost:8080/services/reservations/reserve/complete?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&amp;oauth_verifier=00bd8fa7-4233-42a2-8957-0a0a22c684ba
+Address: http:<span class="code-comment">//localhost:8080/services/reservations/reserve/complete?state=1&amp;code=5c993144b910bccd5977131f7d2629ab
 </span>Http-Method: GET
-Content-Type: 
 Headers: {
-Authorization=[Basic YmFycnlAc29jaWFsLmNvbToxMjM0], 
-Cookie=[JSESSIONID=eovucah9rwqp],
-Referer=[http:<span class="code-comment">//localhost:8080/services/social/authorize?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2],

-</span>User-Agent=[Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0]}
+Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
+Authorization=[Basic YmFycnlAcmVzdGF1cmFudC5jb206NTY3OA==], 
+Cookie=[JSESSIONID=1c289vha0cxfe],
+}
 </pre>
 </div></div>
 
-<p>If a user decision was set to "deny" then no verifier will be sent back to the consumer.</p>
+<p>If a user decision was set to "deny" then the error will be returned to the client.</p>
 
-<p>Assuming the decision was "allow", the consumer has now received back the request
token and its verifier and is ready to exchange this pair for an access token.</p>
+<p>Assuming the decision was "allow", the consumer has now received back the authorization
code grant and is ready to exchange it for a new access token.</p>
 
 <h2><a shape="rect" name="JAX-RSOAuth2-AccessTokenService"></a>AccessTokenService
</h2>
 
-<p>The role of AccessTokenService is to exchange an authorized request token for a
new access token which will be used by the consumer to access the end user's resources. <br
clear="none">
+<p>The role of AccessTokenService is to exchange a token grant for a new access token
which will be used by the consumer to access the end user's resources. <br clear="none">
 Here is an example request log:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 Address: http://localhost:8080/services/oauth/token
 Http-Method: POST
+
 Headers: {
-Accept=[application/x-www-form-urlencoded], 
-Authorization=[OAuth oauth_signature_method=<span class="code-quote">"HMAC-SHA1"</span>,

-                     oauth_consumer_key=<span class="code-quote">"123456789"</span>,

-                     oauth_token=<span class="code-quote">"6dfd5e52-236c-4939-8df8-a53212f7d2a2"</span>,

-                     oauth_verifier=<span class="code-quote">"00bd8fa7-4233-42a2-8957-0a0a22c684ba"</span>,

-                     oauth_timestamp=<span class="code-quote">"1320760259"</span>,

-                     oauth_nonce=<span class="code-quote">"16237669362301"</span>,

-                     oauth_version=<span class="code-quote">"1.0"</span>, 
-                     oauth_signature=<span class="code-quote">"dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"</span>]
+Accept=[application/json], 
+Authorization=[Basic MTIzNDU2Nzg5Ojk4NzY1NDMyMQ==], 
+Content-Type=[application/x-www-form-urlencoded]
 }
+Payload: 
+
+grant_type=authorization_code&amp;code=5c993144b910bccd5977131f7d2629ab&amp;redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete
 </pre>
 </div></div> 
 
-<p>This request is very similar to a temporarily token request. Note that the request
token key is also included and this token key and its secret pair, as well as the consumer
key and secret pair are used to calculate the signature.</p>
+<p>This request contains a client_id and client_secret (Authorization header), the
grant_type, the grant value (code)<br clear="none">
+plus the redirect URI the authorization grant was returned to which is needed for the additional
validation.<br clear="none">
+Note that the alternative client authentication methods are also possible, in this case the
token service will expect a mapping between the client credentials and the client_id representing
the client registration available.</p>
+
+<p>After validating the request, the service will find a matching <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a>
and request to create a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java">ServerAccessToken</a>
which is a server-side representation of the access token.<br clear="none">
+The grant handlers, such as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java">AuthorizationCodeGrantHandler</a>
may delegate the creation of the actual access token to data providers, which may use the
available utility classes such as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/bearer/BearerAccessToken.java">BearerAccessToken</a>
shipped with CXF or depend on other 3rd party libraries to create the tokens.</p>
 
-<p>AccessTokenService validates the signature, asks OAuthDataProvider to remove a RequestToken
identified by the "oauth_token" and compares the "oauth_verifier" value against the one stored
in this RequestToken.</p>
+<p>The data providers are also do not strictly required to persist the data such as
access tokens, instead the token key may an encrypted bag capturing all the relevant information.</p>
 
-<p>Note that if the "oauth_verifier" is missing then AccessTokenService will check
that RequestToken has been preauthorized and that its UserSubject property is initialized.
If both conditions are met then the access token request is allowed to continue. </p>
+<p>Now that the token has been created, it is mapped by the service to a <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java">client
representation</a> and is returned back as a JSON payload:</p>
 
