Posted to commits@cxf.apache.org by bu...@apache.org on 2012/12/05 15:48:53 UTC

svn commit: r840827 - in /websites/production/cxf/content: cache/docs.pageCache cache/main.pageCache docs/jax-rs-oauth2.html faq.html

Author: buildbot
Date: Wed Dec  5 14:48:52 2012
New Revision: 840827

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/cache/main.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html
    websites/production/cxf/content/faq.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Wed Dec  5 14:48:52 2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" href="#JAX-RSOAuth2-MAC">MAC</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a shape="rect" href="#JAX-RSOAuth2-
 Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Cli
 ent-side support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a shape="
 rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect" href="#JAX-RSOAuth2-MAC">MAC</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomandEncryptedtokens">Custom and Encrypted tokens</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a shape="rect" href
 ="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh Token</a></li><li><a shape="rect" href="#JAX-RSOAuth2-CustomGrants">Custom Grants</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-PreAuthorizedaccesstokens">PreAuthorized access tokens</a></li><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting
  resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdiffer
 entaccesspointstoendusersandclients">Providing different access points to end users and clients</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
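Review bot: the regenerated table of contents nests `<ul>` directly inside `<ul>` (`</li><ul><li>...`), which is invalid HTML; a nested list belongs inside the preceding `<li>`. The Confluence export produces this for every TOC on the site, so it is a generator issue rather than something to fix by hand in this commit, but it is worth tracking because the rendered indentation depends on browser error recovery.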
@@ -369,7 +369,7 @@ Headers: 
 
 <h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenTypes"></a>Access Token Types</h3>
 
-<p>As mentioned above, AccessTokenService can work with whatever token is created by a given data provider. This section provides more information on how CXF may help with supporting Bearer and MAC tokens.</p>
+<p>As mentioned above, AccessTokenService can work with whatever token is created by a given data provider. This section provides more information on how CXF may help with supporting Bearer and MAC tokens. </p>
 
 <h4><a shape="rect" name="JAX-RSOAuth2-Bearer"></a>Bearer</h4>
 
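Review bot: the only change in this hunk is a trailing space inserted before `</p>` in the Access Token Types paragraph; it is a no-op that adds diff noise and could be dropped from the export.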
@@ -498,6 +498,14 @@ Authorization: MAC id=<span class="code-
 
 <p>where 'ts' attribute is used to pass a timestamp value.</p>
 
+<h4><a shape="rect" name="JAX-RSOAuth2-CustomandEncryptedtokens"></a>Custom and Encrypted tokens</h4>
+
+<p>If needed, users can use their own custom token types, with the only restriction that the custom token type implementations have to extend org.apache.cxf.rs.security.oauth2.common.ServerAccessToken. </p>
+
+<p>CXF implementations of Bearer and Access token types can also be extended if required. For example, typically the access token data will be persisted in the database. One possible option is to experiment with actually encrypting the state of the token within the token id itself and returning it to the client and then decrypting it when OAuthDataProvider is requested to get ServerAccessToken representation of the current token identifier.</p>
+
+<p>The cost of encrypting and decrypting will add up to the processing time - however the provider will not be actually responsible for storing the access token details which can start making a difference with a high number of clients.</p>
+
 <h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService </h3>
 <p>The  <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a> is a CXF specific OAuth2 service for accepting the remote access token validation requests. Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party client and will ask AccessTokenValidationService to return the information relevant to the current access token, before setting up a security context. More on it below.</p>
 
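Review bot: the new Custom and Encrypted tokens section needs two caveats before it recommends carrying the token state inside the token id. First, "CXF implementations of Bearer and Access token types" reads as a typo for "Bearer and MAC token types", given the two subsections that precede it. Second, the paragraph saying the provider "will not be actually responsible for storing the access token details" should state that the encryption must be integrity-protected (authenticated encryption, or encrypt-then-MAC), so that a tampered token id fails to decrypt instead of yielding a modified ServerAccessToken, and that a provider keeping no per-token state cannot revoke such a token before it expires, so short lifetimes or a minimal server-side revocation record are still required. Suggest adding a sentence such as "Note that the encrypted state must also be integrity-protected, and revoking a token before its expiry still requires some server-side record."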
@@ -552,6 +560,15 @@ The simplest approach is to register a C
 
 <p>Alternatively create a custom <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java">AccessTokenGrantHandler</a> and register it with AccessTokenService. Additionally, consider providing a related <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenGrant.java">AccessTokenGrant</a> implementation for making it easy for the client code to request a new access token with this custom grant.  </p>
 
+<h2><a shape="rect" name="JAX-RSOAuth2-PreAuthorizedaccesstokens"></a>PreAuthorized access tokens </h2>
+
+<p>When working with the flows which require the end users/resource owners explicitly authorizing clients (for example, as in the case of redirection-based flows), using pre-authorized access tokens is one option to minimize the need for the end-user intervention. <br clear="none">
+OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists and if yes then it will be returned immediately, without starting the authorization process involving the end user (as required by some flows).</p>
+
+<p>Consider providing a user interface which will let the end users/resource owners to pre-authorize specific clients early. Note, a CXF service for supporting the users pre-authorizing the clients or revoking the tokens for some of the clients may be introduced in the future.  </p>
+
+<p>Also note that using a refresh token grant may further help with minimizing the end user involvement, in cases when the current access token has expired.</p>
+
 
 <h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing OAuthDataProvider</h2>
 
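Review bot: "OAuthDataProvider is always checked first if the pre-authorized access token for a given Client exists" names only the Client as the lookup key; the text should say that the lookup is also bound to the current end user/resource owner (and the requested scopes), since a pre-authorization granted by one user must not be returned for another user's authorization request to the same client. It would also help implementers to name the OAuthDataProvider method that performs this check. Minor grammar: "let the end users/resource owners to pre-authorize" should read "let the end users/resource owners pre-authorize", and the double space before `</p>` in that paragraph can go.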

Modified: websites/production/cxf/content/faq.html
==============================================================================
--- websites/production/cxf/content/faq.html (original)
+++ websites/production/cxf/content/faq.html Wed Dec  5 14:48:52 2012
@@ -153,7 +153,7 @@ Apache CXF -- FAQ
 
 <h3><a shape="rect" name="FAQ-CanCXFrunwithJDK1.5%3F"></a>Can CXF run with JDK 1.5?</h3>
 
-<p>Yes.  Keep in mind though that Java 2 SE 5.0 with JDK 1.5 has reached end of life (<a shape="rect" class="external-link" href="http://www.oracle.com/technetwork/java/eol-135779.html" rel="nofollow">EOL</a>).</p>
+<p>Yes for CXF 2.6.x and older.  Keep in mind though that Java 2 SE 5.0 with JDK 1.5 has reached end of life (<a shape="rect" class="external-link" href="http://www.oracle.com/technetwork/java/eol-135779.html" rel="nofollow">EOL</a>). CXF 2.7.x no longer supports Java 5. In order to upgrade to 2.7.0, you must be using Java 6 (or newer).</p>
 
 
 <h3><a shape="rect" name="FAQ-CanCXFrunwithouttheSunreferenceSAAJimplementation%3F"></a>Can CXF run without the Sun reference SAAJ implementation?</h3>
@@ -295,7 +295,6 @@ headers.add(dummyHeader);
       address=<span class="code-quote">"/MyService"</span> /&gt; 
 </pre>
 </div></div>
-
 </div>
            </div>
            <!-- Content -->