You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2013/10/01 14:48:15 UTC
svn commit: r880659 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-basics.html docs/jax-rs-oauth2.html
Author: buildbot
Date: Tue Oct 1 12:48:15 2013
New Revision: 880659
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-basics.html
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-basics.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-basics.html (original)
+++ websites/production/cxf/content/docs/jax-rs-basics.html Tue Oct 1 12:48:15 2013
@@ -133,7 +133,7 @@ Apache CXF -- JAX-RS Basics
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> JAX-RS : Understanding the Basics </span></p>
<div>
-<ul><li><a shape="rect" href="#JAX-RSBasics-WhatisNewinJAXRS2.0">What is New in JAX-RS 2.0</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-ClientAPI">Client API</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-AsynchronousAPI">Asynchronous API</a></li><li><a shape="rect" href="#JAX-RSBasics-Responseinterfaceupdates">Response interface updates</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Filters">Filters</a></li><li><a shape="rect" href="#JAX-RSBasics-Interceptors">Interceptors</a></li><li><a shape="rect" href="#JAX-RSBasics-DynamicFeatures">Dynamic Features</a></li><li><a shape="rect" href="#JAX-RSBasics-Exceptions">Exceptions</a></li><li><a shape="rect" href="#JAX-RSBasics-Suspendedinvocations">Suspended invocations</a></li><li><a shape="rect" href="#JAX-RSBasics-Parameterconverters">Parameter converters</a></li><li><a shape="rect" href="#JAX-RSBasics-Beanparameters">Bean parameters</a></li><li><a shape="rect" href="#JAX-RSBasics-Updatestothematchingalgorithm">Update
s to the matching algorithm</a></li><li><a shape="rect" href="#JAX-RSBasics-Injectionintosubresources">Injection into subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Resourceclass">Resource class</a></li><li><a shape="rect" href="#JAX-RSBasics-@Path">@Path</a></li><li><a shape="rect" href="#JAX-RSBasics-HTTPMethod">HTTP Method</a></li><li><a shape="rect" href="#JAX-RSBasics-Returntypes">Return types</a></li><li><a shape="rect" href="#JAX-RSBasics-Exceptionhandling">Exception handling</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-CustomizingdefaultWebApplicationExceptionmapper">Customizing default WebApplicationException mapper</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-DealingwithParameters">Dealing with Parameters</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Parameterbeans">Parameter beans</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Resourcelifecycles">Resource lifecycles</a></li><li><a shape="rect" href="#JAX-RSBasics-Overviewofthe
selectionalgorithm.">Overview of the selection algorithm.</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourceclasses">Selecting between multiple resource classes</a></li><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourcemethods">Selecting between multiple resource methods</a></li><li><a shape="rect" href="#JAX-RSBasics-Resourcemethodsandmediatypes">Resource methods and media types</a></li><li><a shape="rect" href="#JAX-RSBasics-Customselectionbetweenmultipleresources">Custom selection between multiple resources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Contextannotations">Context annotations</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-CustomContexts">Custom Contexts</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-URIcalculationusingUriInfoandUriBuilder">URI calculation using UriInfo and UriBuilder</a></li><li><a shape="rect" href="#JAX-RSBasics-Annotationinheritance">Annotation inheritance</a></li><li><a
shape="rect" href="#JAX-RSBasics-Subresourcelocators.">Sub-resource locators.</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Staticresolutionofsubresources">Static resolution of subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-MessageBodyProviders">Message Body Providers</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-CustomMessageBodyProviders">Custom Message Body Providers</a></li><li><a shape="rect" href="#JAX-RSBasics-Registeringcustomproviders">Registering custom providers</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders">Customizing media types for message body providers</a></li><li><a shape="rect" href="#JAX-RSBasics-AdvancedHTTP">Advanced HTTP</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSBasics-WhatisNewinJAXRS2.0">What is New in JAX-RS 2.0</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-ClientAPI">Client API</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-AsynchronousAPI">Asynchronous API</a></li><li><a shape="rect" href="#JAX-RSBasics-Responseinterfaceupdates">Response interface updates</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Filters">Filters</a></li><li><a shape="rect" href="#JAX-RSBasics-Interceptors">Interceptors</a></li><li><a shape="rect" href="#JAX-RSBasics-DynamicFeatures">Dynamic Features</a></li><li><a shape="rect" href="#JAX-RSBasics-Exceptions">Exceptions</a></li><li><a shape="rect" href="#JAX-RSBasics-Suspendedinvocations">Suspended invocations</a></li><li><a shape="rect" href="#JAX-RSBasics-Parameterconverters">Parameter converters</a></li><li><a shape="rect" href="#JAX-RSBasics-Beanparameters">Bean parameters</a></li><li><a shape="rect" href="#JAX-RSBasics-Updatestothematchingalgorithm">Update