-<p>Next it asks the data provider to create a new <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java">AccessToken</a>
based on this RequestToken. The resulting access token key and secret pair is returned back
to a consumer:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 Response-Code: 200
-Content-Type: application/x-www-form-urlencoded
-Headers: {Date=[Tue, 08 Nov 2011 13:50:59 GMT]}
-Payload: oauth_token=abc15aca-2073-4bde-b1be-1a02dc7ccafe&amp;oauth_token_secret=859dfe9e-ca4c-4b36-9e60-044434ab636c
+Content-Type: application/json
+Headers: {
+ Cache-Control=[no-store], 
+ Pragma=[no-cache], 
+ Date=[Thu, 12 Apr 2012 14:36:29 GMT]
+}
+
+Payload: 
+
+{<span class="code-quote">"access_token"</span>:<span class="code-quote">"5b5c8e677413277c4bb8b740d522b378"</span>,
<span class="code-quote">"token_type"</span>:<span class="code-quote">"bearer"</span>}
+
 </pre>
 </div></div> 
 
 <p>The consumer will use this access token to access the current user's resources in
order to complete the original user's request, for example, the request to access a user's
calendar may look like this:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
-Address: http://localhost:8080/services/user/calendar
+Address: http://localhost:8080/services/thirdPartyAccess/calendar
 Http-Method: GET
-Headers: {
-Accept=[application/XML], 
-Authorization=[OAuth oauth_signature_method=<span class="code-quote">"HMAC-SHA1"</span>,

-                     oauth_consumer_key=<span class="code-quote">"123456789"</span>,

-                     oauth_token=<span class="code-quote">"abc15aca-2073-4bde-b1be-1a02dc7ccafe"</span>,

-                     oauth_version=<span class="code-quote">"1.0"</span>, 
-                     oauth_signature=<span class="code-quote">"dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"</span>]
+Headers: 
+{
+  Authorization=[Bearer 5b5c8e677413277c4bb8b740d522b378], 
+  Accept=[application/xml]
 }
 </pre>
 </div></div> 
 
-<p>Note that the access token is set and the access token key and secret pair, as well
as the consumer key and secret pair are used to create a signature.</p>
+<p>Note that the access token key is passed as the Bearer scheme value. Other token
types such as MAC ones, etc, can be represented differently.</p>
 
 <h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing
OAuthDataProvider</h2>
 
-<p>Using CXF OAuth service implementations will help a lot with setting up an OAuth
server. As you can see from the above sections, these services rely on a custom <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p>
+<p>Using CXF OAuth service implementations will help a lot with setting up an OAuth
server. As you can see from the above sections, these services rely on a custom <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p>
 
-<p>The main task of OAuthDataProvider is to persist request and access tokens and generate
authorization/verifier keys. The way it's done is really application-specific. Consider starting
with a basic memory based implementation and then move on to keeping the data in some DB.</p>
+<p>The main task of OAuthDataProvider is to persist and generate access tokens. Additionally,
as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations.
The way it's done is really application-specific. Consider starting with a basic memory based
implementation and then move on to keeping the data in some DB.</p>
 
-<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java">Client</a>
instances but it has no methods for creating or removing Clients. The reason for it is that
the process of registering third-party consumers is very specific to a particular OAuth application,
so CXF does not offer a registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p>
+<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a>
instances but it has no methods for creating or removing Clients. The reason for it is that
the process of registering third-party consumers is very specific to a particular OAuth2 application,
so CXF does not offer a registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
@@ -376,65 +387,38 @@ Authorization=[OAuth oauth_signature_met
 
 <p>CustomOAuthProvider will also remove all tokens associated with a given Client in
removeClient(String cliendId).</p>
 
-<p>When creating RequestToken or AccessToken tokens as well as authorization keys,
OAuthDataProvider will need to create unique identifiers.<br clear="none">
-The way it's done is application specific and custom implementations may also use a utility
<a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/MD5SequenceGenerator.java">MD5SequenceGenerator</a>
shipped with CXF, for example:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">public</span> <span class="code-object">String</span>
setRequestTokenVerifier(RequestToken requestToken) <span class="code-keyword">throws</span>
OAuthServiceException {
-    requestToken.setVerifier(generateSequence());
-    <span class="code-keyword">return</span> requestToken.getVerifier();
-}
 
-<span class="code-keyword">private</span> <span class="code-object">String</span>
generateSequence() <span class="code-keyword">throws</span> OAuthServiceException
{
-    <span class="code-keyword">try</span> {
-       <span class="code-keyword">return</span> tokenGenerator.generate(UUID.randomUUID().toString().getBytes(<span
class="code-quote">"UTF-8"</span>));
-    } <span class="code-keyword">catch</span> (Exception e) {
-       <span class="code-keyword">throw</span> <span class="code-keyword">new</span>
OAuthServiceException(<span class="code-quote">"Unable to generate the key"</span>,
e.getCause());
-    }
-}
-
-</pre>
-</div></div>
-
-<p>Generating tokens/keys and persisting them effectively is what OAuthDataProvider
all about.<br clear="none">
-Note that CXF will check that Request and Access tokens have not expired every time it uses
them and will ask OAuthDataProvider to remove the expired tokens, but the custom OAuthDataProvider
implementation may do its own checks too.</p>
-
-<p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar"
into a list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java">OAuthPermission</a>s.
AuthorizationRequestService and OAuth security filters will depend on it (assuming scopes
are used in the first place). In the former case AuthorizationRequestService will use this
list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java">Permission</a>s
is
  that the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData handlers.</p>
+<p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar"
into a list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s.
AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes
are used in the first place). In the former case AuthorizationCodeGrantService will use this
list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">P
 ermission</a>s is that some of the properties OAuthPermission keeps are of no interest
to OAuthAuthorizationData handlers.</p>
 
