cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r814462 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Wed, 25 Apr 2012 18:48:50 GMT
Author: buildbot
Date: Wed Apr 25 18:48:50 2012
New Revision: 814462

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Wed Apr 25 18:48:50 2012
@@ -125,20 +125,20 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="r
 ect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit
Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandconsumers">Sharing
the same access path between end users and consumers</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandconsumers">Providing different
access points to end users and consumers</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="r
 ect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit
Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
-<p>CXF 2.6.0 provides an initial implementation of <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">OAuth 2.0</a>.
See also the <a shape="rect" href="jax-rs-oauth.html" title="JAX-RS OAuth">JAX-RS OAuth</a>
page for the information about OAuth 1.0.</p>
+<p>CXF 2.6.0 provides an initial implementation of <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">OAuth 2.0</a>.
See also the <a shape="rect" href="jax-rs-oauth.html" title="JAX-RS OAuth">JAX-RS OAuth</a>
page for information about OAuth 1.0.</p>
 
-<p>Authorization Code, Implicit and Client Credentials grants are currently supported
with the new grant handlers to be added later.<br clear="none">
+<p>Authorization Code, Implicit and Client Credentials grants are currently supported
with other grant handlers to be added later.<br clear="none">
 Custom grant handlers can be registered.</p>
 
-<p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping
the end users (resource owners) authorize third-party providers to access their resources.</p>
+<p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping
end users (resource owners) authorize third-party providers to access their resources.</p>
 
-<p>The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow is
called Authorization Code and involves 3 parties: the end user, the third party service (client)
and the resource server which is protected by OAuth2 filters. Typically a client offers a
service feature that an end user requests and which requires the former to access one or more
protected resources on behalf of this user which are located at the resource server. For example,
the client may need to access the end user's photos in order to print them and post to the
user or read and possibly update a user's calendar in order to make a booking.</p>
+<p>The OAuth2 flow is closely related to the original OAuth 1.0 3-leg flow is called
Authorization Code and involves 3 parties: the end user, the third party service (client)
and the resource server which is protected by OAuth2 filters. Typically a client offers a
service feature that an end user requests and which requires the former to access one or more
protected resources on behalf of this user which are located at the resource server. For example,
the client may need to access the end user's photos in order to print them and post to the
user or read and possibly update a user's calendar in order to make a booking.</p>
 
-<p>In order to make it happen, the third-party service application/client needs to
register itself with the OAuth2 server. This happens out-of-band and after the registration
the consumer gets back a consumer key and secret pair. Typically the client is expected to
provide the name and description of the application, the application logo URI, one or more
redirect URIs, and other information that may help the OAuth2 authorization server to identify
this client to the end user at the authorization time.  </p>
+<p>In order to make it happen, the third-party service application/client needs to
register itself with the OAuth2 server. This happens out-of-band and after the registration
the client gets back a client key and secret pair. Typically the client is expected to provide
the name and description of the application, the application logo URI, one or more redirect
URIs, and other information that may help the OAuth2 authorization server to identify this
client to the end user at the authorization time.  </p>
 
 <p>From then on, the authorization code flow works like this:<br clear="none">
 1. End User requests the third-party service using a browser.</p>
@@ -155,7 +155,7 @@ Custom grant handlers can be registered.
 
 <p>As you can see the flow can be complex yet it is very effective. A number of issues
may need to be taken care along the way such as managing expired tokens, making sure that
the OAuth2 security layer is functioning properly and is not interfering with the end user
itself trying to access its own resources, etc.</p>
 
-<p>Please check the <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2"
rel="nofollow">specification</a> and the <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/OAuth2" rel="nofollow">Wikipedia article</a> as
well as other resources available on the WEB for more information you may need to know about
OAuth2. </p>
+<p>Please check the <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2"
rel="nofollow">specification</a> and the <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/OAuth#OAuth_2.0" rel="nofollow">Wikipedia article</a>
as well as other resources available on the WEB for more information you may need to know
about OAuth2. </p>
 
 <p>CXF JAX-RS gives the best effort to making this process as simple as possible and
requiring only a minimum effort on behalf of OAuth2 server developers. It also offers the
utility code for greatly simplifying the way the third-party application can interact with
the OAuth2 service endpoints.</p>
 
