cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r852831 - in /websites/production/cxf/content: cache/docs.pageCache docs/jaxrs-oauth2-assertions.html
Date Sun, 03 Mar 2013 19:48:11 GMT
Author: buildbot
Date: Sun Mar  3 19:48:10 2013
New Revision: 852831

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html (original)
+++ websites/production/cxf/content/docs/jaxrs-oauth2-assertions.html Sun Mar  3 19:48:10 2013
@@ -125,7 +125,7 @@ Apache CXF -- JAXRS OAuth2 Assertions
 
 
 <div>
-<ul><li><a shape="rect" href="#JAXRSOAuth2Assertions-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAXRSOAuth2Assertions-SAML2Bearer">SAML2 Bearer</a></li><ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenGrant">Access Token Grant</a></li><ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-Clientcode">Client code</a></li><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenService">Access Token Service</a></li></ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AuthenticationToken">Authentication Token</a></li></ul></ul></div>
+<ul><li><a shape="rect" href="#JAXRSOAuth2Assertions-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAXRSOAuth2Assertions-SAML2Bearer">SAML2 Bearer</a></li><ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenGrant">Access Token Grant</a></li><ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-Clientcode">Client code</a></li><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenService">Access Token Service</a></li></ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AuthenticationToken">Authentication Token</a></li><ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-ClientCode">Client Code</a></li><li><a
shape="rect" href="#JAXRSOAuth2Assertions-AccessTokenService">Access Token Service</a></li></ul></ul><li><a
shape="rect" href="#JAXRSOAuth2Assertions-ClientActingonBehalfofItself">Client Acting on
Behalf of Itself</a></li></ul></div>
 
 <h1><a shape="rect" name="JAXRSOAuth2Assertions-Introduction"></a>Introduction</h1>
 
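Review bot: the updated table of contents points two different entries at the same anchor, `#JAXRSOAuth2Assertions-AccessTokenService` (once under Access Token Grant, once under the new Authentication Token subsection), and the second hunk defines `name="JAXRSOAuth2Assertions-AccessTokenService"` again for the new subsection, so the second link will resolve to whichever section the browser finds first. Give the new subsection a distinct anchor (for example `JAXRSOAuth2Assertions-AuthTokenAccessTokenService`, name is a suggestion) and update the href. The new "Client Code" entry also uses `#JAXRSOAuth2Assertions-ClientCode` while the existing one uses `#JAXRSOAuth2Assertions-Clientcode`; the casing difference is what keeps them distinct, so it is worth a comment or a clearer naming scheme.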
@@ -242,7 +242,203 @@ ClientAccessToken at = OAuthClientUtils.
 </div></div>
 
 
-<h2><a shape="rect" name="JAXRSOAuth2Assertions-AuthenticationToken"></a>Authentication
Token</h2></div>
+<h2><a shape="rect" name="JAXRSOAuth2Assertions-AuthenticationToken"></a>Authentication
Token</h2>
+
+<p>As noted in the introduction, SAML2 Bearer assertions may also act as client authentication
credentials, when requesting an access token, irrespectively of the actual grant type. For
example: </p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+POST /token HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=authorization_code
+&amp;code=12345678
+&amp;client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
+&amp;client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
+</pre>
+</div></div>
+
+<p>Note "client_assertion_type" with a value "urn:ietf:params:oauth:client-assertion-type:saml2-bearer"
indicates that the type of assertion used as an authentication token is "urn:ietf:params:oauth:client-assertion-type:saml2-bearer",
while the "client_assertion" parameter carries the actual value of the token.   </p>
+
+<h3><a shape="rect" name="JAXRSOAuth2Assertions-ClientCode"></a>Client
Code</h3>
+
+<p>The following example shows how to use SAML2 Bearer assertion as an authentication
token:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+<span class="code-keyword">import</span> org.apache.cxf.jaxrs.client.WebClient;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.common.CryptoLoader;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrant;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.saml.Base64Utility;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.saml.Constants;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.saml.SAMLUtils;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.saml.SAMLUtils.SelfSignInfo;
+<span class="code-keyword">import</span> org.apache.ws.security.components.crypto.Crypto;
+
+<span class="code-comment">//1: create web client
+</span><span class="code-object">String</span> address = <span class="code-quote">"https:<span
class="code-comment">//localhost:8080/oauth2/token"</span>;
+</span>WebClient wc = WebClient.create(address);
+wc.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
+
+<span class="code-comment">//2. Create and self-sign SAML assertion        
+</span>Crypto crypto = <span class="code-keyword">new</span> CryptoLoader().loadCrypto(CRYPTO_RESOURCE_PROPERTIES);
+SelfSignInfo signInfo = <span class="code-keyword">new</span> SelfSignInfo(crypto,
<span class="code-quote">"alice"</span>, <span class="code-quote">"password"</span>);

+        
+<span class="code-object">String</span> assertion =  SAMLUtils.createAssertion(<span
class="code-keyword">new</span> SamlCallbackHandler(),
+                                              signInfo).assertionToString();
+
+<span class="code-comment">// 3. Base64Url-encode it
+</span><span class="code-object">String</span> encodedAssertion = Base64UrlUtility.encode(assertion);
+        
+Map&lt;<span class="code-object">String</span>, <span class="code-object">String</span>&gt;
extraParams = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>,
<span class="code-object">String</span>&gt;();
+extraParams.put(Constants.CLIENT_AUTH_ASSERTION_TYPE, Constants.CLIENT_AUTH_SAML2_BEARER);
+extraParams.put(Constants.CLIENT_AUTH_ASSERTION_PARAM, encodedAssertion);
+
+<span class="code-comment">// Use whatever token grant is required 
+</span>AccessTokenGrant accessTokenGrant = ...
+       
+ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, 
+                                                       accessTokenGrant,
+                                                       extraParams);
+</pre>
+</div></div>
+
+<p>The above code is similar to the example when SAML2 Bearer assertion is used as
a grant except that this time the assertion is Base64Url-encoded in the code - note steps
2 and likely 3 will not be required when the assertion came from IP.<br clear="none">
+Next, the encoded assertion is used as part of the token request payload, note that it does
not matter what grant type is actually used.</p>
+
+<p>A different approach to dealing with the assertion directly in the client code is
to use org.apache.cxf.rs.security.oauth2.auth.saml.Saml2BearerAuthOutInterceptor interceptor
which will add the assertion to the existing form payload, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
+
+Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;
properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>,
<span class="code-object">Object</span>&gt;();
+properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,

+               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
+properties.put(<span class="code-quote">"ws-security.saml-callback-handler"</span>,

+               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.oauth2.SamlCallbackHandler2"</span>);
+properties.put(<span class="code-quote">"ws-security.signature.username"</span>,
<span class="code-quote">"alice"</span>);
+properties.put(<span class="code-quote">"ws-security.signature.properties"</span>,
CRYPTO_RESOURCE_PROPERTIES);
+properties.put(<span class="code-quote">"ws-security.self-sign-saml-assertion"</span>,
<span class="code-quote">"<span class="code-keyword">true</span>"</span>);
+bean.setProperties(properties);
+        
+bean.getOutInterceptors().add(<span class="code-keyword">new</span> Saml2BearerAuthOutInterceptor());
+        
+WebClient wc = bean.createWebClient();
+wc.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
+
+<span class="code-comment">// Use whatever token grant is required 
+</span>AccessTokenGrant accessTokenGrant = ...
+       
+ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, 
+                                                       accessTokenGrant);
+</pre>
+</div></div> 
+
+<h3><a shape="rect" name="JAXRSOAuth2Assertions-AccessTokenService"></a>Access
Token Service</h3>
+
+<p>Here is how one may configure Access Token Service:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;bean id=<span class="code-quote">"dataProvider"</span>
class=<span class="code-quote">"org.apache.cxf.systest.jaxrs.security.oauth2.OAuthDataProviderImpl"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"oauthJson"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"</span>/&gt;</span>
+<span class="code-tag">&lt;bean id=<span class="code-quote">"samlAuthHandler"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.auth.saml.Saml2BearerAuthHandler"</span>/&gt;</span>
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"serviceBean"</span>
class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>&gt;</span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"dataProvider"</span>
ref=<span class="code-quote">"dataProvider"</span>/&gt;</span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"grantHandlers"</span>&gt;</span>
+     <span class="code-tag">&lt;list&gt;</span>
+       <span class="code-tag"><span class="code-comment">&lt;!-- list of
required grant handlers --&gt;</span></span>
+     <span class="code-tag">&lt;/list&gt;</span>
+  <span class="code-tag">&lt;/property&gt;</span>
+<span class="code-tag">&lt;/bean&gt;</span>
+
+&lt;jaxrs:server 
+       address=<span class="code-quote">"https://localhost:${testutil.ports.jaxrs-oauth2}/oauth2-auth"</span>&gt;

+       <span class="code-tag">&lt;jaxrs:serviceBeans&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"serviceBean"</span>/&gt;</span>
+       <span class="code-tag">&lt;/jaxrs:serviceBeans&gt;</span>
+       <span class="code-tag">&lt;jaxrs:providers&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"oauthJson"</span>/&gt;</span>
+          <span class="code-tag">&lt;ref bean=<span class="code-quote">"samlAuthHandler"</span>/&gt;</span>
+       <span class="code-tag">&lt;/jaxrs:providers&gt;</span>
+       
+       <span class="code-tag">&lt;jaxrs:properties&gt;</span>
+           &lt;entry key=<span class="code-quote">"ws-security.signature.properties"</span>

+                  value=<span class="code-quote">"org/apache/cxf/systest/jaxrs/security/alice.properties"</span>/&gt;
+       <span class="code-tag">&lt;/jaxrs:properties&gt;</span>
+        
+<span class="code-tag">&lt;/jaxrs:server&gt;</span>
+</pre>
+</div></div>
+
+<h1><a shape="rect" name="JAXRSOAuth2Assertions-ClientActingonBehalfofItself"></a>Client
Acting on Behalf of Itself</h1>
+
+<p>In the <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-assertions-10#section-6.2"
rel="nofollow">Client Acting on Behalf of Itself</a> use either org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerClientCredentialsGrant
:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+<span class="code-keyword">import</span> org.apache.cxf.jaxrs.client.WebClient;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.common.CryptoLoader;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerClientCredentialsGrant;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.saml.SAMLUtils;
+<span class="code-keyword">import</span> org.apache.cxf.rs.security.saml.SAMLUtils.SelfSignInfo;
+<span class="code-keyword">import</span> org.apache.ws.security.components.crypto.Crypto;
+
+<span class="code-comment">//1: create web client
+</span><span class="code-object">String</span> address = <span class="code-quote">"https:<span
class="code-comment">//localhost:8080/oauth2/token"</span>;
+</span>WebClient wc = WebClient.create(address);
+wc.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
+
+<span class="code-comment">//2. Create and self-sign SAML assertion        
+</span>Crypto crypto = <span class="code-keyword">new</span> CryptoLoader().loadCrypto(CRYPTO_RESOURCE_PROPERTIES);
+SelfSignInfo signInfo = <span class="code-keyword">new</span> SelfSignInfo(crypto,
<span class="code-quote">"alice"</span>, <span class="code-quote">"password"</span>);

+        
+<span class="code-object">String</span> assertion =  SAMLUtils.createAssertion(<span
class="code-keyword">new</span> SamlCallbackHandler(),
+                                              signInfo).assertionToString();
+
+AccessTokenGrant accessTokenGrant = <span class="code-keyword">new</span> Saml2BearerClientCredentialsGrant(assertion);
+       
+ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, 
+                                                       accessTokenGrant,
+                                                       extraParams);
+</pre>
+</div></div>
+
+<p>or ClientCredentialsGrant in combination with Saml2BearerAuthOutInterceptor:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+JAXRSClientFactoryBean bean = <span class="code-keyword">new</span> JAXRSClientFactoryBean();
+
+Map&lt;<span class="code-object">String</span>, <span class="code-object">Object</span>&gt;
properties = <span class="code-keyword">new</span> HashMap&lt;<span class="code-object">String</span>,
<span class="code-object">Object</span>&gt;();
+properties.put(<span class="code-quote">"ws-security.callback-handler"</span>,

+               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.saml.KeystorePasswordCallback"</span>);
+properties.put(<span class="code-quote">"ws-security.saml-callback-handler"</span>,

+               <span class="code-quote">"org.apache.cxf.systest.jaxrs.security.oauth2.SamlCallbackHandler2"</span>);
+properties.put(<span class="code-quote">"ws-security.signature.username"</span>,
<span class="code-quote">"alice"</span>);
+properties.put(<span class="code-quote">"ws-security.signature.properties"</span>,
CRYPTO_RESOURCE_PROPERTIES);
+properties.put(<span class="code-quote">"ws-security.self-sign-saml-assertion"</span>,
<span class="code-quote">"<span class="code-keyword">true</span>"</span>);
+bean.setProperties(properties);
+        
+bean.getOutInterceptors().add(<span class="code-keyword">new</span> Saml2BearerAuthOutInterceptor());
+        
+WebClient wc = bean.createWebClient();
+wc.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
+
+<span class="code-comment">// Use whatever token grant is required 
+</span>AccessTokenGrant accessTokenGrant = <span class="code-keyword">new</span>
ClientCredentialsGrant();
+       
+ClientAccessToken at = OAuthClientUtils.getAccessToken(wc, accessTokenGrant);
+</pre>
+</div></div> </div>
            </div>
            <!-- Content -->
          </td>
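Review bot: in the Saml2BearerClientCredentialsGrant example, `OAuthClientUtils.getAccessToken(wc, accessTokenGrant, extraParams)` references `extraParams`, which is never declared in that block; the assertion is already carried by the grant, so the third argument should be dropped to match the two-argument call in the interceptor example that follows. In the Authentication Token client example the import is `org.apache.cxf.rs.security.oauth2.saml.Base64Utility` but the code calls `Base64UrlUtility.encode(assertion)`, so one of the two is wrong, and the `Saml2BearerGrant` import is unused; `MediaType`, `Map` and `HashMap` are used without imports, and `SamlCallbackHandler` and `CRYPTO_RESOURCE_PROPERTIES` are never defined, so the text should say they are test fixtures the reader supplies. Two prose points: "when the assertion came from IP" should spell out what IP stands for, and "In the Client Acting on Behalf of Itself use either org.apache...Saml2BearerClientCredentialsGrant :" is an incomplete sentence (suggest "...use either Saml2BearerClientCredentialsGrant:" followed by the block, then "or ClientCredentialsGrant in combination with Saml2BearerAuthOutInterceptor:"). The explanation of `client_assertion_type` is circular (it says the type is the same URN it was just given); say instead that the URN identifies the assertion as a SAML2 Bearer assertion. Finally, the Access Token Service configuration registers `Saml2BearerAuthHandler` as a provider and sets `ws-security.signature.properties`, but the text never states what the handler uses those properties for or what it validates before accepting the assertion as client credentials; one sentence on that is the piece a reader deploying this will most need.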


