Posted to users@cxf.apache.org by matteo <ma...@gmail.com> on 2016/03/10 14:05:22 UTC
How to manage resource owner login in CXF
I'm trying to figure out how to deal with the resource owner login procedure in
the CXF OAuth2 implementation. In the docs
(http://cxf.apache.org/docs/jax-rs-oauth2.html) it is stated that:
"The client application asks the current user (the browser) to go to a new
address provided by the Location header and the follow-up request to
AuthorizationCodeGrantService will look like this:"
"Note that the end user needs to authenticate."
Could you please explain how to deal with resource owner login in order to
provide the required header? What kind of CXF handler (if any) should be
registered? Is it possible to serve a custom login form in case the
AuthorizationCodeGrantService detects that the Authorization header is
missing?
Many thanks.
matteo
-----
matteo
--
View this message in context: http://cxf.547215.n5.nabble.com/How-to-manage-resource-owner-login-in-CXF-tp5766808.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: How to manage resource owner login in CXF
Posted by Sergey Beryozkin <sb...@gmail.com>.
As far as this interceptor is concerned, it can be configured with
custom callback handlers; I don't remember the name of the property
right now, but you can set whatever custom handlers are required.
Cheers, Sergey
On 11/03/16 17:26, matteo wrote:
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Re: How to manage resource owner login in CXF
Posted by matteo <ma...@gmail.com>.
Ok, I narrowed down my question a little bit.
I see that it is possible to leverage JAAS to populate the SecurityContext
principal via the JAASAuthenticationFilter. Now the point is that I would like to
manage my users and passwords via datasources, as explained in the Karaf
documentation
<https://karaf.apache.org/manual/latest/developers-guide/security-framework.html>.
The point is that my users' passwords are stored in the database as
encrypted tokens.
So my previous question becomes: how do I specify a
javax.security.auth.callback.CallbackHandler to compute the received password
hash before JAAS login?
All other steps should be performed transparently by the CXF
JAASAuthenticationFilter, right?
Thank you very much.
matteo
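The hashed-password check discussed above, as an added example that is not part of the thread and not CXF's or Karaf's code. It is a hypothetical JAAS LoginModule that does the user lookup and the hash verification itself: a per-user salt is only known once the user's record has been read, so it is not available to a CallbackHandler that runs before login, which is why the example puts the hashing on the LoginModule side and lets the CallbackHandler supply only the received name and password. The user table is an in-memory map constructed for the example (a stand-in for the JDBC datasource); the record format, the PBKDF2 parameters and the class name are assumptions, and wiring the module into a Karaf realm or into the filter's JAAS context name is assumed rather than shown.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule (example code, not CXF's or Karaf's): verifies a PBKDF2 record. */
public class HashedPasswordLoginModule implements LoginModule {

    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Constructed stand-in for the JDBC user table; record format: "<iterations>:<b64 salt>:<b64 hash>".
    private static final Map<String, String> STORE = new HashMap<>();
    // Dummy record verified for unknown users so response time does not reveal valid usernames.
    private static final String DUMMY = enroll("not-a-real-password".toCharArray());
    static {
        STORE.put("alice", enroll("correct horse battery staple".toCharArray()));
    }

    private Subject subject;
    private CallbackHandler handler;
    private Principal principal;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });   // the handler only relays what was received
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot obtain credentials: " + e);
        }
        char[] password = pwCb.getPassword();
        pwCb.clearPassword();
        if (nameCb.getName() == null || password == null || password.length == 0) {
            throw new FailedLoginException("missing credentials");
        }
        String record = STORE.get(nameCb.getName());
        boolean ok = verify(password, record == null ? DUMMY : record) && record != null;
        Arrays.fill(password, '\0');   // do not keep the cleartext around
        if (!ok) {
            throw new FailedLoginException("bad username or password");
        }
        final String name = nameCb.getName();
        principal = () -> name;   // Principal's single abstract method is getName()
        return true;
    }

    @Override
    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }

    @Override
    public boolean abort() { principal = null; return true; }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }

    /** Builds a stored record from a cleartext password: fresh random salt, PBKDF2-HMAC-SHA256. */
    static String enroll(char[] password) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(pbkdf2(password, salt, ITERATIONS));
    }

    /** Recomputes the hash with the record's own salt and iteration count; constant-time compare. */
    static boolean verify(char[] password, String record) {
        String[] f = record.split(":");
        if (f.length != 3) return false;
        try {
            byte[] salt = Base64.getDecoder().decode(f[1]);
            byte[] expected = Base64.getDecoder().decode(f[2]);
            return MessageDigest.isEqual(expected, pbkdf2(password, salt, Integer.parseInt(f[0])));
        } catch (IllegalArgumentException e) {   // malformed record
            return false;
        }
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        } finally {
            spec.clearPassword();
        }
    }
}
```

The module rejects unknown users only after running the same PBKDF2 computation against a dummy record, so a missing account and a wrong password take about the same time. Whatever CallbackHandler the filter is configured with only has to answer the NameCallback and PasswordCallback with the credentials taken from the Authorization header; the stored "encrypted token" is never compared as a plain string.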
Re: How to manage resource owner login in CXF
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 11/03/16 14:52, matteo wrote:
> Thank you for your reply!
>
> In the end I simply registered an ExceptionMapper<NotAuthorizedException> and
> now I redirect the resource owner to our login page (implemented as a WAB).
>
> The problem I'm still facing is that when the login WAB performs the
> /authorize/ invocation again (this time with the expected Basic
> authentication header in place), the authorization invocation fails because
> securityContext.getUserPrincipal() returns null.
>
> What is the right way in CXF to correctly populate the SecurityContext with
> a sound user principal?
>
If you use servlet security, the container will set up the
principal itself; otherwise you need to register a CXF filter, e.g. a JAX-RS 2.0
filter, which will parse the header and set up the SecurityContext.
Sergey
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
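The JAX-RS 2.0 filter Sergey describes, as an added example that is not part of the thread and not CXF's own code: a hypothetical ContainerRequestFilter that parses "Authorization: Basic", verifies the credentials and installs a SecurityContext so that securityContext.getUserPrincipal() is no longer null in AuthorizationCodeGrantService. The user store is an in-memory map constructed for the example, the class and constant names are assumptions, and the realm name in the challenge is illustrative.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.annotation.Priority;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/** Hypothetical JAX-RS 2.0 authentication filter (example code, not part of CXF). */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BasicAuthSecurityContextFilter implements ContainerRequestFilter {

    private static final String CHALLENGE = "Basic realm=\"oauth2\"";   // illustrative realm

    // Constructed stand-in for a user store: username -> password, username -> role.
    private static final Map<String, String> PASSWORDS = new HashMap<>();
    private static final Map<String, String> ROLES = new HashMap<>();
    static {
        PASSWORDS.put("alice", "s3cret");
        ROLES.put("alice", "resource-owner");
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String[] creds = parseBasic(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (creds == null) {
            // No usable credentials: 401 with a challenge. An ExceptionMapper<NotAuthorizedException>,
            // as used earlier in the thread, can turn this into a redirect to the login page instead.
            throw new NotAuthorizedException(CHALLENGE);
        }
        String expected = PASSWORDS.get(creds[0]);
        // Constant-time compare; a real store would hold a salted hash rather than the password itself.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), creds[1].getBytes(StandardCharsets.UTF_8))) {
            throw new NotAuthorizedException(CHALLENGE);
        }
        ctx.setSecurityContext(securityContextFor(creds[0], ctx.getSecurityContext()));
    }

    /** Returns {user, password} from "Basic base64(user:password)", or null if absent or malformed. */
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;
        }
        String pair = new String(raw, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon <= 0) return null;   // no separator or empty username
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /** The SecurityContext the OAuth2 services will see through securityContext.getUserPrincipal(). */
    static SecurityContext securityContextFor(final String user, SecurityContext original) {
        final boolean secure = original != null && original.isSecure();
        final Principal principal = () -> user;
        return new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return role.equals(ROLES.get(user)); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        };
    }
}
```

Register the filter as a provider on the same endpoint that hosts AuthorizationCodeGrantService, so it runs before the service reads the principal. Because Basic credentials travel in cleartext on every request, the endpoint should only be reachable over TLS; the isSecure() value is carried over from the container's context for that reason.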
Re: How to manage resource owner login in CXF
Posted by matteo <ma...@gmail.com>.
Thank you for your reply!
In the end I simply registered an ExceptionMapper<NotAuthorizedException> and
now I redirect the resource owner to our login page (implemented as a WAB).
The problem I'm still facing is that when the login WAB performs the
/authorize/ invocation again (this time with the expected Basic
authentication header in place), the authorization invocation fails because
securityContext.getUserPrincipal() returns null.
What is the right way in CXF to correctly populate the SecurityContext with
a sound user principal?
Many thanks again,
matteo
Re: How to manage resource owner login in CXF
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Matteo
I've copied those log statements while working with a demo shipped with
my company's distribution (you can see a link to that demo if you check
'CXF OAuth2' in Google).
In that demo, a custom security filter protects the demo OAuth2 web
client: it checks whether "Authorization: Basic" is there and, if not, it
challenges the user. This is managed by the browser, so the first
time the user accesses the web client the browser asks them to
authenticate, and after the user is redirected to the OAuth2 server and then
back to the client, the browser remembers that the user has authenticated
and sets this header itself.
In many cases one would really need to have some SSO in place, so that a
user does not have to sign in to the web client(s) and the OAuth2 server
separately. The demo also shows one option, SAML Web SSO with
Shibboleth. We also have two demos shipped with CXF, basic_oidc and
big_query, which show an OpenIdConnect RP in action.
HTH, Sergey
On 10/03/16 14:05, matteo wrote:
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/