s to the matching algorithm</a></li><li><a shape="rect" href="#JAX-RSBasics-Injectionintosubresources">Injection into subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Resourceclass">Resource class</a></li><li><a shape="rect" href="#JAX-RSBasics-@Path">@Path</a></li><li><a shape="rect" href="#JAX-RSBasics-HTTPMethod">HTTP Method</a></li><li><a shape="rect" href="#JAX-RSBasics-Returntypes">Return types</a></li><li><a shape="rect" href="#JAX-RSBasics-Exceptionhandling">Exception handling</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-MappingexceptionsthrownfromCXFinterceptors">Mapping exceptions thrown from CXF interceptors</a></li><li><a shape="rect" href="#JAX-RSBasics-CustomizingdefaultWebApplicationExceptionmapper">Customizing default WebApplicationException mapper</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-DealingwithParameters">Dealing with Parameters</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Parameterbeans">Parameter beans</a></li></ul><
li><a shape="rect" href="#JAX-RSBasics-Resourcelifecycles">Resource lifecycles</a></li><li><a shape="rect" href="#JAX-RSBasics-Overviewoftheselectionalgorithm.">Overview of the selection algorithm.</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourceclasses">Selecting between multiple resource classes</a></li><li><a shape="rect" href="#JAX-RSBasics-Selectingbetweenmultipleresourcemethods">Selecting between multiple resource methods</a></li><li><a shape="rect" href="#JAX-RSBasics-Resourcemethodsandmediatypes">Resource methods and media types</a></li><li><a shape="rect" href="#JAX-RSBasics-Customselectionbetweenmultipleresources">Custom selection between multiple resources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Contextannotations">Context annotations</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-CustomContexts">Custom Contexts</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-URIcalculationusingUriInfoandUriBuilder">URI calculatio
n using UriInfo and UriBuilder</a></li><li><a shape="rect" href="#JAX-RSBasics-Annotationinheritance">Annotation inheritance</a></li><li><a shape="rect" href="#JAX-RSBasics-Subresourcelocators.">Sub-resource locators.</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-Staticresolutionofsubresources">Static resolution of subresources</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-MessageBodyProviders">Message Body Providers</a></li><ul><li><a shape="rect" href="#JAX-RSBasics-CustomMessageBodyProviders">Custom Message Body Providers</a></li><li><a shape="rect" href="#JAX-RSBasics-Registeringcustomproviders">Registering custom providers</a></li></ul><li><a shape="rect" href="#JAX-RSBasics-Customizingmediatypesformessagebodyproviders">Customizing media types for message body providers</a></li><li><a shape="rect" href="#JAX-RSBasics-AdvancedHTTP">Advanced HTTP</a></li></ul></div>
<h1><a shape="rect" name="JAX-RSBasics-WhatisNewinJAXRS2.0"></a>What is New in JAX-RS 2.0</h1>
@@ -329,14 +329,21 @@ public BookExceptionMapper implements Ex
<p>Have a look please at <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/SecurityExceptionMapper.java">this exception mapper</a> which converts Spring Security exceptions into HTTP 403 error code for another example.</p>
-<p>Note that when no mappers are found for custom exceptions, they are propagated (wrapped in ServletException) to the underlying container as required by the specification. Thus one option for intercepting the exceptions is to register a custom servlet filter which will catch ServletExceptions and handle the causes. If no custom servlet filter which can handle ServletExceptions is available then most likely only 500 error status will be reported. </p>
+<p>Note that when no mappers are found for custom exceptions, they are propagated to the underlying container as required by the specification where they will typically be wrapped in ServlerException, eventually resulting in HTTP 500 status being returned by default. Thus one option for intercepting the exceptions is to register a custom servlet filter which will catch ServletExceptions and handle the causes.</p>
