Author: buildbot
Date: Thu Jul 19 16:47:50 2012
New Revision: 826334
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth.html
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth.html Thu Jul 19 16:47:50
2012
@@ -125,7 +125,7 @@ Apache CXF -- JAX-RS OAuth
<div>
-<ul><li><a shape="rect"
href="#JAX-RSOAuth-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth-DevelopingOAuth1.0Servers">Developing OAuth 1.0
Servers</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-RequestTokenService">RequestTokenService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth-AuthorizationRequestService">AuthorizationRequestService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth-AccessTokenService">AccessTokenService</a></li><li><a
shape="rect" href="#JAX-RSOAuth-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect"
href="#JAX-RSOAuth-OAuthServerJAXRSendpoints">OAuth Server JAX-RS
endpoints</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Howtogettheuserloginname">How to get the user login
name</a></li><li><
a shape="rect" href="#JAX-RSOAuth-Clientsidesupport">Client-side
support</a></li><li><a shape="rect" href="#JAX-RSOAuth-2legOAuthFlow">2-leg
OAuth Flow</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-ClientrequestsPreAuthorizedRequestToken">Client requests
PreAuthorized RequestToken</a></li><li><a shape="rect"
href="#JAX-RSOAuth-SignaturewithConsumerKeyandSecret">Signature with Consumer
Key and Secret</a></li><li><a shape="rect"
href="#JAX-RSOAuth-OnlyConsumerKeyandSecretinAuthorizationheader">Only Consumer
Key and Secret in Authorization header</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a
shape="rect" href="#JAX-RSOAuth-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-ControllingtheAccesstoResourceServer">Controlling the Access
to Resource Server</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-Sharingthesameaccesspathbetweenendusersandconsumers">Sharing
th
e same access path between end users and consumers</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Providingdifferentaccesspointstoendusersandconsumers">Providing
different access points to end users and consumers</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth-SingleSignOn">Single Sign
On</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth-WhatIsNext">What Is
Next</a></li></ul></div>
+<ul><li><a shape="rect"
href="#JAX-RSOAuth-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth-DevelopingOAuth1.0Servers">Developing OAuth 1.0
Servers</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-RequestTokenService">RequestTokenService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth-AuthorizationRequestService">AuthorizationRequestService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth-OOBcallbacks">OOB
callbacks</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth-AccessTokenService">AccessTokenService</a></li><li><a
shape="rect" href="#JAX-RSOAuth-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect"
href="#JAX-RSOAuth-OAuthServerJAXRSendpoints">OAuth Server JAX-RS
endpoints</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect" href=
"#JAX-RSOAuth-Howtogettheuserloginname">How to get the user login
name</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Clientsidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth-2legOAuthFlow">2-leg OAuth
Flow</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-ClientrequestsPreAuthorizedRequestToken">Client requests
PreAuthorized RequestToken</a></li><li><a shape="rect"
href="#JAX-RSOAuth-SignaturewithConsumerKeyandSecret">Signature with Consumer
Key and Secret</a></li><li><a shape="rect"
href="#JAX-RSOAuth-OnlyConsumerKeyandSecretinAuthorizationheader">Only Consumer
Key and Secret in Authorization header</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a
shape="rect" href="#JAX-RSOAuth-Reportingtheerrordetails">Reporting the error
details</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth-Controlli
ngtheAccesstoResourceServer">Controlling the Access to Resource
Server</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth-Sharingthesameaccesspathbetweenendusersandconsumers">Sharing
the same access path between end users and consumers</a></li><li><a
shape="rect"
href="#JAX-RSOAuth-Providingdifferentaccesspointstoendusersandconsumers">Providing
different access points to end users and consumers</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth-SingleSignOn">Single Sign
On</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth-WhatIsNext">What Is
Next</a></li></ul></div>
<h1><a shape="rect" name="JAX-RSOAuth-Introduction"></a>Introduction</h1>
@@ -354,6 +354,38 @@ Referer=[http:<span class="code-comment"
<p>Assuming the decision was "allow", the consumer has now received back the
request token and its verifier and is ready to exchange this pair for an access
token.</p>
+<h3><a shape="rect" name="JAX-RSOAuth-OOBcallbacks"></a>OOB callbacks</h3>
+
+<p>The OAuth 1.0 mentions so called "oob" (out-of-band) callbacks. If the
third-party client is not running as a web application or if it is known it can
not receive the redirect response from AuthorizationRequestService for whatever
reasons, then a callback URI can be set to "oob", when a request token is <br
clear="none">
+requested: </p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+Address: http://localhost:8080/services/oauth/initiate
+Encoding: ISO-8859-1
+Http-Method: POST
+Content-Type: */*
+Headers: {
+Accept=[application/x-www-form-urlencoded],
+
+Content-Length=[0],
+
+Authorization=[OAuth oauth_callback=<span class="code-quote">"oob"</span>,
+ oauth_nonce=<span
class="code-quote">"e365fa02-772e-4e33-900d-00a766ccadf8"</span>,
+ oauth_consumer_key=<span
class="code-quote">"123456789"</span>,
+ oauth_signature_method=<span
class="code-quote">"HMAC-SHA1"</span>,
+ oauth_timestamp=<span
class="code-quote">"1320748683"</span>,
+ oauth_version=<span class="code-quote">"1.0"</span>,
+ oauth_signature=<span
class="code-quote">"ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D"</span>]
+}
+</pre>
+</div></div>
+
+<p>RequestTokenService will only accept the "oob" value if a client
callbackURI property has been set to "oob" during the client application
registration process. Specifically, RequestTokenService will expect that a <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java">Client</a>
bean will have its callbackURI property being set to "oob".</p>
+
+<p>When a callback URI is set to "oob", it means that a user decision response
needs to be presented directly to the current user - which will then make the
request token and verifier info somehow available to the client application. In
case of "oob", AuthorizationRequestService, instead of redirecting the user
back to the callback URI as shown earlier on, will simply return an instance of
<a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a>.
RequestDispatcherProvider will need to be used for redirecting this data to
the view handler exactly how it is done when a user is asked to authorize the
client application, with the view handler formatting the data and actually
returning it to the user </p>
+
+
<h2><a shape="rect"
name="JAX-RSOAuth-AccessTokenService"></a>AccessTokenService </h2>
<p>The role of AccessTokenService is to exchange an authorized request token
for a new access token which will be used by the consumer to access the end
user's resources. <br clear="none">
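Review bot: the paragraph beginning 'RequestTokenService will only accept the "oob" value' should state what the service does when the request carries oauth_callback="oob" but the registered Client callbackURI is not "oob" (the request is rejected, given that the text says the value is only accepted in the registered case), because that comparison against the registered callback is the check that stops an unregistered client from moving the flow out of band; the reverse case, a client registered with "oob" that sends a URL callback, is not covered either and is worth a sentence. Wording: 'The OAuth 1.0 mentions' is missing 'specification', 'can not' should be 'cannot', and the last sentence ending 'returning it to the user' has no full stop.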
@@ -690,6 +722,26 @@ However, supporting other types of end u
<p>Also note that AuthorizationRequestService can return XML or JSON <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
representations. That makes it easy for a client code to get
OAuthAuthorizationData and offer a pop-up window or get the input from the
command-line. Authorizing the third-party application might even be automated
in this case - which can lead to a complete 3-leg OAuth flow implemented
without a human user being involved.</p>
+<h1><a shape="rect" name="JAX-RSOAuth-Reportingtheerrordetails"></a>Reporting
the error details</h1>
+
+<p>CXF OAuth 1.0 services will report only HTTP status code in case of various
OAuth-related errors to minimize the information about the actual cause of the
failure and will log the details locally. If providing the extra error
information can help with debugging 3rd-party applications or if such
application can indeed recover from the failures based on such details, then
setting a contextual "report.failure.details" property to "true" will get the
error messages available in the response body. Some OAuth1.0 implementers have
chosen to return a custom "oauth_problem" HTTP header instead - this option can
be supported by additionally setting a contextual
"report.failure.details.as.header" property to "true", for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><jaxrs:server id=<span
class="code-quote">"oauthServer"</span> address=<span
class="code-quote">"/initiate"</span>></span>
+ <span class="code-tag"><jaxrs:serviceBeans></span>
+ <span class="code-tag"><bean class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth.services.RequestTokenService"</span>/></span>
+ <span class="code-tag"></jaxrs:serviceBeans></span>
+ <span class="code-tag"><jaxrs:properties></span>
+ <span class="code-tag"><entry key=<span
class="code-quote">"report.failure.details"</span> value=<span
class="code-quote">"true"</span>/></span>
+ <span class="code-tag"><entry key=<span
class="code-quote">"report.failure.details.as.header"</span> value=<span
class="code-quote">"true"</span>/></span>
+ <span class="code-tag"></jaxrs:properties></span>
+<span class="code-tag"></jaxrs:server></span>
+
+</pre>
+</div></div>
+
+
<h1><a shape="rect" name="JAX-RSOAuth-Designconsiderations"></a>Design
considerations</h1>
<p>This section will talk about various design considerations one need to take
into account when deploying OAuth-based solutions.</p>
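Review bot: the prose says report.failure.details.as.header is set 'additionally', but neither the text nor the example says whether the header property has any effect on its own without report.failure.details="true"; make that dependency explicit, and since the default deliberately withholds the cause of the failure from the response, say that both properties are intended for debugging third-party clients and are expected to stay unset on production endpoints. Style: 'OAuth1.0' should be 'OAuth 1.0' as elsewhere on the page, and '3rd-party' should be 'third-party' to match the surrounding sections.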
@@ -781,7 +833,7 @@ For example, consider the following JAX-
<h2><a shape="rect" name="JAX-RSOAuth-SingleSignOn"></a>Single Sign On</h2>
-<p>When dealing with authenticating the end users, having an SSO solution in
place is very handy. This is because the end user interacts with both the
third-party and its resource server web applications and is also redirected
from the consumer application to the resource server and back again. OpenID or
say a WebBrowser SSO profile can help - CXF may offer some support in this
area. </p>
+<p>When dealing with authenticating the end users, having an SSO solution in
place is very handy. This is because the end user interacts with both the
third-party and its resource server web applications and is also redirected
from the consumer application to the resource server and back again. OpenID or
say a <a shape="rect"
href="http://cxf.apache.org/docs/saml-web-sso.html">WebBrowser SSO profile</a>
can help. </p>
<h1><a shape="rect" name="JAX-RSOAuth-WhatIsNext"></a>What Is Next</h1>
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Thu Jul 19 16:47:50
2012
@@ -125,14 +125,15 @@ Apache CXF -- JAX-RS OAuth2
<div>
-<ul><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2
Servers</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS
endpoints</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login
name</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a
Browser</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the
Access to Resource Server</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign
On</a></li></ul><li><a shape="rect" href="#JAX-RS
OAuth2-WhatIsNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2
Servers</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS
endpoints</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Howtogettheuserloginname">How to get the user login
name</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Clientsidesupport">Client-side support</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a
Browser</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error
details</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the
Access to Resource Server</a></li><ul><li><a shape="rect"
href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul><li><a
shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
<h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
<p>CXF 2.6.0 provides an initial implementation of <a shape="rect"
class="external-link" href="http://tools.ietf.org/html/draft-ietf-oauth-v2"
rel="nofollow">OAuth 2.0</a>. See also the <a shape="rect"
href="jax-rs-oauth.html" title="JAX-RS OAuth">JAX-RS OAuth</a> page for
information about OAuth 1.0.</p>
-<p>Authorization Code, Implicit and Client Credentials grants are currently
supported with other grant handlers to be added later.<br clear="none">
-Custom grant handlers can be registered.</p>
+<p>Authorization Code, Implicit, Client Credentials and Resource Owner
Password Credentials grants are currently supported with other grant handlers
to be added later.</p>
+
+<p>Custom grant handlers can be registered.</p>
<p>OAuth2 is a new protocol which offers a complex yet elegant solution toward
helping end users (resource owners) authorize third-party providers to access
their resources.</p>
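Review bot: the grants sentence now lists Resource Owner Password Credentials as supported, but nothing in the page points at how that grant is configured, and 'Custom grant handlers can be registered.' is left as a one-sentence paragraph that does not say where; a cross-reference to the AccessTokenService section, which is where the grant handlers are wired, would serve both. Minor: 'with other grant handlers to be added later' reads better as 'further grant handlers will be added later'.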
@@ -649,6 +650,22 @@ However, supporting other types of end u
<p>Also note that AuthorizationCodeGrantService can return XML or JSON <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
representations. That makes it easy for a client code to get
OAuthAuthorizationData and offer a pop-up window or get the input from the
command-line. Authorizing the third-party application might even be automated
in this case - which can lead to a complete 3-leg OAuth flow implemented
without a human user being involved.</p>
+<h1><a shape="rect" name="JAX-RSOAuth2-Reportingerrordetails"></a>Reporting
error details</h1>
+
+<p>This <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-v2-30#section-5.2"
rel="nofollow">section</a> lists all the error properties that can be returned
to the client application. CXF OAuth2 services will always report a required
'error' property but will omit the optional error properties by default (for
example, in case of access token grant handlers throwing <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthServiceException.java">OAuthServiceException</a>
initialized with <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthError.java">OAuthError</a>
which may have the optional properties set).<br clear="none">
+When reporting the optional error properties is actually needed then setting a
'writeCustomErrors' property to 'true' will help:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent
panelContent">
+<pre class="code-xml">
+<span class="code-tag"><bean id=<span
class="code-quote">"oauthProvider"</span> class=<span
class="code-quote">"oauth2.manager.OAuthManager"</span>/></span>
+
+<span class="code-tag"><bean id=<span
class="code-quote">"accessTokenService"</span> class=<span
class="code-quote">"org.apache.cxf.rs.security.oauth2.services.AccessTokenService"</span>></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"dataProvider"</span> ref=<span
class="code-quote">"oauthProvider"</span>/></span>
+ <span class="code-tag"><property name=<span
class="code-quote">"writeCustomErrors"</span> value=<span
class="code-quote">"true"</span>/></span>
+<span class="code-tag"></bean></span>
+</pre>
+</div></div>
+
<h1><a shape="rect" name="JAX-RSOAuth2-Designconsiderations"></a>Design
considerations</h1>
<p>This section will talk about various design considerations one need to take
into account when deploying OAuth-based solutions.</p>
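Review bot: the sentence 'When reporting the optional error properties is actually needed then setting a 'writeCustomErrors' property to 'true' will help' should read 'When the optional error properties do need to be reported, set the AccessTokenService writeCustomErrors property to true', and the paragraph should name which optional properties the linked section 5.2 defines and OAuthError can carry, so the reader knows exactly what writeCustomErrors exposes to clients. The example's oauth2.manager.OAuthManager bean class is not a CXF class, so label it as the application's own OAuthDataProvider implementation. The spec link here uses the versioned draft-ietf-oauth-v2-30 while the Introduction links draft-ietf-oauth-v2; use one form consistently.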
@@ -742,7 +759,7 @@ For example, consider the following JAX-
<p>When dealing with authenticating the end users, having an SSO solution in
place is very handy. This is because the end user interacts with both the
third-party and its resource server web applications and is also redirected
from the client application to the resource server and back again.
Additionally, the end user may need to authenticate with Authorization service
if it is not collocated with the application endpoints. OpenID or say a
WebBrowser SSO profile can help. </p>
-<p>CXF 2.6.1 provides an initial support for a SAML2 SSO profile. This will
make it easier to minimize a number of sign ins to a single attempt and run
OAuth2 Authorization servers separately from the application endpoints. </p>
+<p>CXF 2.6.1 provides an initial support for a <a shape="rect"
href="http://cxf.apache.org/docs/saml-web-sso.html">SAML2 SSO profile</a>. This
will make it easier to minimize a number of sign ins to a single attempt and
run OAuth2 Authorization servers separately from the application endpoints. </p>
<h1><a shape="rect" name="JAX-RSOAuth2-WhatIsNext"></a>What Is Next</h1>
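Review bot: 'provides an initial support for a SAML2 SSO profile' should be 'provides initial support for the SAML2 SSO profile', and 'minimize a number of sign ins to a single attempt' reads better as 'reduce the number of sign-ins to a single attempt'; the link text could also match the target page's title so the reader knows it is the SAML Web SSO page rather than a general SAML2 page.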