cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r880659 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-basics.html docs/jax-rs-oauth2.html
Date Tue, 01 Oct 2013 12:48:15 GMT
Author: buildbot
Date: Tue Oct  1 12:48:15 2013
New Revision: 880659

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-basics.html
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-basics.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-basics.html (original)
+++ websites/production/cxf/content/docs/jax-rs-basics.html Tue Oct  1 12:48:15 2013
@@ -133,7 +133,7 @@ Apache CXF -- JAX-RS Basics
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
JAX-RS : Understanding the Basics </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSBasics-WhatisNewinJAXRS2.0">What is
New in JAX-RS 2.0</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-ClientAPI">Client
API</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-AsynchronousAPI">Asynchronous
API</a></li><li><a shape="rect" href="#JAX-RSBasics-Responseinterfaceupdates">Response
interface updates</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Filters">Filters</a></li><li><a
shape="rect" href="#JAX-RSBasics-Interceptors">Interceptors</a></li><li><a
shape="rect" href="#JAX-RSBasics-DynamicFeatures">Dynamic Features</a></li><li><a
shape="rect" href="#JAX-RSBasics-Exceptions">Exceptions</a></li><li><a
shape="rect" href="#JAX-RSBasics-Suspendedinvocations">Suspended invocations</a></li><li><a
shape="rect" href="#JAX-RSBasics-Parameterconverters">Parameter converters</a></li><li><a
shape="rect" href="#JAX-RSBasics-Beanparameters">Bean parameters</a></li><li><a
shape="rect" href="#JAX-RSBasics-Updatestothematchingalgorithm">Update
 s to the matching algorithm</a></li><li><a shape="rect" href="#JAX-RSBasics-Injectionintosubresources">Injection
into subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Resourceclass">Resource
class</a></li><li><a shape="rect" href="#JAX-RSBasics-@Path">@Path</a></li><li><a
shape="rect" href="#JAX-RSBasics-HTTPMethod">HTTP Method</a></li><li><a
shape="rect" href="#JAX-RSBasics-Returntypes">Return types</a></li><li><a
shape="rect" href="#JAX-RSBasics-Exceptionhandling">Exception handling</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-CustomizingdefaultWebApplicationExceptionmapper">Customizing
default WebApplicationException mapper</a></li></ul><li><a shape="rect"
href="#JAX-RSBasics-DealingwithParameters">Dealing with Parameters</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-Parameterbeans">Parameter beans</a></li></ul><li><a
shape="rect" href="#JAX-RSBasics-Resourcelifecycles">Resource lifecycles</a></li><li><a
shape="rect" href="#JAX-RSBasics-Overviewofthe
 selectionalgorithm.">Overview of the selection algorithm.</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourceclasses">Selecting between
multiple resource classes</a></li><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourcemethods">Selecting
between multiple resource methods</a></li><li><a shape="rect" href="#JAX-RSBasics-Resourcemethodsandmediatypes">Resource
methods and media types</a></li><li><a shape="rect" href="#JAX-RSBasics-Customselectionbetweenmultipleresources">Custom
selection between multiple resources</a></li></ul><li><a shape="rect"
href="#JAX-RSBasics-Contextannotations">Context annotations</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-CustomContexts">Custom Contexts</a></li></ul><li><a
shape="rect" href="#JAX-RSBasics-URIcalculationusingUriInfoandUriBuilder">URI calculation
using UriInfo and UriBuilder</a></li><li><a shape="rect" href="#JAX-RSBasics-Annotationinheritance">Annotation
inheritance</a></li><li><a 
 shape="rect" href="#JAX-RSBasics-Subresourcelocators.">Sub-resource locators.</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-Staticresolutionofsubresources">Static resolution of subresources</a></li></ul><li><a
shape="rect" href="#JAX-RSBasics-MessageBodyProviders">Message Body Providers</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-CustomMessageBodyProviders">Custom Message Body Providers</a></li><li><a
shape="rect" href="#JAX-RSBasics-Registeringcustomproviders">Registering custom providers</a></li></ul><li><a
shape="rect" href="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders">Customizing
media types for message body providers</a></li><li><a shape="rect" href="#JAX-RSBasics-AdvancedHTTP">Advanced
HTTP</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSBasics-WhatisNewinJAXRS2.0">What is
New in JAX-RS 2.0</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-ClientAPI">Client
API</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-AsynchronousAPI">Asynchronous
API</a></li><li><a shape="rect" href="#JAX-RSBasics-Responseinterfaceupdates">Response
interface updates</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Filters">Filters</a></li><li><a
shape="rect" href="#JAX-RSBasics-Interceptors">Interceptors</a></li><li><a
shape="rect" href="#JAX-RSBasics-DynamicFeatures">Dynamic Features</a></li><li><a
shape="rect" href="#JAX-RSBasics-Exceptions">Exceptions</a></li><li><a
shape="rect" href="#JAX-RSBasics-Suspendedinvocations">Suspended invocations</a></li><li><a
shape="rect" href="#JAX-RSBasics-Parameterconverters">Parameter converters</a></li><li><a
shape="rect" href="#JAX-RSBasics-Beanparameters">Bean parameters</a></li><li><a
shape="rect" href="#JAX-RSBasics-Updatestothematchingalgorithm">Update
 s to the matching algorithm</a></li><li><a shape="rect" href="#JAX-RSBasics-Injectionintosubresources">Injection
into subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Resourceclass">Resource
class</a></li><li><a shape="rect" href="#JAX-RSBasics-@Path">@Path</a></li><li><a
shape="rect" href="#JAX-RSBasics-HTTPMethod">HTTP Method</a></li><li><a
shape="rect" href="#JAX-RSBasics-Returntypes">Return types</a></li><li><a
shape="rect" href="#JAX-RSBasics-Exceptionhandling">Exception handling</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-MappingexceptionsthrownfromCXFinterceptors">Mapping exceptions
thrown from CXF interceptors</a></li><li><a shape="rect" href="#JAX-RSBasics-CustomizingdefaultWebApplicationExceptionmapper">Customizing
default WebApplicationException mapper</a></li></ul><li><a shape="rect"
href="#JAX-RSBasics-DealingwithParameters">Dealing with Parameters</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-Parameterbeans">Parameter beans</a></li></ul><
 li><a shape="rect" href="#JAX-RSBasics-Resourcelifecycles">Resource lifecycles</a></li><li><a
shape="rect" href="#JAX-RSBasics-Overviewoftheselectionalgorithm.">Overview of the selection
algorithm.</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourceclasses">Selecting
between multiple resource classes</a></li><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourcemethods">Selecting
between multiple resource methods</a></li><li><a shape="rect" href="#JAX-RSBasics-Resourcemethodsandmediatypes">Resource
methods and media types</a></li><li><a shape="rect" href="#JAX-RSBasics-Customselectionbetweenmultipleresources">Custom
selection between multiple resources</a></li></ul><li><a shape="rect"
href="#JAX-RSBasics-Contextannotations">Context annotations</a></li><ul><li><a
shape="rect" href="#JAX-RSBasics-CustomContexts">Custom Contexts</a></li></ul><li><a
shape="rect" href="#JAX-RSBasics-URIcalculationusingUriInfoandUriBuilder">URI calculatio
 n using UriInfo and UriBuilder</a></li><li><a shape="rect" href="#JAX-RSBasics-Annotationinheritance">Annotation
inheritance</a></li><li><a shape="rect" href="#JAX-RSBasics-Subresourcelocators.">Sub-resource
locators.</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Staticresolutionofsubresources">Static
resolution of subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-MessageBodyProviders">Message
Body Providers</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-CustomMessageBodyProviders">Custom
Message Body Providers</a></li><li><a shape="rect" href="#JAX-RSBasics-Registeringcustomproviders">Registering
custom providers</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders">Customizing
media types for message body providers</a></li><li><a shape="rect" href="#JAX-RSBasics-AdvancedHTTP">Advanced
HTTP</a></li></ul></div>
 
 <h1><a shape="rect" name="JAX-RSBasics-WhatisNewinJAXRS2.0"></a>What is
New in JAX-RS 2.0</h1>
 
@@ -329,14 +329,21 @@ public BookExceptionMapper implements Ex
 
 <p>Have a look please at <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecurityExceptionMapper.java">this
exception mapper</a> which converts Spring Security exceptions into HTTP 403 error code
for another example.</p>
 
-<p>Note that when no mappers are found for custom exceptions, they are propagated (wrapped
in ServletException) to the underlying container as required by the specification. Thus one
option for intercepting the exceptions is to register a custom servlet filter which will catch
ServletExceptions and handle the causes. If no custom servlet filter which can handle ServletExceptions
is available then most likely only 500 error status will be reported. </p>
+<p>Note that when no mappers are found for custom exceptions, they are propagated to
the underlying container as required by the specification where they will typically be wrapped
in ServlerException, eventually resulting in HTTP 500 status being returned by default. Thus
one option for intercepting the exceptions is to register a custom servlet filter which will
catch ServletExceptions and handle the causes.</p>
 
 <p>This propagation can be disabled by registering a boolean jaxrs property 'org.apache.cxf.propagate.exception'
with a false value. If such property is set and no exception mapper can be found for a given
exception then it will be wrapped into an xml error response by the CXF <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/bindings/xml/src/main/java/org/apache/cxf/binding/xml/interceptor/XMLFaultOutInterceptor.java">XMLFaultOutInterceptor</a>.
</p>
 
-<p><b>Note</b> that before CXF 2.3.2(-SNAPSHOT) and CXF 2.4.0(-SNAPSHOT)
a property "org.apache.cxf.propogate.exception" has to be used if needed. However the property
name now includes a more common 'propagate' word. </p>
-
 <p>One can also register a custom CXF out fault interceptor which can handle all the
exceptions by writing directly to the HttpServletResponse stream or XMLStreamWriter (as XMLFaultOutInterceptor
does). For example, see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomOutFaultInterceptor.java">test
interceptor</a>.</p>
 
+<h2><a shape="rect" name="JAX-RSBasics-MappingexceptionsthrownfromCXFinterceptors"></a>Mapping
exceptions thrown from CXF interceptors</h2>
+
+<p>Starting from CXF 2.7.8 it is also possible to use registered ExceptionMappers to
map the exceptions thrown from CXF server in interceptors which are registered after JAXRSInInterceptor
(Phase.UNMARSHAL) and out interceptors registered before JAXRSOutInterceptor (Phase.MARSHAL).<br
clear="none">
+In earlier CXF versions such exceptions are only possible to handle with CXF fault in interceptors.</p>
+
+<p>In order to get the exceptions thrown from CXF in interceptors mapped, set a "map.cxf.interceptor.fault"
contextual property to true - needed in CXF 2.7.8 to ensure existing in fault interceptors
are not affected; the mapping is done by default starting from CXF 3.0.0.</p>
+
+<p>In order to get the exceptions thrown from CXF out interceptors mapped, add org.apache.cxf.jaxrs.interceptor.JAXRSOutExceptionMapperInterceptor
to the list of out interceptors.</p>
+
 <h2><a shape="rect" name="JAX-RSBasics-CustomizingdefaultWebApplicationExceptionmapper"></a>Customizing
default WebApplicationException mapper</h2>
 
 <p>CXF ships a WebApplicationException mapper, org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper.
By default it logs a stack trace at a warning level and returns Response available in the
captured exception.<br clear="none">
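Review bot: The added paragraph on unmapped exceptions misspells the class name as "ServlerException"; it should read "ServletException", matching "catch ServletExceptions" later in the same paragraph. In the new "Mapping exceptions thrown from CXF interceptors" section, "CXF in interceptors" and "existing in fault interceptors" are easy to misread as ordinary prose, so "inbound interceptors" or "in-interceptors" would be clearer, and the paragraph on JAXRSOutExceptionMapperInterceptor does not say whether it also requires CXF 2.7.8. The hunk also drops the note about the older "org.apache.cxf.propogate.exception" spelling, so readers on releases before 2.3.2/2.4.0 no longer learn which property name applies to them; consider keeping a one-line pointer.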

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue Oct  1 12:48:15 2013
@@ -134,7 +134,7 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization
Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse">Public
Clients (Devices) and OOB Response</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MAC">MAC</
 a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom
and Encrypted tokens</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password
Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh
Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><
 a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered scopes</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End
User Subject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting
resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" hr
 ef="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without
the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting
error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sig
 n On</a></li></ul></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization
Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients%28Devices%29">Public
Clients (Devices)</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-OOBResponse">OOB
Response</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure
code acquisition with redirect URI</a></li></ul></ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" hr
 ef="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MAC">MAC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom
and Encrypted tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SimpleTokensandAudience">Simple
Tokens and Audience</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredential
 s">Resource Owner Password Credentials</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered scopes</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End
User Sub
 ject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting
resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting
error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the sam
 e access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
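Review bot: The table-of-contents entry for public clients changes its fragment from "#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse" to "#JAX-RSOAuth2-PublicClients%28Devices%29", so existing deep links to the old fragment will no longer land on a section. If the heading split is intended, consider keeping an additional named anchor with the old name next to the new "OOB Response" heading so that bookmarked and externally referenced links keep working.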
@@ -323,13 +323,17 @@ Cookie=[JSESSIONID=1c289vha0cxfe],
 <p>You may want to display a resource owner/end user name in the authorization form
this user will be facing, you can get org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider
registered with either AuthorizationCodeGrantService or ImplicitGrantService.<br clear="none">
 org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider, if registered,
will return an actual login name, the custom implementations may choose to return a  complete
user name instead, etc.   </p>
 
-<h3><a shape="rect" name="JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse"></a>Public
Clients (Devices) and OOB Response</h3>
+<h3><a shape="rect" name="JAX-RSOAuth2-PublicClients%28Devices%29"></a>Public
Clients (Devices) </h3>
 
-<p>Starting from CXF 2.7.6, the authorization code can be returned out-of-band (OOB),
see <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a>
bean. By default, it is returned directly to the end user, unless a custom <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a>
is registered with AuthorizationCodeGrantService which may deliver it to the client via some
custom back channel. </p>
+<p>CXF 2.7.7 provides an initial support for public clients (such as various mobile
devices).</p>
 
-<p>Authorization service will only return the code OOB if a Client has been registered
as a public client with no client secret and redirect URI and the service itself has a "canSupportPublicClients"
property enabled. The same property will also have to be enabled on AccessTokenService (described
in the next section) for a public client without a secret be able to exchange a code grant
for an access token.</p>
+<p>Client can be 'public' if it has been registered as a public client with no client
secret the service itself has a "canSupportPublicClients" property enabled. The same property
will also have to be enabled on AccessTokenService (described in the next section) for a public
client without a secret be able to exchange a code grant for an access token.</p>
 
-<p>Having OOB responses supported is useful when a public client (typically a device
which can not keep the client secrets) needs to get a code grant. what will happen is that
a device owner will send a request to Authorization Service which may look like this:</p>
+<h4><a shape="rect" name="JAX-RSOAuth2-OOBResponse"></a>OOB Response</h4>
+
+<p>If a public client has not registered a redirect URI with the Authorization service
then the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a>
bean. By default, it is returned directly to the end user, unless a custom <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a>
is registered with AuthorizationCodeGrantService which may deliver it to the client via some
custom back channel. </p>
+
+<p>Having OOB responses supported is useful when a public client (typically a device
which can not keep the client secrets and where no redirect URI is supported) needs to get
a code grant. What will happen is that a device owner will send a request to Authorization
Service which may look like this:</p>
 <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
 <pre>GET
 http://localhost:8080/services/social/authorize?client_id=mobileClient&amp;response_type=code
  
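Review bot: In the rewritten paragraph starting "Client can be 'public'", the text "with no client secret the service itself has" has lost the "and" that joined the two conditions in the removed version, so it is no longer clear that both the secret-less registration and the "canSupportPublicClients" property are required. Suggest: with no client secret and the service itself has a "canSupportPublicClients" property enabled. The removed text dated OOB delivery to CXF 2.7.6, while the new introduction dates initial public client support to CXF 2.7.7 and the new "OOB Response" section carries no version at all; stating which release first returns the code out-of-band would remove the ambiguity.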
@@ -338,6 +342,12 @@ http://localhost:8080/services/social/au
 
 <p>Assuming the 'mobileClient' has been registered as public one with no secret and
the service has been set up to support such clients, the end user will get a chance to authorize
this client the same way it can do confidential clients, and after this user gets back a code
(delivered directly in the response HTML page by default) the user will enter the code securely
into the device which will then replace it for a time-scoped access token by contacting AccessTokenService.
</p>
 
+<h4><a shape="rect" name="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI"></a>Secure
code acquisition with redirect URI</h4>
+
+<p>The following <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01"
rel="nofollow">extension</a> is supported to help public clients with redirect URIs
to accept the code securely.<br clear="none">
+Note this extension will likely introduce the HMAC calculation in the next drafts, but the
current approach can already help.  </p>
+
+
 <h2><a shape="rect" name="JAX-RSOAuth2-AccessTokenService"></a>AccessTokenService
</h2>
 
 <p>The role of AccessTokenService is to exchange a token grant for a new access token
which will be used by the client to access the end user's resources. <br clear="none">
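Review bot: The new "Secure code acquisition with redirect URI" section only links to draft-sakimura-oauth-tcse-01 and says the extension is supported, without saying which request parameters a client sends, which service setting enables it, or from which CXF release it is available. Since this is the only guidance on the page for public clients that do use a redirect URI, a short request example in the style of the OOB one earlier on the page would make it usable. The remark that the extension "will likely introduce the HMAC calculation in the next drafts" is a prediction about a moving specification; it would be safer to state which draft revision the implementation tracks.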
@@ -541,6 +551,11 @@ Authorization: MAC id="5b5c8e677413277c4
 
 <p>The cost of encrypting and decrypting will add up to the processing time - however
the provider will not be actually responsible for storing the access token details which can
start making a difference with a high number of clients.</p>
 
+<h4><a shape="rect" name="JAX-RSOAuth2-SimpleTokensandAudience"></a>Simple
Tokens and Audience</h4>
+
+<p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00"
rel="nofollow">audience</a> parameter is supported during the client token requests.</p>
+
+
 <h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService
</h3>
 <p>The  <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a CXF specific OAuth2 service for accepting the remote access token validation requests.
Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party
client and will ask AccessTokenValidationService to return the information relevant to the
current access token, before setting up a security context. More on it below.</p>
 
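Review bot: The heading added here is "Simple Tokens and Audience", but the body is a single sentence about an "audience" parameter and never says what a simple token is or how it relates to the audience. The sentence also leaves out what the server does with the parameter, for example whether a token request naming an unexpected audience is rejected, which is the part a deployer needs to know. Either expand the paragraph to cover both terms or rename the heading to match what is actually documented.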


