cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: [** POSSÍVEL SPAM 6.6 **] Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection
Date Fri, 21 Feb 2014 16:56:19 GMT
Finally, you can simply use the client utils
https://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-Client-sidesupport

So you'd do

// create a client which uses Basic Auth
WebClient accessTokenServiceClient = WebClient.create(address, "name", 
"password", null);

OAuthClientUtils.getAccessToken(accessTokenServiceClient, new 
ClientCredentialsGrant());

This will get you the token; make sure AccessTokenService is configured 
with the instance of ClientCredentialsGrantHandler and that your data 
provider has a client registered with the "name" id.

This all rather straightforward for basic cases though yes. many steps 
needs to be taken care of.

Please work with the documentation and I'm hoping you will be the 1st 
CXF user who will validate OAuth tokens can be used on the WS path :-)

Sergey


On 21/02/14 15:32, Sergey Beryozkin wrote:
> On 17/01/14 14:23, Marcello Ribeiro wrote:
>> OK, about your second comment, what is a good way to authenticate users
>> in this case?
>> I understand the flow should be:
>>
>> 1 - User ask to client for a Server resource URL.
>> 2 - Client tries reaching Service URL.
>> 3 - The interceptor sees the client is not authorized yet, so it some
>> way returns a redirect to Authorization Server.
>> 4 - Client redirects to authorization server passing clientID +
>> clientSecret in order to get a "Request Token".
>> 5 - Authorizaton Server is required to have an authenticated user,
>> right? Otherwise it cannot authorize ClientId "123456" to talk in the
>> name of user "whoever". (Make sense?)
>> 6 - Once an authenticated user is required, so Client will receive back
>> some authentication challenge.
>> 7 - So now Client answers with a pair username/password.
>> 8 - Authentication Server matches it.
>> 9 - Once authenticated, user will be able to say "Yes, i authorize this
>> app(client) to work in my name"; (User is gonna be ask to kind of yes/no
>> question)
>> 10 - Once it is done Client will receive back a "Request Token".
>> 11 - With "Request Token" in hands, User will exchange it by an "Access
>> Token";
>> 12 With "Access Token" in hands, user will be able to request for the
>> resource itself.
>>
>> Does it sound non-sense to you to authenticate the user?
>>
> No, not really. You are actually talking about OAuth1 there.
> But in the end of the day, and lets talk about OAuth2 here, it's not
> important where the token came in from, what is important is that the
> JAX-WS client gets it somehow ( ex, as I suggested in the prev email).
> And no, CXF has no support neither for JAX-RS not JAX-WS endpoints
> redirecting to OAuth2 servers, the process of obtaining the token is
> *orthogonal* to the process of using the token and invoking on the
> endpoint, if the client has no token all it gets is 401
>
> I think we've really covered this case now in depth :-)
>
>
>
>> Att,
>> Marcello Ribeiro
>>
>> Em 21/02/2014 10:15, Sergey Beryozkin escreveu:
>>> Hi
>>> On 20/01/14 11:46, Marcello Ribeiro wrote:
>>>> Hi Sergey,
>>>> So that is the new status:
>>>>
>>>> 1 - I´ve updated my pom to pull CXF 2.7.11-Snapshot and so
>>>> OAuthRequestInterceptor is now available.
>>>> 2 - A added this interceptor to one of my endpoint.
>>>> 3 - I called this enpoint as usually and now i get a Not Authorized
>>>> Exception which makes my client to receive a http 500 directly,
>>>> which in
>>>> my first point of view is not acceptable, because i think my client
>>>> should get at least a http 401, once he is trying  to accessed the
>>>> endpoint directly with no token, and not having passed for all Oauth2
>>>> flow.
>>>>
>>>> Now i am dealing with:
>>>> 1 - Trying understand how to sent 401 back to my client instead of 500;
>>>
>>> This is a SOAP path so 500 is returned, you can register a custom out
>>> fault interceptor and make sure it is 401.
>>>
