cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r818702 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Tue, 22 May 2012 14:47:55 GMT
Author: buildbot
Date: Tue May 22 14:47:55 2012
New Revision: 818702

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue May 22 14:47:55 2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="r
 ect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit
Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login
  name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RS
 OAuth2-WhatIsNext">What Is Next</a></li></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
@@ -366,6 +366,9 @@ Headers: 
 
 <p>Note that the access token key is passed as the Bearer scheme value. Other token
types such as MAC ones, etc, can be represented differently.</p>
 
+<h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService
</h3>
+<p>The  <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a CXF specific OAuth2 service for accepting the remote access token validation requests.
Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party
client and will ask AccessTokenValidationService to return the information relevant to the
current access token, before setting up a security context. More on it below.</p>
+
 <h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing
OAuthDataProvider</h2>
 
 <p>Using CXF OAuth service implementations will help a lot with setting up an OAuth
server. As you can see from the above sections, these services rely on a custom <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p>
@@ -414,24 +417,48 @@ Most likely, you'd want to deploy Access
 
 <p>AccessTokenService listens on a relative "/token" path. Given that jaxrs:server/@adress
is "/oauth" and assuming a context name is "/services", the absolute address of AccessTokenService
would be something like "http://localhost:8080/services/oauth/token". </p>
 
-<p>AuthorizationCodeGrantService is better to put where the main application endpoint
is. It can be put alongside AccessTokenService - but the problem is that the end user is expected
to authenticate itself with the resource server after it has been redirected by a third-party
client to AuthorizationCodeGrantService. That would make it more complex for the OAuth server
endpoint to manage both OAuth (third-party client) and the regular user authentication - that
can be done, see more on it below in the Design considerations section, but the simpler option
is to simply get AuthorizationCodeGrantService under the control of the security filter enforcing
the end user authentication:</p>
+<p>If the remote token validation is supported then have AccessTokenValidationService
 added too:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-&lt;bean id=<span class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>&gt;
-  &lt;property name=<span class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/&gt;
-&lt;/bean&gt;
-
-&lt;bean id=<span class="code-quote">"myApp"</span> class=<span class="code-quote">"org.myapp.MyApp"</span>&gt;
-  &lt;property name=<span class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/&gt;
-&lt;/bean&gt;
-
-&lt;jaxrs:server id=<span class="code-quote">"oauthServer"</span> address=<span
class="code-quote">"/myapp"</span>&gt;
-   &lt;jaxrs:serviceBeans&gt;
-      &lt;ref bean=<span class="code-quote">"myApp"</span>/&gt;
-      &lt;ref bean=<span class="code-quote">"authorizationService"</span>/&gt;
-  &lt;/jaxrs:serviceBeans&gt;
-&lt;/jaxrs:server&gt;
+<pre class="code-xml">
+<span class="code-tag"><span class="code-comment">&lt;!-- implements OAuthDataProvider
--&gt;</span></span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"oauthProvider"</span>
class=<span class="code-quote">"oauth.manager.OAuthManager"</span>/&gt;</span>
+     
+<span class="code-tag">&lt;bean id=<span class="code-quote">"accessTokenService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>&gt;</span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"oauthProvider"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"accessTokenValidateService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenValidateService"</span>&gt;</span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"oauthProvider"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+
+<span class="code-tag">&lt;jaxrs:server id=<span class="code-quote">"oauthServer"</span>
address=<span class="code-quote">"/oauth"</span>&gt;</span>
+   <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"accessTokenService"</span>/&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"accessTokenValidateService"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div> 
+
+<p>The absolute address of AccessTokenValidateService would be something like "http://localhost:8080/services/oauth/validate".
</p>
+
+<p>AuthorizationCodeGrantService is easier to put where the application endpoints are.
It can be put alongside AccessTokenService, but ideally an SSO based authentication solution
will be also be deployed, for the end user to avoid signing in separately several times (see
more in it below). Here is an example of AuthorizationCodeGrantService being collocated with
the application endpoint:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;bean id=<span class="code-quote">"authorizationService"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>&gt;</span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"oauthProvider"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"myApp"</span>
class=<span class="code-quote">"org.myapp.MyApp"</span>/&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server id=<span class="code-quote">"appServer"</span>
address=<span class="code-quote">"/myapp"</span>&gt;</span>
+   <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"myApp"</span>/&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"authorizationService"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
 </pre>
 </div></div>
 
