You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2015/12/22 16:47:49 UTC
svn commit: r976162 - in /websites/production/cxf/content:
cache/docs.pageCache docs/jax-rs-oauth2.html
docs/jaxrs-services-configuration.html
Author: buildbot
Date: Tue Dec 22 15:47:49 2015
New Revision: 976162
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
websites/production/cxf/content/docs/jaxrs-services-configuration.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue Dec 22 15:47:49 2015
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1448541991917 {padding: 0px;}
-div.rbtoc1448541991917 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1448541991917 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1450799223255 {padding: 0px;}
+div.rbtoc1450799223255 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1450799223255 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1448541991917">
+/*]]>*/</style></p><div class="toc-macro rbtoc1450799223255">
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client Registration</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-HowtocreateAuthorizationView">How to create Authorization View</a></li><li><a shape="rect" href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in Authorization Form</a></li><li><a shape="rect" href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
@@ -143,7 +143,7 @@ div.rbtoc1448541991917 li {margin-left:
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-Keepingthestateinthesession">Keeping the state in the session</a></li><li><a shape="rect" href="#JAX-RSOAuth2-MultipleFactorVerification">Multiple Factor Verification</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSOAuth2-CustomizingEndUserSubjectinitialization">Customizing End User Subject initialization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2tokensandSOAPendpoints">OAuth2 tokens and SOAP endpoints</a></li></ul>
-</li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Client-sidesupport">Client-side support</a>
+</li><li><a shape="rect" href="#JAX-RSOAuth2-Scope-basedaccesscontrol">Scope-based access control</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Client-sidesupport">Client-side support</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-AdvancedOAuth2clientapplications">Advanced OAuth2 client applications</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2clientapplicationswithcode-grantfilters">OAuth2 client applications with code-grant filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2clientauthenticatorsfornon-dynamicclients">OAuth2 client authenticators for non-dynamic clients</a></li></ul>
</li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2andJOSE">OAuth2 and JOSE</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2andOIDC">OAuth2 and OIDC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a>
@@ -475,7 +475,15 @@ Headers:
</jaxrs:providers>
</jaxrs:server>
</pre>
-</div></div><h2 id="JAX-RSOAuth2-OAuth2tokensandSOAPendpoints">OAuth2 tokens and SOAP endpoints</h2><p>If you use HTTP Authorization header or WS-Security Binary token to pass OAuth2 tokens to SOAP endpoints then <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java;h=173fed36fc78db69c0d4afaee5d5f482dd4e05fd;hb=HEAD">OAuthRequestInterceptor</a> can be used to validate such tokens. It is OAuthRequestFilter running as CXF interceptor which will work OOB for tokens passed with Authorization header and it can be easily extended to support WS-Security binary tokens</p><h1 id="JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</h1><p>When one writes a custom server application which needs to participate in OAuth2 flows, the major question which needs to be addressed is how one can access a user login nam
e that was used during the end-user authorizing the third-party client. This username will help to uniquely identify the resources that the 3rd party client is now attempting to access. The following code shows one way of how this can be done:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><h2 id="JAX-RSOAuth2-OAuth2tokensandSOAPendpoints">OAuth2 tokens and SOAP endpoints</h2><p>If you use HTTP Authorization header or WS-Security Binary token to pass OAuth2 tokens to SOAP endpoints then <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestInterceptor.java;h=173fed36fc78db69c0d4afaee5d5f482dd4e05fd;hb=HEAD">OAuthRequestInterceptor</a> can be used to validate such tokens. It is OAuthRequestFilter running as CXF interceptor which will work OOB for tokens passed with Authorization header and it can be easily extended to support WS-Security binary tokens</p><h1 id="JAX-RSOAuth2-Scope-basedaccesscontrol">Scope-based access control</h1><p>OAuthRequestFilter can be configured to do a lot of security checks as described above. </p><p>Additionally, starting from CXF 3.1.5 it is also possible to control which se
