From Marcello Ribeiro <marcellocard...@contmatic.com.br>
Subject Re: [** POSSIBLE SPAM 6.6 **] Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection
Date Fri, 17 Jan 2014 14:23:31 GMT
OK, about your second comment, what is a good way to authenticate users
in this case?
I understand the flow should be:

1 - User asks the client for a Server resource URL.
2 - Client tries reaching the Service URL.
3 - The interceptor sees the client is not authorized yet, so it somehow
returns a redirect to the Authorization Server.
4 - Client redirects to the authorization server passing clientID +
clientSecret in order to get a "Request Token".
5 - Authorization Server is required to have an authenticated user,
right? Otherwise it cannot authorize ClientId "123456" to talk in the
name of user "whoever". (Makes sense?)
6 - Since an authenticated user is required, Client will receive back
some authentication challenge.
7 - So now Client answers with a username/password pair.
8 - Authentication Server matches it.
9 - Once authenticated, user will be able to say "Yes, I authorize this
app (client) to work in my name"; (User is going to be asked a kind of yes/no
question)
10 - Once it is done Client will receive back a "Request Token".
11 - With "Request Token" in hand, User will exchange it for an "Access
Token";
12 - With "Access Token" in hand, user will be able to request the
resource itself.

Does it sound like nonsense to you to authenticate the user?

Regards,
Marcello Ribeiro

On 21/02/2014 10:15, Sergey Beryozkin wrote:
> Hi
> On 20/01/14 11:46, Marcello Ribeiro wrote:
>> Hi Sergey,
>> So this is the new status:
>>
>> 1 - I've updated my pom to pull CXF 2.7.11-SNAPSHOT and so
>> OAuthRequestInterceptor is now available.
>> 2 - I added this interceptor to one of my endpoints.
>> 3 - I called this endpoint as usual and now I get a Not Authorized
>> Exception which makes my client receive an HTTP 500 directly, which in
>> my first point of view is not acceptable, because I think my client
>> should get at least an HTTP 401, since he is trying to access the
>> endpoint directly with no token, not having passed through the whole OAuth2
>> flow.
>>
>> Now I am dealing with:
>> 1 - Trying to understand how to send 401 back to my client instead of 500;
>
> This is a SOAP path so 500 is returned; you can register a custom out
> fault interceptor and make sure it is 401.
>
>> 2 - Going deep inside the docs I understood that I do need also (of
>> course) to have my user authenticated and the new fashion for this is using
>> WSS4JInInterceptor (using UsernameToken) which implements those new
>> Specs. I got problems here and I already raised my hand in another post
>> to this list. I've been using JAAS for a long time and I have to confess
>> the earth has not stopped rotating all those past years. :)
>>
>> Any comments on this "saga"?
>
> I don't think using WS-Security UserName token is appropriate when the 
> client has OAuth2 tokens.
>
> Cheers, Sergey
>
>
>>
>> Regards,
>> Marcello Ribeiro
>>
>>
>>
>> On 19/02/2014 14:05, Sergey Beryozkin wrote:
>>> So, did you get any luck at all or have I confused you?
>>> Basically, the OAuth2 server is there to get the tokens issued, which
>>> is completely orthogonal to the process of clients invoking on the
>>> JAX-RS or, in this case, JAX-WS endpoints.
>>>
>>> The client needs to get the token first, which can be done out of band,
>>> depending on the flow; next you use it to invoke on the endpoint and at
>>> this point of time the filter (or in your case interceptor) will
>>> enforce that the token is valid by contacting the OAuth2 server if needed
>>> or validate it locally by using the data provider directly.
>>>
>>> HTH
>>> Sergey
>>>
>>> On 17/02/14 15:43, Sergey Beryozkin wrote:
>>>> Hi
>>>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>>>> Good morning.
>>>>>
>>>>> I've created OAuth2 Services as described in
>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html , to be my complete
>>>>> OAuth2 infrastructure, giving tokens, authorization and the rest.
>>>>> OK, but my point is how to make my JAX-WS Services (my business WS
>>>>> endpoints) be intercepted, protected and authorized by this brand
>>>>> new OAuth2 infrastructure? What is the glue?
>>>> You have to register OAuthRequestInterceptor, not OAuthRequestFilter,
>>>> and it has to be 2.7.11-SNAPSHOT
>>>>
>>>>> I already put an interceptor for one of the endpoints as you can see
>>>>> below, but I got no effect.
>>>>>
>>>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
>>>> this interceptor does let the request which has no OAuth token attached
>>>> to it through?
>>>>
>>>> Thanks, Sergey
>>>>
>>>>> Do I explain myself?
>>>>> Thank you.
>>>>>
>>>>> Best Regards,
>>>>> Marcello Ribeiro
>>>>>
>>>>>
>>>>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>>>>> Hi
>>>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>>>
>>>>>>> I am sorry to say it is still nebulous in my mind...
>>>>>>> What I did was to add a new interceptor targeting my OauthFilter like
>>>>>>> this:
>>>>>>>
>>>>>>> My <jaxrs:server id="oauthServer" address="/oauth"> shares the same
>>>>>>> web application which my webservices share. Should I create a
>>>>>>> different web application for the OAuth2 Infrastructure??
>>>>>>>
>>>>>>>          <jaxws:inInterceptors>
>>>>>>>              <ref bean="oauthFilter" />
>>>>>>>          </jaxws:inInterceptors>
>>>>>>>
>>>>>>> But it seems to produce no effect... Client's requests are not
>>>>>>> being intercepted and no 403 responses are sent back...
>>>>>>
>>>>>> How do you obtain an OAuth2 token, where is it coming from?
>>>>>>
>>>>>> Cheers, Sergey
>>>>>>
>>>>>>> Would you have any git endpoint containing that POC?
>>>>>>>
>>>>>>> Thank you
>>>>>>>
>>>>>>> Regards,
>>>>>>> Marcello Ribeiro
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>>>>> Hi, please see comments below
>>>>>>>>
>>>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>>>> Hi,
>>>>>>>>> I have a couple of Webservices done and working properly using CXF
>>>>>>>>> 2.7.8 in the already known fashion:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>     <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>>>         id="blablablawsservice"
>>>>>>>>>         implementor="br.com.hello.BlaBlaBla"
>>>>>>>>>         wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>>>>         endpointName="tns:BlaBlaBlaPort"
>>>>>>>>>         serviceName="tns:BlaBlaBlaServiceService"
>>>>>>>>>         address="/BlaBlaBlaPort">
>>>>>>>>>         <jaxws:features>
>>>>>>>>>             <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>>>>         </jaxws:features>
>>>>>>>>>     </jaxws:endpoint>
>>>>>>>>>
>>>>>>>>> Now, what I need is to protect these services/urls using JAX-RS:
>>>>>>>>> OAuth2 and I have followed the instructions in the CXF documentation:
>>>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>>>> Based on this documentation, I have now:
>>>>>>>>>
>>>>>>>>> 1 - An Authorization Service;
>>>>>>>>>
>>>>>>>>>     <bean id="authorizationService"
>>>>>>>>>         class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>>>>         <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>>>     </bean>
>>>>>>>>>
>>>>>>>>> 2 - An Access Token Service;
>>>>>>>>>
>>>>>>>>>     <bean id="oauthProvider"
>>>>>>>>>         class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>>>>>>>
>>>>>>>>>     <bean id="accessTokenService"
>>>>>>>>>         class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>>>>         <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>     </bean>
>>>>>>>>>
>>>>>>>>>     <bean id="accessTokenValidateService"
>>>>>>>>>         class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>>>>         <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>     </bean>
>>>>>>>>>
>>>>>>>>>     <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>>>         <jaxrs:serviceBeans>
>>>>>>>>>             <ref bean="accessTokenService" />
>>>>>>>>>             <ref bean="accessTokenValidateService" />
>>>>>>>>>         </jaxrs:serviceBeans>
>>>>>>>>>     </jaxrs:server>
>>>>>>>>>
>>>>>>>>> 3 - A Request Filter
>>>>>>>>>
>>>>>>>>>     <bean id="oauthFilter"
>>>>>>>>>         class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>>>>         <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>     </bean>
>>>>>>>>
>>>>>>>> I'm assuming you have a WS client that would like to use an OAuth2
>>>>>>>> token to access the JAXWS endpoint, right?
>>>>>>>>
>>>>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>>>>> (Authorization/Access token) not collocated, though for simple cases
>>>>>>>> it is good enough for a start;
>>>>>>>>
>>>>>>>> So, unless you already use CXF OAuth2 services to actually issue the
>>>>>>>> OAuth2 tokens, just remove all of the above and then simply follow the
>>>>>>>> few steps I happened to blog about a few days ago - will update the docs
>>>>>>>> shortly:
>>>>>>>>
>>>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>>>>>
>>>>>>>> Basically, all you need to do is to add a simple custom WS
>>>>>>>> interceptor, you are right. If you have a remote OAuth2 AS then for a
>>>>>>>> start you can use a basic access token validator client (HTTP-based)
>>>>>>>> registered with your interceptor
>>>>>>>>
>>>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>>>
>>>>>>>> Let me know if you have more questions
>>>>>>>>
>>>>>>>> Sergey
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> So my point is:
>>>>>>>>> How do I protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>>>>> Request Filter? What is the glue between them?
>>>>>>>>> For example: I have a url
>>>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl"; how do I
>>>>>>>>> make it fall under this OAuth Protection Structure??
>>>>>>>>> Is that by interceptors, maybe?
>>>>>>>>>
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Marcello Ribeiro


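Sergey's suggestion above, a custom out fault interceptor so that a SOAP call without a token gets HTTP 401 instead of a generic 500, written out as an added example; it is not code from this thread, the linked blog post or the CXF project. It assumes the OAuth2 check rejects the request with a JAX-RS WebApplicationException carrying status 401 (wrapped in a CXF Fault on the SOAP path); the class name and realm value are made up.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.ws.rs.WebApplicationException;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/** Out-fault interceptor: an OAuth2 rejection on a JAX-WS endpoint becomes HTTP 401 + Bearer challenge. */
public class OAuthFaultStatusInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final String REALM = "soap-services"; // constructed realm name, pick your own

    public OAuthFaultStatusInterceptor() {
        // PRE_STREAM runs before the fault body is written and the HTTP status is committed
        super(Phase.PRE_STREAM);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        Exception ex = message.getContent(Exception.class);
        if (!isUnauthorized(ex)) {
            return; // any other fault keeps CXF's default SOAP fault status (500)
        }
        if (ex instanceof Fault) {
            // CXF's SOAP fault writer reads the Fault's status code, so set it as well as RESPONSE_CODE
            ((Fault) ex).setStatusCode(401);
        }
        message.put(Message.RESPONSE_CODE, 401);
        Map<String, List<String>> headers = CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
        if (headers == null) {
            headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
            message.put(Message.PROTOCOL_HEADERS, headers);
        }
        // RFC 6750 challenge so a tokenless client learns that a bearer token is expected
        headers.put("WWW-Authenticate", Collections.singletonList("Bearer realm=\"" + REALM + "\""));
    }

    /** Walks the cause chain for a 401 WebApplicationException (assumed to be what the OAuth check raises). */
    static boolean isUnauthorized(Throwable t) {
        for (; t != null; t = t.getCause()) {
            if (t instanceof WebApplicationException) {
                return ((WebApplicationException) t).getResponse().getStatus() == 401;
            }
        }
        return false;
    }
}
```

Register it on the protected endpoint next to the existing in-interceptor, via `<jaxws:outFaultInterceptors><bean class="...OAuthFaultStatusInterceptor" /></jaxws:outFaultInterceptors>`.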