@@ -174,21 +174,21 @@ Custom grant handlers can be registered.
 <h1><a shape="rect" name="JAX-RSOAuth2-DevelopingOAuth2Servers"></a>Developing
OAuth2 Servers</h1>
 
 <p>OAuth2 server is the core piece of the complete OAuth2-based solution. Typically
it contains 2 services for:<br clear="none">
-1. Authorizing request tokens by asking the end users to let consumers access some of their
resources and returning the<br clear="none">
-  grants back to the consumer (Authorization Service)<br clear="none">
+1. Authorizing request tokens by asking the end users to let clients access some of their
resources and returning the<br clear="none">
+  grants back to the client (Authorization Service)<br clear="none">
 2. Exchanging the token grants for access tokens (Access Token Service)</p>
 
 <p>CXF offers several JAX-RS service implementations that can be used to create the
OAuth2 servers fast: <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a>
and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a>
for managing the redirection-based flows, as well as <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java">AccessTokenService</a>
for exchanging the grants for new tokens.</p>
 
 <p>Note that some grants that do not require the redirection-based support, such as
SAML2 one, etc, may only require an Access Token Service be operational.</p>
 
-<p>All of these services rely on the custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
which persists the access tokens and converts the opaque scope values to the information that
can be presented to the users. Additionally, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
is an OAuthDataProvider which can keep the temporarily information about the authorization
code grants which needs to be removed after the tokens are requested in exchange.</p>
+<p>All of these services rely on the custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
which persists the access tokens and converts the opaque scope values to the information that
can be presented to the users. Additionally, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
is an OAuthDataProvider which can keep temporary information about the authorization code
grants which needs to be removed after the tokens are requested in exchange.</p>
 
 <p>Writing your own OAuthDataProvider implementation is what is needed to get the OAuth2
server up and running. In many cases all you need to do is to persist or remove the Authorization
Code Grant data, use one of the available utility classes to create a new access token and
also persist it or remove the expired one, and finally convert the optional opaque scope values
(if any are supported) to a more view-able information.</p>
 
 <h2><a shape="rect" name="JAX-RSOAuth2-AuthorizationService"></a>Authorization
Service</h2>
 
-<p>The main responsibility of OAuth2 Authorization Service is to present an end user
with a form asking the user to allow or deny the consumer accessing some of the user resources.
CXF offers <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a>
and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a>
for accepting the redirection requests, challenging the end users with the authorization forms,
handling the end user decisions and returning the results back to the clients. </p>
+<p>The main responsibility of OAuth2 Authorization Service is to present an end user
with a form asking the user to allow or deny the client accessing some of the user resources.
CXF offers <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a>
and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a>
for accepting the redirection requests, challenging the end users with the authorization forms,
handling the end user decisions and returning the results back to the clients. </p>
 
 <p>One of the differences between the AuthorizationCode and Implicit flows is that
in the latter case the grant is the actual access token which is returned as the URI fragment
value. The way the end user is asked to authorize the client request is similar between the
two flows. In this section we will assume that the Authorization Code flow is being exercized.</p>
 
@@ -201,7 +201,7 @@ Headers: {Location=[http://localhost:808
 </pre>
 </div></div> 
 
-<p>The consumer application asks the current user (the browser) to go to a new address
provided by the Location header and the follow-up request to AuthorizationCodeGrantService
will look like this:</p>
+<p>The client application asks the current user (the browser) to go to a new address
provided by the Location header and the follow-up request to AuthorizationCodeGrantService
will look like this:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
@@ -247,9 +247,9 @@ INFO: Setting an instance of <span class
 </pre>
 </div></div>
 
-<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view -
this is a custom JSP handler and whatever HTML view is required can be created there, using
the OAuthAuthorizationData bean for building the view. Most likely you will want to present
a form asking the user to allow or deny the consumer accessing some of this user's resources.
If OAuthAuthorizationData has a list of Permissions set then adding the information about
the permissions is needed.</p>
+<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view -
this is a custom JSP handler and whatever HTML view is required can be created there, using
the OAuthAuthorizationData bean for building the view. Most likely you will want to present
a form asking the user to allow or deny the client accessing some of this user's resources.
If OAuthAuthorizationData has a list of Permissions set then adding the information about
the permissions is needed.</p>
 
