cxf-dev mailing list archives

From Łukasz Moreń <lukasz.mo...@gmail.com>
Subject Re: OAuth client and server demos
Date Thu, 19 Aug 2010 10:42:09 GMT
Yes, it helps.
For me it looks good to associate permissions and scope with access token.
I think I will do something similar in cxf.

Btw, I've updated resteasy recently and saw changes in oauth module. :)

Cheers,
Lukasz

2010/8/18 Sergey Beryozkin <sberyozkin@gmail.com>

> Hi Łukasz
>
> 2010/8/16 Łukasz Moreń <lukasz.moren@gmail.com>
>
> > Hi,
> >
> > I've made changes in demo according to your comments.
> >
>
> thanks.
>
>
> > I will do 'gsoc' tag on my branch to distinguish current gsoc work from
> > future changes, as today is 'firm pencil down' date.
> >
> ok.
>
>
> > I would like to do additional changes in oauth module.
> >
>
> nice :-).
>
>
> > Access token should be connected with some kind of 'scope' that specifies
> > a range of resources it allows to access or operations to invoke.
> >
> > For example in RestEasy implementation access token is associated with set
> > of principal roles.
> > If there is valid access token in the request, oauth filter sets user roles
> > associated with token to ServletRequest and lets it pass further.
> >
> > I'm wondering how it can be done in cxf. I would appreciate some help on
> > that.
> >
> >
> Believe it or not but I've changed all that as part of the work I've been
> doing recently.
> Specifically, I've removed the association of roles & principal with access
> tokens.
> Instead I've introduced permissions which is really what can be requested by
> a consumer and publicly shown to the end user, for example, "Are you ok with
> letting 3rd party consumer "doSomething" with your resources ?", where
> "doSomething" can be pretty much any expression like "updateYourAlbum", etc,
> while roles could be "user", etc.
>
> It is then a job of filters/login modules/etc to convert permissions into
> the actual roles, as well as retrieve an authenticated Principal.
>
> I've also added "scopes" which are URIs, which I 'borrowed' from the Google
> docs. Example, a consumer may request a permission to "doSomething" at
> http://bar. If authorized it can access http://bar, http://bar/1,
> http://bar/2
>
> Does it help ? Any comments ?
>
> cheers, Sergey
>
>
> > Cheers,
> > Lukasz
> >
> > 2010/8/14 Łukasz Moreń <lukasz.moren@gmail.com>
> >
> > > Hi Sergey,
> > >
> > > Thanks for feedback. More comments below.
> > >
> > > 2010/8/13 Sergey Beryozkin <sberyozkin@gmail.com>
> > >
> > >> Hi Lucasz
> > >>
> > >>
> > >> 2010/8/13 Łukasz Moreń <lukasz.moren@gmail.com>
> > >>
> > >> > Hi Sergey,
> > >> >
> > >> > I've added some improvements to demo and protocol implementation.
> > >> > I hope this time build will be fine.
> > >> >
> > >> >
> > >> I've had no problems building this time. Thanks for sorting the build
> > >> issues out.
> > >> The only minor hitch is that I had to add
> > >> <relativePath>../../pom.xml</relativePath>
> > >> to both oauth client & server demo modules in order to build them. Not
> > >> sure if I could've built them by running
> > >> 'mvn install' from samples directly (in distribution/target/.../samples)
> > >> given that we also have to use -Pspring3. Not a big issue - please
> > >> recheck just in case...
> > >>
> > >
> > > Yes, I think I need to add relativePath to pom.
> > >
> > >
> > >>
> > >> So I've started server and client web apps and run the demo easily. So
> > >> it's all nearly there, and IMHO the project is in a good shape, as far as
> > >> GSOC is concerned. Hopefully you can continue on preparing it to the move
> > >> to the trunk :-)
> > >>
> > >> Here're some comments to the existing demo - see if you could do anything
> > >> till 16th, if not then it can be dealt with later on.
> > >>
> > >>
> > > I will try to do as much as possible till 16-th. There is still plenty to
> > > do as I see from your comments and
> > > myself so missing things I will add later.
> > >
> > >
> > >
> > >> The client registration form requires a user to register a callback URI.
> > >> But I understand that a callback URI is only provided by a client, when
> > >> requesting a temp/request token ? That said, requiring what I'd call a
> > >> 'connect' or "reply-to" URI registered during the (secure) client
> > >> registration process may help with enforcing that the actual callback URI
> > >> provided by the client *matches* the one provided at the registration,
> > >> using a startsWith function. I've seen it in the Facebook docs and I also
> > >> did something similar in my own project - is this the idea ?
> > >>
> > >> If yes - then please check it's a startsWith check that is used - but
> > >> also consider making providing a callback URI optional at the client
> > >> registration time
> > >
> > >
> > > Yes, I used it for that reason. It can be just passed with request token
> > > request. All current OAuth 1.0 servers I've seen need to preregister
> > > callback URI,
> > > and as you said they check if both URIs match.
> > > There is also possibility to pass 'oob' (out of band) value as callback URI
> > > which means has been established via other means,
> > > so then server uses preregistered value. However I think this option is used
> > > in case of native apps.
> > >
> > >
> > >> The other thing is that a client key is also generated. This is probably
> > >> correct but I'm wondering would it make sense to let the consumer register
> > >> its own key but the authorization server to only generate the shared
> > >> secret.
> > >> Consumer might also want to optionally provide its description such as
> > >> "OAuth 1.0 client" as in the demo, etc.  This might make it a bit simpler
> > >> for a client (i.e, it will only have to manage a shared secret).
> > >>
> > >
> > > Yes I think it makes sense. So far consumer key is just hash from
> > > application name and user who registers consumer.
> > >
> > >
> > >
> > >> In a client webapp a PLAINTEXT option is offered - is it OAuth 2.0 like
> > >> thing where HTTPS is assumed ? I'd just consider removing this option and
> > >> have only hmac-sha1 left.
> > >>
> > >
> > > I think it's something similar, however there are no signatures in OAuth 2.0
> > > and access_token is assumed to be short lived,
> > > ideally one per request, issuing new tokens is done by refresh_token
> > > parameter.
> > >
> > >
> > >> This is probably it so far. I'm not very excited about JSPs being used in
> > >> the demo :-) but I guess it is not too bad and shows something that many
> > >> people would consider doing in practice.
> > >>
> > >
> > > I was not sure about using JSPs either :), but I wanted to show basically
> > > how oauth could be added to existing apps
> > > and hadn't other idea how to replace them.
> > >
> > >
> > >>
> > >> Overall it is a really good effort toward helping CXF users to
> > >> start/experiment with OAuth.
> > >>
> > >
> > >
> > > Cheers,
> > > Lukasz
> > >
> > >
> > >
> > >>
> > >> Thanks
> > >>
> > >> Sergey
> > >>
> > >>
> > >> > Cheers,
> > >> > Lukasz
> > >> >
> > >> > 2010/8/13 Sergey Beryozkin <sberyozkin@gmail.com>
> > >> >
> > >> > > Hi Łukasz
> > >> > >
> > >> > > I can see the merges flowing :-), I'll be reviewing your work tonight;
> > >> > >
> > >> > > to the list : we've exchanged few private emails to do with build issues I
> > >> > > was encountering and Łukasz addressed them fast; we also agreed that for
> > >> > > the initial phase making a demo easy to understand and build upon was the
> > >> > > main goal...
> > >> > >
> > >> > > cheers, Sergey
> > >> > >
> > >> > > 2010/8/5 Sergey Beryozkin <sberyozkin@gmail.com>
> > >> > >
> > >> > > > Hi Łukasz
> > >> > > >
> > >> > > > can you please fix checkstyle errors in the demo...
> > >> > > > Re the callback uri : I think one of the providers on the server is
> > >> > > > configured with the callback URI
> > >> > > >
> > >> > > > thanks, Sergey
> > >> > > >
> > >> > > >
> > >> > > > 2010/8/2 Łukasz Moreń <lukasz.moren@gmail.com>
> > >> > > >
> > >> > > > >
> > >> > > >> > Please update the demo so that the consumer
> > >> > > >> > registers itself, plus supplies a callback itself with a request token
> > >> > > >> > request
> > >> > > >>
> > >> > > >> callback url is passed in this request, however this request is done in
> > >> > > >> backend through URLConnection so it's not visible at UI.
> > >> > > >>
> > >> > > >> Cheers, Lukasz
> > >> > > >>
> > >> > > >> On 2 August 2010 13:36, Łukasz Moreń <lukasz.moren@gmail.com> wrote:
> > >> > > >>
> > >> > > >> > Hi,
> > >> > > >> > I've committed changes I've made:
> > >> > > >> > - added possibility to register new OAuth client applications at OAuth
> > >> > > >> > server
> > >> > > >> > - OAuth demos moved to distribution\src\main\samples\
> > >> > > >> > - added README to OAuth demos
> > >> > > >> > - fixes in pom.xml files
> > >> > > >> >
> > >> > > >> >> - fix the checkstyle errors and move the demo to the
> > >> > > >> >> ""distribution/src/main/release/samples/"" area and also add Readme; after
> > >> > > >> >> building the distribution (mvn install in trunk/distribution) you can easily
> > >> > > >> >> verify the demo can be run by locating in the target.
> > >> > > >> >
> > >> > > >> > fixed that, and added readme
> > >> > > >> >
> > >> > > >> >> - add the oauth dependency in the parent pom so that the rs/oauth module can
> > >> > > >> >> depend on it without specifying a version and have the demo client module
> > >> > > >> >> depending on rt/rs/oauth module instead (similarly to the server one)
> > >> > > >> >
> > >> > > >> > done, however demo client doesn't need to depend on rt/rs/oauth as it doesn't
> > >> > > >> > use cxf functionality, just on oauth libraries
> > >> > > >> >
> > >> > > >> >> - during the main build please use the Spring version CXF depends upon and
> > >> > > >> >> use its -Pspring3 profile to build for the deployment into GAE
> > >> > > >> >
> > >> > > >> > changed, both client and server demos need to be built with -Pspring3 for
> > >> > > >> > local jetty run and GAE as well.
> > >> > > >> > Otherwise I would need use different spring config files for spring 2.5 and
> > >> > > >> > 3.0.x
> > >> > > >> >
> > >> > > >> > Cheers, Lukasz
> > >> > > >> >
> > >> > > >> > On 29 July 2010 21:15, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
> > >> > > >> >
> > >> > > >> >> Hi
> > >> > > >> >>
> > >> > > >> >> 2010/7/29 Łukasz Moreń <lukasz.moren@gmail.com>
> > >> > > >> >>
> > >> > > >> >> > Hi,
> > >> > > >> >> >
> > >> > > >> >> > I'm still working on refactoring and changes in demo you suggested.
> > >> > > >> >> > I will likely update it tomorrow.
> > >> > > >> >> >
> > >> > > >> >> > > I'll likely ask for some modifications but perhaps if you could start with
> > >> > > >> >> > > updating the demo
> > >> > > >> >> > > such that a consumer initiates its own registration with the OAuth server.
> > >> > > >> >> >
> > >> > > >> >> >
> > >> > > >> >> > I'm going to put high effort on my GSoC project next weeks. I would really
> > >> > > >> >> > appreciate,
> > >> > > >> >> > if you would have some more modifications requests/directions which project
> > >> > > >> >> > should go, as you have limited time next week
> > >> > > >> >> > and current changes will not take long.
> > >> > > >> >> >
> > >> > > >> >> > From what I'm seeing, I need to cover spec with code, simplify
> > >> > > >> >> > configuration
> > >> > > >> >> > and do more testing.
> > >> > > >> >> >
> > >> > > >> >> >
> > >> > > >> >> I have to sign off now...Please update the demo so that the consumer
> > >> > > >> >> registers itself, plus supplies a callback itself with a request token
> > >> > > >> >> request, add README and it would let users start experimenting. IMHO the
> > >> > > >> >> initial phase can be considered complete once there's a demo there which can
> > >> > > >> >> show users what they need to do.
> > >> > > >> >>
> > >> > > >> >> We can then discuss things further
> > >> > > >> >>
> > >> > > >> >> cheers, Sergey
> > >> > > >> >>
> > >> > > >> >>
> > >> > > >> >>
> > >> > > >> >> > Cheers,
> > >> > > >> >> > Lukasz
> > >> > > >> >> >
> > >> > > >> >> > 2010/7/29 Daniel Kulp <dkulp@apache.org>
> > >> > > >> >> >
> > >> > > >> >> > >
> > >> > > >> >> > > You probably just need to change your deps to:
> > >> > > >> >> > >
> > >> > > >> >> > > geronimo-servlet_3.0_spec
> > >> > > >> >> > >
> > >> > > >> >> > >
> > >> > > >> >> > > Dan
> > >> > > >> >> > >
> > >> > > >> >> > >
> > >> > > >> >> > > On Thursday 29 July 2010 3:35:57 pm Sergey Beryozkin wrote:
> > >> > > >> >> > > > Hi Lucasz
> > >> > > >> >> > > >
> > >> > > >> >> > > > I can't build the oauth sandbox project, seeing
> > >> > > >> >> > > > [ERROR] FATAL ERROR
> > >> > > >> >> > > > [INFO] ------------------------------------------------------------------------
> > >> > > >> >> > > > [INFO] Error building POM (may not be this project's POM).
> > >> > > >> >> > > >
> > >> > > >> >> > > >
> > >> > > >> >> > > > Project ID: org.apache.cxf:cxf-rt-rs-oauth
> > >> > > >> >> > > > POM Location: /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > >> > > >> >> > > > Validation Messages:
> > >> > > >> >> > > >
> > >> > > >> >> > > >     [0]  'dependencies.dependency.version' is missing for org.apache.geronimo.specs:geronimo-servlet_2.5_spec:jar
> > >> > > >> >> > > >
> > >> > > >> >> > > >
> > >> > > >> >> > > > Reason: Failed to validate POM for project org.apache.cxf:cxf-rt-rs-oauth
> > >> > > >> >> > > > at /home/sberyozkin/work/cxf/sandbox/oauth_1.0a/rt/rs/oauth/pom.xml
> > >> > > >> >> > > >
> > >> > > >> >> > > > so I can not review the latest merge, sorry. I could've tried to fix this
> > >> > > >> >> > > > issue but I'm not sure if you're finished with the refactoring just yet.
> > >> > > >> >> > > > I'll be travelling tomorrow and I'll have some very limited time during the
> > >> > > >> >> > > > evenings next week but I'll try to provide some feedback at least
> > >> > > >> >> > > >
> > >> > > >> >> > > > cheers, Sergey
> > >> > > >> >> > > >
> > >> > > >> >> > > >
> > >> > > >> >> > > > 2010/7/26 Sergey Beryozkin <sberyozkin@gmail.com>
> > >> > > >> >> > > >
> > >> > > >> >> > > > > Hi Łukasz
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > 2010/7/26 Łukasz Moreń <lukasz.moren@gmail.com>
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> Hi Sergey,
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> I'm really sorry for such commit, I know it shouldn't happen. I turned
> > >> > > >> >> > > > >> off checkstyle as I couldn't configure it properly on intellij and it
> > >> > > >> >> > > > >> was annoying during development.
> > >> > > >> >> > > > >> I will apply proper changes ASAP.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > no worries at all, I've broken the real builds with checkstyle errors so
> > >> > > >> >> > > > > many times and it is the CXF sandbox after :-)
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> According to the demo, I built it as usual web-app, if it worked, use
> > >> > > >> >> > > > >> this same sources to deploy on GAE.
> > >> > > >> >> > > > >> However because of GAE restrictions it always needs minor changes
> > >> > > >> >> > > > >> before deploy, i.e. GAE can't read configuration files such as:
> > >> > > >> >> > > > >> cxf-extension-http.xml
> > >> > > >> >> > > > >> from jars, so I copied it to WEB-INF folder.
> > >> > > >> >> > > > >> Committed to svn version does not depend on GAE SDK and can be run
> > >> > > >> >> > > > >> locally with jetty:run.
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> Yes, I warned about server configuration part:). I will take care to
> > >> > > >> >> > > > >> make it simpler.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > I do not think it is too complicated - the simplification can be done
> > >> > > >> >> > > > > once the whole flow is sound...
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> So far, oauth consumer properties are hardcoded and injected into
> > >> > > >> >> > > > >> oauth provider, as I think it is not oauth library responsibility to
> > >> > > >> >> > > > >> deal with consumer registration.
> > >> > > >> >> > > > >> However for demo it would be good to have something like that. I would
> > >> > > >> >> > > > >> do registration form at the server as it is done by current big oauth
> > >> > > >> >> > > > >> implementations.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > I agree that conceptually the registration of consumers is a separate
> > >> > > >> >> > > > > issue. But it is part of the solution that users will be eventually
> > >> > > >> >> > > > > offering so just showing them that the consumers have to go and register
> > >> > > >> >> > > > > themselves will help people with coming up with some custom registration
> > >> > > >> >> > > > > forms, etc. The registration does not have to be done at the server
> > >> > > >> >> > > > > hosting the resource, it is just important for the OAuth provider be
> > >> > > >> >> > > > > able to get to the consumer details. I'm fine with assuming at the
> > >> > > >> >> > > > > moment that the registration handler is collocated with the
> > >> > > >> >> > > > > endpoints/providers enforcing OAuth flow.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > But the callback uri which is being injected at the moment should go
> > >> > > >> >> > > > > anyway given that it is part of the actual flow, specifically, the
> > >> > > >> >> > > > > consumer provides it during the request token request
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> Recently I've noticed that Camel have done oauth client as well:):
> > >> > > >> >> > > > >> http://camel.apache.org/tutorial-oauth.html
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> Thanks much for review, and hints.
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > thanks for your effort :-)
> > >> > > >> >> > > > >
> > >> > > >> >> > > > > Sergey
> > >> > > >> >> > > > >
> > >> > > >> >> > > > >> Cheers,
> > >> > > >> >> > > > >> Lukasz
> > >> > > >> >> > > > >>
> > >> > > >> >> > > > >> 2010/7/24 Sergey Beryozkin <sberyozkin@gmail.com>:
> > >> > > >> >> > > > >> > Hi Łukasz
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Sorry for a delay, I should've come back earlier to you.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > I've run the demo hosted at the app engine and I think from the education
> > >> > > >> >> > > > >> > point of view it is a good demo and it is handy one does not even have
> > >> > > >> >> > > > >> > to build anything in order to try it.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > I've had a problem building the rt/rs/oauth tests - there's a bunch of
> > >> > > >> >> > > > >> > CheckStyle errors. Can you please build sandbox/oauth_1.0a from the trunk,
> > >> > > >> >> > > > >> > just do 'mvn install -Pfastinstall' and then do 'mvn install' from rt/rs/ ?
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > One other thing, please move the demo to
> > >> > > >> >> > > > >> > "distribution/src/main/release/samples/" as well add Readme to it.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Also I can not build the demo too, the client build fails with the following
> > >> > > >> >> > > > >> > dependency missing
> > >> > > >> >> > > > >> > 1) net.oauth.core:oauth-consumer:jar:20100527
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > But I'm seeing an oauth repo in the rt/rs/oauth pom, have you built it in
> > >> > > >> >> > > > >> > the GAE dev environment ?
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Can you please spend a bit of time on cleaning the build a bit :
> > >> > > >> >> > > > >> > - fix the checkstyle errors and move the demo to the
> > >> > > >> >> > > > >> > ""distribution/src/main/release/samples/"" area and also add Readme; after
> > >> > > >> >> > > > >> > building the distribution (mvn install in trunk/distribution) you can easily
> > >> > > >> >> > > > >> > verify the demo can be run by locating in the target.
> > >> > > >> >> > > > >> > - add the oauth dependency in the parent pom so that the rs/oauth module can
> > >> > > >> >> > > > >> > depend on it without specifying a version and have the demo client module
> > >> > > >> >> > > > >> > depending on rt/rs/oauth module instead (similarly to the server one)
> > >> > > >> >> > > > >> > - during the main build please use the Spring version CXF depends upon and
> > >> > > >> >> > > > >> > use its -Pspring3 profile to build for the deployment into GAE
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > As far as the demo is concerned. I looked at the server part and it looks
> > >> > > >> >> > > > >> > complicated enough :-) but I think it makes sense to me. I'll likely ask for
> > >> > > >> >> > > > >> > some modifications but perhaps if you could start with updating the
> > >> > > >> >> > > > >> > demo such that a consumer initiates its own registration with the OAuth server :
> > >> > > >> >> > > > >> > I can see at the moment an oauth provider is injected with some sample
> > >> > > >> >> > > > >> > consumer properties. I'm not sure what is the best way to do it : may be the
> > >> > > >> >> > > > >> > server can return a registration form or the client can just push the
> > >> > > >> >> > > > >> > registration info itself.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > Overall I think it is a good progress indeed especially given the complexity
> > >> > > >> >> > > > >> > of the whole effort.
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > thanks, Sergey
> > >> > > >> >> > > > >> >
> > >> > > >> >> > > > >> > On Wed, Jul 14, 2010 at 10:14 PM, Łukasz Moreń <lukasz.moren@gmail.com> wrote:
> > >> > > >> >> > > > >> >> Hi all,
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> I have managed to create two sample OAuth applications:
> > >> > > >> >> > > > >> >> ordinary OAuth 1.0a client: http://www.oauthclient.appspot.com
> > >> > > >> >> > > > >> >> and authorization server that uses CXF OAuth module:
> > >> > > >> >> > > > >> >> http://www.cxfoauthserver.appspot.com
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> Both sample applications and changes in oauth library are committed in
> > >> > > >> >> > > > >> >> sandbox.
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> OAuth configuration in sample authorization server app looks a bit
> > >> > > >> >> > > > >> >> awfully but I think most of that can be hidden and done out of band.
> > >> > > >> >> > > > >> >> There are still some areas in specification not covered by
> > >> > > >> >> > > > >> >> implementation, so I would like to take care of that in next steps.
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> Thanks in advance for some feedback.
> > >> > > >> >> > > > >> >>
> > >> > > >> >> > > > >> >> Cheers,
> > >> > > >> >> > > > >> >> Lukasz
> > >> > > >> >> > >
> > >> > > >> >> > > --
> > >> > > >> >> > > Daniel Kulp
> > >> > > >> >> > > dkulp@apache.org
> > >> > > >> >> > > http://dankulp.com/blog
> > >> > > >> >> > >
> > >> > > >> >> >
> > >> > > >> >>
> > >> > > >> >
> > >> > > >> >
> > >> > > >>
> > >> > > >
> > >> > > >
> > >> > >
> > >> >
> > >>
> > >
> > >
> >
>
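
The callback-URI match against the registered value and the scope URIs ("doSomething" at http://bar covering http://bar/1, http://bar/2) discussed in this thread both reduce to asking whether one URI lies under another. The following is an added example, not code from the CXF OAuth module or from either poster: it compares parsed URI components next to a plain String.startsWith, and handles the 'oob' callback as described above. The class and method names and the client.example / other.test values are constructed, and a registered callback URI is assumed to exist.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added illustration; names are hypothetical, not CXF's OAuth module API.
public class CallbackAndScopeCheck {

    // Default ports so that http://host and http://host:80 compare equal.
    static int port(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // "/cb" and "/cb/" both become "/cb/", so "/cbx" can never match "/cb".
    static String asDir(String path) {
        if (path == null || path.isEmpty()) return "/";
        return path.endsWith("/") ? path : path + "/";
    }

    /** True when candidate has base's scheme, host and port and its path is base's path or below it. */
    static boolean isWithin(String base, String candidate) {
        if (base == null || candidate == null) return false;
        URI b, c;
        try {
            b = new URI(base).normalize();       // normalize() resolves "." and ".." segments
            c = new URI(candidate).normalize();
        } catch (URISyntaxException e) {
            return false;
        }
        if (b.getScheme() == null || b.getHost() == null || c.getHost() == null) return false;
        if (c.getUserInfo() != null) return false;   // user@host forms are not needed here
        if (!b.getScheme().equalsIgnoreCase(c.getScheme())) return false;
        if (!b.getHost().equalsIgnoreCase(c.getHost())) return false;
        if (port(b) != port(c)) return false;
        String raw = asDir(c.getRawPath());
        String lower = raw.toLowerCase(Locale.ROOT);
        // Encoded dots and slashes could be decoded into "../" further down the stack.
        if (lower.contains("%2e") || lower.contains("%2f") || lower.contains("%5c")) return false;
        return raw.startsWith(asDir(b.getRawPath()));
    }

    /** OAuth 1.0a callback choice: "oob" falls back to the registered URI, anything else must sit under it. */
    static String resolveCallback(String registered, String supplied) {
        if ("oob".equals(supplied)) return registered;
        if (isWithin(registered, supplied)) return supplied;
        throw new IllegalArgumentException("oauth_callback is not under the registered URI");
    }

    public static void main(String[] args) {
        String registered = "http://client.example/app";    // constructed registration value
        String[] callbacks = {                               // constructed request values
            "http://client.example/app/done",
            "http://client.example/application",
            "http://client.example/app/../other",
            "http://client.example.other.test/app/done",
            "oob"
        };
        for (String cb : callbacks) {
            String outcome;
            try {
                outcome = "accepted -> " + resolveCallback(registered, cb);
            } catch (IllegalArgumentException e) {
                outcome = "rejected";
            }
            System.out.printf("%-45s startsWith=%-5b %s%n", cb, cb.startsWith(registered), outcome);
        }

        String scope = "http://bar";                         // scope URI used in the thread
        String[] resources = {"http://bar", "http://bar/1", "http://bar/2", "http://bar.other.test/1"};
        for (String r : resources) {
            System.out.printf("%-45s in scope: %b%n", r, isWithin(scope, r));
        }
    }
}
```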