>>>> 2 - Going deep inside the docs i understood that i do need also (of
>>>> course) to have my user authenticated and new fashion for this is using
>>>> WSS4JInInterceptor (using UsernameToken) which implements those new
>>>> Specs. I got problems here and i already raised my hand in another post
>>>> to this list. I´ve been using JAAS for a long time and i have to
>>>> confess
>>>> the earth has not stopped rotating all those past years. :)
>>>>
>>>> Any comments on this "saga"?
>>>
>>> I don't think using WS-Security UserName token is appropriate when the
>>> client has OAuth2 tokens.
>>>
>>> Cheers, Sergey
>>>
>>>
>>>>
>>>> Att,
>>>> Marcello Ribeiro
>>>>
>>>>
>>>>
>>>> Em 19/02/2014 14:05, Sergey Beryozkin escreveu:
>>>>> So, did you get any luck at all or I have confused you ?
>>>>> Basically, the OAuth2 server is there to get the tokens issued, which
>>>>> is completely orthogonal to the process of clients invoking on the
>>>>> JAX-RS or in this case, JAX-WS endpoints.
>>>>>
>>>>> The client need to get the token first, can be done out of band,
>>>>> depends on the flow, next you use it to invoke on the endpoint and at
>>>>> this point of time the filter (or in you case interceptor) will
>>>>> enforce the token is valid by contacting the OAuth2 server if needed
>>>>> or validate it locally by using the data provider directly
>>>>>
>>>>> HTH
>>>>> Sergey
>>>>>
>>>>> On 17/02/14 15:43, Sergey Beryozkin wrote:
>>>>>> Hi
>>>>>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>>>>>> Good morning.
>>>>>>>
>>>>>>> I´ve created Oauth2 Services as described in
>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>>>>>>> Oauth2 infrastructure, given tokens, authorization and the stuffs
.
>>>>>>> OK, but my point is how to make my JAX-WS Services (My Business
WS
>>>>>>> endpoints) being intecepted, and protected and authorized for
this
>>>>>>> brand
>>>>>>> new Oauth2 infrastructure? What is the glue.
>>>>>> You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
>>>>>> and it has to be 2.7.11-SNAPSHOT
>>>>>>
>>>>>>> I already put an interceptor for one of the endpoints as you
can see
>>>>>>> bellow, but i got none effects.
>>>>>>>
>>>>>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint
and
>>>>>> this interceptor does let the request which has no OAuth token
>>>>>> attached
>>>>>> to it through ?
>>>>>>
>>>>>> Thanks, Sergey
>>>>>>
>>>>>>> Do i explain myself?
>>>>>>> Thank you.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Marcello Ribeiro
>>>>>>>
>>>>>>>
>>>>>>> Em 16/02/2014 18:12, Sergey Beryozkin escreveu:
>>>>>>>> Hi
>>>>>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>>>>>
>>>>>>>>> I am sorry to say it is still  nebulous in my mind...
>>>>>>>>> What i did was to add a new interceptor targeting my
OauthFilter
>>>>>>>>> like
>>>>>>>>> this:
>>>>>>>>>
>>>>>>>>> My    <jaxrs:server id="oauthServer" address="/oauth">
shares the
>>>>>>>>> same
>>>>>>>>> web application which my webservices share. Should i
create a
>>>>>>>>> diferent
>>>>>>>>> web application for the Oauth2 Infraestructure??
>>>>>>>>>
>>>>>>>>>          <jaxws:inInterceptors>
>>>>>>>>>              <ref bean="oauthFilter" />
>>>>>>>>>          </jaxws:inInterceptors>
>>>>>>>>>
>>>>>>>>> But it seems to produce no effects... Client´s requests
are not
>>>>>>>>> been
>>>>>>>>> intercepted or no 403 response are sent back...
>>>>>>>>
>>>>>>>> How do obtain an OAuth2 token, where is it coming from ?
>>>>>>>>
>>>>>>>> Cheers, Sergey
>>>>>>>>
>>>>>>>>> Would you have any git endpoint containing that POC
>>>>>>>>>
>>>>>>>>> Thank you
>>>>>>>>>
>>>>>>>>> Att,
>>>>>>>>> Marcello Ribeiro
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Em 14/02/2014 11:54, Sergey Beryozkin escreveu:
>>>>>>>>>> Hi, please see comments below
>>>>>>>>>>
>>>>>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>> I have a couple of Webservice done and working
properly using
>>>>>>>>>>> CXF
>>>>>>>>>>> 2.7.8
>>>>>>>>>>> in the already known fashion:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>>>>>          id="blablablawsservice"