 <h2><a shape="rect" name="JAX-RSOAuth2-OAuthServerJAXRSendpoints"></a>OAuth
Server JAX-RS endpoints </h2>
 
-<p>With CXF offering OAuth service implementations and a custom OAuthAuthorizationData
provider in place, it is time to deploy the OAuth server.  <br clear="none">
-Most likely, you'd want to deploy RequestTokenService and AccessTokenService as two root
resources inside a single JAX-RS endpoint (or have one RequestTokenService and one AccessTokenService
endpoint), for example:</p>
+<p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider
in place, it is time to deploy the OAuth2 server.  <br clear="none">
+Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for
example:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 <span class="code-tag"><span class="code-comment">&lt;!-- implements OAuthDataProvider
--&gt;</span></span>
 <span class="code-tag">&lt;bean id=<span class="code-quote">"oauthProvider"</span>
class=<span class="code-quote">"oauth.manager.OAuthManager"</span>/&gt;</span>
-
-<span class="code-tag">&lt;bean id=<span class="code-quote">"requestTokenService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth.services.RequestTokenService"</span>&gt;</span>
-   <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"oauthProvider"</span>/&gt;</span>
-<span class="code-tag">&lt;/bean&gt;</span>
      
-<span class="code-tag">&lt;bean id=<span class="code-quote">"accessTokenService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth.services.AccessTokenService"</span>&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"accessTokenService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>&gt;</span>
   <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"oauthProvider"</span>/&gt;</span>
 <span class="code-tag">&lt;/bean&gt;</span>
 
 <span class="code-tag">&lt;jaxrs:server id=<span class="code-quote">"oauthServer"</span>
address=<span class="code-quote">"/oauth"</span>&gt;</span>
    <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
-      <span class="code-tag">&lt;ref bean=<span class="code-quote">"requestTokenService"</span>/&gt;</span>
       <span class="code-tag">&lt;ref bean=<span class="code-quote">"accessTokenService"</span>/&gt;</span>
   <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
 <span class="code-tag">&lt;/jaxrs:server&gt;</span>
 </pre>
 </div></div>  
 
-<p>RequestTokenService listens on a relative "/initiate" path, AccessTokenService -
on "/token". Giving the that jaxrs:server/@adress is "/oauth" and assuming a context name
is "/services", the absolute address of RequestTokenService would be something like "http://localhost:8080/services/oauth/initiate"
and that of AccessTokenService - "http://localhost:8080/services/oauth/token". </p>
+<p>AccessTokenService listens on a relative "/token" path. Given that jaxrs:server/@adress
is "/oauth" and assuming a context name is "/services", the absolute address of AccessTokenService
would be something like "http://localhost:8080/services/oauth/token". </p>
 
-<p>AuthorizationRequestService is better to put where the main application endpoint
is. It can be put alongside RequestTokenService and AccessTokenService - but the problem is
that the end user is expected to authenticate itself with the resource server after it has
been redirected by a third-party consumer to AuthorizationRequestService. That would make
it more complex for the OAuth server endpoint to manage both OAuth (third-party consumer)
and the regular user authentication - that can be done, see more on it below in the Design
considerations section, but the simpler option is to simply get AuthorizationRequestService
under the control of the security filter enforcing the end user authentication:</p>
+<p>AuthorizationCodeGrantService is better to put where the main application endpoint
is. It can be put alongside AccessTokenService - but the problem is that the end user is expected
to authenticate itself with the resource server after it has been redirected by a third-party
consumer to AuthorizationCodeGrantService. That would make it more complex for the OAuth server
endpoint to manage both OAuth (third-party consumer) and the regular user authentication -
that can be done, see more on it below in the Design considerations section, but the simpler
option is to simply get AuthorizationCodeGrantService under the control of the security filter
enforcing the end user authentication:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
-&lt;bean id=<span class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth.services.AuthorizationRequestService"</span>&gt;
+&lt;bean id=<span class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>&gt;
   &lt;property name=<span class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/&gt;
 &lt;/bean&gt;
 
@@ -451,7 +435,7 @@ Most likely, you'd want to deploy Reques
 </pre>
 </div></div>
 
-<p>AuthorizationRequestService listens on a relative "/authorize" path so in this case
its absolute address will be something like "http://localhost:8080/services/myapp/authorize".
This address and those of RequestTokenService and AccessTokenService will be used by third-party
consumers.</p>
+<p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this
case its absolute address will be something like "http://localhost:8080/services/myapp/authorize".
This address and that of AccessTokenService will be used by third-party consumers.</p>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters"></a>Protecting
resources with OAuth filters</h1>
 



Mime
View raw message