Author: buildbot
Date: Thu Apr 12 16:48:23 2012
New Revision: 812559
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Apr 12 16:48:23
2012
@@ -249,33 +249,38 @@ INFO: Setting an instance of <span class
<p>Note that a "/forms/oauthAuthorize.jsp" view handler will create an HTML
view - this is a custom JSP handler and whatever HTML view is required can be
created there, using the OAuthAuthorizationData bean for building the view.
Most likely you will want to present a form asking the user to allow or deny
the consumer accessing some of this user's resources. If OAuthAuthorizationData
has a list of Permissions set then adding the information about the permissions
is needed.</p>
-<p>Next the user makes a decision and selects a button allowing or denying the
consumer accessing the resources. AuthorizationCodeGrantService does not need
to know how a user has been asked to make the decision: </p>
+<p>Next the user makes a decision and selects a button allowing or denying the
consumer accessing the resources. The form data are submitted to
AuthorizationCodeGrantService: </p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
Address: http://localhost:8080/services/social/authorize/decision
+Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/x-www-form-urlencoded
Headers: {
Authorization=[Basic YmFycnlAc29jaWFsLmNvbToxMjM0],
-Cookie=[JSESSIONID=eovucah9rwqp],
-Referer=[http://localhost:8080/services/social/authorize?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2],
-User-Agent=[Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101
Firefox/4.0]}
+Content-Type=[application/x-www-form-urlencoded],
+...
+}
--------------------------------------
-09-Nov-2011 16:41:58 org.apache.cxf.jaxrs.utils.FormUtils
logRequestParametersIfNeeded
-INFO:
session_authenticity_token=e52b5033-9bf5-4b34-9d3a-39a7d5b7e686&oauthDecision=allow&oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2
+12-Apr-2012 15:36:29 org.apache.cxf.jaxrs.utils.FormUtils
logRequestParametersIfNeeded
+INFO:
updateCalendar-7_status=allow&readCalendar_status=allow&scope=updateCalendar-7+readCalendar&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete&session_authenticity_token=4f0005d9-565f-4309-8ffb-c13c72139ebe&oauthDecision=allow&state=1&client_id=123456789
</pre>
</div></div>
-<p>AuthorizationRequestService will use a session_authenticity_token to
validate that the session is valid and will process the user decision next.<br
clear="none">
-If it is set to "allow" then it will ask OAuthDataProvider to generate an
authorization key (verifier) and return this verifier alongside with the
request token key and the state if any by redirecting the current user back to
the callback URI provided during the request token request:</p>
+<p>AuthorizationCodeGrantService will use a session_authenticity_token to
validate that the session is valid and will process the user decision next. </p>
+
+<p>If the decision is "allow" then it will check the status of the individual
scope values. It relies on the "scopename_status" convention, if the form has
offered the user a chance to selectively enable individual scopes then
name/value pairs such as "updateCalendar-7_status=allow" are submitted. If none
of such pairs is coming back then it means the user has approved all the
default and additional (if any) scopes.</p>
+
+<p>Next it will ask OAuthDataProvider to generate an authorization code grant
and return it alongside with the state if any by redirecting the current user
back to the redirect URI:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
Response-Code: 303
Headers: {
-Location=[http://localhost:8080/services/reservations/reserve/complete?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&oauth_verifier=00bd8fa7-4233-42a2-8957-0a0a22c684ba]
-}
+
Location=[http://localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab],
+ Date=[Thu, 12 Apr 2012 14:36:29 GMT],
+ Content-Length=[0]}
</pre>
</div></div>
@@ -283,85 +288,91 @@ Location=[http://localhost:8080/services
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-java">
-Address: http:<span
class="code-comment">//localhost:8080/services/reservations/reserve/complete?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&oauth_verifier=00bd8fa7-4233-42a2-8957-0a0a22c684ba
+Address: http:<span
class="code-comment">//localhost:8080/services/reservations/reserve/complete?state=1&code=5c993144b910bccd5977131f7d2629ab