@@ -469,6 +496,70 @@ Headers: 
 
 <p>This SecurityContext will not necessarily be important for some of OAuth2 applications.
Most of the security checks will be done by OAuth2 filters and security filters protecting
the main application path the end users themselves use. Only if you would like to share the
same JAX-RS resource code and access URIs between end users and clients then it can become
handy. More on it below. </p>
 
+<p>Here is one example of how OAuthRequestFilter can be configured:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;bean id=<span class="code-quote">"oauthProvider"</span>
class=<span class="code-quote">"oauth.manager.OAuthManager"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"oauthFiler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"</span>&gt;</span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"oauthProvider"</span>/&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"myApp"</span>
class=<span class="code-quote">"org.myapp.MyApp"</span>/&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server id=<span class="code-quote">"fromThirdPartyToMyApp"</span>
address=<span class="code-quote">"/thirdparty-to-myapp"</span>&gt;</span>
+   <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"myApp"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+  <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"oauthFilter"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+  
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+<p>It will rely on an instance of OAuthDataProvider to get the information about the
current access token and will validate it.<br clear="none">
+This option works OK for when it is easy to get the same OAuthDataProvider shared between
this filter, as well as Authorization and AccessToken services. OAuthDataProvider can also
be implemented such that it manages the information in the distributed manner so the above
configuration option may scale well for more sophisticated deployments.</p>
+
+<p>When one has Authorization and AccessToken service not collocated with the application
endpoints, the following may work better:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+
+     <span class="code-tag">&lt;bean id=<span class="code-quote">"tvServiceClientFactory"</span>
class=<span class="code-quote">"org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean"</span>&gt;</span>
+         <span class="code-tag">&lt;property name=<span class="code-quote">"address"</span>
value=<span class="code-quote">"http://localhost:${http.port}/services/oauth/validate"</span>/&gt;</span>
+         <span class="code-tag">&lt;property name=<span class="code-quote">"headers"</span>&gt;</span>
+            <span class="code-tag">&lt;map&gt;</span>
+               <span class="code-tag">&lt;entry key=<span class="code-quote">"Accept"</span>
value=<span class="code-quote">"application/xml"</span>/&gt;</span>
+            <span class="code-tag">&lt;/map&gt;</span>
+         <span class="code-tag">&lt;/property&gt;</span>
+     <span class="code-tag">&lt;/bean&gt;</span>
+     
+     <span class="code-tag">&lt;bean id=<span class="code-quote">"tvServiceClient"</span>
factory-bean=<span class="code-quote">"tvServiceClientFactory"</span> factory-method=<span
class="code-quote">"createWebClient"</span>/&gt;</span>
+
+     <span class="code-tag">&lt;bean id=<span class="code-quote">"tokenValidator"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient"</span>&gt;</span>
+         <span class="code-tag">&lt;property name=<span class="code-quote">"tokenValidatorClient"</span>
ref=<span class="code-quote">"tvServiceClient"</span>/&gt;</span>
+     <span class="code-tag">&lt;/bean&gt;</span>
+
+     <span class="code-tag">&lt;bean id=<span class="code-quote">"oauthFiler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"</span>&gt;</span>
+         <span class="code-tag">&lt;property name=<span class="code-quote">"tokenValidator"</span>
ref=<span class="code-quote">"tokenValidator"</span>/&gt;</span>
+     <span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"myApp"</span>
class=<span class="code-quote">"org.myapp.MyApp"</span>/&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server id=<span class="code-quote">"fromThirdPartyToMyApp"</span>
address=<span class="code-quote">"/thirdparty-to-myapp"</span>&gt;</span>
+   <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"myApp"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+  <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+      <span class="code-tag">&lt;ref bean=<span class="code-quote">"oauthFilter"</span>/&gt;</span>
+  <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+
 <h1><a shape="rect" name="JAX-RSOAuth2-Howtogettheuserloginname"></a>How
to get the user login name</h1>
 
