You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2012/04/12 18:48:24 UTC
svn commit: r812559 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-oauth2.html
Author: buildbot
Date: Thu Apr 12 16:48:23 2012
New Revision: 812559
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Apr 12 16:48:23 2012
@@ -249,33 +249,38 @@ INFO: Setting an instance of <span class
<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML view - this is a custom JSP handler and whatever HTML view is required can be created there, using the OAuthAuthorizationData bean for building the view. Most likely you will want to present a form asking the user to allow or deny the consumer accessing some of this user's resources. If OAuthAuthorizationData has a list of Permissions set then adding the information about the permissions is needed.</p>
-<p>Next the user makes a decision and selects a button allowing or denying the consumer accessing the resources. AuthorizationCodeGrantService does not need to know how a user has been asked to make the decision: </p>
+<p>Next the user makes a decision and selects a button allowing or denying the consumer accessing the resources. The form data are submitted to AuthorizationCodeGrantService: </p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Address: http://localhost:8080/services/social/authorize/decision
+Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
Headers: {
Authorization=[Basic YmFycnlAc29jaWFsLmNvbToxMjM0],
-Cookie=[JSESSIONID=eovucah9rwqp],
-Referer=[http://localhost:8080/services/social/authorize?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2],
-User-Agent=[Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0]}
+Content-Type=[application/x-www-form-urlencoded],
+...
+}
--------------------------------------
-09-Nov-2011 16:41:58 org.apache.cxf.jaxrs.utils.FormUtils logRequestParametersIfNeeded
-INFO: session_authenticity_token=e52b5033-9bf5-4b34-9d3a-39a7d5b7e686&oauthDecision=allow&oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2
+12-Apr-2012 15:36:29 org.apache.cxf.jaxrs.utils.FormUtils logRequestParametersIfNeeded
+INFO: updateCalendar-7_status=allow&readCalendar_status=allow&scope=updateCalendar-7+readCalendar&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete&session_authenticity_token=4f0005d9-565f-4309-8ffb-c13c72139ebe&oauthDecision=allow&state=1&client_id=123456789
</pre>
</div></div>
-<p>AuthorizationRequestService will use a session_authenticity_token to validate that the session is valid and will process the user decision next.<br clear="none">
-If it is set to "allow" then it will ask OAuthDataProvider to generate an authorization key (verifier) and return this verifier alongside with the request token key and the state if any by redirecting the current user back to the callback URI provided during the request token request:</p>
+<p>AuthorizationCodeGrantService will use a session_authenticity_token to validate that the session is valid and will process the user decision next. </p>
+
+<p>If the decision is "allow" then it will check the status of the individual scope values. It relies on the "scopename_status" convention, if the form has offered the user a chance to selectively enable individual scopes then name/value pairs such as "updateCalendar-7_status=allow" are submitted. If none of such pairs is coming back then it means the user has approved all the default and additional (if any) scopes.</p>
+
+<p>Next it will ask OAuthDataProvider to generate an authorization code grant and return it alongside with the state if any by redirecting the current user back to the redirect URI:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Response-Code: 303
Headers: {
-Location=[http://localhost:8080/services/reservations/reserve/complete?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&oauth_verifier=00bd8fa7-4233-42a2-8957-0a0a22c684ba]
-}
+ Location=[http://localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab],
+ Date=[Thu, 12 Apr 2012 14:36:29 GMT],
+ Content-Length=[0]}
</pre>
</div></div>
@@ -283,85 +288,91 @@ Location=[http://localhost:8080/services
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
-Address: http:<span class="code-comment">//localhost:8080/services/reservations/reserve/complete?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&oauth_verifier=00bd8fa7-4233-42a2-8957-0a0a22c684ba
+Address: http:<span class="code-comment">//localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab
</span>Http-Method: GET
-Content-Type:
Headers: {
-Authorization=[Basic YmFycnlAc29jaWFsLmNvbToxMjM0],
-Cookie=[JSESSIONID=eovucah9rwqp],
-Referer=[http:<span class="code-comment">//localhost:8080/services/social/authorize?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2],
-</span>User-Agent=[Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0]}
+Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
+Authorization=[Basic YmFycnlAcmVzdGF1cmFudC5jb206NTY3OA==],
+Cookie=[JSESSIONID=1c289vha0cxfe],
+}
</pre>
</div></div>
-<p>If a user decision was set to "deny" then no verifier will be sent back to the consumer.</p>
+<p>If a user decision was set to "deny" then the error will be returned to the client.</p>
-<p>Assuming the decision was "allow", the consumer has now received back the request token and its verifier and is ready to exchange this pair for an access token.</p>
+<p>Assuming the decision was "allow", the consumer has now received back the authorization code grant and is ready to exchange it for a new access token.</p>
