cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r864656 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Thu, 06 Jun 2013 11:48:04 GMT
Author: buildbot
Date: Thu Jun  6 11:48:04 2013
New Revision: 864656

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Jun  6 11:48:04 2013
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization
Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse">Public
Clients (Devices) and OOB Response</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MA
 C">MAC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom
and Encrypted tokens</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh
Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized acc
 ess tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered
scopes</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth
Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third
Party Client Authentication</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User
Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing
End User Subject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting
resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a
  shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without
the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting
error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatI
 sNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization
Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse">Public
Clients (Devices) and OOB Response</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MA
 C">MAC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom
and Encrypted tokens</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh
Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a
 ></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized
access tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered
scopes</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth
Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third
Party Client Authentication</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User
Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing
End User Subject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting
resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></l
 i><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without
the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting
error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-R
 SOAuth2-SingleSignOn">Single Sign On</a></li></ul></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
@@ -535,6 +535,15 @@ Authorization: MAC id=<span class="code-
 <h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService
</h3>
 <p>The  <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a CXF specific OAuth2 service for accepting the remote access token validation requests.
Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party
client and will ask AccessTokenValidationService to return the information relevant to the
current access token, before setting up a security context. More on it below.</p>
 
+<h2><a shape="rect" name="JAX-RSOAuth2-TokenRevocationService"></a>TokenRevocationService</h2>
+
+<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java">TokenRevocationService</a>
is a simple OAuth2 service supporting the clients wishing to revoke the access or refresh
tokens they own themselves, please see <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-revocation-09"
rel="nofollow">OAuth2 Token Revocation Draft</a> for more information.</p>
+
+<p>TokenRevocationService and AccessTokenService share the same code which enforces
that the clients have been correctly authenticated.</p>
+
+<p>Note, OAuthDataProvider implementations processing a revocation request should simply
ignore the invalid tokens as recommended by the specification which will let TokenRevocationService
return HTTP 200 which is done to minimize a possible attack surface (specifically for bad
clients not to see if their requests failed or succeeded) and throw the exceptions only if
the token revocation feature is not currently supported.</p>
+
+
 <h2><a shape="rect" name="JAX-RSOAuth2-SupportedGrants"></a>Supported Grants</h2>
 
 <p>The following subsections briefly describe how the well-known grant types can be
supported on the server side. Please also check the "Client Side Support" section on how to
use the related <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a>
implementations to request the access tokens.</p>
@@ -1094,11 +1103,6 @@ For example, consider the following JAX-
 <p>When dealing with authenticating the end users, having an SSO solution in place
is very handy. This is because the end user interacts with both the third-party and its resource
server web applications and is also redirected from the client application to the resource
server and back again. Additionally, the end user may need to authenticate with Authorization
service if it is not collocated with the application endpoints. OpenID or say a WebBrowser
SSO profile can help. </p>
 
 <p>CXF 2.6.1 provides an initial support for a <a shape="rect" href="http://cxf.apache.org/docs/saml-web-sso.html">SAML2
SSO profile</a>. This will make it easier to minimize a number of sign ins to a single
attempt and run OAuth2 Authorization servers separately from the application endpoints. </p>
-
-<h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>
-
-<p>Fine tuning the current OAuth 2.0 implementation will be continued and the feedback
from the implementers will be welcomed.<br clear="none">
-OAuth 2.0 grants based on SAML2 or JWT assertions, OAuth 2.0 extensions - are all of interest
to CXF.</p>
 </div>
            </div>
            <!-- Content -->



Mime
View raw message