</span>Http-Method: GET
-Content-Type:
Headers: {
-Authorization=[Basic YmFycnlAc29jaWFsLmNvbToxMjM0],
-Cookie=[JSESSIONID=eovucah9rwqp],
-Referer=[http:<span
class="code-comment">//localhost:8080/services/social/authorize?oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2],
-</span>User-Agent=[Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101
Firefox/4.0]}
+Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],
+Authorization=[Basic YmFycnlAcmVzdGF1cmFudC5jb206NTY3OA==],
+Cookie=[JSESSIONID=1c289vha0cxfe],
+}
</pre>
</div></div>
-<p>If a user decision was set to "deny" then no verifier will be sent back to
the consumer.</p>
+<p>If a user decision was set to "deny" then the error will be returned to the
client.</p>
-<p>Assuming the decision was "allow", the consumer has now received back the
request token and its verifier and is ready to exchange this pair for an access
token.</p>
+<p>Assuming the decision was "allow", the consumer has now received back the
authorization code grant and is ready to exchange it for a new access token.</p>
<h2><a shape="rect"
name="JAX-RSOAuth2-AccessTokenService"></a>AccessTokenService </h2>
-<p>The role of AccessTokenService is to exchange an authorized request token
for a new access token which will be used by the consumer to access the end
user's resources. <br clear="none">
+<p>The role of AccessTokenService is to exchange a token grant for a new
access token which will be used by the consumer to access the end user's
resources. <br clear="none">
Here is an example request log:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
Address: http://localhost:8080/services/oauth/token
Http-Method: POST
+
Headers: {
-Accept=[application/x-www-form-urlencoded],
-Authorization=[OAuth oauth_signature_method=<span
class="code-quote">"HMAC-SHA1"</span>,
- oauth_consumer_key=<span
class="code-quote">"123456789"</span>,
- oauth_token=<span
class="code-quote">"6dfd5e52-236c-4939-8df8-a53212f7d2a2"</span>,
- oauth_verifier=<span
class="code-quote">"00bd8fa7-4233-42a2-8957-0a0a22c684ba"</span>,
- oauth_timestamp=<span
class="code-quote">"1320760259"</span>,
- oauth_nonce=<span
class="code-quote">"16237669362301"</span>,
- oauth_version=<span class="code-quote">"1.0"</span>,
- oauth_signature=<span
class="code-quote">"dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"</span>]
+Accept=[application/json],
+Authorization=[Basic MTIzNDU2Nzg5Ojk4NzY1NDMyMQ==],
+Content-Type=[application/x-www-form-urlencoded]
}
+Payload:
+
+grant_type=authorization_code&code=5c993144b910bccd5977131f7d2629ab&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fservices%2Freservations%2Freserve%2Fcomplete
</pre>
</div></div>
-<p>This request is very similar to a temporarily token request. Note that the
request token key is also included and this token key and its secret pair, as
well as the consumer key and secret pair are used to calculate the
signature.</p>
+<p>This request contains a client_id and client_secret (Authorization header),
the grant_type, the grant value (code)<br clear="none">
+plus the redirect URI the authorization grant was returned to which is needed
for the additional validation.<br clear="none">
+Note that the alternative client authentication methods are also possible, in
this case the token service will expect a mapping between the client
credentials and the client_id representing the client registration
available.</p>
+
+<p>After validating the request, the service will find a matching <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenGrantHandler.java";>AccessTokenGrantHandler</a>
and request to create a <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java";>ServerAccessToken</a>
which is a server-side representation of the access token.<br clear="none">
+The grant handlers, such as <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java";>AuthorizationCodeGrantHandler</a>
may delegate the creation of the actual access token to data providers, which
may use the available utility classes such as <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/bearer/BearerAccessToken.java";>BearerAccessToken</a>
shipped with CXF or depend on other 3rd party libraries to create the
tokens.</p>
-<p>AccessTokenService validates the signature, asks OAuthDataProvider to
remove a RequestToken identified by the "oauth_token" and compares the