>>>>>>>>>>> implementor="br.com.hello.BlaBlaBla"
>>>>>>>>>>> wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>>>>>> endpointName="tns:BlaBlaBlaPort"
>>>>>>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>>>>>>> address="/BlaBlaBlaPort">
>>>>>>>>>>>          <jaxws:features>
>>>>>>>>>>>              <bean
>>>>>>>>>>> class="org.apache.cxf.feature.LoggingFeature"
/>
>>>>>>>>>>>          </jaxws:features>
>>>>>>>>>>>      </jaxws:endpoint>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Now, what i need is to protect these services/urls
using JAX-RS:
>>>>>>>>>>> OAuth2
>>>>>>>>>>> and i have followed the instruction in CXF documentation:
>>>>>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>>>>>> Based on this documentation, i have now:
>>>>>>>>>>>
>>>>>>>>>>> 1 - An Authorization Service;
>>>>>>>>>>> |
>>>>>>>>>>>      <bean id="authorizationService"
>>>>>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>        <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>>>>>      </bean>|
>>>>>>>>>>>
>>>>>>>>>>> |
>>>>>>>>>>> |
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2 - An Access Token Service;
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="oauthProvider"
>>>>>>>>>>> class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider"
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> />
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="accessTokenService"
>>>>>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider"
/>
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="accessTokenValidateService"
>>>>>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider"
/>
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>>>>>          <jaxrs:serviceBeans>
>>>>>>>>>>>              <ref bean="accessTokenService"
/>
>>>>>>>>>>>              <ref bean="accessTokenValidateService"
/>
>>>>>>>>>>>          </jaxrs:serviceBeans>
>>>>>>>>>>>      </jaxrs:server>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 3 - A Request Filter
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="oauthFilter"
>>>>>>>>>>> class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider"
/>
>>>>>>>>>>>      </bean>
>>>>>>>>>>
>>>>>>>>>> I'm assuming you have a WS client that would like
to use an
>>>>>>>>>> OAuth2
>>>>>>>>>> token to access the JAXWS endpoint, right ?
>>>>>>>>>>
>>>>>>>>>> Typically you'd have OAuth2 RS (your applications)
and AS
>>>>>>>>>> (Authorization/Access token) not collocated, though
for simple
>>>>>>>>>> cases
>>>>>>>>>> it is good enough for a start;
>>>>>>>>>>
>>>>>>>>>> So, unless you already use CXF OAuth2 services to
actually
>>>>>>>>>> issue the
>>>>>>>>>> OAuth2 tokens, just remove all of the above and then
simply
>>>>>>>>>> follow the
>>>>>>>>>> few steps I happened to blog about few days ago -
will update the
>>>>>>>>>> docs
>>>>>>>>>> shortly:
>>>>>>>>>>
>>>>>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Basically, all you need to do is to add a simple
custom WS
>>>>>>>>>> interceptor, you are right. If you have a remote
OAuth2 AS then
>>>>>>>>>> for a
>>>>>>>>>> start you can use a basic access token validator
client
>>>>>>>>>> (HTTP-based)
>>>>>>>>>> registered with your interceptor
>>>>>>>>>>
>>>>>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>>>>>
>>>>>>>>>> Let me know if you have more questions
>>>>>>>>>>
>>>>>>>>>> Sergey
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> So my point is:
>>>>>>>>>>> How do i protect my JAX-WS webservices using
this JAX-RS: OAuth2
>>>>>>>>>>> Request
>>>>>>>>>>> Filter? What is the glue between them?
>>>>>>>>>>> For example: i have a url
>>>>>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl"
how
>>>>>>>>>>> do it
>>>>>>>>>>> make
>>>>>>>>>>> it under this Oauth Protection Structure??
>>>>>>>>>>> Is that by interceptors, maybe?
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>> Att,
>>>>>>>>>>> Marcello Ribeirop
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>

Mime
View raw message