 <p>When one writes a custom server application which needs to participate in OAuth2
flows, the major question which needs to be addressed is<br clear="none">
@@ -554,9 +645,9 @@ in this example OAuthServiceExceptions a
 <h1><a shape="rect" name="JAX-RSOAuth2-OAuthWithoutaBrowser"></a>OAuth
Without a Browser</h1>
 
 <p>When an end user is accessing the 3rd party application and is authorizing it later
on, it's usually expected that the user is relying on a browser. <br clear="none">
-However, supporting other types of end users is easy enough. Writing the client code that
processes the redirection requests from the 3rd party application and AuthorizationRequestService
is simple with JAX-RS and additionally CXF can be configured to do auto-redirects on the client
side.</p>
+However, supporting other types of end users is easy enough. Writing the client code that
processes the redirection requests from the 3rd party application and AuthorizationCodeGrantService
is simple with JAX-RS and additionally CXF can be configured to do auto-redirects on the client
side.</p>
 
-<p>Also note that AuthorizationRequestService can return XML or JSON <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
representations. That makes it easy for a client code to get OAuthAuthorizationData and offer
a pop-up window or get the input from the command-line. Authorizing the third-party application
might even be automated in this case - which can lead to a complete 3-leg OAuth flow implemented
without a human user being involved.</p>
+<p>Also note that AuthorizationCodeGrantService can return XML or JSON <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
representations. That makes it easy for a client code to get OAuthAuthorizationData and offer
a pop-up window or get the input from the command-line. Authorizing the third-party application
might even be automated in this case - which can lead to a complete 3-leg OAuth flow implemented
without a human user being involved.</p>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Designconsiderations"></a>Design
considerations</h1>
 
@@ -570,11 +661,11 @@ However, supporting other types of end u
 
 <p>In the former case the way the authentication is managed is completely up to the
resource server application: basic authentication, two-way TLS, OpenId (more on it below),
you name it.</p>
 
-<p>In the latter case an OAuth filter must enforce that the 3rd party client has been
registered using the provided client key and that it has a valid access token which represents
the end user's approval.  It's kind of the authentication and the authorization check at the
same time.</p>
+<p>In the latter case an OAuth filter must enforce that the 3rd party client has been
registered using the provided client key and that it has a valid access token which represents
the end user's approval.</p>
 
 <p>Letting both parties access the resource server via the same URI(s) complicates
the life for the security filters but all the parties are only aware of the single resource
server URI which all of them will use.</p>
 
-<p>Providing different access points to end users and clients may significantly simplify
the authentication process - the possible downside is that multiple access points need to
be mantained by the resource server.</p>
+<p>Providing different access points to end users and clients may significantly simplify
the authentication process - the possible downside is that multiple access points need to
be maintained by the resource server.</p>
 
 <p>Both options are discussed next.</p>
 
@@ -649,7 +740,9 @@ For example, consider the following JAX-
 
 <h2><a shape="rect" name="JAX-RSOAuth2-SingleSignOn"></a>Single Sign On</h2>
 
-<p>When dealing with authenticating the end users, having an SSO solution in place
is very handy. This is because the end user interacts with both the third-party and its resource
server web applications and is also redirected from the client application to the resource
server and back again. OpenID or say a WebBrowser SSO profile can help - CXF may offer some
support in this area. </p>
+<p>When dealing with authenticating the end users, having an SSO solution in place
is very handy. This is because the end user interacts with both the third-party and its resource
server web applications and is also redirected from the client application to the resource
server and back again. Additionally, the end user may need to authenticate with Authorization
service if it is not collocated with the application endpoints. OpenID or say a WebBrowser
SSO profile can help. </p>
+
+<p>CXF 2.6.1 provides an initial support for a SAML2 SSO profile. This will make it
easier to minimize a number of sign ins to a single attempt and run OAuth2 Authorization servers
separately from the application endpoints. </p>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>
 



Mime
View raw message