You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2012/05/22 16:47:55 UTC
svn commit: r818702 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-oauth2.html
Author: buildbot
Date: Tue May 22 14:47:55 2012
New Revision: 818702
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue May 22 14:47:55 2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
<div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a shape="r
ect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login
name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a shape="rect" href="#JAX-RS
OAuth2-WhatIsNext">What Is Next</a></li></ul></div>
<h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
@@ -366,6 +366,9 @@ Headers:
<p>Note that the access token key is passed as the Bearer scheme value. Other token types such as MAC ones, etc, can be represented differently.</p>
+<h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService </h3>
+<p>The <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below.</p>
+
<h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing OAuthDataProvider</h2>
<p>Using CXF OAuth service implementations will help a lot with setting up an OAuth server. As you can see from the above sections, these services rely on a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a> implementation.</p>
@@ -414,24 +417,48 @@ Most likely, you'd want to deploy Access
<p>AccessTokenService listens on a relative "/token" path. Given that jaxrs:server/@adress is "/oauth" and assuming a context name is "/services", the absolute address of AccessTokenService would be something like "http://localhost:8080/services/oauth/token". </p>
-<p>AuthorizationCodeGrantService is better to put where the main application endpoint is. It can be put alongside AccessTokenService - but the problem is that the end user is expected to authenticate itself with the resource server after it has been redirected by a third-party client to AuthorizationCodeGrantService. That would make it more complex for the OAuth server endpoint to manage both OAuth (third-party client) and the regular user authentication - that can be done, see more on it below in the Design considerations section, but the simpler option is to simply get AuthorizationCodeGrantService under the control of the security filter enforcing the end user authentication:</p>
+<p>If the remote token validation is supported then have AccessTokenValidationService added too:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java">
-<bean id=<span class="code-quote">"authorizationService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>>
- <property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/>
-</bean>
-
-<bean id=<span class="code-quote">"myApp"</span> class=<span class="code-quote">"org.myapp.MyApp"</span>>
- <property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/>
-</bean>
-
-<jaxrs:server id=<span class="code-quote">"oauthServer"</span> address=<span class="code-quote">"/myapp"</span>>
- <jaxrs:serviceBeans>
- <ref bean=<span class="code-quote">"myApp"</span>/>
- <ref bean=<span class="code-quote">"authorizationService"</span>/>
- </jaxrs:serviceBeans>
-</jaxrs:server>
+<pre class="code-xml">
+<span class="code-tag"><span class="code-comment"><!-- implements OAuthDataProvider --></span></span>
+<span class="code-tag"><bean id=<span class="code-quote">"oauthProvider"</span> class=<span class="code-quote">"oauth.manager.OAuthManager"</span>/></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"accessTokenService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+<span class="code-tag"><bean id=<span class="code-quote">"accessTokenValidateService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenValidateService"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+
+
+<span class="code-tag"><jaxrs:server id=<span class="code-quote">"oauthServer"</span> address=<span class="code-quote">"/oauth"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"accessTokenService"</span>/></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"accessTokenValidateService"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+<p>The absolute address of AccessTokenValidateService would be something like "http://localhost:8080/services/oauth/validate". </p>
+
+<p>AuthorizationCodeGrantService is easier to put where the application endpoints are. It can be put alongside AccessTokenService, but ideally an SSO based authentication solution will be also be deployed, for the end user to avoid signing in separately several times (see more in it below). Here is an example of AuthorizationCodeGrantService being collocated with the application endpoint:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span class="code-quote">"authorizationService"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"myApp"</span> class=<span class="code-quote">"org.myapp.MyApp"</span>/></span>
+
+<span class="code-tag"><jaxrs:server id=<span class="code-quote">"appServer"</span> address=<span class="code-quote">"/myapp"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"myApp"</span>/></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"authorizationService"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+<span class="code-tag"></jaxrs:server></span>
</pre>
</div></div>
@@ -469,6 +496,70 @@ Headers:
<p>This SecurityContext will not necessarily be important for some of OAuth2 applications. Most of the security checks will be done by OAuth2 filters and security filters protecting the main application path the end users themselves use. Only if you would like to share the same JAX-RS resource code and access URIs between end users and clients then it can become handy. More on it below. </p>
+<p>Here is one example of how OAuthRequestFilter can be configured:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span class="code-quote">"oauthProvider"</span> class=<span class="code-quote">"oauth.manager.OAuthManager"</span>/></span>
+<span class="code-tag"><bean id=<span class="code-quote">"oauthFiler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"dataProvider"</span> ref=<span class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"myApp"</span> class=<span class="code-quote">"org.myapp.MyApp"</span>/></span>
+
+<span class="code-tag"><jaxrs:server id=<span class="code-quote">"fromThirdPartyToMyApp"</span> address=<span class="code-quote">"/thirdparty-to-myapp"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"myApp"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"oauthFilter"</span>/></span>
+ <span class="code-tag"></jaxrs:providers></span>
+
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+<p>It will rely on an instance of OAuthDataProvider to get the information about the current access token and will validate it.<br clear="none">
+This option works OK for when it is easy to get the same OAuthDataProvider shared between this filter, as well as Authorization and AccessToken services. OAuthDataProvider can also be implemented such that it manages the information in the distributed manner so the above configuration option may scale well for more sophisticated deployments.</p>
+