<p>This propagation can be disabled by registering a boolean jaxrs property 'org.apache.cxf.propagate.exception' with a false value. If such property is set and no exception mapper can be found for a given exception then it will be wrapped into an xml error response by the CXF <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/bindings/xml/src/main/java/org/apache/cxf/binding/xml/interceptor/XMLFaultOutInterceptor.java">XMLFaultOutInterceptor</a>. </p>
-<p><b>Note</b> that before CXF 2.3.2(-SNAPSHOT) and CXF 2.4.0(-SNAPSHOT) a property "org.apache.cxf.propogate.exception" has to be used if needed. However the property name now includes a more common 'propagate' word. </p>
-
<p>One can also register a custom CXF out fault interceptor which can handle all the exceptions by writing directly to the HttpServletResponse stream or XMLStreamWriter (as XMLFaultOutInterceptor does). For example, see this <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/CustomOutFaultInterceptor.java">test interceptor</a>.</p>
+<h2><a shape="rect" name="JAX-RSBasics-MappingexceptionsthrownfromCXFinterceptors"></a>Mapping exceptions thrown from CXF interceptors</h2>
+
+<p>Starting from CXF 2.7.8 it is also possible to use registered ExceptionMappers to map the exceptions thrown from CXF server in interceptors which are registered after JAXRSInInterceptor (Phase.UNMARSHAL) and out interceptors registered before JAXRSOutInterceptor (Phase.MARSHAL).<br clear="none">
+In earlier CXF versions such exceptions are only possible to handle with CXF fault in interceptors.</p>
+
+<p>In order to get the exceptions thrown from CXF in interceptors mapped, set a "map.cxf.interceptor.fault" contextual property to true - needed in CXF 2.7.8 to ensure existing in fault interceptors are not affected; the mapping is done by default starting from CXF 3.0.0.</p>
+
+<p>In order to get the exceptions thrown from CXF out interceptors mapped, add org.apache.cxf.jaxrs.interceptor.JAXRSOutExceptionMapperInterceptor to the list of out interceptors.</p>
+
<h2><a shape="rect" name="JAX-RSBasics-CustomizingdefaultWebApplicationExceptionmapper"></a>Customizing default WebApplicationException mapper</h2>
<p>CXF ships a WebApplicationException mapper, org.apache.cxf.jaxrs.impl.WebApplicationExceptionMapper. By default it logs a stack trace at a warning level and returns Response available in the captured exception.<br clear="none">
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue Oct 1 12:48:15 2013
@@ -134,7 +134,7 @@ Apache CXF -- JAX-RS OAuth2
<div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse">Public Clients (Devices) and OOB Response</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" href="#JAX-RSOAuth2-MAC">MAC</
a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom and Encrypted tokens</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><
a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered scopes</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" hr
ef="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sig
n On</a></li></ul></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients%28Devices%29">Public Clients (Devices)</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-OOBResponse">OOB Response</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI">Secure code acquisition with redirect URI</a></li></ul></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a shape="rect" hr
ef="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" href="#JAX-RSOAuth2-MAC">MAC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom and Encrypted tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SimpleTokensandAudience">Simple Tokens and Audience</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-TokenRevocationService">TokenRevocationService</a></li><li><a shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredential
s">Resource Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Assertions">Assertions</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Preregisteredscopes">Pre-registered scopes</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-ThirdPartyClientAuthentication">Third Party Client Authentication</a></li><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Sub
ject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the sam
e access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul></ul></div>
<h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
@@ -323,13 +323,17 @@ Cookie=[JSESSIONID=1c289vha0cxfe],
<p>You may want to display a resource owner/end user name in the authorization form this user will be facing, you can get org.apache.cxf.rs.security.oauth2.provider.ResourceOwnerNameProvider registered with either AuthorizationCodeGrantService or ImplicitGrantService.<br clear="none">
org.apache.cxf.rs.security.oauth2.provider.DefaultResourceOwnerNameProvider, if registered, will return an actual login name, the custom implementations may choose to return a complete user name instead, etc. </p>