"oauth_verifier" value against the one stored in this RequestToken.</p>
+<p>The data providers are also do not strictly required to persist the data
such as access tokens, instead the token key may an encrypted bag capturing all
the relevant information.</p>
-<p>Note that if the "oauth_verifier" is missing then AccessTokenService will
check that RequestToken has been preauthorized and that its UserSubject
property is initialized. If both conditions are met then the access token
request is allowed to continue. </p>
+<p>Now that the token has been created, it is mapped by the service to a <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ClientAccessToken.java";>client
representation</a> and is returned back as a JSON payload:</p>
-<p>Next it asks the data provider to create a new <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";>AccessToken</a>
based on this RequestToken. The resulting access token key and secret pair is
returned back to a consumer:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
Response-Code: 200
-Content-Type: application/x-www-form-urlencoded
-Headers: {Date=[Tue, 08 Nov 2011 13:50:59 GMT]}
-Payload:
oauth_token=abc15aca-2073-4bde-b1be-1a02dc7ccafe&oauth_token_secret=859dfe9e-ca4c-4b36-9e60-044434ab636c
+Content-Type: application/json
+Headers: {
+ Cache-Control=[no-store],
+ Pragma=[no-cache],
+ Date=[Thu, 12 Apr 2012 14:36:29 GMT]
+}
+
+Payload:
+
+{<span class="code-quote">"access_token"</span>:<span
class="code-quote">"5b5c8e677413277c4bb8b740d522b378"</span>, <span
class="code-quote">"token_type"</span>:<span class="code-quote">"bearer"</span>}
+
</pre>
</div></div>
<p>The consumer will use this access token to access the current user's
resources in order to complete the original user's request, for example, the
request to access a user's calendar may look like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
-Address: http://localhost:8080/services/user/calendar
+Address: http://localhost:8080/services/thirdPartyAccess/calendar
Http-Method: GET
-Headers: {
-Accept=[application/XML],
-Authorization=[OAuth oauth_signature_method=<span
class="code-quote">"HMAC-SHA1"</span>,
- oauth_consumer_key=<span
class="code-quote">"123456789"</span>,
- oauth_token=<span
class="code-quote">"abc15aca-2073-4bde-b1be-1a02dc7ccafe"</span>,
- oauth_version=<span class="code-quote">"1.0"</span>,
- oauth_signature=<span
class="code-quote">"dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"</span>]
+Headers:
+{
+ Authorization=[Bearer 5b5c8e677413277c4bb8b740d522b378],
+ Accept=[application/xml]
}
</pre>
</div></div>
-<p>Note that the access token is set and the access token key and secret pair,
as well as the consumer key and secret pair are used to create a signature.</p>
+<p>Note that the access token key is passed as the Bearer scheme value. Other
token types such as MAC ones, etc, can be represented differently.</p>
<h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing
OAuthDataProvider</h2>
-<p>Using CXF OAuth service implementations will help a lot with setting up an
OAuth server. As you can see from the above sections, these services rely on a
custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java";>OAuthDataProvider</a>
implementation.</p>
+<p>Using CXF OAuth service implementations will help a lot with setting up an
OAuth server. As you can see from the above sections, these services rely on a
custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java";>OAuthDataProvider</a>
implementation.</p>
-<p>The main task of OAuthDataProvider is to persist request and access tokens
and generate authorization/verifier keys. The way it's done is really
application-specific. Consider starting with a basic memory based
implementation and then move on to keeping the data in some DB.</p>
+<p>The main task of OAuthDataProvider is to persist and generate access
tokens. Additionally, as noted above, AuthorizationCodeDataProvider needs to
persist and remove the code grant registrations. The way it's done is really
application-specific. Consider starting with a basic memory based
implementation and then move on to keeping the data in some DB.</p>
-<p>Note that OAuthDataProvider supports retrieving <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client</a>
instances but it has no methods for creating or removing Clients. The reason
for it is that the process of registering third-party consumers is very