-<p>Next the user makes a decision and selects a button allowing or denying the consumer
accessing the resources. The form data are submitted to AuthorizationCodeGrantService: </p>
+<p>Next the user makes a decision and selects a button allowing or denying the client
accessing the resources. The form data are submitted to AuthorizationCodeGrantService: </p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
@@ -300,11 +300,11 @@ Cookie=[JSESSIONID=1c289vha0cxfe],
 
 <p>If a user decision was set to "deny" then the error will be returned to the client.</p>
 
-<p>Assuming the decision was "allow", the consumer has now received back the authorization
code grant and is ready to exchange it for a new access token.</p>
+<p>Assuming the decision was "allow", the client has now received back the authorization
code grant and is ready to exchange it for a new access token.</p>
 
 <h2><a shape="rect" name="JAX-RSOAuth2-AccessTokenService"></a>AccessTokenService
</h2>
 
-<p>The role of AccessTokenService is to exchange a token grant for a new access token
which will be used by the consumer to access the end user's resources. <br clear="none">
+<p>The role of AccessTokenService is to exchange a token grant for a new access token
which will be used by the client to access the end user's resources. <br clear="none">
 Here is an example request log:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
@@ -351,7 +351,7 @@ Payload: 
 </pre>
 </div></div> 
 
-<p>The consumer will use this access token to access the current user's resources in
order to complete the original user's request, for example, the request to access a user's
calendar may look like this:</p>
+<p>The client will use this access token to access the current user's resources in
order to complete the original user's request, for example, the request to access a user's
calendar may look like this:</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-xml">
 Address: http://localhost:8080/services/thirdPartyAccess/calendar
@@ -372,7 +372,7 @@ Headers: 
 
 <p>The main task of OAuthDataProvider is to persist and generate access tokens. Additionally,
as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations.
The way it's done is really application-specific. Consider starting with a basic memory based
implementation and then move on to keeping the data in some DB.</p>
 
-<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a>
instances but it has no methods for creating or removing Clients. The reason for it is that
the process of registering third-party consumers is very specific to a particular OAuth2 application,
so CXF does not offer a registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p>
+<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a>
instances but it has no methods for creating or removing Clients. The reason for it is that
the process of registering third-party clients is very specific to a particular OAuth2 application,
so CXF does not offer a registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
@@ -414,7 +414,7 @@ Most likely, you'd want to deploy Access
 
 <p>AccessTokenService listens on a relative "/token" path. Given that jaxrs:server/@adress
is "/oauth" and assuming a context name is "/services", the absolute address of AccessTokenService
would be something like "http://localhost:8080/services/oauth/token". </p>
 
-<p>AuthorizationCodeGrantService is better to put where the main application endpoint
is. It can be put alongside AccessTokenService - but the problem is that the end user is expected
to authenticate itself with the resource server after it has been redirected by a third-party
consumer to AuthorizationCodeGrantService. That would make it more complex for the OAuth server
endpoint to manage both OAuth (third-party consumer) and the regular user authentication -
that can be done, see more on it below in the Design considerations section, but the simpler
option is to simply get AuthorizationCodeGrantService under the control of the security filter
enforcing the end user authentication:</p>
+<p>AuthorizationCodeGrantService is better to put where the main application endpoint
is. It can be put alongside AccessTokenService - but the problem is that the end user is expected
to authenticate itself with the resource server after it has been redirected by a third-party
client to AuthorizationCodeGrantService. That would make it more complex for the OAuth server
endpoint to manage both OAuth (third-party client) and the regular user authentication - that
can be done, see more on it below in the Design considerations section, but the simpler option
is to simply get AuthorizationCodeGrantService under the control of the security filter enforcing
the end user authentication:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
@@ -435,11 +435,11 @@ Most likely, you'd want to deploy Access
 </pre>
 </div></div>
 
-<p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this
case its absolute address will be something like "http://localhost:8080/services/myapp/authorize".
This address and that of AccessTokenService will be used by third-party consumers.</p>
+<p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this
case its absolute address will be something like "http://localhost:8080/services/myapp/authorize".
This address and that of AccessTokenService will be used by third-party clients.</p>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters"></a>Protecting
resources with OAuth filters</h1>
 