+<p>When one has Authorization and AccessToken service not collocated with the application endpoints, the following may work better:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+
+ <span class="code-tag"><bean id=<span class="code-quote">"tvServiceClientFactory"</span> class=<span class="code-quote">"org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"address"</span> value=<span class="code-quote">"http://localhost:${http.port}/services/oauth/validate"</span>/></span>
+ <span class="code-tag"><property name=<span class="code-quote">"headers"</span>></span>
+ <span class="code-tag"><map></span>
+ <span class="code-tag"><entry key=<span class="code-quote">"Accept"</span> value=<span class="code-quote">"application/xml"</span>/></span>
+ <span class="code-tag"></map></span>
+ <span class="code-tag"></property></span>
+ <span class="code-tag"></bean></span>
+
+ <span class="code-tag"><bean id=<span class="code-quote">"tvServiceClient"</span> factory-bean=<span class="code-quote">"tvServiceClientFactory"</span> factory-method=<span class="code-quote">"createWebClient"</span>/></span>
+
+ <span class="code-tag"><bean id=<span class="code-quote">"tokenValidator"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"tokenValidatorClient"</span> ref=<span class="code-quote">"tvServiceClient"</span>/></span>
+ <span class="code-tag"></bean></span>
+
+ <span class="code-tag"><bean id=<span class="code-quote">"oauthFiler"</span> class=<span class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"</span>></span>
+ <span class="code-tag"><property name=<span class="code-quote">"tokenValidator"</span> ref=<span class="code-quote">"tokenValidator"</span>/></span>
+ <span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"myApp"</span> class=<span class="code-quote">"org.myapp.MyApp"</span>/></span>
+
+<span class="code-tag"><jaxrs:server id=<span class="code-quote">"fromThirdPartyToMyApp"</span> address=<span class="code-quote">"/thirdparty-to-myapp"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"myApp"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span class="code-quote">"oauthFilter"</span>/></span>
+ <span class="code-tag"></jaxrs:providers></span>
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+
<h1><a shape="rect" name="JAX-RSOAuth2-Howtogettheuserloginname"></a>How to get the user login name</h1>
<p>When one writes a custom server application which needs to participate in OAuth2 flows, the major question which needs to be addressed is<br clear="none">
@@ -554,9 +645,9 @@ in this example OAuthServiceExceptions a
<h1><a shape="rect" name="JAX-RSOAuth2-OAuthWithoutaBrowser"></a>OAuth Without a Browser</h1>
<p>When an end user is accessing the 3rd party application and is authorizing it later on, it's usually expected that the user is relying on a browser. <br clear="none">
-However, supporting other types of end users is easy enough. Writing the client code that processes the redirection requests from the 3rd party application and AuthorizationRequestService is simple with JAX-RS and additionally CXF can be configured to do auto-redirects on the client side.</p>
+However, supporting other types of end users is easy enough. Writing the client code that processes the redirection requests from the 3rd party application and AuthorizationCodeGrantService is simple with JAX-RS and additionally CXF can be configured to do auto-redirects on the client side.</p>
-<p>Also note that AuthorizationRequestService can return XML or JSON <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a> representations. That makes it easy for a client code to get OAuthAuthorizationData and offer a pop-up window or get the input from the command-line. Authorizing the third-party application might even be automated in this case - which can lead to a complete 3-leg OAuth flow implemented without a human user being involved.</p>
+<p>Also note that AuthorizationCodeGrantService can return XML or JSON <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a> representations. That makes it easy for a client code to get OAuthAuthorizationData and offer a pop-up window or get the input from the command-line. Authorizing the third-party application might even be automated in this case - which can lead to a complete 3-leg OAuth flow implemented without a human user being involved.</p>
<h1><a shape="rect" name="JAX-RSOAuth2-Designconsiderations"></a>Design considerations</h1>
@@ -570,11 +661,11 @@ However, supporting other types of end u
<p>In the former case the way the authentication is managed is completely up to the resource server application: basic authentication, two-way TLS, OpenId (more on it below), you name it.</p>
-<p>In the latter case an OAuth filter must enforce that the 3rd party client has been registered using the provided client key and that it has a valid access token which represents the end user's approval. It's kind of the authentication and the authorization check at the same time.</p>
+<p>In the latter case an OAuth filter must enforce that the 3rd party client has been registered using the provided client key and that it has a valid access token which represents the end user's approval.</p>
<p>Letting both parties access the resource server via the same URI(s) complicates the life for the security filters but all the parties are only aware of the single resource server URI which all of them will use.</p>
-<p>Providing different access points to end users and clients may significantly simplify the authentication process - the possible downside is that multiple access points need to be mantained by the resource server.</p>
+<p>Providing different access points to end users and clients may significantly simplify the authentication process - the possible downside is that multiple access points need to be maintained by the resource server.</p>
<p>Both options are discussed next.</p>
@@ -649,7 +740,9 @@ For example, consider the following JAX-
<h2><a shape="rect" name="JAX-RSOAuth2-SingleSignOn"></a>Single Sign On</h2>
-<p>When dealing with authenticating the end users, having an SSO solution in place is very handy. This is because the end user interacts with both the third-party and its resource server web applications and is also redirected from the client application to the resource server and back again. OpenID or say a WebBrowser SSO profile can help - CXF may offer some support in this area. </p>
+<p>When dealing with authenticating the end users, having an SSO solution in place is very handy. This is because the end user interacts with both the third-party and its resource server web applications and is also redirected from the client application to the resource server and back again. Additionally, the end user may need to authenticate with Authorization service if it is not collocated with the application endpoints. OpenID or say a WebBrowser SSO profile can help. </p>
+
+<p>CXF 2.6.1 provides an initial support for a SAML2 SSO profile. This will make it easier to minimize a number of sign ins to a single attempt and run OAuth2 Authorization servers separately from the application endpoints. </p>
<h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>