specific to a particular OAuth application, so CXF does not offer a
registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p>
+<p>Note that OAuthDataProvider supports retrieving <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Client.java";>Client</a>
instances but it has no methods for creating or removing Clients. The reason
for it is that the process of registering third-party consumers is very
specific to a particular OAuth2 application, so CXF does not offer a
registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-java">
@@ -376,65 +387,38 @@ Authorization=[OAuth oauth_signature_met
<p>CustomOAuthProvider will also remove all tokens associated with a given
Client in removeClient(String cliendId).</p>
-<p>When creating RequestToken or AccessToken tokens as well as authorization
keys, OAuthDataProvider will need to create unique identifiers.<br clear="none">
-The way it's done is application specific and custom implementations may also
use a utility <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/MD5SequenceGenerator.java";>MD5SequenceGenerator</a>
shipped with CXF, for example:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
-<pre class="code-java">
-<span class="code-keyword">public</span> <span
class="code-object">String</span> setRequestTokenVerifier(RequestToken
requestToken) <span class="code-keyword">throws</span> OAuthServiceException {
- requestToken.setVerifier(generateSequence());
- <span class="code-keyword">return</span> requestToken.getVerifier();
-}
-<span class="code-keyword">private</span> <span
class="code-object">String</span> generateSequence() <span
class="code-keyword">throws</span> OAuthServiceException {
- <span class="code-keyword">try</span> {
- <span class="code-keyword">return</span>
tokenGenerator.generate(UUID.randomUUID().toString().getBytes(<span
class="code-quote">"UTF-8"</span>));
- } <span class="code-keyword">catch</span> (Exception e) {
- <span class="code-keyword">throw</span> <span
class="code-keyword">new</span> OAuthServiceException(<span
class="code-quote">"Unable to generate the key"</span>, e.getCause());
- }
-}
-
-</pre>
-</div></div>
-
-<p>Generating tokens/keys and persisting them effectively is what
OAuthDataProvider all about.<br clear="none">
-Note that CXF will check that Request and Access tokens have not expired every
time it uses them and will ask OAuthDataProvider to remove the expired tokens,
but the custom OAuthDataProvider implementation may do its own checks too.</p>
-
-<p>Finally OAuthDataProvider may need to convert opaque scope values such as
"readCalendar" into a list of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";>OAuthPermission</a>s.
AuthorizationRequestService and OAuth security filters will depend on it
(assuming scopes are used in the first place). In the former case
AuthorizationRequestService will use this list to populate <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java";>OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java";>Permission</a>s
is
that the properties OAuthPermission keeps are of no interest to
OAuthAuthorizationData handlers.</p>
+<p>Finally OAuthDataProvider may need to convert opaque scope values such as
"readCalendar" into a list of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java";>OAuthPermission</a>s.
AuthorizationCodeGrantService and OAuth2 security filters will depend on it
(assuming scopes are used in the first place). In the former case
AuthorizationCodeGrantService will use this list to populate <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java";>OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java";>P
ermission</a>s is that some of the properties OAuthPermission keeps are of no
interest to OAuthAuthorizationData handlers.</p>
<h2><a shape="rect" name="JAX-RSOAuth2-OAuthServerJAXRSendpoints"></a>OAuth
Server JAX-RS endpoints </h2>
-<p>With CXF offering OAuth service implementations and a custom
OAuthAuthorizationData provider in place, it is time to deploy the OAuth
server. <br clear="none">
-Most likely, you'd want to deploy RequestTokenService and AccessTokenService
as two root resources inside a single JAX-RS endpoint (or have one
RequestTokenService and one AccessTokenService endpoint), for example:</p>
+<p>With CXF offering OAuth service implementations and a custom
OAuthDataProvider provider in place, it is time to deploy the OAuth2 server.