-<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java">OAuthRequestFilter</a>
request handler can be used to protect the resource server when processing the requests from
the third-party clients. Add it as a jaxrs:provider to the endpoint which deals with the consumers
requesting the resources.</p>
+<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java">OAuthRequestFilter</a>
request handler can be used to protect the resource server when processing the requests from
the third-party clients. Add it as a jaxrs:provider to the endpoint which deals with the clients
requesting the resources.</p>
 
 <p>When checking a request like this:</p>
 
@@ -467,7 +467,7 @@ Headers: 
 
 <p>4. Finally, it will create a CXF <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java">SecurityContext</a>
using this list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/data/OAuthPermission.java">OAuthPermissions</a>,
the <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/UserSubject.java">UserSubject</a>
representing the client or the end user who authorized the grant used to obtain this token.</p>
 
-<p>This SecurityContext will not necessarily be important for some of OAuth2 applications.
Most of the security checks will be done by OAuth2 filters and security filters protecting
the main application path the end users themselves use. Only if you would like to share the
same JAX-RS resource code and access URIs between end users and consumers then it can become
handy. More on it below. </p>
+<p>This SecurityContext will not necessarily be important for some of OAuth2 applications.
Most of the security checks will be done by OAuth2 filters and security filters protecting
the main application path the end users themselves use. Only if you would like to share the
same JAX-RS resource code and access URIs between end users and clients then it can become
handy. More on it below. </p>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Howtogettheuserloginname"></a>How
to get the user login name</h1>
 
@@ -566,21 +566,21 @@ However, supporting other types of end u
 
 <p>One of the most important issues one need to resolve is how to partition a URI space
of the resource server application.</p>
 
-<p>We have two different parties trying to access it, the end users which access the
resource server to get to the resources which they own and 3rd party consumers which have
been authorized by the end users to access some of their resources. </p>
+<p>We have two different parties trying to access it, the end users which access the
resource server to get to the resources which they own and 3rd party clients which have been
authorized by the end users to access some of their resources. </p>
 
 <p>In the former case the way the authentication is managed is completely up to the
resource server application: basic authentication, two-way TLS, OpenId (more on it below),
you name it.</p>
 
-<p>In the latter case an OAuth filter must enforce that the 3rd party consumer has
been registered using the provided consumer key and that it has a valid access token which
represents the end user's approval.  It's kind of the authentication and the authorization
check at the same time.</p>
+<p>In the latter case an OAuth filter must enforce that the 3rd party client has been
registered using the provided client key and that it has a valid access token which represents
the end user's approval.  It's kind of the authentication and the authorization check at the
same time.</p>
 
 <p>Letting both parties access the resource server via the same URI(s) complicates
the life for the security filters but all the parties are only aware of the single resource
server URI which all of them will use.</p>
 
-<p>Providing different access points to end users and consumers may significantly simplify
the authentication process - the possible downside is that multiple access points need to
be mantained by the resource server.</p>
+<p>Providing different access points to end users and clients may significantly simplify
the authentication process - the possible downside is that multiple access points need to
be mantained by the resource server.</p>
 
 <p>Both options are discussed next.</p>
 
-<h3><a shape="rect" name="JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandconsumers"></a>Sharing
the same access path between end users and consumers</h3>
+<h3><a shape="rect" name="JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients"></a>Sharing
the same access path between end users and clients</h3>
 
-<p>The first problem which needs to be addressed is how to distinguish end users from
third-party consumers and get both parties authenticated as required.<br clear="none">
+<p>The first problem which needs to be addressed is how to distinguish end users from
third-party clients and get both parties authenticated as required.<br clear="none">
 Perhaps the simplest option is to extend a CXF OAuth2 filter (JAX-RS or servlet one), check
Authorization header, if it is OAuth2 then delegate to the superclass, alternatively - proceed
with authenticating the end users:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
@@ -631,25 +631,25 @@ For example, consider the following JAX-
 </pre>
 </div></div>
 