-<h3><a shape="rect" name="JAX-RSOAuth2-PublicClients%28Devices%29andOOBResponse"></a>Public Clients (Devices) and OOB Response</h3>
+<h3><a shape="rect" name="JAX-RSOAuth2-PublicClients%28Devices%29"></a>Public Clients (Devices) </h3>
-<p>Starting from CXF 2.7.6, the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a> bean. By default, it is returned directly to the end user, unless a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a> is registered with AuthorizationCodeGrantService which may deliver it to the client via some custom back channel. </p>
+<p>CXF 2.7.7 provides an initial support for public clients (such as various mobile devices).</p>
-<p>Authorization service will only return the code OOB if a Client has been registered as a public client with no client secret and redirect URI and the service itself has a "canSupportPublicClients" property enabled. The same property will also have to be enabled on AccessTokenService (described in the next section) for a public client without a secret be able to exchange a code grant for an access token.</p>
+<p>Client can be 'public' if it has been registered as a public client with no client secret the service itself has a "canSupportPublicClients" property enabled. The same property will also have to be enabled on AccessTokenService (described in the next section) for a public client without a secret be able to exchange a code grant for an access token.</p>
-<p>Having OOB responses supported is useful when a public client (typically a device which can not keep the client secrets) needs to get a code grant. what will happen is that a device owner will send a request to Authorization Service which may look like this:</p>
+<h4><a shape="rect" name="JAX-RSOAuth2-OOBResponse"></a>OOB Response</h4>
+
+<p>If a public client has not registered a redirect URI with the Authorization service then the authorization code can be returned out-of-band (OOB), see <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a> bean. By default, it is returned directly to the end user, unless a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OOBResponseDeliverer.java">OOBResponseDeliverer</a> is registered with AuthorizationCodeGrantService which may deliver it to the client via some custom back channel. </p>
+
+<p>Having OOB responses supported is useful when a public client (typically a device which can not keep the client secrets and where no redirect URI is supported) needs to get a code grant. What will happen is that a device owner will send a request to Authorization Service which may look like this:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>GET
http://localhost:8080/services/social/authorize?client_id=mobileClient&response_type=code
@@ -338,6 +342,12 @@ http://localhost:8080/services/social/au
<p>Assuming the 'mobileClient' has been registered as public one with no secret and the service has been set up to support such clients, the end user will get a chance to authorize this client the same way it can do confidential clients, and after this user gets back a code (delivered directly in the response HTML page by default) the user will enter the code securely into the device which will then replace it for a time-scoped access token by contacting AccessTokenService. </p>
+<h4><a shape="rect" name="JAX-RSOAuth2-SecurecodeacquisitionwithredirectURI"></a>Secure code acquisition with redirect URI</h4>
+
+<p>The following <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01" rel="nofollow">extension</a> is supported to help public clients with redirect URIs to accept the code securely.<br clear="none">
+Note this extension will likely introduce the HMAC calculation in the next drafts, but the current approach can already help. </p>
+
+
<h2><a shape="rect" name="JAX-RSOAuth2-AccessTokenService"></a>AccessTokenService </h2>
<p>The role of AccessTokenService is to exchange a token grant for a new access token which will be used by the client to access the end user's resources. <br clear="none">
@@ -541,6 +551,11 @@ Authorization: MAC id="5b5c8e677413277c4
<p>The cost of encrypting and decrypting will add up to the processing time - however the provider will not be actually responsible for storing the access token details which can start making a difference with a high number of clients.</p>
+<h4><a shape="rect" name="JAX-RSOAuth2-SimpleTokensandAudience"></a>Simple Tokens and Audience</h4>
+
+<p>Starting from CXF 2.7.7 an <a shape="rect" class="external-link" href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00" rel="nofollow">audience</a> parameter is supported during the client token requests.</p>
+
+
<h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService </h3>
<p>The <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below.</p>