cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r919902 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Wed, 20 Aug 2014 12:46:52 GMT
Author: buildbot
Date: Wed Aug 20 12:46:52 2014
New Revision: 919902

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Wed Aug 20 12:46:52 2014
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1408383989827 {padding: 0px;}
-div.rbtoc1408383989827 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1408383989827 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1408538785810 {padding: 0px;}
+div.rbtoc1408538785810 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1408538785810 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1408383989827">
+/*]]>*/</style></p><div class="toc-macro rbtoc1408538785810">
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS:
OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization
Service</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser
Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public
Clients (Devices)</a>
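Review bot: The only change in this hunk is the Confluence-generated TOC class id, in the three CSS rules and on the toc-macro div (rbtoc1408383989827 becomes rbtoc1408538785810), so it carries no documentation change. The numeric suffix looks like a per-export timestamp. If the export can emit a stable class name, or the buildbot can skip a page whose only difference is this id, the real content changes in the later hunks become easier to find in review.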
@@ -342,7 +342,7 @@ Authorization: MAC id=&quot;5b5c8e677413
                    mac=&quot;W7bdMZbv9UWOTadASIQHagZyirA=&quot;
                    ts=&quot;12345678&quot; 
 ]]></script>
-</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4
id="JAX-RSOAuth2-Encryptedtokens">Encrypted tokens</h4><p>Typically, the tokens
are persisted in the storage. The alternative approach is to completely encrypt the token
state and return the encrypted representation back to a client: the processing time to do
with the encryption and decryption might increase but the server wins on avoiding the DB /
storage lookups.&#160;&#160; &#160;</p><p>CXF 3.0.0-milestone2 introduces
the utility support for encrypting the state of BearerAccessToken and RefreshToken.</p><p>The
tokens can be encrypted and decrypted with symmetric (secret) keys or certificates (public
and private keys) and the combination of certificates and secret keys.</p><p><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/ModelEncryptionSupport.java">ModelEncryptionSupport</a>
c
 an be used to encrypt the tokens using the custom serialization format. <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtils.java">EncryptionUtils</a>
can be used directly if the alternative serialization format is preferred. &#160;</p><p>Note
that ServerAuthorizationGrant and Client can also be encrypted.</p><h5 id="JAX-RSOAuth2-UsingSecretKeys">Using
Secret Keys</h5><p>The simplest strategy is to encrypt and decrypt the tokens
with the symmetric/secret keys. Every new token can be encrypted with a unique secret key
or all of them can be encrypted with a single secret key. The utilities provide few methods
for creating secret keys with the default and advanced properties, in addition there are many
examples around on how to create the keys with the specific properties.</p><p>For
example, see <a shape="rect" class="external-link" href="http://svn.
 apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptingDataProvider.java">EncryptingDataProvider</a>:</p><p>&#160;</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4
id="JAX-RSOAuth2-Encryptedtokens">Encrypted tokens</h4><p>Typically, the tokens
are persisted in the storage. The alternative approach is to completely encrypt the token
state and return the encrypted representation back to a client: the processing time to do
with the encryption and decryption might increase but the server wins on avoiding the DB /
storage lookups.&#160;&#160; &#160;</p><p>CXF 3.0.0-milestone2 introduces
the utility support for encrypting the state of BearerAccessToken and RefreshToken.</p><p>The
tokens can be encrypted and decrypted with symmetric (secret) keys or certificates (public
and private keys) and the combination of certificates and secret keys.</p><p><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/ModelEncryptionSupport.java">ModelEncryptionSupport</a>
c
 an be used to encrypt the tokens using the custom serialization format. <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtils.java">EncryptionUtils</a>
can be used directly if the alternative serialization format is preferred. &#160;</p><p>Note
that ServerAuthorizationGrant and Client can also be encrypted.</p><h5 id="JAX-RSOAuth2-UsingSecretKeys">Using
Secret Keys</h5><p>The simplest strategy is to encrypt and decrypt the tokens
with the symmetric/secret keys. Every new token can be encrypted with a unique secret key
or all of them can be encrypted with a single secret key. The utilities provide few methods
for creating secret keys with the default and advanced properties, in addition there are many
examples around on how to create the keys with the specific properties.</p><p>For
example, see org.apache.cxf.rs.security.oauth2.grants.code.DefaultEn
 cryptingCodeDataProvider and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider
which are shipped starting from CXF 3.0.2.</p><p>Here is a typical code demonstrating
how the encryption/decryption works:</p><p>&#160;</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[SecretKey
key = EncryptionUtils.getSecretKey();
 
 // create a new token, encrypt its state and return
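Review bot: In the added "For example, see ..." paragraph, DefaultEncryptingCodeDataProvider and DefaultEncryptingOAuthDataProvider appear as plain text, whereas the removed line linked EncryptingDataProvider and the neighbouring ModelEncryptionSupport and EncryptionUtils references are still links. Linking the two new classes to their sources would keep a pointer the reader can follow. "Here is a typical code demonstrating" should read "Here is typical code demonstrating". Since the sample that follows starts from EncryptionUtils.getSecretKey() and the encrypted state is returned to the client, a sentence on how the key is retained for later decryption (per token or one shared key, as the paragraph above allows) would close the gap.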
@@ -366,7 +366,7 @@ ModelEncryptionSupport.decryptAccessToke
    // OAuthDataProvider methods
 }
 ]]></script>
-</div></div><p>CustomOAuthProvider will also remove all tokens associated
with a given Client in removeClient(String cliendId).</p><p>Finally OAuthDataProvider
may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s.
AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes
are used in the first place). In the former case AuthorizationCodeGrantService will use this
list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos
 /asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s
is that some of the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData
handlers.</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>&#160;</p><p>Starting
from CXF 3.0.2 default Ehcache-based OAuthDataProvider and AuthorizationCodeDataProvider implementations
are shipped:</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider
and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider.</p><p>Users
who are happy with using EHCache are encouraged to experiment with these default providers,
customize them if needed and provide the feedback.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth
Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations
and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 se
 rver. <br clear="none"> Most likely, you'd want to deploy AccessTokenService as an
independent JAX-RS endpoint, for example:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>CustomOAuthProvider will also remove all tokens associated
with a given Client in removeClient(String cliendId).</p><p>Finally OAuthDataProvider
may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s.
AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes
are used in the first place). In the former case AuthorizationCodeGrantService will use this
list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos
 /asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s
is that some of the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData
handlers.</p><h3 id="JAX-RSOAuth2-DefaultProviders">Default Providers</h3><p>&#160;</p><p>Starting
from CXF 3.0.2 default Ehcache-based and encrypting&#160; OAuthDataProvider and AuthorizationCodeDataProvider
implementations are shipped.</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider
and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider use
Ehcache to store grant, client, access and refresh token data.</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider
and&#160;org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider
use an auto-generated or provided Java symmetric SecretKey to store</p><p>grant,
access and refresh token data.</p><
 p>Users are encouraged to experiment with these default providers, customize them if needed
and provide the feedback.</p><p>Users implementing their own persistence strategy
may consider extending org.apache.cxf.rs.security.oauth2.grants.code.AbstractAuthorizationCodeDataProvider
or org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider - these classes might
help with taking care of some basic data initialization and check routines.</p><h2
id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS endpoints</h2><p>With
CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place,
it is time to deploy the OAuth2 server. <br clear="none"> Most likely, you'd want to
deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
 <script class="theme: Default; brush: xml; gutter: false" type="syntaxhighlighter"><![CDATA[&lt;!--
implements OAuthDataProvider --&gt;
 &lt;bean id=&quot;oauthProvider&quot; class=&quot;oauth.manager.OAuthManager&quot;/&gt;
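Review bot: In the added Default Providers text, the sentence about the encrypting providers is split across two paragraphs at "SecretKey to store</p><p>grant, access and refresh token data", which will render as a broken sentence; it should be one paragraph. The wording also says the key is used "to store" the data, while the Encrypted tokens section describes encrypting the state and returning it to the client, so "to encrypt" would be more accurate. The text should also say what happens to an auto-generated key across restarts. Smaller points: there is a stray &#160; after "encrypting", and the unchanged "removeClient(String cliendId)" still carries the "cliendId" typo.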
      