rvice methods can be invoked</p><p>with a new <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/Scopes.java" rel="nofollow">Scopes</a> annotation and <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthScopesFilter.java" rel="nofollow">OAuthScopesFilter</a> (it needs to be registered alongside OAuthRequestFilter).</p><p>For example:</p><pre>@Path("calendar")
+public class CalendarResource {
+
+
+ @PUT
+ @Path("{id}")<br clear="none"> @Scopes("update-calendar")<br clear="none"> @ConfidentialClient<br clear="none"> public void updateCalendar(@PathParam("id") long id, Calendar c) {
+ // update the calendar for a user identified by 'id'
+ }
+}<br clear="none"> </pre><p>In this example a client will only be able to invoke the updateCalendar method if its access token contains an "update-calendar" scope and</p><p>it is a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/ConfidentialClient.java" rel="nofollow">ConfidentialClient</a>. As mentioned earlier, OAuthRequestFilter may be configured with the 'requestScopes' property but using the Scopes annotation can offer a more typed and fine-grained</p><p>access control.</p><h1 id="JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</h1><p>When one writes a custom server application which needs to participate in OAuth2 flows, the major question which needs to be addressed is how one can access a user login name that was used during the end-user authorizing the third-party client. This username will help to uniquely identify the r
esources that the 3rd party client is now attempting to access. The following code shows one way of how this can be done:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">
import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
Modified: websites/production/cxf/content/docs/jaxrs-services-configuration.html
==============================================================================
--- websites/production/cxf/content/docs/jaxrs-services-configuration.html (original)
+++ websites/production/cxf/content/docs/jaxrs-services-configuration.html Tue Dec 22 15:47:49 2015
@@ -118,11 +118,11 @@ Apache CXF -- JAXRS Services Configurati
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><p> </p><p> </p><p> </p><p> <span class="inline-first-p" style="font-size:2em;font-weight:bold">JAX-RS : Services Configuration</span> </p><p> </p><p> </p><p> </p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1444236412198 {padding: 0px;}
-div.rbtoc1444236412198 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1444236412198 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1450799221685 {padding: 0px;}
+div.rbtoc1450799221685 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1450799221685 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1444236412198">
+/*]]>*/</style></p><div class="toc-macro rbtoc1450799221685">
<ul class="toc-indentation"><li><a shape="rect" href="#JAXRSServicesConfiguration-ConfiguringJAX-RSservicesprogrammatically">Configuring JAX-RS services programmatically</a></li><li><a shape="rect" href="#JAXRSServicesConfiguration-OSGI">OSGI</a>
<ul class="toc-indentation"><li><a shape="rect" href="#JAXRSServicesConfiguration-Blueprint">Blueprint</a></li><li><a shape="rect" href="#JAXRSServicesConfiguration-Spring">Spring</a></li></ul>
</li><li><a shape="rect" href="#JAXRSServicesConfiguration-SpringBoot">Spring Boot</a></li><li><a shape="rect" href="#JAXRSServicesConfiguration-ConfiguringJAX-RSendpointsprogrammaticallywithoutSpring">Configuring JAX-RS endpoints programmatically without Spring</a></li><li><a shape="rect" href="#JAXRSServicesConfiguration-BlueprintWeb">Blueprint Web</a>
@@ -203,57 +203,148 @@ sf.create();
</beans>
</pre>
-</div></div><h1 id="JAXRSServicesConfiguration-SpringBoot">Spring Boot</h1><p>Example:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">import org.apache.cxf.Bus;
+</div></div><h1 id="JAXRSServicesConfiguration-SpringBoot">Spring Boot</h1><p>Example1:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">package sample.rs.service;
+import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;
+import org.apache.cxf.jaxrs.spring.JaxRsConfig;
import org.apache.cxf.transport.servlet.CXFServlet;
-import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.context.embedded.ServletRegistrationBean;
-import org.springframework.boot.context.web.SpringBootServletInitializer;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.ImportResource;
+import org.springframework.context.annotation.Import;
-@Configuration
-@EnableAutoConfiguration
-@ImportResource({ "classpath:META-INF/cxf/cxf.xml" })
-public class Application extends SpringBootServletInitializer {
+@SpringBootApplication
+@Import(JaxRsConfig.class)
+public class SampleRestApplication {
+ public static void main(String[] args) {
+ SpringApplication.run(SampleRestApplication.class, args);
+ }
+
+ @Bean
+ public ServletRegistrationBean servletRegistrationBean(ApplicationContext context) {
+ return new ServletRegistrationBean(new CXFServlet(), "/services/*");
+ }
+
+
+ @Bean
+ public Server rsServer() {
+ JAXRSServerFactoryBean endpoint = new JAXRSServerFactoryBean();
+ endpoint.setServiceBean(new HelloService());
