Date: Tue, 4 Dec 2012 22:04:58 +0000 (UTC)
From: "Sergey Beryozkin (JIRA)"
To: issues@cxf.apache.org
Subject: [jira] [Resolved] (CXF-4671) [OAuth2] Add option to not have user intervention

     [ https://issues.apache.org/jira/browse/CXF-4671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-4671.
-----------------------------------

    Resolution: Won't Fix
      Assignee: Sergey Beryozkin

We've agreed to explore the pre-authorized token option

> [OAuth2] Add option to not have user intervention
> -------------------------------------------------
>
>                 Key: CXF-4671
>                 URL: https://issues.apache.org/jira/browse/CXF-4671
>             Project: CXF
>          Issue Type: Wish
>          Components: JAX-RS Security
>    Affects Versions: 2.7.0
>            Reporter: Steven Tippetts
>            Assignee: Sergey Beryozkin
>
> I'm using the cxf oauth library as a cross domain, non-cookie way to protect my resource server endpoints. As such, I don't need the user to authorize access to any data. I know this isn't part of the OAuth 2 spec, but it would be very nice if there were a config setting that would skip the user authorization part.
> Currently, I'm extending RedirectionBasedGrantService and overriding startAuthorization like this:
> {code}
> @Override
> protected Response startAuthorization(MultivaluedMap params) {
>     super.startAuthorization(params);
>     HttpSession session = getMessageContext().getHttpServletRequest().getSession();
>     String sessionToken = (String)session.getAttribute(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
>     params.add("session_authenticity_token", sessionToken);
>     params.add("oauthDecision", "allow");
>     return super.completeAuthorization(params);
> }
> {code}
> This works ok for me, but it would be nice if it were a part of the library.