<h2><a shape="rect" name="JAX-RSOAuth2-AccessTokenService"></a>AccessTokenService </h2>
-<p>The role of AccessTokenService is to exchange an authorized request token for a new access token which will be used by the consumer to access the end user's resources. <br clear="none">
+<p>The role of AccessTokenService is to exchange a token grant for a new access token which will be used by the consumer to access the end user's resources. <br clear="none">
Here is an example request log:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Address: http://localhost:8080/services/oauth/token
Http-Method: POST
+
Headers: {
-Accept=[application/x-www-form-urlencoded],
-Authorization=[OAuth oauth_signature_method=<span class="code-quote">"HMAC-SHA1"</span>,
- oauth_consumer_key=<span class="code-quote">"123456789"</span>,
- oauth_token=<span class="code-quote">"6dfd5e52-236c-4939-8df8-a53212f7d2a2"</span>,
- oauth_verifier=<span class="code-quote">"00bd8fa7-4233-42a2-8957-0a0a22c684ba"</span>,
- oauth_timestamp=<span class="code-quote">"1320760259"</span>,
- oauth_nonce=<span class="code-quote">"16237669362301"</span>,
- oauth_version=<span class="code-quote">"1.0"</span>,
- oauth_signature=<span class="code-quote">"dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"</span>]
+Accept=[application/json],
+Authorization=[Basic MTIzNDU2Nzg5Ojk4NzY1NDMyMQ==],
+Content-Type=[application/x-www-form-urlencoded]
}
+Payload:
+
+grant_type=authorization_code&code=5c993144b910bccd5977131f7d2629ab&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete
</pre>
</div></div>
-<p>This request is very similar to a temporarily token request. Note that the request token key is also included and this token key and its secret pair, as well as the consumer key and secret pair are used to calculate the signature.</p>
+<p>This request contains a client_id and client_secret (Authorization header), the grant_type, the grant value (code)<br clear="none">
+plus the redirect URI the authorization grant was returned to which is needed for the additional validation.<br clear="none">
+Note that the alternative client authentication methods are also possible, in this case the token service will expect a mapping between the client credentials and the client_id representing the client registration available.</p>
+
+<p>After validating the request, the service will find a matching <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a> and request to create a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java">ServerAccessToken</a> which is a server-side representation of the access token.<br clear="none">
+The grant handlers, such as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java">AuthorizationCodeGrantHandler</a> may delegate the creation of the actual access token to data providers, which may use the available utility classes such as <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/bearer/BearerAccessToken.java">BearerAccessToken</a> shipped with CXF or depend on other 3rd party libraries to create the tokens.</p>
-<p>AccessTokenService validates the signature, asks OAuthDataProvider to remove a RequestToken identified by the "oauth_token" and compares the "oauth_verifier" value against the one stored in this RequestToken.</p>
+<p>The data providers are also do not strictly required to persist the data such as access tokens, instead the token key may an encrypted bag capturing all the relevant information.</p>
-<p>Note that if the "oauth_verifier" is missing then AccessTokenService will check that RequestToken has been preauthorized and that its UserSubject property is initialized. If both conditions are met then the access token request is allowed to continue. </p>
+<p>Now that the token has been created, it is mapped by the service to a <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java">client representation</a> and is returned back as a JSON payload:</p>
-<p>Next it asks the data provider to create a new <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java">AccessToken</a> based on this RequestToken. The resulting access token key and secret pair is returned back to a consumer:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
Response-Code: 200
-Content-Type: application/x-www-form-urlencoded
-Headers: {Date=[Tue, 08 Nov 2011 13:50:59 GMT]}
-Payload: oauth_token=abc15aca-2073-4bde-b1be-1a02dc7ccafe&oauth_token_secret=859dfe9e-ca4c-4b36-9e60-044434ab636c
+Content-Type: application/json
+Headers: {
+ Cache-Control=[no-store],
+ Pragma=[no-cache],
+ Date=[Thu, 12 Apr 2012 14:36:29 GMT]
+}
+
+Payload:
+
+{<span class="code-quote">"access_token"</span>:<span class="code-quote">"5b5c8e677413277c4bb8b740d522b378"</span>, <span class="code-quote">"token_type"</span>:<span class="code-quote">"bearer"</span>}
+
</pre>
</div></div>
<p>The consumer will use this access token to access the current user's resources in order to complete the original user's request, for example, the request to access a user's calendar may look like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
-Address: http://localhost:8080/services/user/calendar
+Address: http://localhost:8080/services/thirdPartyAccess/calendar
Http-Method: GET
-Headers: {
-Accept=[application/XML],
-Authorization=[OAuth oauth_signature_method=<span class="code-quote">"HMAC-SHA1"</span>,
- oauth_consumer_key=<span class="code-quote">"123456789"</span>,