+ endpoint.setAddress("/helloservice");
+ return endpoint.create();
+ }
+
+}</pre>
+</div></div><p> </p><p>Example2:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">package sample.rs.service;
+import org.apache.cxf.jaxrs.spring.SpringComponentScanServer;
+import org.apache.cxf.transport.servlet.CXFServlet;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.embedded.ServletRegistrationBean;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
- @Autowired
- private ApplicationContext applicationContext;
+@SpringBootApplication
+@Import(SpringComponentScanServer.class)
+public class SampleScanRestApplication {
public static void main(String[] args) {
- SpringApplication.run(Application.class, args);
+ SpringApplication.run(SampleScanRestApplication.class, args);
}
- // Replaces the need for web.xml
+
@Bean
public ServletRegistrationBean servletRegistrationBean(ApplicationContext context) {
- return new ServletRegistrationBean(new CXFServlet(), "/api/*");
+ return new ServletRegistrationBean(new CXFServlet(), "/services/helloservice/*");
}
+
+
@Bean
- public Server helloRestService() {
- Bus bus = (Bus) applicationContext.getBean(Bus.DEFAULT_BUS_ID);
- JAXRSServerFactoryBean endpoint = new EndpointImpl(bus, implementor);
- endpoint.setAddress("/hello");
- endpoint.setServiceBean(new HelloWorldRestImpl());
- return endpoint.create();
+ public HelloService helloService() {
+ return new HelloService();
}
- // Used when deploying to a standalone servlet container, i.e. tomcat
- @Override
- protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
- return application.sources(Application.class);
+}</pre>
+</div></div><p> </p><p>Example3:</p><p> </p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package sample.rs.service;
+import java.util.Collections;
+import java.util.Set;
+
+import javax.servlet.ServletConfig;
+import javax.ws.rs.ApplicationPath;
+import javax.ws.rs.core.Application;
+
+import org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet;
+import org.apache.cxf.jaxrs.spring.JaxRsConfig;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.context.embedded.ServletRegistrationBean;
+import org.springframework.context.ApplicationContext;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+
+@SpringBootApplication
+@Import(JaxRsConfig.class)
+public class SampleScanRestApplication2 {
+ public static void main(String[] args) {
+ SpringApplication.run(SampleScanRestApplication2.class, args);
+ }
+
+ @Bean
+ public ServletRegistrationBean servletRegistrationBean(ApplicationContext context) {
+ Application app = (Application)context.getBean("helloApp");
+ @SuppressWarnings("serial")
+ CXFNonSpringJaxrsServlet servlet = new CXFNonSpringJaxrsServlet(app) {
+ @Override
+ protected boolean isIgnoreApplicationPath(ServletConfig servletConfig) {
+ return false;
+ }
+
+ };
+ return new ServletRegistrationBean(servlet, "/*");
+ }
+
+
+ @Bean
+ public Application helloApp() {
+ return new JaxrsApplication();
}
-}</pre>
-</div></div><p>Please also check the classes in this <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/spring;h=2c0dc8fef3aa4fdbd06cbedcd93e0f329739711b;hb=HEAD">package</a>.</p><p> </p><h1 id="JAXRSServicesConfiguration-ConfiguringJAX-RSendpointsprogrammaticallywithoutSpring">Configuring JAX-RS endpoints programmatically without Spring</h1><p>Note that even though no Spring is explicitly used in the previous section, it is still used by default to have various CXF components registered with the bus such as transport factories. If no Spring libraries are available on the classpath then please follow the following example :</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+ @ApplicationPath("/services/helloservice")
+ public static class JaxrsApplication extends Application {
+ public Set<Object> getSingletons() {
+ return Collections.<Object>singleton(new HelloService());
+ }
+ }
+
+}
+
+</pre>
+</div></div><p> </p><p> </p><p> </p><p>Please also check the classes in this <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/spring;h=2c0dc8fef3aa4fdbd06cbedcd93e0f329739711b;hb=HEAD">package</a> and this <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jax_rs/jaxrs_spring_boot" rel="nofollow">demo</a>.</p><p>(Here is a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/distribution/src/main/release/samples/jaxws_spring_boot" rel="nofollow">demo</a> for JAX-WS users).</p><p> </p><h1 id="JAXRSServicesConfiguration-ConfiguringJAX-RSendpointsprogrammaticallywithoutSpring">Configuring JAX-RS endpoints programmatically without Spring</h1><p>Note that even though no Spring is explicitly used in the previous section, it is still used by default to have var
ious CXF components registered with the bus such as transport factories. If no Spring libraries are available on the classpath then please follow the following example :</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
sf.setResourceClasses(CustomerService.class);
sf.setResourceProvider(CustomerService.class, new SingletonResourceProvider(new CustomerService()));