Author: buildbot
Date: Tue May 22 14:47:55 2012
New Revision: 818702
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Tue May 22 14:47:55
2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth2
<div>
-<ul><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2
Servers</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS
endpoints</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login
name</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
shape="r
ect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2 without
the Explicit Authorization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a
Browser</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the
Access to Resource Server</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign
On</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is
Next</a></li></ul></div>
+<ul><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2
Servers</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS
endpoints</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login
name</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a
Browser</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the
Access to Resource Server</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign
On</a></li></ul><li><a shape="rect" href="#JAX-RS
OAuth2-WhatIsNext">What Is Next</a></li></ul></div>
<h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
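Review bot: the new TOC entry for AccessTokenValidationService is added as `</li><ul><li>…</li></ul><li>`, placing a `<ul>` directly inside the parent `<ul>` rather than inside the AccessTokenService `<li>`; this matches the other nested entries in the list and browsers render it, but it is not valid HTML, so if the TOC markup is ever regenerated by hand the nested list should go inside the `<li>` it belongs to. The anchor name `#JAX-RSOAuth2-AccessTokenValidationService` does match the `<h3>` added in the next hunk.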
@@ -366,6 +366,9 @@ Headers:
<p>Note that the access token key is passed as the Bearer scheme value. Other
token types such as MAC ones, etc, can be represented differently.</p>
+<h3><a shape="rect"
name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService
</h3>
+<p>The <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a CXF specific OAuth2 service for accepting the remote access token
validation requests. Typically, OAuthRequestFilter (see on it below) may choose
to impersonate itself as a third-party client and will ask
AccessTokenValidationService to return the information relevant to the current
access token, before setting up a security context. More on it below.</p>
+
<h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing
OAuthDataProvider</h2>
<p>Using CXF OAuth service implementations will help a lot with setting up an
OAuth server. As you can see from the above sections, these services rely on a
custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p>
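Review bot: the new AccessTokenValidationService paragraph describes OAuthRequestFilter querying the service for the information associated with the current access token, but says nothing about how that validation endpoint is itself protected, i.e. which callers are allowed to look up token details; since the endpoint hands back the data behind an arbitrary token key, a sentence stating that access to it must be restricted to the resource server (for example by requiring it to authenticate) belongs in this section. Wording: "may choose to impersonate itself as a third-party client" reads oddly, "may act as a client of AccessTokenValidationService" says what is meant; and "(see on it below)" and the closing "More on it below." make the same forward reference twice in one paragraph, so one of them can go.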
@@ -414,24 +417,48 @@ Most likely, you'd want to deploy Access
<p>AccessTokenService listens on a relative "/token" path. Given that
jaxrs:server/@adress is "/oauth" and assuming a context name is "/services",
the absolute address of AccessTokenService would be something like
"http://localhost:8080/services/oauth/token". </p>
-<p>AuthorizationCodeGrantService is better to put where the main application
endpoint is. It can be put alongside AccessTokenService - but the problem is
that the end user is expected to authenticate itself with the resource server
after it has been redirected by a third-party client to
AuthorizationCodeGrantService. That would make it more complex for the OAuth
server endpoint to manage both OAuth (third-party client) and the regular user
authentication - that can be done, see more on it below in the Design
considerations section, but the simpler option is to simply get
AuthorizationCodeGrantService under the control of the security filter
enforcing the end user authentication:</p>
+<p>If the remote token validation is supported then have
AccessTokenValidationService added too:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
-<pre class="code-java">
-<bean id=<span class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>>
- <property name=<span class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/>
-</bean>
-
-<bean id=<span class="code-quote">"myApp"</span> class=<span
class="code-quote">"org.myapp.MyApp"</span>>
- <property name=<span class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/>
-</bean>
-
-<jaxrs:server id=<span class="code-quote">"oauthServer"</span>
address=<span class="code-quote">"/myapp"</span>>
- <jaxrs:serviceBeans>
- <ref bean=<span class="code-quote">"myApp"</span>/>
- <ref bean=<span class="code-quote">"authorizationService"</span>/>
- </jaxrs:serviceBeans>
-</jaxrs:server>
+<pre class="code-xml">
+<span class="code-tag"><span class="code-comment"><!-- implements
OAuthDataProvider --></span></span>
+<span class="code-tag"><bean id=<span
class="code-quote">"oauthProvider"</span> class=<span
class="code-quote">"oauth.manager.OAuthManager"</span>/></span>
+
+<span class="code-tag"><bean id=<span
class="code-quote">"accessTokenService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+<span class="code-tag"><bean id=<span
class="code-quote">"accessTokenValidateService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenValidateService"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+
+
+<span class="code-tag"><jaxrs:server id=<span
class="code-quote">"oauthServer"</span> address=<span
class="code-quote">"/oauth"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"accessTokenService"</span>/></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"accessTokenValidateService"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+<p>The absolute address of AccessTokenValidateService would be something like
"http://localhost:8080/services/oauth/validate". </p>
+
+<p>AuthorizationCodeGrantService is easier to put where the application
endpoints are. It can be put alongside AccessTokenService, but ideally an SSO
based authentication solution will be also be deployed, for the end user to
avoid signing in separately several times (see more in it below). Here is an
example of AuthorizationCodeGrantService being collocated with the application
endpoint:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span
class="code-quote">"authorizationService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"myApp"</span>
class=<span class="code-quote">"org.myapp.MyApp"</span>/></span>
+
+<span class="code-tag"><jaxrs:server id=<span
class="code-quote">"appServer"</span> address=<span
class="code-quote">"/myapp"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"myApp"</span>/></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"authorizationService"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+<span class="code-tag"></jaxrs:server></span>
</pre>
</div></div>
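Review bot: the configuration added under "If the remote token validation is supported" declares `class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidateService"` (bean `accessTokenValidateService`) and the paragraph after it says "AccessTokenValidateService", while the heading, TOC entry and source link added earlier in this patch use AccessTokenValidationService; a Spring bean definition with a class name that does not exist fails at context startup, so all three places should be aligned with the real class name. Separately, the removed paragraph stated that AuthorizationCodeGrantService should be placed "under the control of the security filter enforcing the end user authentication"; the replacement only calls SSO "ideal", so the requirement that the end user is authenticated before reaching the grant service is no longer stated anywhere in this section and should be kept. Grammar in the new paragraph: "will be also be deployed" should be "will also be deployed" and "see more in it below" should be "see more on it below"; the context line "jaxrs:server/@adress" has a pre-existing typo for "@address".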
@@ -469,6 +496,70 @@ Headers:
<p>This SecurityContext will not necessarily be important for some of OAuth2
applications. Most of the security checks will be done by OAuth2 filters and
security filters protecting the main application path the end users themselves
use. Only if you would like to share the same JAX-RS resource code and access
URIs between end users and clients then it can become handy. More on it below.
</p>
+<p>Here is one example of how OAuthRequestFilter can be configured:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span
class="code-quote">"oauthProvider"</span> class=<span
class="code-quote">"oauth.manager.OAuthManager"</span>/></span>
+<span class="code-tag"><bean id=<span
class="code-quote">"oauthFiler"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
+<span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"myApp"</span>
class=<span class="code-quote">"org.myapp.MyApp"</span>/></span>
+
+<span class="code-tag"><jaxrs:server id=<span
class="code-quote">"fromThirdPartyToMyApp"</span> address=<span
class="code-quote">"/thirdparty-to-myapp"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"myApp"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"oauthFilter"</span>/></span>
+ <span class="code-tag"></jaxrs:providers></span>
+
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+<p>It will rely on an instance of OAuthDataProvider to get the information
about the current access token and will validate it.<br clear="none">
+This option works OK for when it is easy to get the same OAuthDataProvider
shared between this filter, as well as Authorization and AccessToken services.
OAuthDataProvider can also be implemented such that it manages the information
in the distributed manner so the above configuration option may scale well for
more sophisticated deployments.</p>
+
+<p>When one has Authorization and AccessToken service not collocated with the
application endpoints, the following may work better:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+
+ <span class="code-tag"><bean id=<span
class="code-quote">"tvServiceClientFactory"</span> class=<span
class="code-quote">"org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"address"</span> value=<span
class="code-quote">"http://localhost:${http.port}/services/oauth/validate"</span>/></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"headers"</span>></span>
+ <span class="code-tag"><map></span>
+ <span class="code-tag"><entry key=<span
class="code-quote">"Accept"</span> value=<span
class="code-quote">"application/xml"</span>/></span>
+ <span class="code-tag"></map></span>
+ <span class="code-tag"></property></span>
+ <span class="code-tag"></bean></span>
+
+ <span class="code-tag"><bean id=<span
class="code-quote">"tvServiceClient"</span> factory-bean=<span
class="code-quote">"tvServiceClientFactory"</span> factory-method=<span
class="code-quote">"createWebClient"</span>/></span>
+
+ <span class="code-tag"><bean id=<span
class="code-quote">"tokenValidator"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"tokenValidatorClient"</span> ref=<span
class="code-quote">"tvServiceClient"</span>/></span>
+ <span class="code-tag"></bean></span>
+
+ <span class="code-tag"><bean id=<span
class="code-quote">"oauthFiler"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"tokenValidator"</span> ref=<span
class="code-quote">"tokenValidator"</span>/></span>
+ <span class="code-tag"></bean></span>
+
+<span class="code-tag"><bean id=<span class="code-quote">"myApp"</span>
class=<span class="code-quote">"org.myapp.MyApp"</span>/></span>
+
+<span class="code-tag"><jaxrs:server id=<span
class="code-quote">"fromThirdPartyToMyApp"</span> address=<span
class="code-quote">"/thirdparty-to-myapp"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"myApp"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:providers></span>
+ <span class="code-tag"><ref bean=<span
class="code-quote">"oauthFilter"</span>/></span>
+ <span class="code-tag"></jaxrs:providers></span>
+<span class="code-tag"></jaxrs:server></span>
+</pre>
+</div></div>
+
+
<h1><a shape="rect" name="JAX-RSOAuth2-Howtogettheuserloginname"></a>How to
get the user login name</h1>
<p>When one writes a custom server application which needs to participate in
OAuth2 flows, the major question which needs to be addressed is<br clear="none">
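Review bot: in both new OAuthRequestFilter configurations the filter bean is declared as `<bean id="oauthFiler" …>` but referenced from `<jaxrs:providers>` as `<ref bean="oauthFilter"/>`; Spring will not resolve that reference, so the bean ids need to read `oauthFilter`. In the remote-validation configuration the JAXRSClientFactoryBean address is `http://localhost:${http.port}/services/oauth/validate` with only an Accept header configured; since the filter forwards the bearer token key to that endpoint to obtain the token information, the text should say that this hop must be over HTTPS and that the validation endpoint must not accept lookups from arbitrary callers once the services are deployed on separate hosts. Wording in the explanatory paragraph: "This option works OK for when it is easy" should be "This option works well when it is easy", and "in the distributed manner" should be "in a distributed manner".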
@@ -554,9 +645,9 @@ in this example OAuthServiceExceptions a
<h1><a shape="rect" name="JAX-RSOAuth2-OAuthWithoutaBrowser"></a>OAuth Without
a Browser</h1>
<p>When an end user is accessing the 3rd party application and is authorizing
it later on, it's usually expected that the user is relying on a browser. <br
clear="none">
-However, supporting other types of end users is easy enough. Writing the
client code that processes the redirection requests from the 3rd party
application and AuthorizationRequestService is simple with JAX-RS and
additionally CXF can be configured to do auto-redirects on the client side.</p>
+However, supporting other types of end users is easy enough. Writing the
client code that processes the redirection requests from the 3rd party
application and AuthorizationCodeGrantService is simple with JAX-RS and
additionally CXF can be configured to do auto-redirects on the client side.</p>
-<p>Also note that AuthorizationRequestService can return XML or JSON <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
representations. That makes it easy for a client code to get
OAuthAuthorizationData and offer a pop-up window or get the input from the
command-line. Authorizing the third-party application might even be automated
in this case - which can lead to a complete 3-leg OAuth flow implemented
without a human user being involved.</p>
+<p>Also note that AuthorizationCodeGrantService can return XML or JSON <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
representations. That makes it easy for a client code to get
OAuthAuthorizationData and offer a pop-up window or get the input from the
command-line. Authorizing the third-party application might even be automated
in this case - which can lead to a complete 3-leg OAuth flow implemented
without a human user being involved.</p>
<h1><a shape="rect" name="JAX-RSOAuth2-Designconsiderations"></a>Design
considerations</h1>
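Review bot: the paragraph renamed from AuthorizationRequestService to AuthorizationCodeGrantService keeps an href into `oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java`, the OAuth 1.0 module path, whereas every other source link in this patch goes through `oauth-parent/oauth2/…/oauth2/`; verify that this is the class AuthorizationCodeGrantService actually returns and, if the oauth2 module has its own OAuthAuthorizationData, point the link there. Minor: "easy for a client code" should be "easy for client code".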
@@ -570,11 +661,11 @@ However, supporting other types of end u
<p>In the former case the way the authentication is managed is completely up
to the resource server application: basic authentication, two-way TLS, OpenId
(more on it below), you name it.</p>
-<p>In the latter case an OAuth filter must enforce that the 3rd party client
has been registered using the provided client key and that it has a valid
access token which represents the end user's approval. It's kind of the
authentication and the authorization check at the same time.</p>
+<p>In the latter case an OAuth filter must enforce that the 3rd party client
has been registered using the provided client key and that it has a valid
access token which represents the end user's approval.</p>
<p>Letting both parties access the resource server via the same URI(s)
complicates the life for the security filters but all the parties are only
aware of the single resource server URI which all of them will use.</p>
-<p>Providing different access points to end users and clients may
significantly simplify the authentication process - the possible downside is
that multiple access points need to be mantained by the resource server.</p>
+<p>Providing different access points to end users and clients may
significantly simplify the authentication process - the possible downside is
that multiple access points need to be maintained by the resource server.</p>
<p>Both options are discussed next.</p>
@@ -649,7 +740,9 @@ For example, consider the following JAX-
<h2><a shape="rect" name="JAX-RSOAuth2-SingleSignOn"></a>Single Sign On</h2>
-<p>When dealing with authenticating the end users, having an SSO solution in
place is very handy. This is because the end user interacts with both the
third-party and its resource server web applications and is also redirected
from the client application to the resource server and back again. OpenID or
say a WebBrowser SSO profile can help - CXF may offer some support in this
area. </p>
+<p>When dealing with authenticating the end users, having an SSO solution in
place is very handy. This is because the end user interacts with both the
third-party and its resource server web applications and is also redirected
from the client application to the resource server and back again.
Additionally, the end user may need to authenticate with Authorization service
if it is not collocated with the application endpoints. OpenID or say a
WebBrowser SSO profile can help. </p>
+
+<p>CXF 2.6.1 provides an initial support for a SAML2 SSO profile. This will
make it easier to minimize a number of sign ins to a single attempt and run
OAuth2 Authorization servers separately from the application endpoints. </p>
<h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>
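Review bot: grammar in the two new Single Sign On paragraphs: "may need to authenticate with Authorization service" should be "with the Authorization service", "provides an initial support for a SAML2 SSO profile" should be "provides initial support for the SAML2 SSO profile", and "minimize a number of sign ins to a single attempt" should be "reduce the number of sign-ins to a single attempt". The added sentence about authenticating with the Authorization service when it is not collocated is the only place the patch states that requirement; consider repeating it where the collocation choice is described earlier in the page.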