Posted to commits@cxf.apache.org by bu...@apache.org on 2021/09/30 22:58:56 UTC

svn commit: r1077042 [1/3] - in /websites/production/cxf/content: cache/docs.pageCache docs/cxf-oauth-10.html docs/jax-rs-oauth.html docs/springboot.html

Author: buildbot
Date: Thu Sep 30 22:58:56 2021
New Revision: 1077042

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/cxf-oauth-10.html
    websites/production/cxf/content/docs/jax-rs-oauth.html
    websites/production/cxf/content/docs/springboot.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/cxf-oauth-10.html
==============================================================================
--- websites/production/cxf/content/docs/cxf-oauth-10.html (original)
+++ websites/production/cxf/content/docs/cxf-oauth-10.html Thu Sep 30 22:58:56 2021
@@ -117,28 +117,8 @@ Apache CXF -- CXF OAuth 1.0
          <td height="100%">
            <!-- Content -->
            <div class="wiki-content">
-<div id="ConfluenceContent"><h1 id="CXFOAuth1.0-CXFOAuth1.0extension">CXF OAuth 1.0 extension</h1>
-
-<p><strong>Note</strong>: This page describes the OAuth GSOC 2009 project led by Lucasz Moren. Please go to the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for an up-to-date information.  </p>
-
-<p>CXF OAuth 1.0 extension has been build during Google Summer of Code 2010 programme. It&#160;implements specification: <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849" rel="nofollow">The OAuth 1.0 protocol (RFC 5849)</a>&#160;&#160;and&#160;allows CXF users to build OAuth server</p>
-
-<p>and perform&#160;OAuth 1.0 authorization on their JAXRS services in a easy manner, by hiding complex OAuth flow.&#160;</p>
-
-<h3 id="CXFOAuth1.0-DownloadingCXFOAuth1.0module"><span style="color: rgb(0,51,102);"><strong>Downloading CXF OAuth 1.0 module</strong></span></h3>
-
-
-<h3 id="CXFOAuth1.0-OAuthServerbasicconfiguration">OAuth Server basic configuration</h3>
-
-<p>CXF, provides implementation for three endpoints from OAuth 1.0 specification:</p>
-<ul><li><strong>Temporary Credentials Endpoint</strong></li><li><strong>Authorization Endpoint</strong></li><li><strong>Token Credentials Endpoint</strong></li></ul>
-
-
-<p>which are usual JAX-RS resources. They allow client application to receive access token from the server required to access resources at that server.</p>
-
-<p>Configuration is exatcly this same as for every JAX-RS service:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+<div id="ConfluenceContent"><h1 id="CXFOAuth1.0-CXFOAuth1.0extension">CXF OAuth 1.0 extension</h1><div class="confluence-information-macro confluence-information-macro-warning"><span class="aui-icon aui-icon-small aui-iconfont-error confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>OAuth 1.0 support in CXF was dropped from the 3.5.0 release onwards</p></div></div><p><br clear="none"></p><p><strong>Note</strong>: This page describes the OAuth GSOC 2009 project led by Lucasz Moren. Please go to the <a shape="rect" href="jax-rs-oauth.html">JAX-RS OAuth</a> page for an up-to-date information.</p><p>CXF OAuth 1.0 extension has been build during Google Summer of Code 2010 programme. It&#160;implements specification: <a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849" rel="nofollow">The OAuth 1.0 protocol (RFC 5849)</a>&#160;&#160;and&#160;allows CXF users to build OAuth server</p><p>and perform&#160;OAuth 1.0 authorizat
 ion on their JAXRS services in a easy manner, by hiding complex OAuth flow.&#160;</p><h3 id="CXFOAuth1.0-DownloadingCXFOAuth1.0module"><span style="color: rgb(0,51,102);"><strong>Downloading CXF OAuth 1.0 module</strong></span></h3><h3 id="CXFOAuth1.0-OAuthServerbasicconfiguration">OAuth Server basic configuration</h3><p>CXF, provides implementation for three endpoints from OAuth 1.0 specification:</p><ul><li><strong>Temporary Credentials Endpoint</strong></li><li><strong>Authorization Endpoint</strong></li><li><strong>Token Credentials Endpoint</strong></li></ul><p>which are usual JAX-RS resources. They allow client application to receive access token from the server required to access resources at that server.</p><p>Configuration is exatcly this same as for every JAX-RS service:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 &lt;!-- Publish OAuth endpoints--&gt;
 &#160;&#160; &#160;&lt;jaxrs:server id="oauthServer" address="/oauth/"&gt;
 &#160;&#160; &#160; &#160; &#160;&lt;jaxrs:serviceBeans&gt;
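Review bot: the warning macro added at the top of this hunk says OAuth 1.0 support was dropped from the 3.5.0 release onwards, but the paragraph right after it still sends readers to the JAX-RS OAuth page "for an up-to-date information" and the rest of the page goes on documenting server configuration as if it were current; put the pointer to jax-rs-oauth.html inside the warning body so a reader who stops at the banner knows where to go, and consider naming the last release line that still ships the module (not stated anywhere on this page, so it needs confirming before it is added). While the text is being touched: the same paragraphs call this a "GSOC 2009 project" and then say it was built during "Google Summer of Code 2010", and "has been build" and "exatcly this same" are typos carried over unchanged. Separately, the regenerated markup collapses the previously line-broken content into single very long lines and drops style="font-size:12px;" from the pre elements; the former makes any future diff of this page hard to review.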
@@ -160,99 +140,28 @@ Apache CXF -- CXF OAuth 1.0
 &#160;&#160; &#160; &#160; &#160;&lt;property name="resourcePath" value="/oAuthLogin.jsp"/&gt;
 &#160;&#160; &#160;&lt;/bean&gt;
 </pre>
-</div></div>
-<p>OAuth Server requires to save and read an OAuth data (OAuth tokens, oauth_verifier, client identifier ...)&#160;from the&#160;persistence&#160;storage specific for the&#160;particural web application.&#160;</p>
-
-<p>To make that transparent to the developers, CXF uses:</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+</div></div><p>OAuth Server requires to save and read an OAuth data (OAuth tokens, oauth_verifier, client identifier ...)&#160;from the&#160;persistence&#160;storage specific for the&#160;particural web application.&#160;</p><p>To make that transparent to the developers, CXF uses:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 org.apache.cxf.auth.oauth.provider.OAuthDataProvider
 </pre>
-</div></div>
-<p>interface as an integration point between llibrary and the application. There is provided sample&#160;implementation of that interface that manages data stored in the memory:</p>
-
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+</div></div><p>interface as an integration point between llibrary and the application. There is provided sample&#160;implementation of that interface that manages data stored in the memory:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 org.apache.cxf.auth.oauth.provider.MemoryOauthDataProvider
 </pre>
-</div></div>
-
-<p>that is located in core OAuth module and&#160;</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+</div></div><p>that is located in core OAuth module and&#160;</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 org.apache.cxf.auth.oauth.demo.server.oauth.SampleOAuthDataProvider
 </pre>
-</div></div>
-<p>in OAuth demo server module.</p>
-
-<h2 id="CXFOAuth1.0-OAuthEndpointsexplained"><strong>OAuth Endpoints explained</strong></h2>
-
-<h5 id="CXFOAuth1.0-TemporaryCredentials"><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849#section-2.1" rel="nofollow">Temporary Credentials</a></h5>
-
-<p>Client sends oauth required parameters in order to receive temporary request token. CXF handles request, validates it,&#160;reads required information about the client and</p>
-
-<p>save state(request token returned to the client in the response) required in the next OAuth request. CXF returns OAuth 1.0a specification compliant response.</p>
-
-<h5 id="CXFOAuth1.0-ResourceOwnerAuthorization"><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849#section-2.2" rel="nofollow">Resource Owner Authorization</a></h5>
-
-<p>To assure more flexible authorization and access control to the server resources there were added two custom parameters, through which client specifies<br clear="none">
-what resources would like to access (scope), and how will be it accessing (permission):</p>
-<ul><li><strong>x_oauth_scope</strong> - specifies comma separated server uri's to which client wants to have access</li><li><strong>x_oauth_permission</strong> - specifies comma separated list of permissions to x_oauth_scope uri's which client wants to have (every permission is associated with role, ROLE_USER, ROLE_ADMIN, etc..)</li></ul>
-
-
-<p>i.e.:<br clear="none">
-After granting permissions by the user to server resources, CXF saves this data that will be required in later access control evaluation, generates oauth_verifier&#160;and returns it to the client. <span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-content-image-border" src="cxf-oauth-10.data/confirmation.png"></span></p>
-
-<p><strong>Examplar screen where server user allows/denies access for a scopes and permissions requested by a third party application</strong></p>
-
-<p>Location of above confirmation screen can be configured by registering dispatch provider as shown in&#160;OAuth Server basic configuration. CXF returns OAuth compliant errors in case of wrong client requests.&#160;</p>
-
-
-<h5 id="CXFOAuth1.0-TokenCredentials"><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849#section-2.3" rel="nofollow">Token Credentials</a></h5>
-
-<p>Client sends request to the Authorization Server in order to exchange received in&#160;previous&#160;step&#160;<strong>oauth_verifier</strong> for an access token. Similarly in this step CXF handles request and return suitable response.<br clear="none">
-If the request is correct client receives an OAuth access token.<br clear="none">
-Access token give the rights to the user on the particular client to access previously authorized scopes with associated permissions.<br clear="none">
-Client need to attach access token with every request to oauth protected resource. In this implementation access token, represented by a string consist information of:</p>
-
-<ul><li>client application&#160;</li><li>resource owner which provides credentials to authorize client to the server</li><li>list of scopes accepted&#160;by the resource owner</li><li>list of permissions (list of roles)</li></ul>
-
-
-<h2 id="CXFOAuth1.0-InterceptingOAuthauthenticatedrequests"><span style="color: rgb(0,51,102);">Intercepting OAuth authenticated requests</span></h2>
-
-<p>OAuthSecurityFilter</p>
-
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+</div></div><p>in OAuth demo server module.</p><h2 id="CXFOAuth1.0-OAuthEndpointsexplained"><strong>OAuth Endpoints explained</strong></h2><h5 id="CXFOAuth1.0-TemporaryCredentials"><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849#section-2.1" rel="nofollow">Temporary Credentials</a></h5><p>Client sends oauth required parameters in order to receive temporary request token. CXF handles request, validates it,&#160;reads required information about the client and</p><p>save state(request token returned to the client in the response) required in the next OAuth request. CXF returns OAuth 1.0a specification compliant response.</p><h5 id="CXFOAuth1.0-ResourceOwnerAuthorization"><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849#section-2.2" rel="nofollow">Resource Owner Authorization</a></h5><p>To assure more flexible authorization and access control to the server resources there were added two custom parameters, through which client 
 specifies<br clear="none">what resources would like to access (scope), and how will be it accessing (permission):</p><ul><li><strong>x_oauth_scope</strong> - specifies comma separated server uri's to which client wants to have access</li><li><strong>x_oauth_permission</strong> - specifies comma separated list of permissions to x_oauth_scope uri's which client wants to have (every permission is associated with role, ROLE_USER, ROLE_ADMIN, etc..)</li></ul><p>i.e.:<br clear="none">After granting permissions by the user to server resources, CXF saves this data that will be required in later access control evaluation, generates oauth_verifier&#160;and returns it to the client. <span class="confluence-embedded-file-wrapper"><img class="confluence-embedded-image confluence-content-image-border" src="cxf-oauth-10.data/confirmation.png"></span></p><p><strong>Examplar screen where server user allows/denies access for a scopes and permissions requested by a third party application</strong></p>
 <p>Location of above confirmation screen can be configured by registering dispatch provider as shown in&#160;OAuth Server basic configuration. CXF returns OAuth compliant errors in case of wrong client requests.&#160;</p><h5 id="CXFOAuth1.0-TokenCredentials"><a shape="rect" class="external-link" href="http://tools.ietf.org/html/rfc5849#section-2.3" rel="nofollow">Token Credentials</a></h5><p>Client sends request to the Authorization Server in order to exchange received in&#160;previous&#160;step&#160;<strong>oauth_verifier</strong> for an access token. Similarly in this step CXF handles request and return suitable response.<br clear="none">If the request is correct client receives an OAuth access token.<br clear="none">Access token give the rights to the user on the particular client to access previously authorized scopes with associated permissions.<br clear="none">Client need to attach access token with every request to oauth protected resource. In this implementation access token
 , represented by a string consist information of:</p><ul><li>client application&#160;</li><li>resource owner which provides credentials to authorize client to the server</li><li>list of scopes accepted&#160;by the resource owner</li><li>list of permissions (list of roles)</li></ul><h2 id="CXFOAuth1.0-InterceptingOAuthauthenticatedrequests"><span style="color: rgb(0,51,102);">Intercepting OAuth authenticated requests</span></h2><p>OAuthSecurityFilter</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 org.apache.cxf.auth.oauth.interceptors.OAuthSecurityFilter
 </pre>
-</div></div>
-<p>intercepts OAuth authenticated request perform basic OAuth validation and check if requested scope is not greater than authorized by the resource owner.</p>
-
-<p>Initial http request is wrapped with overrided:&#160;getUserPrincipal&#160;and&#160;isUserInRole methods and passed further. OAuth security filter does not assure access control based on permissions associated with the scope. It needs to be done by developer or&#160;</p>
-
-<p>by using: SpringOAuthAuthenticationFilter</p>
-
-<h2 id="CXFOAuth1.0-SpringSecurityIntegration"><span style="color: rgb(0,51,102);">Spring Security Integration</span></h2>
-
-
-<h3 id="CXFOAuth1.0-SpringOAuthAuthenticationFilter">SpringOAuthAuthenticationFilter</h3>
-
-<p>Spring Security extension provides integration of OAuth flow with security annotations like: @RolesAllowed or @Secured</p>
-
-<p>The only thing that needs to be done is adding</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+</div></div><p>intercepts OAuth authenticated request perform basic OAuth validation and check if requested scope is not greater than authorized by the resource owner.</p><p>Initial http request is wrapped with overrided:&#160;getUserPrincipal&#160;and&#160;isUserInRole methods and passed further. OAuth security filter does not assure access control based on permissions associated with the scope. It needs to be done by developer or&#160;</p><p>by using: SpringOAuthAuthenticationFilter</p><h2 id="CXFOAuth1.0-SpringSecurityIntegration"><span style="color: rgb(0,51,102);">Spring Security Integration</span></h2><h3 id="CXFOAuth1.0-SpringOAuthAuthenticationFilter">SpringOAuthAuthenticationFilter</h3><p>Spring Security extension provides integration of OAuth flow with security annotations like: @RolesAllowed or @Secured</p><p>The only thing that needs to be done is adding</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 org.apache.cxf.auth.oauth.integration.spring.security.SpringOAuthAuthenticationFilter
 </pre>
-</div></div>
-<p>configuration in web.xml file <strong>following</strong> OAuthSecurityFilter. SpringOAuthAuthenticationFilter initializes SpringSecurityContext and allows to benefit from Spring Security framework.<br clear="none">
-Sample JAX-RS service could looks like:</p>
-<div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
+</div></div><p>configuration in web.xml file <strong>following</strong> OAuthSecurityFilter. SpringOAuthAuthenticationFilter initializes SpringSecurityContext and allows to benefit from Spring Security framework.<br clear="none">Sample JAX-RS service could looks like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default">
 @Path("/")
 public class SampleResourceProvider {
 
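Review bot: the Resource Owner Authorization paragraph in this hunk ends with "i.e.:" followed only by a line break, so the example that phrase introduces is missing; either supply the example request showing x_oauth_scope and x_oauth_permission or drop the dangling "i.e.:". The same hunk states that OAuthSecurityFilter only checks that the requested scope is not greater than what the resource owner authorized, and that permission-based access control "needs to be done by developer" or via SpringOAuthAuthenticationFilter; since that is the access-control boundary of the whole module, it should be one clear sentence (or a note macro) rather than a clause that trails off into "or" across two paragraphs. Also, MemoryOauthDataProvider is described as a sample implementation keeping tokens, oauth_verifier values and client identifiers in memory; the text should say explicitly that it is for demos only and that a deployment needs a persistent OAuthDataProvider implementation. Minor: the confirmation.png img has no alt attribute, "llibrary" and "overrided" are typos.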
@@ -265,19 +174,7 @@ public class SampleResourceProvider {
     }
 }
 </pre>
-</div></div>
-
-<p>In above example <em>getInfo</em> resource can be invoked only by the client which attached access token that was authorized by the resource owner with<br clear="none">
-scope: /*,&#160;person/*, person/get/* or /person/get/$particular_name and with permission associated with role: ROLE_USER.</p>
-
-<h3 id="CXFOAuth1.0-SpringSecurityExceptionMapper">SpringSecurityExceptionMapper</h3>
-<p>This exception mapper converts Spring Security exceptions (i.e. AccessDeniedException) into http response that is compliant with OAuth 1.0 specification.</p>
-
-<h2 id="CXFOAuth1.0-OAuthDemoServer"><span style="color: rgb(0,51,102);">OAuth Demo Server</span></h2>
-<p>Sample implementation of an OAuth server, build with using CXF OAuth extension. Provides simple functionality for preregistering OAuth clients, viewing authorized clients and revoking access to the server.</p>
-
-<h2 id="CXFOAuth1.0-OAuthDemoClient"><span style="color: rgb(0,51,102);">OAuth Demo Client</span></h2>
-<p>OAuth 1.0 client web application that is able to make OAuth authenticated requests</p></div>
+</div></div><p>In above example <em>getInfo</em> resource can be invoked only by the client which attached access token that was authorized by the resource owner with<br clear="none">scope: /*,&#160;person/*, person/get/* or /person/get/$particular_name and with permission associated with role: ROLE_USER.</p><h3 id="CXFOAuth1.0-SpringSecurityExceptionMapper">SpringSecurityExceptionMapper</h3><p>This exception mapper converts Spring Security exceptions (i.e. AccessDeniedException) into http response that is compliant with OAuth 1.0 specification.</p><h2 id="CXFOAuth1.0-OAuthDemoServer"><span style="color: rgb(0,51,102);">OAuth Demo Server</span></h2><p>Sample implementation of an OAuth server, build with using CXF OAuth extension. Provides simple functionality for preregistering OAuth clients, viewing authorized clients and revoking access to the server.</p><h2 id="CXFOAuth1.0-OAuthDemoClient"><span style="color: rgb(0,51,102);">OAuth Demo Client</span></h2><p>OAuth 1.0 client web ap
 plication that is able to make OAuth authenticated requests</p></div>
            </div>
            <!-- Content -->
          </td>
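Review bot: the scope list in the getInfo explanation ("/*, person/*, person/get/* or /person/get/$particular_name") mixes leading-slash and no-slash forms; since scope matching is what decides whether a token may reach the resource, the text should state one canonical form and whether the comparison is prefix- or pattern-based, so readers do not register scopes that never match. The SpringSecurityExceptionMapper sentence uses "i.e." where "e.g." is meant (AccessDeniedException is one example, not the definition), and "build with using CXF OAuth extension" should read "built using the CXF OAuth extension". The demo-server and demo-client sections also say nothing about the warning added earlier in this commit; a one-line note that the demos target the pre-3.5.0 module would keep them consistent with the banner.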