- oauth_token=<span class="code-quote">"abc15aca-2073-4bde-b1be-1a02dc7ccafe"</span>,
- oauth_version=<span class="code-quote">"1.0"</span>,
- oauth_signature=<span class="code-quote">"dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"</span>]
+Headers:
+{
+ Authorization=[Bearer 5b5c8e677413277c4bb8b740d522b378],
+ Accept=[application/xml]
}
</pre>
</div></div>
-<p>Note that the access token is set and the access token key and secret pair, as well as the consumer key and secret pair are used to create a signature.</p>
+<p>Note that the access token key is passed as the Bearer scheme value. Other token types such as MAC ones, etc, can be represented differently.</p>
<h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing OAuthDataProvider</h2>
-<p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java">OAuthDataProvider</a> implementation.</p>
+<p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a> implementation.</p>
-<p>The main task of OAuthDataProvider is to persist request and access tokens and generate authorization/verifier keys. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.</p>
+<p>The main task of OAuthDataProvider is to persist and generate access tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to persist and remove the code grant registrations. The way it's done is really application-specific. Consider starting with a basic memory based implementation and then move on to keeping the data in some DB.</p>
-<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java">Client</a> instances but it has no methods for creating or removing Clients. The reason for it is that the process of registering third-party consumers is very specific to a particular OAuth application, so CXF does not offer a registration support service and hence OAuthDataProvider has no Client create/update methods. You will likely need to do something like this:</p>
+<p>Note that OAuthDataProvider supports retrieving <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java">Client</a> instances but it has no methods for creating or removing Clients. The reason for it is that the process of registering third-party consumers is very specific to a particular OAuth2 application, so CXF does not offer a registration support service and hence OAuthDataProvider has no Client create/update methods. You will likely need to do something like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
@@ -376,65 +387,38 @@ Authorization=[OAuth oauth_signature_met
<p>CustomOAuthProvider will also remove all tokens associated with a given Client in removeClient(String cliendId).</p>
-<p>When creating RequestToken or AccessToken tokens as well as authorization keys, OAuthDataProvider will need to create unique identifiers.<br clear="none">
-The way it's done is application specific and custom implementations may also use a utility <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/MD5SequenceGenerator.java">MD5SequenceGenerator</a> shipped with CXF, for example:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<span class="code-keyword">public</span> <span class="code-object">String</span> setRequestTokenVerifier(RequestToken requestToken) <span class="code-keyword">throws</span> OAuthServiceException {
- requestToken.setVerifier(generateSequence());
- <span class="code-keyword">return</span> requestToken.getVerifier();
-}
-<span class="code-keyword">private</span> <span class="code-object">String</span> generateSequence() <span class="code-keyword">throws</span> OAuthServiceException {
- <span class="code-keyword">try</span> {
- <span class="code-keyword">return</span> tokenGenerator.generate(UUID.randomUUID().toString().getBytes(<span class="code-quote">"UTF-8"</span>));
- } <span class="code-keyword">catch</span> (Exception e) {
- <span class="code-keyword">throw</span> <span class="code-keyword">new</span> OAuthServiceException(<span class="code-quote">"Unable to generate the key"</span>, e.getCause());
- }
-}
-
-</pre>
-</div></div>
-
-<p>Generating tokens/keys and persisting them effectively is what OAuthDataProvider all about.<br clear="none">
-Note that CXF will check that Request and Access tokens have not expired every time it uses them and will ask OAuthDataProvider to remove the expired tokens, but the custom OAuthDataProvider implementation may do its own checks too.</p>
-
-<p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java">OAuthPermission</a>s. AuthorizationRequestService and OAuth security filters will depend on it (assuming scopes are used in the first place). In the former case AuthorizationRequestService will use this list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a> - the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java">Permission</a>s is
that the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData handlers.</p>
+<p>Finally OAuthDataProvider may need to convert opaque scope values such as "readCalendar" into a list of <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s. AuthorizationCodeGrantService and OAuth2 security filters will depend on it (assuming scopes are used in the first place). In the former case AuthorizationCodeGrantService will use this list to populate <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a> - the reason this bean only sees <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">P
ermission</a>s is that some of the properties OAuthPermission keeps are of no interest to OAuthAuthorizationData handlers.</p>
