Posted to users@cxf.apache.org by Marcello Ribeiro <ma...@contmatic.com.br> on 2014/02/17 13:43:51 UTC

Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Good morning.

I've created OAuth2 services as described in
https://cxf.apache.org/docs/jax-rs-oauth2.html, to be my complete
OAuth2 infrastructure, giving tokens, authorization and so on.
OK, but my point is how to make my JAX-WS services (my business WS
endpoints) be intercepted, protected and authorized by this brand
new OAuth2 infrastructure? What is the glue?
I already put an interceptor on one of the endpoints, as you can see
below, but it had no effect.

Do I explain myself?
Thank you.

Best Regards,
Marcello Ribeiro


On 16/02/2014 18:12, Sergey Beryozkin wrote:
> Hi
> On 16/01/14 19:58, Marcello Ribeiro wrote:
>> Hi Sergey, thank you for helping and for the nice blog...
>>
>> I am sorry to say it is still  nebulous in my mind...
>> What i did was to add a new interceptor targeting my OauthFilter like 
>> this:
>>
>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the same
>> web application which my webservices share. Should i create a diferent
>> web application for the Oauth2 Infraestructure??
>>
>>          <jaxws:inInterceptors>
>>              <ref bean="oauthFilter" />
>>          </jaxws:inInterceptors>
>>
>> But it seems to produce no effects... Client´s requests are not been
>> intercepted or no 403 response are sent back...
>
> How do obtain an OAuth2 token, where is it coming from ?
>
> Cheers, Sergey
>
>> Would you have any git endpoint containing that POC
>>
>> Thank you
>>
>> Att,
>> Marcello Ribeiro
>>
>>
>>
>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>> Hi, please see comments below
>>>
>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>> Hi,
>>>> I have a couple of Webservice done and working properly using CXF 2.7.8
>>>> in the already known fashion:
>>>>
>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>          id="blablablawsservice" implementor="br.com.hello.BlaBlaBla"
>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>          endpointName="tns:BlaBlaBlaPort"
>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>          address="/BlaBlaBlaPort">
>>>>          <jaxws:features>
>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>          </jaxws:features>
>>>>      </jaxws:endpoint>
>>>>
>>>> Now, what i need is to protect these services/urls using JAX-RS: OAuth2
>>>> and i have followed the instruction in CXF documentation:
>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>> Based on this documentation, i have now:
>>>>
>>>> 1 - An Authorization Service;
>>>>
>>>>      <bean id="authorizationService"
>>>>          class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>          <property name="dataProvider" ref="oauthProvider"/>
>>>>      </bean>
>>>>
>>>> 2 - An Access Token Service;
>>>>
>>>>      <bean id="oauthProvider"
>>>>          class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>>
>>>>      <bean id="accessTokenService"
>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>      </bean>
>>>>
>>>>      <bean id="accessTokenValidateService"
>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>      </bean>
>>>>
>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>          <jaxrs:serviceBeans>
>>>>              <ref bean="accessTokenService" />
>>>>              <ref bean="accessTokenValidateService" />
>>>>          </jaxrs:serviceBeans>
>>>>      </jaxrs:server>
>>>>
>>>> 3 - A Request Filter
>>>>
>>>>      <bean id="oauthFilter"
>>>>          class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>      </bean>
>>>
>>> I'm assuming you have a WS client that would like to use an OAuth2
>>> token to access the JAXWS endpoint, right ?
>>>
>>> Typically you'd have OAuth2 RS (your applications) and AS
>>> (Authorization/Access token) not collocated, though for simple cases
>>> it is good enough for a start;
>>>
>>> So, unless you already use CXF OAuth2 services to actually issue the
>>> OAuth2 tokens, just remove all of the above and then simply follow the
>>> few steps I happened to blog about few days ago - will update the docs
>>> shortly:
>>>
>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html 
>>>
>>>
>>>
>>> Basically, all you need to do is to add a simple custom WS
>>> interceptor, you are right. If you have a remote OAuth2 AS then for a
>>> start you can use a basic access token validator client (HTTP-based)
>>> registered with your interceptor
>>>
>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>
>>> Let me know if you have more questions
>>>
>>> Sergey
>>>
>>>
>>>
>>>>
>>>>
>>>> So my point is:
>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>> Request Filter? What is the glue between them?
>>>> For example: i have a url
>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do i
>>>> make it under this Oauth Protection Structure??
>>>> Is that by interceptors, maybe?
>>>>
>>>> Thank you.
>>>>
>>>> Att,
>>>> Marcello Ribeiro
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>
>


Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Marcello Ribeiro <ma...@contmatic.com.br>.
Yes, we really covered that...
Thank you for covering it.

Best Regards,
Marcello Ribeiro

On 21/02/2014 12:32, Sergey Beryozkin wrote:
> On 17/01/14 14:23, Marcello Ribeiro wrote:
>> OK, about your second comment, what is a good way to authenticate users
>> in this case?
>> I understand the flow should be:
>>
>> 1 - User ask to client for a Server resource URL.
>> 2 - Client tries reaching Service URL.
>> 3 - The interceptor sees the client is not authorized yet, so it some
>> way returns a redirect to Authorization Server.
>> 4 - Client redirects to authorization server passing clientID +
>> clientSecret in order to get a "Request Token".
>> 5 - Authorizaton Server is required to have an authenticated user,
>> right? Otherwise it cannot authorize ClientId "123456" to talk in the
>> name of user "whoever". (Make sense?)
>> 6 - Once an authenticated user is required, so Client will receive back
>> some authentication challenge.
>> 7 - So now Client answers with a pair username/password.
>> 8 - Authentication Server matches it.
>> 9 - Once authenticated, user will be able to say "Yes, i authorize this
>> app(client) to work in my name"; (User is gonna be ask to kind of yes/no
>> question)
>> 10 - Once it is done Client will receive back a "Request Token".
>> 11 - With "Request Token" in hands, User will exchange it by an "Access
>> Token";
>> 12 With "Access Token" in hands, user will be able to request for the
>> resource itself.
>>
>> Does it sound non-sense to you to authenticate the user?
>>
> No, not really. You are actually talking about OAuth1 there.
> But in the end of the day, and lets talk about OAuth2 here, it's not 
> important where the token came in from, what is important is that the 
> JAX-WS client gets it somehow ( ex, as I suggested in the prev email).
> And no, CXF has no support neither for JAX-RS not JAX-WS endpoints 
> redirecting to OAuth2 servers, the process of obtaining the token is 
> *orthogonal* to the process of using the token and invoking on the 
> endpoint, if the client has no token all it gets is 401
>
> I think we've really covered this case now in depth :-)
>
> Sergey
>
>> Att,
>> Marcello Ribeiro
>>
>> On 21/02/2014 10:15, Sergey Beryozkin wrote:
>>> Hi
>>> On 20/01/14 11:46, Marcello Ribeiro wrote:
>>>> Hi Sergey,
>>>> So that is the new status:
>>>>
>>>> 1 - I´ve updated my pom to pull CXF 2.7.11-Snapshot and so
>>>> OAuthRequestInterceptor is now available.
>>>> 2 - A added this interceptor to one of my endpoint.
>>>> 3 - I called this enpoint as usually and now i get a Not Authorized
>>>> Exception which makes my client to receive a http 500 directly, 
>>>> which in
>>>> my first point of view is not acceptable, because i think my client
>>>> should get at least a http 401, once he is trying  to accessed the
>>>> endpoint directly with no token, and not having passed for all Oauth2
>>>> flow.
>>>>
>>>> Now i am dealing with:
>>>> 1 - Trying understand how to sent 401 back to my client instead of 
>>>> 500;
>>>
>>> This is a SOAP path so 500 is returned, you can register a custom out
>>> fault interceptor and make sure it is 401.
>>>
>>>> 2 - Going deep inside the docs i understood that i do need also (of
>>>> course) to have my user authenticated and new fashion for this is 
>>>> using
>>>> WSS4JInInterceptor (using UsernameToken) which implements those new
>>>> Specs. I got problems here and i already raised my hand in another 
>>>> post
>>>> to this list. I´ve been using JAAS for a long time and i have to 
>>>> confess
>>>> the earth has not stopped rotating all those past years. :)
>>>>
>>>> Any comments on this "saga"?
>>>
>>> I don't think using WS-Security UserName token is appropriate when the
>>> client has OAuth2 tokens.
>>>
>>> Cheers, Sergey
>>>
>>>
>>>>
>>>> Att,
>>>> Marcello Ribeiro
>>>>
>>>>
>>>>
>>>> On 19/02/2014 14:05, Sergey Beryozkin wrote:
>>>>> So, did you get any luck at all or I have confused you ?
>>>>> Basically, the OAuth2 server is there to get the tokens issued, which
>>>>> is completely orthogonal to the process of clients invoking on the
>>>>> JAX-RS or in this case, JAX-WS endpoints.
>>>>>
>>>>> The client need to get the token first, can be done out of band,
>>>>> depends on the flow, next you use it to invoke on the endpoint and at
>>>>> this point of time the filter (or in you case interceptor) will
>>>>> enforce the token is valid by contacting the OAuth2 server if needed
>>>>> or validate it locally by using the data provider directly
>>>>>
>>>>> HTH
>>>>> Sergey
>>>>>
>>>>> On 17/02/14 15:43, Sergey Beryozkin wrote:
>>>>>> Hi
>>>>>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>>>>>> Good morning.
>>>>>>>
>>>>>>> I´ve created Oauth2 Services as described in
>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>>>>>>> Oauth2 infrastructure, given tokens, authorization and the stuffs .
>>>>>>> OK, but my point is how to make my JAX-WS Services (My Business WS
>>>>>>> endpoints) being intecepted, and protected and authorized for this
>>>>>>> brand
>>>>>>> new Oauth2 infrastructure? What is the glue.
>>>>>> You have to register OAuthRequestInterceptor. not 
>>>>>> OAuthRequestFilter,
>>>>>> and it has to be 2.7.11-SNAPSHOT
>>>>>>
>>>>>>> I already put an interceptor for one of the endpoints as you can 
>>>>>>> see
>>>>>>> bellow, but i got none effects.
>>>>>>>
>>>>>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint 
>>>>>> and
>>>>>> this interceptor does let the request which has no OAuth token
>>>>>> attached
>>>>>> to it through ?
>>>>>>
>>>>>> Thanks, Sergey
>>>>>>
>>>>>>> Do i explain myself?
>>>>>>> Thank you.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Marcello Ribeiro
>>>>>>>
>>>>>>>
>>>>>>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>>>>>>> Hi
>>>>>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>>>>>
>>>>>>>>> I am sorry to say it is still  nebulous in my mind...
>>>>>>>>> What i did was to add a new interceptor targeting my OauthFilter
>>>>>>>>> like
>>>>>>>>> this:
>>>>>>>>>
>>>>>>>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the
>>>>>>>>> same
>>>>>>>>> web application which my webservices share. Should i create a
>>>>>>>>> diferent
>>>>>>>>> web application for the Oauth2 Infraestructure??
>>>>>>>>>
>>>>>>>>>          <jaxws:inInterceptors>
>>>>>>>>>              <ref bean="oauthFilter" />
>>>>>>>>>          </jaxws:inInterceptors>
>>>>>>>>>
>>>>>>>>> But it seems to produce no effects... Client´s requests are not
>>>>>>>>> been
>>>>>>>>> intercepted or no 403 response are sent back...
>>>>>>>>
>>>>>>>> How do obtain an OAuth2 token, where is it coming from ?
>>>>>>>>
>>>>>>>> Cheers, Sergey
>>>>>>>>
>>>>>>>>> Would you have any git endpoint containing that POC
>>>>>>>>>
>>>>>>>>> Thank you
>>>>>>>>>
>>>>>>>>> Att,
>>>>>>>>> Marcello Ribeiro
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>>>>>>> Hi, please see comments below
>>>>>>>>>>
>>>>>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>> I have a couple of Webservice done and working properly using CXF
>>>>>>>>>>> 2.7.8 in the already known fashion:
>>>>>>>>>>>
>>>>>>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>>>>>          id="blablablawsservice"
>>>>>>>>>>>          implementor="br.com.hello.BlaBlaBla"
>>>>>>>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>>>>>>          endpointName="tns:BlaBlaBlaPort"
>>>>>>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>>>>>>>          address="/BlaBlaBlaPort">
>>>>>>>>>>>          <jaxws:features>
>>>>>>>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>>>>>>          </jaxws:features>
>>>>>>>>>>>      </jaxws:endpoint>
>>>>>>>>>>>
>>>>>>>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>>>>>>>> OAuth2 and i have followed the instruction in CXF documentation:
>>>>>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>>>>>> Based on this documentation, i have now:
>>>>>>>>>>>
>>>>>>>>>>> 1 - An Authorization Service;
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="authorizationService"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>> 2 - An Access Token Service;
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="oauthProvider"
>>>>>>>>>>>          class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="accessTokenService"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="accessTokenValidateService"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>>>>>          <jaxrs:serviceBeans>
>>>>>>>>>>>              <ref bean="accessTokenService" />
>>>>>>>>>>>              <ref bean="accessTokenValidateService" />
>>>>>>>>>>>          </jaxrs:serviceBeans>
>>>>>>>>>>>      </jaxrs:server>
>>>>>>>>>>>
>>>>>>>>>>> 3 - A Request Filter
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="oauthFilter"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>>      </bean>
>>>>>>>>>>
>>>>>>>>>> I'm assuming you have a WS client that would like to use an 
>>>>>>>>>> OAuth2
>>>>>>>>>> token to access the JAXWS endpoint, right ?
>>>>>>>>>>
>>>>>>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>>>>>>> (Authorization/Access token) not collocated, though for simple
>>>>>>>>>> cases
>>>>>>>>>> it is good enough for a start;
>>>>>>>>>>
>>>>>>>>>> So, unless you already use CXF OAuth2 services to actually
>>>>>>>>>> issue the
>>>>>>>>>> OAuth2 tokens, just remove all of the above and then simply
>>>>>>>>>> follow the
>>>>>>>>>> few steps I happened to blog about few days ago - will update 
>>>>>>>>>> the
>>>>>>>>>> docs
>>>>>>>>>> shortly:
>>>>>>>>>>
>>>>>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html 
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Basically, all you need to do is to add a simple custom WS
>>>>>>>>>> interceptor, you are right. If you have a remote OAuth2 AS then
>>>>>>>>>> for a
>>>>>>>>>> start you can use a basic access token validator client
>>>>>>>>>> (HTTP-based)
>>>>>>>>>> registered with your interceptor
>>>>>>>>>>
>>>>>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>>>>>
>>>>>>>>>> Let me know if you have more questions
>>>>>>>>>>
>>>>>>>>>> Sergey
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> So my point is:
>>>>>>>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>>>>>>> Request Filter? What is the glue between them?
>>>>>>>>>>> For example: i have a url
>>>>>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do i
>>>>>>>>>>> make it under this Oauth Protection Structure??
>>>>>>>>>>> Is that by interceptors, maybe?
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>> Att,
>>>>>>>>>>> Marcello Ribeiro
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>


Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 17/01/14 14:23, Marcello Ribeiro wrote:
> OK, about your second comment, what is a good way to authenticate users
> in this case?
> I understand the flow should be:
>
> 1 - User ask to client for a Server resource URL.
> 2 - Client tries reaching Service URL.
> 3 - The interceptor sees the client is not authorized yet, so it some
> way returns a redirect to Authorization Server.
> 4 - Client redirects to authorization server passing clientID +
> clientSecret in order to get a "Request Token".
> 5 - Authorizaton Server is required to have an authenticated user,
> right? Otherwise it cannot authorize ClientId "123456" to talk in the
> name of user "whoever". (Make sense?)
> 6 - Once an authenticated user is required, so Client will receive back
> some authentication challenge.
> 7 - So now Client answers with a pair username/password.
> 8 - Authentication Server matches it.
> 9 - Once authenticated, user will be able to say "Yes, i authorize this
> app(client) to work in my name"; (User is gonna be ask to kind of yes/no
> question)
> 10 - Once it is done Client will receive back a "Request Token".
> 11 - With "Request Token" in hands, User will exchange it by an "Access
> Token";
> 12 With "Access Token" in hands, user will be able to request for the
> resource itself.
>
> Does it sound non-sense to you to authenticate the user?
>
No, not really. You are actually talking about OAuth1 there.
But at the end of the day, and let's talk about OAuth2 here, it's not
important where the token came from; what is important is that the
JAX-WS client gets it somehow (e.g., as I suggested in the previous email).
And no, CXF has no support for either JAX-RS or JAX-WS endpoints
redirecting to OAuth2 servers; the process of obtaining the token is
*orthogonal* to the process of using the token and invoking on the
endpoint. If the client has no token, all it gets is 401.

I think we've really covered this case now in depth :-)

Sergey

> Att,
> Marcello Ribeiro
>
> On 21/02/2014 10:15, Sergey Beryozkin wrote:
>> Hi
>> On 20/01/14 11:46, Marcello Ribeiro wrote:
>>> Hi Sergey,
>>> So that is the new status:
>>>
>>> 1 - I´ve updated my pom to pull CXF 2.7.11-Snapshot and so
>>> OAuthRequestInterceptor is now available.
>>> 2 - A added this interceptor to one of my endpoint.
>>> 3 - I called this enpoint as usually and now i get a Not Authorized
>>> Exception which makes my client to receive a http 500 directly, which in
>>> my first point of view is not acceptable, because i think my client
>>> should get at least a http 401, once he is trying  to accessed the
>>> endpoint directly with no token, and not having passed for all Oauth2
>>> flow.
>>>
>>> Now i am dealing with:
>>> 1 - Trying understand how to sent 401 back to my client instead of 500;
>>
>> This is a SOAP path so 500 is returned, you can register a custom out
>> fault interceptor and make sure it is 401.
>>
>>> 2 - Going deep inside the docs i understood that i do need also (of
>>> course) to have my user authenticated and new fashion for this is using
>>> WSS4JInInterceptor (using UsernameToken) which implements those new
>>> Specs. I got problems here and i already raised my hand in another post
>>> to this list. I´ve been using JAAS for a long time and i have to confess
>>> the earth has not stopped rotating all those past years. :)
>>>
>>> Any comments on this "saga"?
>>
>> I don't think using WS-Security UserName token is appropriate when the
>> client has OAuth2 tokens.
>>
>> Cheers, Sergey
>>
>>
>>>
>>> Att,
>>> Marcello Ribeiro
>>>
>>>
>>>
>>> On 19/02/2014 14:05, Sergey Beryozkin wrote:
>>>> So, did you get any luck at all or I have confused you ?
>>>> Basically, the OAuth2 server is there to get the tokens issued, which
>>>> is completely orthogonal to the process of clients invoking on the
>>>> JAX-RS or in this case, JAX-WS endpoints.
>>>>
>>>> The client need to get the token first, can be done out of band,
>>>> depends on the flow, next you use it to invoke on the endpoint and at
>>>> this point of time the filter (or in you case interceptor) will
>>>> enforce the token is valid by contacting the OAuth2 server if needed
>>>> or validate it locally by using the data provider directly
>>>>
>>>> HTH
>>>> Sergey
>>>>
>>>> On 17/02/14 15:43, Sergey Beryozkin wrote:
>>>>> Hi
>>>>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>>>>> Good morning.
>>>>>>
>>>>>> I´ve created Oauth2 Services as described in
>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>>>>>> Oauth2 infrastructure, given tokens, authorization and the stuffs .
>>>>>> OK, but my point is how to make my JAX-WS Services (My Business WS
>>>>>> endpoints) being intecepted, and protected and authorized for this
>>>>>> brand
>>>>>> new Oauth2 infrastructure? What is the glue.
>>>>> You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
>>>>> and it has to be 2.7.11-SNAPSHOT
>>>>>
>>>>>> I already put an interceptor for one of the endpoints as you can see
>>>>>> bellow, but i got none effects.
>>>>>>
>>>>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
>>>>> this interceptor does let the request which has no OAuth token
>>>>> attached
>>>>> to it through ?
>>>>>
>>>>> Thanks, Sergey
>>>>>
>>>>>> Do i explain myself?
>>>>>> Thank you.
>>>>>>
>>>>>> Best Regards,
>>>>>> Marcello Ribeiro
>>>>>>
>>>>>>
>>>>>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>>>>>> Hi
>>>>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>>>>
>>>>>>>> I am sorry to say it is still  nebulous in my mind...
>>>>>>>> What i did was to add a new interceptor targeting my OauthFilter
>>>>>>>> like
>>>>>>>> this:
>>>>>>>>
>>>>>>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the
>>>>>>>> same
>>>>>>>> web application which my webservices share. Should i create a
>>>>>>>> diferent
>>>>>>>> web application for the Oauth2 Infraestructure??
>>>>>>>>
>>>>>>>>          <jaxws:inInterceptors>
>>>>>>>>              <ref bean="oauthFilter" />
>>>>>>>>          </jaxws:inInterceptors>
>>>>>>>>
>>>>>>>> But it seems to produce no effects... Client´s requests are not
>>>>>>>> been
>>>>>>>> intercepted or no 403 response are sent back...
>>>>>>>
>>>>>>> How do obtain an OAuth2 token, where is it coming from ?
>>>>>>>
>>>>>>> Cheers, Sergey
>>>>>>>
>>>>>>>> Would you have any git endpoint containing that POC
>>>>>>>>
>>>>>>>> Thank you
>>>>>>>>
>>>>>>>> Att,
>>>>>>>> Marcello Ribeiro
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>>>>>> Hi, please see comments below
>>>>>>>>>
>>>>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>>>>> Hi,
>>>>>>>>>> I have a couple of Webservice done and working properly using CXF
>>>>>>>>>> 2.7.8 in the already known fashion:
>>>>>>>>>>
>>>>>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>>>>          id="blablablawsservice"
>>>>>>>>>>          implementor="br.com.hello.BlaBlaBla"
>>>>>>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>>>>>          endpointName="tns:BlaBlaBlaPort"
>>>>>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>>>>>>          address="/BlaBlaBlaPort">
>>>>>>>>>>          <jaxws:features>
>>>>>>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>>>>>          </jaxws:features>
>>>>>>>>>>      </jaxws:endpoint>
>>>>>>>>>>
>>>>>>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>>>>>>> OAuth2 and i have followed the instruction in CXF documentation:
>>>>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>>>>> Based on this documentation, i have now:
>>>>>>>>>>
>>>>>>>>>> 1 - An Authorization Service;
>>>>>>>>>>
>>>>>>>>>>      <bean id="authorizationService"
>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>>>>      </bean>
>>>>>>>>>>
>>>>>>>>>> 2 - An Access Token Service;
>>>>>>>>>>
>>>>>>>>>>      <bean id="oauthProvider"
>>>>>>>>>>          class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>>>>>>>>
>>>>>>>>>>      <bean id="accessTokenService"
>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>      </bean>
>>>>>>>>>>
>>>>>>>>>>      <bean id="accessTokenValidateService"
>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>      </bean>
>>>>>>>>>>
>>>>>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>>>>          <jaxrs:serviceBeans>
>>>>>>>>>>              <ref bean="accessTokenService" />
>>>>>>>>>>              <ref bean="accessTokenValidateService" />
>>>>>>>>>>          </jaxrs:serviceBeans>
>>>>>>>>>>      </jaxrs:server>
>>>>>>>>>>
>>>>>>>>>> 3 - A Request Filter
>>>>>>>>>>
>>>>>>>>>>      <bean id="oauthFilter"
>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>      </bean>
>>>>>>>>>
>>>>>>>>> I'm assuming you have a WS client that would like to use an OAuth2
>>>>>>>>> token to access the JAXWS endpoint, right ?
>>>>>>>>>
>>>>>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>>>>>> (Authorization/Access token) not collocated, though for simple
>>>>>>>>> cases
>>>>>>>>> it is good enough for a start;
>>>>>>>>>
>>>>>>>>> So, unless you already use CXF OAuth2 services to actually
>>>>>>>>> issue the
>>>>>>>>> OAuth2 tokens, just remove all of the above and then simply
>>>>>>>>> follow the
>>>>>>>>> few steps I happened to blog about few days ago - will update the
>>>>>>>>> docs
>>>>>>>>> shortly:
>>>>>>>>>
>>>>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Basically, all you need to do is to add a simple custom WS
>>>>>>>>> interceptor, you are right. If you have a remote OAuth2 AS then
>>>>>>>>> for a
>>>>>>>>> start you can use a basic access token validator client
>>>>>>>>> (HTTP-based)
>>>>>>>>> registered with your interceptor
>>>>>>>>>
>>>>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>>>>
>>>>>>>>> Let me know if you have more questions
>>>>>>>>>
>>>>>>>>> Sergey
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> So my point is:
>>>>>>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>>>>>> Request Filter? What is the glue between them?
>>>>>>>>>> For example: i have a url
>>>>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do i
>>>>>>>>>> make it under this Oauth Protection Structure??
>>>>>>>>>> Is that by interceptors, maybe?
>>>>>>>>>>
>>>>>>>>>> Thank you.
>>>>>>>>>>
>>>>>>>>>> Att,
>>>>>>>>>> Marcello Ribeiro
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
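
Added example (not part of the original thread, and not code from the CXF project): the registration described in the quoted replies above, with OAuthRequestInterceptor rather than OAuthRequestFilter attached to the JAX-WS endpoint from the first message. The bean id oauthInterceptor is hypothetical, and the interceptor's package is assumed to be the same as OAuthRequestFilter's; per the thread it requires CXF 2.7.11-SNAPSHOT.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">

    <!-- Data provider from the thread. With it wired in, tokens are
         validated locally, without a call to a remote OAuth2 server. -->
    <bean id="oauthProvider"
          class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />

    <!-- BEFORE (reported in the thread as having no effect on the SOAP path):
         the JAX-RS request filter referenced from jaxws:inInterceptors.

         <bean id="oauthFilter"
               class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
             <property name="dataProvider" ref="oauthProvider" />
         </bean>
    -->

    <!-- AFTER: the interceptor named in the thread.
         Assumptions: the bean id is hypothetical and the package is taken
         to match OAuthRequestFilter's. -->
    <bean id="oauthInterceptor"
          class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestInterceptor">
        <property name="dataProvider" ref="oauthProvider" />
    </bean>

    <!-- The SOAP endpoint from the first message, now with the token check
         on its inbound chain. Only this endpoint is protected; every other
         jaxws:endpoint needs its own inInterceptors entry. -->
    <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
        id="blablablawsservice"
        implementor="br.com.hello.BlaBlaBla"
        wsdlLocation="wsdl/blablablawsservice.wsdl"
        endpointName="tns:BlaBlaBlaPort"
        serviceName="tns:BlaBlaBlaServiceService"
        address="/BlaBlaBlaPort">
        <jaxws:inInterceptors>
            <ref bean="oauthInterceptor" />
        </jaxws:inInterceptors>
        <jaxws:features>
            <bean class="org.apache.cxf.feature.LoggingFeature" />
        </jaxws:features>
    </jaxws:endpoint>

    <!-- As reported in the thread, a request without a token surfaces as
         HTTP 500 on the SOAP path unless a custom out fault interceptor
         maps it to 401. -->
</beans>
```

A quick check after deploying: call the endpoint once with no Authorization header and confirm the request is rejected before the service implementation runs.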

Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Sergey Beryozkin <sb...@gmail.com>.
Finally, you can simply use the client utils
https://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-Client-sidesupport

So you'd do

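// create a client which uses Basic Auth; "address" is the AccessTokenService URL
WebClient accessTokenServiceClient = WebClient.create(address, "name", "password", null);

// request an access token using the client credentials grant
ClientAccessToken token =
    OAuthClientUtils.getAccessToken(accessTokenServiceClient, new ClientCredentialsGrant());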

This will get you the token; make sure AccessTokenService is configured 
with the instance of ClientCredentialsGrantHandler and that your data 
provider has a client registered with the "name" id.

This is all rather straightforward for basic cases, though yes, many steps
need to be taken care of.

Please work with the documentation and I'm hoping you will be the 1st 
CXF user who will validate OAuth tokens can be used on the WS path :-)

Sergey


On 21/02/14 15:32, Sergey Beryozkin wrote:
> On 17/01/14 14:23, Marcello Ribeiro wrote:
>> OK, about your second comment, what is a good way to authenticate users
>> in this case?
>> I understand the flow should be:
>>
>> 1 - User asks the client for a Server resource URL.
>> 2 - Client tries reaching the Service URL.
>> 3 - The interceptor sees the client is not authorized yet, so in some
>> way it returns a redirect to the Authorization Server.
>> 4 - Client redirects to the authorization server, passing clientID +
>> clientSecret in order to get a "Request Token".
>> 5 - Authorization Server is required to have an authenticated user,
>> right? Otherwise it cannot authorize ClientId "123456" to talk in the
>> name of user "whoever". (Makes sense?)
>> 6 - Since an authenticated user is required, the Client will receive back
>> some authentication challenge.
>> 7 - So now the Client answers with a username/password pair.
>> 8 - Authentication Server matches it.
>> 9 - Once authenticated, the user will be able to say "Yes, I authorize this
>> app (client) to work in my name"; (the user is going to be asked a kind of
>> yes/no question)
>> 10 - Once that is done, the Client will receive back a "Request Token".
>> 11 - With the "Request Token" in hand, the User will exchange it for an
>> "Access Token";
>> 12 - With the "Access Token" in hand, the user will be able to request the
>> resource itself.
>>
>> Does it sound like nonsense to you to authenticate the user?
>>
> No, not really. You are actually talking about OAuth1 there.
> But at the end of the day, and let's talk about OAuth2 here, it's not
> important where the token came in from, what is important is that the
> JAX-WS client gets it somehow (e.g., as I suggested in the prev email).
> And no, CXF has no support for either JAX-RS or JAX-WS endpoints
> redirecting to OAuth2 servers, the process of obtaining the token is
> *orthogonal* to the process of using the token and invoking on the
> endpoint, if the client has no token all it gets is 401
>
> I think we've really covered this case now in depth :-)
>
>
>
>> Regards,
>> Marcello Ribeiro
>>
>> On 21/02/2014 10:15, Sergey Beryozkin wrote:
>>> Hi
>>> On 20/01/14 11:46, Marcello Ribeiro wrote:
>>>> Hi Sergey,
>>>> So that is the new status:
>>>>
>>>> 1 - I've updated my pom to pull CXF 2.7.11-Snapshot and so
>>>> OAuthRequestInterceptor is now available.
>>>> 2 - I added this interceptor to one of my endpoints.
>>>> 3 - I called this endpoint as usual and now I get a Not Authorized
>>>> Exception which makes my client receive an HTTP 500 directly, which in
>>>> my first point of view is not acceptable, because I think my client
>>>> should get at least an HTTP 401, once he is trying to access the
>>>> endpoint directly with no token, and not having passed through the whole
>>>> OAuth2 flow.
>>>>
>>>> Now I am dealing with:
>>>> 1 - Trying to understand how to send 401 back to my client instead of 500;
>>>
>>> This is a SOAP path so 500 is returned, you can register a custom out
>>> fault interceptor and make sure it is 401.
>>>
>>>> 2 - Going deep inside the docs I understood that I do need also (of
>>>> course) to have my user authenticated and the new fashion for this is using
>>>> WSS4JInInterceptor (using UsernameToken) which implements those new
>>>> Specs. I got problems here and I already raised my hand in another post
>>>> to this list. I've been using JAAS for a long time and I have to confess
>>>> the earth has not stopped rotating all those past years. :)
>>>>
>>>> Any comments on this "saga"?
>>>
>>> I don't think using WS-Security UserName token is appropriate when the
>>> client has OAuth2 tokens.
>>>
>>> Cheers, Sergey
>>>
>>>
>>>>
>>>> Regards,
>>>> Marcello Ribeiro
>>>>
>>>>
>>>>
>>>> On 19/02/2014 14:05, Sergey Beryozkin wrote:
>>>>> So, did you get any luck at all or have I confused you?
>>>>> Basically, the OAuth2 server is there to get the tokens issued, which
>>>>> is completely orthogonal to the process of clients invoking on the
>>>>> JAX-RS or in this case, JAX-WS endpoints.
>>>>>
>>>>> The client needs to get the token first, can be done out of band,
>>>>> depends on the flow, next you use it to invoke on the endpoint and at
>>>>> this point of time the filter (or in your case interceptor) will
>>>>> enforce the token is valid by contacting the OAuth2 server if needed
>>>>> or validate it locally by using the data provider directly
>>>>>
>>>>> HTH
>>>>> Sergey
>>>>>
>>>>> On 17/02/14 15:43, Sergey Beryozkin wrote:
>>>>>> Hi
>>>>>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>>>>>> Good morning.
>>>>>>>
>>>>>>> I've created OAuth2 Services as described in
>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>>>>>>> OAuth2 infrastructure, given tokens, authorization and the stuff.
>>>>>>> OK, but my point is how to make my JAX-WS Services (My Business WS
>>>>>>> endpoints) be intercepted, and protected and authorized by this
>>>>>>> brand new OAuth2 infrastructure? What is the glue?
>>>>>> You have to register OAuthRequestInterceptor, not OAuthRequestFilter,
>>>>>> and it has to be 2.7.11-SNAPSHOT
>>>>>>
>>>>>>> I already put an interceptor for one of the endpoints as you can see
>>>>>>> below, but I got no effect.
>>>>>>>
>>>>>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
>>>>>> this interceptor does let the request which has no OAuth token
>>>>>> attached
>>>>>> to it through ?
>>>>>>
>>>>>> Thanks, Sergey
>>>>>>
>>>>>>> Do i explain myself?
>>>>>>> Thank you.
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Marcello Ribeiro
>>>>>>>
>>>>>>>
>>>>>>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>>>>>>> Hi
>>>>>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>>>>>
>>>>>>>>> I am sorry to say it is still nebulous in my mind...
>>>>>>>>> What I did was to add a new interceptor targeting my OauthFilter
>>>>>>>>> like this:
>>>>>>>>>
>>>>>>>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the
>>>>>>>>> same web application which my webservices share. Should I create a
>>>>>>>>> different web application for the OAuth2 Infrastructure??
>>>>>>>>>
>>>>>>>>>          <jaxws:inInterceptors>
>>>>>>>>>              <ref bean="oauthFilter" />
>>>>>>>>>          </jaxws:inInterceptors>
>>>>>>>>>
>>>>>>>>> But it seems to produce no effects... Client's requests are not
>>>>>>>>> being intercepted or no 403 responses are sent back...
>>>>>>>>
>>>>>>>> How do you obtain an OAuth2 token, where is it coming from ?
>>>>>>>>
>>>>>>>> Cheers, Sergey
>>>>>>>>
>>>>>>>>> Would you have any git endpoint containing that POC
>>>>>>>>>
>>>>>>>>> Thank you
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Marcello Ribeiro
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>>>>>>> Hi, please see comments below
>>>>>>>>>>
>>>>>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>>>>>> Hi,
>>>>>>>>>>> I have a couple of Webservice done and working properly using
>>>>>>>>>>> CXF
>>>>>>>>>>> 2.7.8
>>>>>>>>>>> in the already known fashion:
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>>>>>          id="blablablawsservice"
>>>>>>>>>>>          implementor="br.com.hello.BlaBlaBla"
>>>>>>>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>>>>>>          endpointName="tns:BlaBlaBlaPort"
>>>>>>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>>>>>>>          address="/BlaBlaBlaPort">
>>>>>>>>>>>          <jaxws:features>
>>>>>>>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>>>>>>          </jaxws:features>
>>>>>>>>>>>      </jaxws:endpoint>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>>>>>>>> OAuth2
>>>>>>>>>>> and i have followed the instruction in CXF documentation:
>>>>>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>>>>>> Based on this documentation, i have now:
>>>>>>>>>>>
>>>>>>>>>>> 1 - An Authorization Service;
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="authorizationService"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>> 2 - An Access Token Service;
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="oauthProvider"
>>>>>>>>>>>          class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="accessTokenService"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="accessTokenValidateService"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>>      </bean>
>>>>>>>>>>>
>>>>>>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>>>>>          <jaxrs:serviceBeans>
>>>>>>>>>>>              <ref bean="accessTokenService" />
>>>>>>>>>>>              <ref bean="accessTokenValidateService" />
>>>>>>>>>>>          </jaxrs:serviceBeans>
>>>>>>>>>>>      </jaxrs:server>
>>>>>>>>>>>
>>>>>>>>>>> 3 - A Request Filter
>>>>>>>>>>>
>>>>>>>>>>>      <bean id="oauthFilter"
>>>>>>>>>>>          class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>>>>      </bean>
>>>>>>>>>>
>>>>>>>>>> I'm assuming you have a WS client that would like to use an
>>>>>>>>>> OAuth2
>>>>>>>>>> token to access the JAXWS endpoint, right ?
>>>>>>>>>>
>>>>>>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>>>>>>> (Authorization/Access token) not collocated, though for simple
>>>>>>>>>> cases
>>>>>>>>>> it is good enough for a start;
>>>>>>>>>>
>>>>>>>>>> So, unless you already use CXF OAuth2 services to actually
>>>>>>>>>> issue the
>>>>>>>>>> OAuth2 tokens, just remove all of the above and then simply
>>>>>>>>>> follow the
>>>>>>>>>> few steps I happened to blog about few days ago - will update the
>>>>>>>>>> docs
>>>>>>>>>> shortly:
>>>>>>>>>>
>>>>>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>>>>>>>
>>>>>>>>>> Basically, all you need to do is to add a simple custom WS
>>>>>>>>>> interceptor, you are right. If you have a remote OAuth2 AS then
>>>>>>>>>> for a
>>>>>>>>>> start you can use a basic access token validator client
>>>>>>>>>> (HTTP-based)
>>>>>>>>>> registered with your interceptor
>>>>>>>>>>
>>>>>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>>>>>
>>>>>>>>>> Let me know if you have more questions
>>>>>>>>>>
>>>>>>>>>> Sergey
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> So my point is:
>>>>>>>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>>>>>>> Request
>>>>>>>>>>> Filter? What is the glue between them?
>>>>>>>>>>> For example: I have a url
>>>>>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how
>>>>>>>>>>> do I make it under this OAuth Protection Structure??
>>>>>>>>>>> Is that by interceptors, maybe?
>>>>>>>>>>>
>>>>>>>>>>> Thank you.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Marcello Ribeiro
>
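
The wiring the replies above describe, as an added example that is not part of the thread or of the CXF project's own code: the token endpoint gets a client-credentials grant handler, and the JAX-WS endpoint gets OAuthRequestInterceptor instead of the JAX-RS OAuthRequestFilter. The bean ids clientCredentialsHandler, oauthJson and oauthInterceptor are illustrative, and the fully qualified names of OAuthRequestInterceptor, ClientCredentialsGrantHandler and OAuthJSONProvider are not given in the thread; they are assumed from the CXF OAuth2 module and should be checked against the CXF version in use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd">

  <!-- Data provider class as posted in the thread. It must have a client
       registered under the id the token client authenticates with ("name"). -->
  <bean id="oauthProvider"
        class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider"/>

  <!-- Authorization server side: the token endpoint accepts the
       client_credentials grant. Class name assumed, see the note above. -->
  <bean id="clientCredentialsHandler"
        class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
    <property name="dataProvider" ref="oauthProvider"/>
  </bean>

  <bean id="accessTokenService"
        class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
    <property name="dataProvider" ref="oauthProvider"/>
    <property name="grantHandlers">
      <list>
        <ref bean="clientCredentialsHandler"/>
      </list>
    </property>
  </bean>

  <!-- Writes the issued token as JSON. Class name assumed, see the note above. -->
  <bean id="oauthJson"
        class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>

  <!-- Serve /oauth over TLS only: the client sends its id and secret
       with Basic Auth on every token request. -->
  <jaxrs:server id="oauthServer" address="/oauth">
    <jaxrs:serviceBeans>
      <ref bean="accessTokenService"/>
    </jaxrs:serviceBeans>
    <jaxrs:providers>
      <ref bean="oauthJson"/>
    </jaxrs:providers>
  </jaxrs:server>

  <!-- Before (as posted in the thread): the JAX-RS OAuthRequestFilter bean
       referenced from the JAX-WS chain, which the poster reports has no effect:
         <jaxws:inInterceptors><ref bean="oauthFilter"/></jaxws:inInterceptors>
  -->

  <!-- After: the interceptor named in the reply (CXF 2.7.11-SNAPSHOT per the
       thread). AS and RS are collocated here, so tokens are validated locally
       through the data provider; no AccessTokenValidatorService is needed. -->
  <bean id="oauthInterceptor"
        class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestInterceptor">
    <property name="dataProvider" ref="oauthProvider"/>
  </bean>

  <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
                  id="blablablawsservice"
                  implementor="br.com.hello.BlaBlaBla"
                  wsdlLocation="wsdl/blablablawsservice.wsdl"
                  endpointName="tns:BlaBlaBlaPort"
                  serviceName="tns:BlaBlaBlaServiceService"
                  address="/BlaBlaBlaPort">
    <jaxws:inInterceptors>
      <ref bean="oauthInterceptor"/>
    </jaxws:inInterceptors>
    <jaxws:features>
      <bean class="org.apache.cxf.feature.LoggingFeature"/>
    </jaxws:features>
  </jaxws:endpoint>
</beans>
```

A request that reaches the endpoint without a valid token should be rejected by the interceptor; per the thread the SOAP fault goes out as HTTP 500 unless a custom out fault interceptor changes it to 401.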

Re: [** POSSÍVEL SPAM 6.6 **] Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Marcello Ribeiro <ma...@contmatic.com.br>.
OK, about your second comment, what is a good way to authenticate users 
in this case?
I understand the flow should be:

1 - User asks the client for a Server resource URL.
2 - Client tries reaching the Service URL.
3 - The interceptor sees the client is not authorized yet, so in some 
way it returns a redirect to the Authorization Server.
4 - Client redirects to the authorization server, passing clientID + 
clientSecret in order to get a "Request Token".
5 - Authorization Server is required to have an authenticated user, 
right? Otherwise it cannot authorize ClientId "123456" to talk in the 
name of user "whoever". (Makes sense?)
6 - Since an authenticated user is required, the Client will receive back 
some authentication challenge.
7 - So now the Client answers with a username/password pair.
8 - Authentication Server matches it.
9 - Once authenticated, the user will be able to say "Yes, I authorize this 
app (client) to work in my name"; (the user is going to be asked a kind of 
yes/no question)
10 - Once that is done, the Client will receive back a "Request Token".
11 - With the "Request Token" in hand, the User will exchange it for an 
"Access Token";
12 - With the "Access Token" in hand, the user will be able to request the 
resource itself.

Does it sound like nonsense to you to authenticate the user?

Regards,
Marcello Ribeiro

On 21/02/2014 10:15, Sergey Beryozkin wrote:
> Hi
> On 20/01/14 11:46, Marcello Ribeiro wrote:
>> Hi Sergey,
>> So that is the new status:
>>
>> 1 - I've updated my pom to pull CXF 2.7.11-Snapshot and so
>> OAuthRequestInterceptor is now available.
>> 2 - I added this interceptor to one of my endpoints.
>> 3 - I called this endpoint as usual and now I get a Not Authorized
>> Exception which makes my client receive an HTTP 500 directly, which in
>> my first point of view is not acceptable, because I think my client
>> should get at least an HTTP 401, once he is trying to access the
>> endpoint directly with no token, and not having passed through the whole
>> OAuth2 flow.
>>
>> Now I am dealing with:
>> 1 - Trying to understand how to send 401 back to my client instead of 500;
>
> This is a SOAP path so 500 is returned, you can register a custom out 
> fault interceptor and make sure it is 401.
>
>> 2 - Going deep inside the docs I understood that I do need also (of
>> course) to have my user authenticated and the new fashion for this is using
>> WSS4JInInterceptor (using UsernameToken) which implements those new
>> Specs. I got problems here and I already raised my hand in another post
>> to this list. I've been using JAAS for a long time and I have to confess
>> the earth has not stopped rotating all those past years. :)
>>
>> Any comments on this "saga"?
>
> I don't think using WS-Security UserName token is appropriate when the 
> client has OAuth2 tokens.
>
> Cheers, Sergey
>
>
>>
>> Regards,
>> Marcello Ribeiro


Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Sergey Beryozkin <sb...@gmail.com>.
On 21/02/14 13:15, Sergey Beryozkin wrote:
> Hi
> On 20/01/14 11:46, Marcello Ribeiro wrote:
>> Hi Sergey,
>> So that is the new status:
>>
>> 1 - I've updated my pom to pull CXF 2.7.11-Snapshot and so
>> OAuthRequestInterceptor is now available.
>> 2 - I added this interceptor to one of my endpoints.
>> 3 - I called this endpoint as usual and now I get a Not Authorized
>> Exception which makes my client receive an HTTP 500 directly, which in
>> my first point of view is not acceptable, because I think my client
>> should get at least an HTTP 401, once he is trying to access the
>> endpoint directly with no token, and not having passed through the whole
>> OAuth2 flow.
>>
>> Now I am dealing with:
>> 1 - Trying to understand how to send 401 back to my client instead of 500;
>
> This is a SOAP path so 500 is returned, you can register a custom out
> fault interceptor and make sure it is 401.
>
>> 2 - Going deep inside the docs I understood that I do need also (of
>> course) to have my user authenticated and the new fashion for this is using
>> WSS4JInInterceptor (using UsernameToken) which implements those new
>> Specs. I got problems here and I already raised my hand in another post
>> to this list. I've been using JAAS for a long time and I have to confess
>> the earth has not stopped rotating all those past years. :)
>>
>> Any comments on this "saga"?
>
> I don't think using WS-Security UserName token is appropriate when the
> client has OAuth2 tokens.
>
Let me clarify a bit more.

1. You need to obtain an OAuth2 token on the client side first: there 
are many ways, the easiest option, for POC at least, is to use OAuth2 
client credentials flow where basically you use the client name & 
password as a 'grant' - you post to the OAuth2 server, get back the token

2. JAX-WS client now uses WS-Security BinaryToken to pass the OAuth2 
token along

3. You configure WSS4JInInterceptor to handle the binary token

4. Have the customized OAuth2 interceptor validating it, meaning you 
will have the custom interceptor extending CXF OAuth2 interceptor and 
extracting the binary token from CXF Message (put there by 
WSS4JInInterceptor)

Sergey



> Cheers, Sergey
>
>
>>
>> Regards,
>> Marcello Ribeiro


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 20/01/14 11:46, Marcello Ribeiro wrote:
> Hi Sergey,
> So that is the new status:
>
> 1 - I've updated my pom to pull CXF 2.7.11-Snapshot and so
> OAuthRequestInterceptor is now available.
> 2 - I added this interceptor to one of my endpoints.
> 3 - I called this endpoint as usual and now I get a Not Authorized
> Exception which makes my client receive an HTTP 500 directly, which in
> my first point of view is not acceptable, because I think my client
> should get at least an HTTP 401, once he is trying to access the
> endpoint directly with no token, and not having passed through the whole
> OAuth2 flow.
>
> Now I am dealing with:
> 1 - Trying to understand how to send 401 back to my client instead of 500;

This is a SOAP path so 500 is returned, you can register a custom out 
fault interceptor and make sure it is 401.

> 2 - Going deep into the docs, I understood that I also need (of
> course) to have my user authenticated, and the new fashion for this is using
> WSS4JInInterceptor (using UsernameToken), which implements those new
> specs. I got problems here and I already raised my hand in another post
> to this list. I've been using JAAS for a long time and I have to confess
> the earth has not stopped rotating all those past years. :)
>
> Any comments on this "saga"?

I don't think using WS-Security UserName token is appropriate when the 
client has OAuth2 tokens.

Cheers, Sergey


>
> Regards,
> Marcello Ribeiro
>
>
>
> On 19/02/2014 14:05, Sergey Beryozkin wrote:
>> So, did you get any luck at all or I have confused you ?
>> Basically, the OAuth2 server is there to get the tokens issued, which
>> is completely orthogonal to the process of clients invoking on the
>> JAX-RS or in this case, JAX-WS endpoints.
>>
>> The client need to get the token first, can be done out of band,
>> depends on the flow, next you use it to invoke on the endpoint and at
>> this point of time the filter (or in you case interceptor) will
>> enforce the token is valid by contacting the OAuth2 server if needed
>> or validate it locally by using the data provider directly
>>
>> HTH
>> Sergey
>>
>> On 17/02/14 15:43, Sergey Beryozkin wrote:
>>> Hi
>>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>>> Good morning.
>>>>
>>>> I´ve created Oauth2 Services as described in
>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>>>> Oauth2 infrastructure, given tokens, authorization and the stuffs .
>>>> OK, but my point is how to make my JAX-WS Services (My Business WS
>>>> endpoints) being intecepted, and protected and authorized for this
>>>> brand
>>>> new Oauth2 infrastructure? What is the glue.
>>> You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
>>> and it has to be 2.7.11-SNAPSHOT
>>>
>>>> I already put an interceptor for one of the endpoints as you can see
>>>> bellow, but i got none effects.
>>>>
>>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
>>> this interceptor does let the request which has no OAuth token attached
>>> to it through ?
>>>
>>> Thanks, Sergey
>>>
>>>> Do i explain myself?
>>>> Thank you.
>>>>
>>>> Best Regards,
>>>> Marcello Ribeiro
>>>>
>>>>
>>>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>>>> Hi
>>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>>
>>>>>> I am sorry to say it is still  nebulous in my mind...
>>>>>> What i did was to add a new interceptor targeting my OauthFilter like
>>>>>> this:
>>>>>>
>>>>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the
>>>>>> same
>>>>>> web application which my webservices share. Should i create a
>>>>>> diferent
>>>>>> web application for the Oauth2 Infraestructure??
>>>>>>
>>>>>>          <jaxws:inInterceptors>
>>>>>>              <ref bean="oauthFilter" />
>>>>>>          </jaxws:inInterceptors>
>>>>>>
>>>>>> But it seems to produce no effects... Client´s requests are not been
>>>>>> intercepted or no 403 response are sent back...
>>>>>
>>>>> How do obtain an OAuth2 token, where is it coming from ?
>>>>>
>>>>> Cheers, Sergey
>>>>>
>>>>>> Would you have any git endpoint containing that POC
>>>>>>
>>>>>> Thank you
>>>>>>
>>>>>> Att,
>>>>>> Marcello Ribeiro
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>>>> Hi, please see comments below
>>>>>>>
>>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>>> Hi,
>>>>>>>> I have a couple of Webservice done and working properly using CXF
>>>>>>>> 2.7.8
>>>>>>>> in the already known fashion:
>>>>>>>>
>>>>>>>>
>>>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>>          id="blablablawsservice"
>>>>>>>> implementor="br.com.hello.BlaBlaBla"
>>>>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>>> endpointName="tns:BlaBlaBlaPort"
>>>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>>>> address="/BlaBlaBlaPort">
>>>>>>>>          <jaxws:features>
>>>>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>>>          </jaxws:features>
>>>>>>>>      </jaxws:endpoint>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>>>>> OAuth2
>>>>>>>> and i have followed the instruction in CXF documentation:
>>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>>> Based on this documentation, i have now:
>>>>>>>>
>>>>>>>> 1 - An Authorization Service;
>>>>>>>> |
>>>>>>>>      <bean id="authorizationService"
>>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>        <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>>      </bean>|
>>>>>>>>
>>>>>>>> |
>>>>>>>> |
>>>>>>>>
>>>>>>>>
>>>>>>>> 2 - An Access Token Service;
>>>>>>>>
>>>>>>>>      <bean id="oauthProvider"
>>>>>>>> class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider"
>>>>>>>>
>>>>>>>> />
>>>>>>>>
>>>>>>>>
>>>>>>>>      <bean id="accessTokenService"
>>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>>>
>>>>>>>>
>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>      </bean>
>>>>>>>>
>>>>>>>>      <bean id="accessTokenValidateService"
>>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>      </bean>
>>>>>>>>
>>>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>>          <jaxrs:serviceBeans>
>>>>>>>>              <ref bean="accessTokenService" />
>>>>>>>>              <ref bean="accessTokenValidateService" />
>>>>>>>>          </jaxrs:serviceBeans>
>>>>>>>>      </jaxrs:server>
>>>>>>>>
>>>>>>>>
>>>>>>>> 3 - A Request Filter
>>>>>>>>
>>>>>>>>      <bean id="oauthFilter"
>>>>>>>> class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>>>
>>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>>      </bean>
>>>>>>>
>>>>>>> I'm assuming you have a WS client that would like to use an OAuth2
>>>>>>> token to access the JAXWS endpoint, right ?
>>>>>>>
>>>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>>>> (Authorization/Access token) not collocated, though for simple cases
>>>>>>> it is good enough for a start;
>>>>>>>
>>>>>>> So, unless you already use CXF OAuth2 services to actually issue the
>>>>>>> OAuth2 tokens, just remove all of the above and then simply
>>>>>>> follow the
>>>>>>> few steps I happened to blog about few days ago - will update the
>>>>>>> docs
>>>>>>> shortly:
>>>>>>>
>>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Basically, all you need to do is to add a simple custom WS
>>>>>>> interceptor, you are right. If you have a remote OAuth2 AS then
>>>>>>> for a
>>>>>>> start you can use a basic access token validator client (HTTP-based)
>>>>>>> registered with your interceptor
>>>>>>>
>>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>>
>>>>>>> Let me know if you have more questions
>>>>>>>
>>>>>>> Sergey
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> So my point is:
>>>>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>>>> Request
>>>>>>>> Filter? What is the glue between them?
>>>>>>>> For example: i have a url
>>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do it
>>>>>>>> make
>>>>>>>> it under this Oauth Protection Structure??
>>>>>>>> Is that by interceptors, maybe?
>>>>>>>>
>>>>>>>> Thank you.
>>>>>>>>
>>>>>>>> Att,
>>>>>>>> Marcello Ribeirop


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
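
The custom out fault interceptor suggested in the reply above, written out as an added example (not code from this thread or from the CXF project). The class and package names are hypothetical, and it assumes the token interceptor's rejection reaches the fault chain as a JAX-RS WebApplicationException carrying status 401 or 403.

```java
package example.security; // hypothetical package name

import java.net.HttpURLConnection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/*
 * Maps OAuth2 token failures on a JAX-WS endpoint to HTTP 401/403 instead of
 * the SOAP default of 500. Every other fault keeps its default status.
 *
 * Spring wiring (bean ids are assumptions, not taken from the thread):
 *
 *   <jaxws:endpoint ... address="/BlaBlaBlaPort">
 *     <jaxws:inInterceptors>
 *       <ref bean="oauthInterceptor"/>  <!-- the OAuthRequestInterceptor bean -->
 *     </jaxws:inInterceptors>
 *     <jaxws:outFaultInterceptors>
 *       <bean class="example.security.OAuthFaultStatusInterceptor"/>
 *     </jaxws:outFaultInterceptors>
 *   </jaxws:endpoint>
 */
public class OAuthFaultStatusInterceptor extends AbstractPhaseInterceptor<Message> {

    // Bound the cause-chain walk so a cyclic chain cannot loop forever.
    private static final int MAX_CAUSE_DEPTH = 8;

    public OAuthFaultStatusInterceptor() {
        // Assumption: PRE_STREAM runs after the SOAP binding has set its default
        // fault status and before the response headers are flushed.
        super(Phase.PRE_STREAM);
    }

    @Override
    public void handleMessage(Message faultMessage) throws Fault {
        int status = authStatusOf(faultMessage.getContent(Exception.class));
        if (status == 0) {
            return; // not an authentication/authorization failure: leave the 500 alone
        }
        faultMessage.put(Message.RESPONSE_CODE, Integer.valueOf(status));
        if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
            // A 401 must tell the client which scheme to use.
            protocolHeaders(faultMessage)
                .put("WWW-Authenticate", Collections.singletonList("Bearer"));
        }
    }

    /** Returns 401 or 403 if the fault was caused by such a JAX-RS error, else 0. */
    static int authStatusOf(Throwable t) {
        for (int depth = 0; t != null && depth < MAX_CAUSE_DEPTH; depth++) {
            if (t instanceof WebApplicationException) {
                Response r = ((WebApplicationException) t).getResponse();
                int status = (r == null) ? 0 : r.getStatus();
                if (status == HttpURLConnection.HTTP_UNAUTHORIZED
                        || status == HttpURLConnection.HTTP_FORBIDDEN) {
                    return status;
                }
            }
            t = t.getCause();
        }
        return 0;
    }

    /** Fetches the outgoing HTTP header map, creating it if the message has none yet. */
    @SuppressWarnings("unchecked")
    private static Map<String, List<String>> protocolHeaders(Message message) {
        Map<String, List<String>> headers =
            (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
        if (headers == null) {
            headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
            message.put(Message.PROTOCOL_HEADERS, headers);
        }
        return headers;
    }
}
```

WS-I Basic Profile expects SOAP faults to arrive with HTTP 500, so confirm that your WS clients still process the fault body once the status is 401.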

Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Marcello Ribeiro <ma...@contmatic.com.br>.
Hi Sergey,
So that is the new status:

1 - I've updated my pom to pull CXF 2.7.11-Snapshot and so
OAuthRequestInterceptor is now available.
2 - I added this interceptor to one of my endpoints.
3 - I called this endpoint as usual and now I get a Not Authorized
Exception, which makes my client receive an HTTP 500 directly, which from
my first point of view is not acceptable, because I think my client
should get at least an HTTP 401, since he is trying to access the
endpoint directly with no token, without having gone through the whole
OAuth2 flow.

Now I am dealing with:
1 - Trying to understand how to send a 401 back to my client instead of a 500;
2 - Going deep into the docs, I understood that I also need (of
course) to have my user authenticated, and the new fashion for this is using
WSS4JInInterceptor (using UsernameToken), which implements those new
specs. I got problems here and I already raised my hand in another post
to this list. I've been using JAAS for a long time and I have to confess
the earth has not stopped rotating all those past years. :)

Any comments on this "saga"?

Regards,
Marcello Ribeiro



On 19/02/2014 14:05, Sergey Beryozkin wrote:
> So, did you get any luck at all or I have confused you ?
> Basically, the OAuth2 server is there to get the tokens issued, which 
> is completely orthogonal to the process of clients invoking on the 
> JAX-RS or in this case, JAX-WS endpoints.
>
> The client need to get the token first, can be done out of band, 
> depends on the flow, next you use it to invoke on the endpoint and at 
> this point of time the filter (or in you case interceptor) will 
> enforce the token is valid by contacting the OAuth2 server if needed 
> or validate it locally by using the data provider directly
>
> HTH
> Sergey
>
> On 17/02/14 15:43, Sergey Beryozkin wrote:
>> Hi
>> On 17/02/14 12:43, Marcello Ribeiro wrote:
>>> Good morning.
>>>
>>> I´ve created Oauth2 Services as described in
>>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>>> Oauth2 infrastructure, given tokens, authorization and the stuffs .
>>> OK, but my point is how to make my JAX-WS Services (My Business WS
>>> endpoints) being intecepted, and protected and authorized for this 
>>> brand
>>> new Oauth2 infrastructure? What is the glue.
>> You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
>> and it has to be 2.7.11-SNAPSHOT
>>
>>> I already put an interceptor for one of the endpoints as you can see
>>> bellow, but i got none effects.
>>>
>> So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
>> this interceptor does let the request which has no OAuth token attached
>> to it through ?
>>
>> Thanks, Sergey
>>
>>> Do i explain myself?
>>> Thank you.
>>>
>>> Best Regards,
>>> Marcello Ribeiro
>>>
>>>
>>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>>> Hi
>>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>>
>>>>> I am sorry to say it is still  nebulous in my mind...
>>>>> What i did was to add a new interceptor targeting my OauthFilter like
>>>>> this:
>>>>>
>>>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the 
>>>>> same
>>>>> web application which my webservices share. Should i create a 
>>>>> diferent
>>>>> web application for the Oauth2 Infraestructure??
>>>>>
>>>>>          <jaxws:inInterceptors>
>>>>>              <ref bean="oauthFilter" />
>>>>>          </jaxws:inInterceptors>
>>>>>
>>>>> But it seems to produce no effects... Client´s requests are not been
>>>>> intercepted or no 403 response are sent back...
>>>>
>>>> How do obtain an OAuth2 token, where is it coming from ?
>>>>
>>>> Cheers, Sergey
>>>>
>>>>> Would you have any git endpoint containing that POC
>>>>>
>>>>> Thank you
>>>>>
>>>>> Att,
>>>>> Marcello Ribeiro
>>>>>
>>>>>
>>>>>
>>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>>> Hi, please see comments below
>>>>>>
>>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>>> Hi,
>>>>>>> I have a couple of Webservice done and working properly using CXF
>>>>>>> 2.7.8
>>>>>>> in the already known fashion:
>>>>>>>
>>>>>>>
>>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>>          id="blablablawsservice" 
>>>>>>> implementor="br.com.hello.BlaBlaBla"
>>>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>>> endpointName="tns:BlaBlaBlaPort"
>>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>>> address="/BlaBlaBlaPort">
>>>>>>>          <jaxws:features>
>>>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>>          </jaxws:features>
>>>>>>>      </jaxws:endpoint>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>>>> OAuth2
>>>>>>> and i have followed the instruction in CXF documentation:
>>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>>> Based on this documentation, i have now:
>>>>>>>
>>>>>>> 1 - An Authorization Service;
>>>>>>> |
>>>>>>>      <bean id="authorizationService"
>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"> 
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>        <property name="dataProvider" ref="oauthProvider"/>
>>>>>>>      </bean>|
>>>>>>>
>>>>>>> |
>>>>>>> |
>>>>>>>
>>>>>>>
>>>>>>> 2 - An Access Token Service;
>>>>>>>
>>>>>>>      <bean id="oauthProvider"
>>>>>>> class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" 
>>>>>>>
>>>>>>> />
>>>>>>>
>>>>>>>
>>>>>>>      <bean id="accessTokenService"
>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService"> 
>>>>>>>
>>>>>>>
>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>      </bean>
>>>>>>>
>>>>>>>      <bean id="accessTokenValidateService"
>>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService"> 
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>      </bean>
>>>>>>>
>>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>>          <jaxrs:serviceBeans>
>>>>>>>              <ref bean="accessTokenService" />
>>>>>>>              <ref bean="accessTokenValidateService" />
>>>>>>>          </jaxrs:serviceBeans>
>>>>>>>      </jaxrs:server>
>>>>>>>
>>>>>>>
>>>>>>> 3 - A Request Filter
>>>>>>>
>>>>>>>      <bean id="oauthFilter"
>>>>>>> class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"> 
>>>>>>>
>>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>>      </bean>
>>>>>>
>>>>>> I'm assuming you have a WS client that would like to use an OAuth2
>>>>>> token to access the JAXWS endpoint, right ?
>>>>>>
>>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>>> (Authorization/Access token) not collocated, though for simple cases
>>>>>> it is good enough for a start;
>>>>>>
>>>>>> So, unless you already use CXF OAuth2 services to actually issue the
>>>>>> OAuth2 tokens, just remove all of the above and then simply 
>>>>>> follow the
>>>>>> few steps I happened to blog about few days ago - will update the 
>>>>>> docs
>>>>>> shortly:
>>>>>>
>>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html 
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Basically, all you need to do is to add a simple custom WS
>>>>>> interceptor, you are right. If you have a remote OAuth2 AS then 
>>>>>> for a
>>>>>> start you can use a basic access token validator client (HTTP-based)
>>>>>> registered with your interceptor
>>>>>>
>>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>>
>>>>>> Let me know if you have more questions
>>>>>>
>>>>>> Sergey
>>>>>>
>>>>>>
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So my point is:
>>>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>>> Request
>>>>>>> Filter? What is the glue between them?
>>>>>>> For example: i have a url
>>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do it
>>>>>>> make
>>>>>>> it under this Oauth Protection Structure??
>>>>>>> Is that by interceptors, maybe?
>>>>>>>
>>>>>>> Thank you.
>>>>>>>
>>>>>>> Att,
>>>>>>> Marcello Ribeirop


Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Sergey Beryozkin <sb...@gmail.com>.
So, did you have any luck at all, or have I confused you?
Basically, the OAuth2 server is there to get the tokens issued, which is
completely orthogonal to the process of clients invoking on the JAX-RS
or, in this case, JAX-WS endpoints.

The client needs to get the token first (this can be done out of band,
depending on the flow); next you use it to invoke on the endpoint, and at
this point the filter (or in your case the interceptor) will enforce that
the token is valid by contacting the OAuth2 server if needed, or validate
it locally by using the data provider directly.

HTH
Sergey

On 17/02/14 15:43, Sergey Beryozkin wrote:
> Hi
> On 17/02/14 12:43, Marcello Ribeiro wrote:
>> Good morning.
>>
>> I´ve created Oauth2 Services as described in
>> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
>> Oauth2 infrastructure, given tokens, authorization and the stuffs .
>> OK, but my point is how to make my JAX-WS Services (My Business WS
>> endpoints) being intecepted, and protected and authorized for this brand
>> new Oauth2 infrastructure? What is the glue.
> You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
> and it has to be 2.7.11-SNAPSHOT
>
>> I already put an interceptor for one of the endpoints as you can see
>> bellow, but i got none effects.
>>
> So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
> this interceptor does let the request which has no OAuth token attached
> to it through ?
>
> Thanks, Sergey
>
>> Do i explain myself?
>> Thank you.
>>
>> Best Regards,
>> Marcello Ribeiro
>>
>>
>> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>>> Hi
>>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>>> Hi Sergey, thank you for helping and for the nice blog...
>>>>
>>>> I am sorry to say it is still  nebulous in my mind...
>>>> What i did was to add a new interceptor targeting my OauthFilter like
>>>> this:
>>>>
>>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the same
>>>> web application which my webservices share. Should i create a diferent
>>>> web application for the Oauth2 Infraestructure??
>>>>
>>>>          <jaxws:inInterceptors>
>>>>              <ref bean="oauthFilter" />
>>>>          </jaxws:inInterceptors>
>>>>
>>>> But it seems to produce no effects... Client´s requests are not been
>>>> intercepted or no 403 response are sent back...
>>>
>>> How do obtain an OAuth2 token, where is it coming from ?
>>>
>>> Cheers, Sergey
>>>
>>>> Would you have any git endpoint containing that POC
>>>>
>>>> Thank you
>>>>
>>>> Att,
>>>> Marcello Ribeiro
>>>>
>>>>
>>>>
>>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>>> Hi, please see comments below
>>>>>
>>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>>> Hi,
>>>>>> I have a couple of Webservice done and working properly using CXF
>>>>>> 2.7.8
>>>>>> in the already known fashion:
>>>>>>
>>>>>>
>>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>>          id="blablablawsservice" implementor="br.com.hello.BlaBlaBla"
>>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>>> endpointName="tns:BlaBlaBlaPort"
>>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>>> address="/BlaBlaBlaPort">
>>>>>>          <jaxws:features>
>>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>>          </jaxws:features>
>>>>>>      </jaxws:endpoint>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>>> OAuth2
>>>>>> and i have followed the instruction in CXF documentation:
>>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>>> Based on this documentation, i have now:
>>>>>>
>>>>>> 1 - An Authorization Service;
>>>>>> |
>>>>>>      <bean id="authorizationService"
>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>        <property name="dataProvider" ref="oauthProvider"/>
>>>>>>      </bean>|
>>>>>>
>>>>>> |
>>>>>> |
>>>>>>
>>>>>>
>>>>>> 2 - An Access Token Service;
>>>>>>
>>>>>>      <bean id="oauthProvider"
>>>>>> class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider"
>>>>>> />
>>>>>>
>>>>>>
>>>>>>      <bean id="accessTokenService"
>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>>
>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>      </bean>
>>>>>>
>>>>>>      <bean id="accessTokenValidateService"
>>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>      </bean>
>>>>>>
>>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>>          <jaxrs:serviceBeans>
>>>>>>              <ref bean="accessTokenService" />
>>>>>>              <ref bean="accessTokenValidateService" />
>>>>>>          </jaxrs:serviceBeans>
>>>>>>      </jaxrs:server>
>>>>>>
>>>>>>
>>>>>> 3 - A Request Filter
>>>>>>
>>>>>>      <bean id="oauthFilter"
>>>>>> class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>>      </bean>
>>>>>
>>>>> I'm assuming you have a WS client that would like to use an OAuth2
>>>>> token to access the JAXWS endpoint, right ?
>>>>>
>>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>>> (Authorization/Access token) not collocated, though for simple cases
>>>>> it is good enough for a start;
>>>>>
>>>>> So, unless you already use CXF OAuth2 services to actually issue the
>>>>> OAuth2 tokens, just remove all of the above and then simply follow the
>>>>> few steps I happened to blog about few days ago - will update the docs
>>>>> shortly:
>>>>>
>>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Basically, all you need to do is to add a simple custom WS
>>>>> interceptor, you are right. If you have a remote OAuth2 AS then for a
>>>>> start you can use a basic access token validator client (HTTP-based)
>>>>> registered with your interceptor
>>>>>
>>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>>
>>>>> Let me know if you have more questions
>>>>>
>>>>> Sergey
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> So my point is:
>>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>>> Request
>>>>>> Filter? What is the glue between them?
>>>>>> For example: i have a url
>>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do it
>>>>>> make
>>>>>> it under this Oauth Protection Structure??
>>>>>> Is that by interceptors, maybe?
>>>>>>
>>>>>> Thank you.
>>>>>>
>>>>>> Att,
>>>>>> Marcello Ribeirop


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: [** POSSÍVEL SPAM 6.6 **] Re: CXF - 2.7.8 - JAX-RS: OAuth2 X JAX-WS Protection

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 17/02/14 12:43, Marcello Ribeiro wrote:
> Good morning.
>
> I´ve created Oauth2 Services as described in
> https://cxf.apache.org/docs/jax-rs-oauth2.html ,  to be my complete
> Oauth2 infrastructure, given tokens, authorization and the stuffs .
> OK, but my point is how to make my JAX-WS Services (My Business WS
> endpoints) being intecepted, and protected and authorized for this brand
> new Oauth2 infrastructure? What is the glue.
You have to register OAuthRequestInterceptor, not OAuthRequestFilter,
and it has to be 2.7.11-SNAPSHOT.

> I already put an interceptor for one of the endpoints as you can see
> bellow, but i got none effects.
>
So you have added OAuthRequestInterceptor to your JAX-WS endpoint and 
this interceptor does let the request which has no OAuth token attached 
to it through ?

Thanks, Sergey

> Do i explain myself?
> Thank you.
>
> Best Regards,
> Marcello Ribeiro
>
>
> On 16/02/2014 18:12, Sergey Beryozkin wrote:
>> Hi
>> On 16/01/14 19:58, Marcello Ribeiro wrote:
>>> Hi Sergey, thank you for helping and for the nice blog...
>>>
>>> I am sorry to say it is still  nebulous in my mind...
>>> What i did was to add a new interceptor targeting my OauthFilter like
>>> this:
>>>
>>> My    <jaxrs:server id="oauthServer" address="/oauth"> shares the same
>>> web application which my webservices share. Should i create a diferent
>>> web application for the Oauth2 Infraestructure??
>>>
>>>          <jaxws:inInterceptors>
>>>              <ref bean="oauthFilter" />
>>>          </jaxws:inInterceptors>
>>>
>>> But it seems to produce no effects... Client´s requests are not been
>>> intercepted or no 403 response are sent back...
>>
>> How do obtain an OAuth2 token, where is it coming from ?
>>
>> Cheers, Sergey
>>
>>> Would you have any git endpoint containing that POC
>>>
>>> Thank you
>>>
>>> Att,
>>> Marcello Ribeiro
>>>
>>>
>>>
>>> On 14/02/2014 11:54, Sergey Beryozkin wrote:
>>>> Hi, please see comments below
>>>>
>>>> On 14/02/14 12:50, Marcello Ribeiro wrote:
>>>>> Hi,
>>>>> I have a couple of Webservice done and working properly using CXF
>>>>> 2.7.8
>>>>> in the already known fashion:
>>>>>
>>>>>
>>>>>      <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
>>>>>          id="blablablawsservice" implementor="br.com.hello.BlaBlaBla"
>>>>>          wsdlLocation="wsdl/blablablawsservice.wsdl"
>>>>> endpointName="tns:BlaBlaBlaPort"
>>>>>          serviceName="tns:BlaBlaBlaServiceService"
>>>>> address="/BlaBlaBlaPort">
>>>>>          <jaxws:features>
>>>>>              <bean class="org.apache.cxf.feature.LoggingFeature" />
>>>>>          </jaxws:features>
>>>>>      </jaxws:endpoint>
>>>>>
>>>>>
>>>>>
>>>>> Now, what i need is to protect these services/urls using JAX-RS:
>>>>> OAuth2
>>>>> and i have followed the instruction in CXF documentation:
>>>>> https://cxf.apache.org/docs/jax-rs-oauth2.html
>>>>> Based on this documentation, i have now:
>>>>>
>>>>> 1 - An Authorization Service;
>>>>> |
>>>>>      <bean id="authorizationService"
>>>>> class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
>>>>>
>>>>>
>>>>>
>>>>>        <property name="dataProvider" ref="oauthProvider"/>
>>>>>      </bean>|
>>>>>
>>>>> |
>>>>> |
>>>>>
>>>>>
>>>>> 2 - An Access Token Service;
>>>>>
>>>>>      <bean id="oauthProvider"
>>>>> class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
>>>>>
>>>>>
>>>>>      <bean id="accessTokenService"
>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>      </bean>
>>>>>
>>>>>      <bean id="accessTokenValidateService"
>>>>> class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
>>>>>
>>>>>
>>>>>
>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>      </bean>
>>>>>
>>>>>      <jaxrs:server id="oauthServer" address="/oauth">
>>>>>          <jaxrs:serviceBeans>
>>>>>              <ref bean="accessTokenService" />
>>>>>              <ref bean="accessTokenValidateService" />
>>>>>          </jaxrs:serviceBeans>
>>>>>      </jaxrs:server>
>>>>>
>>>>>
>>>>> 3 - A Request Filter
>>>>>
>>>>>      <bean id="oauthFilter"
>>>>> class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
>>>>>          <property name="dataProvider" ref="oauthProvider" />
>>>>>      </bean>
>>>>
>>>> I'm assuming you have a WS client that would like to use an OAuth2
>>>> token to access the JAXWS endpoint, right ?
>>>>
>>>> Typically you'd have OAuth2 RS (your applications) and AS
>>>> (Authorization/Access token) not collocated, though for simple cases
>>>> it is good enough for a start;
>>>>
>>>> So, unless you already use CXF OAuth2 services to actually issue the
>>>> OAuth2 tokens, just remove all of the above and then simply follow the
>>>> few steps I happened to blog about few days ago - will update the docs
>>>> shortly:
>>>>
>>>> http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
>>>>
>>>>
>>>>
>>>> Basically, all you need to do is to add a simple custom WS
>>>> interceptor, you are right. If you have a remote OAuth2 AS then for a
>>>> start you can use a basic access token validator client (HTTP-based)
>>>> registered with your interceptor
>>>>
>>>> This interceptor will only work in CXF 2.7.11-SNAPSHOT
>>>>
>>>> Let me know if you have more questions
>>>>
>>>> Sergey
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>> So my point is:
>>>>> How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
>>>>> Request
>>>>> Filter? What is the glue between them?
>>>>> For example: i have a url
>>>>> "http://localhost:8080/myProject/services/MyService?wsdl" how do it
>>>>> make
>>>>> it under this Oauth Protection Structure??
>>>>> Is that by interceptors, maybe?
>>>>>
>>>>> Thank you.
>>>>>
>>>>> Att,
>>>>> Marcello Ribeirop


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com