-<p>Lets assume that the 3rd party consumer has been allowed to read the public user
Calendars at "/calendar/{id}" only, how to make sure that the consumer won't try to:<br
clear="none">
+<p>Let's assume that the 3rd party client has been allowed to read the public user
Calendars at "/calendar/{id}" only, how to make sure that the client won't try to:<br clear="none">
 1. update the calendar available at the same path <br clear="none">
 2. read the private Calendars available at "/calendar/{id}/private"</p>
 
-<p>As noted above, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>
has an optional URIs property. Thus one way to solve the problem with the private calendar
is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission
(representing a scope like "readCalendar") and the OAuth filter will make sure no subresources
beyond "/calendar/{id}" can be accessed. Note, adding a "*" at the end of a given URI property,
for example, "/a*" will let the consumer to access "/a", "/a/b", etc.</p>
+<p>As noted above, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>
has an optional URIs property. Thus one way to solve the problem with the private calendar
is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission
(representing a scope like "readCalendar") and the OAuth filter will make sure no subresources
beyond "/calendar/{id}" can be accessed. Note, adding a "*" at the end of a given URI property,
for example, "/a*" will let the client access "/a", "/a/b", etc.</p>
 
 <p>Solving the problem with preventing the update can be easily solved by adding an
httpVerb property to a given OAuthPermission.</p>
 
-<p>One more option is to rely on the role-based access control and have @RolesAllowed
allocated such that only users in roles like "consumer" or "enduser" can invoke the getCalendar()
method and let only those in the "enduser" role access getPrivateCalendar() and updateCalendar().
OAuthPermission can help here too as described in the section on using OAuth fiters.</p>
+<p>One more option is to rely on the role-based access control and have @RolesAllowed
allocated such that only users in roles like "client" or "enduser" can invoke the getCalendar()
method and let only those in the "enduser" role access getPrivateCalendar() and updateCalendar().
OAuthPermission can help here too as described in the section on using OAuth fiters.</p>
 
-<h3><a shape="rect" name="JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandconsumers"></a>Providing
different access points to end users and consumers</h3>
+<h3><a shape="rect" name="JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients"></a>Providing
different access points to end users and clients</h3>
 
-<p>Rather than letting both the end users and 3rd party consumers use the same URI
such as "http://myapp.com/service/calendars/{id}", one may want to introduce two URIs, one
for end users and one for third-party consumers, for example, "http://myapp.com/service/calendars/{id}"
- for endusers, "http://myapp.com/partners/calendars/{id}" - for the 3rd party consumers and
deploy 2 jaxrs endpoints, where one is protected by the security filter checking the end users,
and the one - by OAuth filters. </p>
+<p>Rather than letting both the end users and 3rd party clients use the same URI such
as "http://myapp.com/service/calendars/{id}", one may want to introduce two URIs, one for
end users and one for third-party clients, for example, "http://myapp.com/service/calendars/{id}"
- for endusers, "http://myapp.com/partners/calendars/{id}" - for the 3rd party clients and
deploy 2 jaxrs endpoints, where one is protected by the security filter checking the end users,
and the one - by OAuth filters. </p>
 
-<p>Additionally the endpoint managing the 3rd party consumers will deploy a resource
which will offer a resticted URI space support. For example, if the application will only
allow 3rd party consumers to read calendars then this resource will only have a method supporting
@GET and "/calendar/{id}". </p>
+<p>Additionally the endpoint managing the 3rd party clients will deploy a resource
which will offer a resticted URI space support. For example, if the application will only
allow 3rd party clients to read calendars then this resource will only have a method supporting
@GET and "/calendar/{id}". </p>
 
 <h2><a shape="rect" name="JAX-RSOAuth2-SingleSignOn"></a>Single Sign On</h2>
 
-<p>When dealing with authenticating the end users, having an SSO solution in place
is very handy. This is because the end user interacts with both the third-party and its resource
server web applications and is also redirected from the consumer application to the resource
server and back again. OpenID or say a WebBrowser SSO profile can help - CXF may offer some
support in this area. </p>
+<p>When dealing with authenticating the end users, having an SSO solution in place
is very handy. This is because the end user interacts with both the third-party and its resource
server web applications and is also redirected from the client application to the resource
server and back again. OpenID or say a WebBrowser SSO profile can help - CXF may offer some
support in this area. </p>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>
 



Mime
View raw message