<h2><a shape="rect" name="JAX-RSOAuth2-OAuthServerJAXRSendpoints"></a>OAuth Server JAX-RS endpoints </h2>
-<p>With CXF offering OAuth service implementations and a custom OAuthAuthorizationData provider in place, it is time to deploy the OAuth server. <br clear="none">
-Most likely, you'd want to deploy RequestTokenService and AccessTokenService as two root resources inside a single JAX-RS endpoint (or have one RequestTokenService and one AccessTokenService endpoint), for example:</p>
+<p>With CXF offering OAuth service implementations and a custom OAuthDataProvider provider in place, it is time to deploy the OAuth2 server. <br clear="none">
+Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS endpoint, for example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag"><span class="code-comment"><!-- implements OAuthDataProvider --></span></span>
<span class="code-tag"><bean id=<span class="code-quote">"oauthProvider"</span> class=<span class="code-quote">"oauth.manager.OAuthManager"</span>/></span>
-
-<span class="code-tag"><bean id=<span class="code-quote">"requestTokenService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth.services.RequestTokenService"</span>></span>
- <span class="code-tag"><property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/></span>
-<span class="code-tag"></bean></span>
-<span class="code-tag"><bean id=<span class="code-quote">"accessTokenService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth.services.AccessTokenService"</span>></span>
+<span class="code-tag"><bean id=<span class="code-quote">"accessTokenService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>></span>
<span class="code-tag"><property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/></span>
<span class="code-tag"></bean></span>
<span class="code-tag"><jaxrs:server id=<span class="code-quote">"oauthServer"</span> address=<span class="code-quote">"/oauth"</span>></span>
<span class="code-tag"><jaxrs:serviceBeans></span>
- <span class="code-tag"><ref bean=<span class="code-quote">"requestTokenService"</span>/></span>
<span class="code-tag"><ref bean=<span class="code-quote">"accessTokenService"</span>/></span>
<span class="code-tag"></jaxrs:serviceBeans></span>
<span class="code-tag"></jaxrs:server></span>
</pre>
</div></div>
-<p>RequestTokenService listens on a relative "/initiate" path, AccessTokenService - on "/token". Giving the that jaxrs:server/@adress is "/oauth" and assuming a context name is "/services", the absolute address of RequestTokenService would be something like "http://localhost:8080/services/oauth/initiate" and that of AccessTokenService - "http://localhost:8080/services/oauth/token". </p>
+<p>AccessTokenService listens on a relative "/token" path. Given that jaxrs:server/@adress is "/oauth" and assuming a context name is "/services", the absolute address of AccessTokenService would be something like "http://localhost:8080/services/oauth/token". </p>
-<p>AuthorizationRequestService is better to put where the main application endpoint is. It can be put alongside RequestTokenService and AccessTokenService - but the problem is that the end user is expected to authenticate itself with the resource server after it has been redirected by a third-party consumer to AuthorizationRequestService. That would make it more complex for the OAuth server endpoint to manage both OAuth (third-party consumer) and the regular user authentication - that can be done, see more on it below in the Design considerations section, but the simpler option is to simply get AuthorizationRequestService under the control of the security filter enforcing the end user authentication:</p>
+<p>AuthorizationCodeGrantService is better to put where the main application endpoint is. It can be put alongside AccessTokenService - but the problem is that the end user is expected to authenticate itself with the resource server after it has been redirected by a third-party consumer to AuthorizationCodeGrantService. That would make it more complex for the OAuth server endpoint to manage both OAuth (third-party consumer) and the regular user authentication - that can be done, see more on it below in the Design considerations section, but the simpler option is to simply get AuthorizationCodeGrantService under the control of the security filter enforcing the end user authentication:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
-<bean id=<span class="code-quote">"authorizationService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth.services.AuthorizationRequestService"</span>>
+<bean id=<span class="code-quote">"authorizationService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>>
<property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/>
</bean>
@@ -451,7 +435,7 @@ Most likely, you'd want to deploy Reques
</pre>
</div></div>
-<p>AuthorizationRequestService listens on a relative "/authorize" path so in this case its absolute address will be something like "http://localhost:8080/services/myapp/authorize". This address and those of RequestTokenService and AccessTokenService will be used by third-party consumers.</p>
+<p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in this case its absolute address will be something like "http://localhost:8080/services/myapp/authorize". This address and that of AccessTokenService will be used by third-party consumers.</p>
<h1><a shape="rect" name="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters"></a>Protecting resources with OAuth filters</h1>