cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection
Date Sun, 16 Feb 2014 21:12:40 GMT
Hi
On 16/01/14 19:58, Marcello Ribeiro wrote:
> Hi Sergey, thank you for helping and for the nice blog...
>
> I am sorry to say it is still  nebulous in my mind...
> What i did was to add a new interceptor targeting my OauthFilter like this:
>
> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the same
> web application which my webservices share. Should i create a diferent
> web application for the Oauth2 Infraestructure??
>
>          <jaxws:inInterceptors>
>              <ref bean="oauthFilter" />
>          </jaxws:inInterceptors>
>
> But it seems to produce no effects... Client´s requests are not been
> intercepted or no 403 response are sent back...

How do obtain an OAuth2 token, where is it coming from ?

Cheers, Sergey

> Would you have any git endpoint containing that POC
>
> Thank you
>
> Att,
> Marcello Ribeiro
>
>
>
> Em 14/02/2014 11:54, Sergey Beryozkin escreveu:
>> Hi, please see comments below
>>
>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>> Hi,
>>> I have a couple of Webservice done and working properly using CXF 2.7.8
>>> in the already known fashion:
>>>
>>>
>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>          id="blablablawsservice" implementor="br.com.hello.BlaBlaBla"
>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>> endpointName="tns:BlaBlaBlaPort"
>>>          serviceName="tns:BlaBlaBlaServiceService"
>>> address="/BlaBlaBlaPort">
>>>          <jaxws:features>
>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>          </jaxws:features>
>>>      </jaxws:endpoint>
>>>
>>>
>>>
>>> Now, what i need is to protect these services/urls using JAX-RS: OAuth2
>>> and i have followed the instruction in CXF documentation:
>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>> Based on this documentation, i have now:
>>>
>>> 1 - An Authorization Service;
>>> |
>>>      <bean id="authorizationService"
>>> class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>
>>>
>>>        <property name="dataProvider" ref="oauthProvider"/>
>>>      </bean>|
>>>
>>> |
>>> |
>>>
>>>
>>> 2 - An Access Token Service;
>>>
>>>      <bean id="oauthProvider"
>>> class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>
>>>      <bean id="accessTokenService"
>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>          <property name="dataProvider" ref="oauthProvider" />
>>>      </bean>
>>>
>>>      <bean id="accessTokenValidateService"
>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>
>>>
>>>          <property name="dataProvider" ref="oauthProvider" />
>>>      </bean>
>>>
>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>          <jaxrs:serviceBeans>
>>>              <ref bean="accessTokenService" />
>>>              <ref bean="accessTokenValidateService" />
>>>          </jaxrs:serviceBeans>
>>>      </jaxrs:server>
>>>
>>>
>>> 3 - A Request Filter
>>>
>>>      <bean id="oauthFilter"
>>> class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>          <property name="dataProvider" ref="oauthProvider" />
>>>      </bean>
>>
>> I'm assuming you have a WS client that would like to use an OAuth2
>> token to access the JAXWS endpoint, right ?
>>
>> Typically you'd have OAuth2 RS (your applications) and AS
>> (Authorization/Access token) not collocated, though for simple cases
>> it is good enough for a start;
>>
>> So, unless you already use CXF OAuth2 services to actually issue the
>> OAuth2 tokens, just remove all of the above and then simply follow the
>> few steps I happened to blog about few days ago - will update the docs
>> shortly:
>>
>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>
>>
>> Basically, all you need to do is to add a simple custom WS
>> interceptor, you are right. If you have a remote OAuth2 AS then for a
>> start you can use a basic access token validator client (HTTP-based)
>> registered with your interceptor
>>
>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>
>> Let me know if you have more questions
>>
>> Sergey
>>
>>
>>
>>>
>>>
>>> So my point is:
>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2 Request
>>> Filter? What is the glue between them?
>>> For example: i have a url
>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do it make
>>> it under this Oauth Protection Structure??
>>> Is that by interceptors, maybe?
>>>
>>> Thank you.
>>>
>>> Att,
>>> Marcello Ribeirop
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Mime
View raw message