<br clear="none">
+Most likely, you'd want to deploy AccessTokenService as an independent JAX-RS
endpoint, for example:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-xml">
<span class="code-tag"><span class="code-comment"><!-- implements
OAuthDataProvider --></span></span>
<span class="code-tag"><bean id=<span
class="code-quote">"oauthProvider"</span> class=<span
class="code-quote">"oauth.manager.OAuthManager"</span>/></span>
-
-<span class="code-tag"><bean id=<span
class="code-quote">"requestTokenService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth.services.RequestTokenService"</span>></span>
- <span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
-<span class="code-tag"></bean></span>
-<span class="code-tag"><bean id=<span
class="code-quote">"accessTokenService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth.services.AccessTokenService"</span>></span>
+<span class="code-tag"><bean id=<span
class="code-quote">"accessTokenService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>></span>
<span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
<span class="code-tag"></bean></span>
<span class="code-tag"><jaxrs:server id=<span
class="code-quote">"oauthServer"</span> address=<span
class="code-quote">"/oauth"</span>></span>
<span class="code-tag"><jaxrs:serviceBeans></span>
- <span class="code-tag"><ref bean=<span
class="code-quote">"requestTokenService"</span>/></span>
<span class="code-tag"><ref bean=<span
class="code-quote">"accessTokenService"</span>/></span>
<span class="code-tag"></jaxrs:serviceBeans></span>
<span class="code-tag"></jaxrs:server></span>
</pre>
</div></div>
-<p>RequestTokenService listens on a relative "/initiate" path,
AccessTokenService - on "/token". Giving the that jaxrs:server/@adress is
"/oauth" and assuming a context name is "/services", the absolute address of
RequestTokenService would be something like
"http://localhost:8080/services/oauth/initiate"; and that of AccessTokenService
- "http://localhost:8080/services/oauth/token";. </p>
+<p>AccessTokenService listens on a relative "/token" path. Given that
jaxrs:server/@adress is "/oauth" and assuming a context name is "/services",
the absolute address of AccessTokenService would be something like
"http://localhost:8080/services/oauth/token";. </p>
-<p>AuthorizationRequestService is better to put where the main application
endpoint is. It can be put alongside RequestTokenService and AccessTokenService
- but the problem is that the end user is expected to authenticate itself with
the resource server after it has been redirected by a third-party consumer to
AuthorizationRequestService. That would make it more complex for the OAuth
server endpoint to manage both OAuth (third-party consumer) and the regular
user authentication - that can be done, see more on it below in the Design
considerations section, but the simpler option is to simply get
AuthorizationRequestService under the control of the security filter enforcing
the end user authentication:</p>
+<p>AuthorizationCodeGrantService is better to put where the main application
endpoint is. It can be put alongside AccessTokenService - but the problem is
that the end user is expected to authenticate itself with the resource server
after it has been redirected by a third-party consumer to
AuthorizationCodeGrantService. That would make it more complex for the OAuth
server endpoint to manage both OAuth (third-party consumer) and the regular
user authentication - that can be done, see more on it below in the Design
considerations section, but the simpler option is to simply get
AuthorizationCodeGrantService under the control of the security filter
enforcing the end user authentication:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
<pre class="code-java">
-<bean id=<span class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth.services.AuthorizationRequestService"</span>>
+<bean id=<span class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>>
<property name=<span class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/>
</bean>
@@ -451,7 +435,7 @@ Most likely, you'd want to deploy Reques
</pre>
</div></div>
-<p>AuthorizationRequestService listens on a relative "/authorize" path so in
this case its absolute address will be something like
"http://localhost:8080/services/myapp/authorize";. This address and those of
RequestTokenService and AccessTokenService will be used by third-party
consumers.</p>
+<p>AuthorizationCodeGrantService listens on a relative "/authorize" path so in
this case its absolute address will be something like
"http://localhost:8080/services/myapp/authorize";. This address and that of
AccessTokenService will be used by third-party consumers.</p>
<h1><a shape="rect"
name="JAX-RSOAuth2-ProtectingresourceswithOAuthfilters"></a>Protecting
resources with OAuth filters</h1>
