Author: buildbot
Date: Wed Aug 20 12:46:52 2014
New Revision: 919902
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth2.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Wed Aug 20 12:46:52
2014
@@ -118,11 +118,11 @@ Apache CXF -- JAX-RS OAuth2
<!-- Content -->
<div class="wiki-content">
<div id="ConfluenceContent"><h1 id="JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS:
OAuth2</h1><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1408383989827 {padding: 0px;}
-div.rbtoc1408383989827 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1408383989827 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1408538785810 {padding: 0px;}
+div.rbtoc1408538785810 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1408538785810 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1408383989827">
+/*]]>*/</style></p><div class="toc-macro rbtoc1408538785810">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-JAX-RS:OAuth2">JAX-RS: OAuth2</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ClientRegistration">Client
Registration</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth2-EndUserNameinAuthorizationForm">EndUser Name in
Authorization Form</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-PublicClients(Devices)">Public Clients (Devices)</a>
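Review bot: The rbtoc class suffix in the three CSS rules and on the toc-macro div is regenerated noise: rbtoc1408383989827 becomes rbtoc1408538785810 while the rule bodies stay identical. If the suffix changes on each regeneration, the page will show a diff here on every publish even when its content has not changed, which buries the real edits in the later hunks. Consider emitting a stable class name for the TOC macro, or normalising the suffix before the commit diff is generated.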
@@ -342,7 +342,7 @@ Authorization: MAC id="5b5c8e677413
mac="W7bdMZbv9UWOTadASIQHagZyirA="
ts="12345678"
]]></script>
-</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4
id="JAX-RSOAuth2-Encryptedtokens">Encrypted tokens</h4><p>Typically, the tokens
are persisted in the storage. The alternative approach is to completely encrypt
the token state and return the encrypted representation back to a client: the
processing time to do with the encryption and decryption might increase but the
server wins on avoiding the DB / storage lookups.    </p><p>CXF
3.0.0-milestone2 introduces the utility support for encrypting the state of
BearerAccessToken and RefreshToken.</p><p>The tokens can be encrypted and
decrypted with symmetric (secret) keys or certificates (public and private
keys) and the combination of certificates and secret keys.</p><p><a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/ModelEncryptionSupport.java">ModelEncryptionSupport</a>
c
an be used to encrypt the tokens using the custom serialization format. <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtils.java">EncryptionUtils</a>
can be used directly if the alternative serialization format is preferred.
 </p><p>Note that ServerAuthorizationGrant and Client can also be
encrypted.</p><h5 id="JAX-RSOAuth2-UsingSecretKeys">Using Secret
Keys</h5><p>The simplest strategy is to encrypt and decrypt the tokens with the
symmetric/secret keys. Every new token can be encrypted with a unique secret
key or all of them can be encrypted with a single secret key. The utilities
provide few methods for creating secret keys with the default and advanced
properties, in addition there are many examples around on how to create the
keys with the specific properties.</p><p>For example, see <a shape="rect"
class="external-link" href="http://svn.
apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/EncryptingDataProvider.java">EncryptingDataProvider</a>:</p><p> </p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+</div></div><p>where 'ts' attribute is used to pass a timestamp value.</p><h4
id="JAX-RSOAuth2-Encryptedtokens">Encrypted tokens</h4><p>Typically, the tokens
are persisted in the storage. The alternative approach is to completely encrypt
the token state and return the encrypted representation back to a client: the
processing time to do with the encryption and decryption might increase but the
server wins on avoiding the DB / storage lookups.    </p><p>CXF
3.0.0-milestone2 introduces the utility support for encrypting the state of
BearerAccessToken and RefreshToken.</p><p>The tokens can be encrypted and
decrypted with symmetric (secret) keys or certificates (public and private
keys) and the combination of certificates and secret keys.</p><p><a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/ModelEncryptionSupport.java">ModelEncryptionSupport</a>
c
an be used to encrypt the tokens using the custom serialization format. <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/EncryptionUtils.java">EncryptionUtils</a>
can be used directly if the alternative serialization format is preferred.
 </p><p>Note that ServerAuthorizationGrant and Client can also be
encrypted.</p><h5 id="JAX-RSOAuth2-UsingSecretKeys">Using Secret
Keys</h5><p>The simplest strategy is to encrypt and decrypt the tokens with the
symmetric/secret keys. Every new token can be encrypted with a unique secret
key or all of them can be encrypted with a single secret key. The utilities
provide few methods for creating secret keys with the default and advanced
properties, in addition there are many examples around on how to create the
keys with the specific properties.</p><p>For example, see
org.apache.cxf.rs.security.oauth2.grants.code.DefaultEn
cryptingCodeDataProvider
and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider
which are shipped starting from CXF 3.0.2.</p><p>Here is a typical code
demonstrating how the encryption/decryption works:</p><p> </p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<script class="theme: Default; brush: java; gutter: false"
type="syntaxhighlighter"><![CDATA[SecretKey key =
EncryptionUtils.getSecretKey();
// create a new token, encrypt its state and return
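Review bot: The added "For example, see ..." sentence and the "Here is a typical code" lead-in point readers at the DefaultEncrypting* providers and EncryptionUtils.getSecretKey() without saying which algorithm and mode the default key uses, or whether a modified ciphertext is rejected on decryption. This section has the server rely on the decrypted token state instead of a storage lookup, so the page should state both here, next to the choice between a single key and a per-token key. Separately, the removed text linked EncryptingDataProvider, while the two new class names are plain text, unlike ModelEncryptionSupport and EncryptionUtils earlier in the same section; link them to their sources in the same way.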
@@ -366,7 +366,7 @@ ModelEncryptionSupport.decryptAccessToke
// OAuthDataProvider methods
}
]]></script>
-</div></div><p>CustomOAuthProvider will also remove all tokens associated with
a given Client in removeClient(String cliendId).</p><p>Finally
OAuthDataProvider may need to convert opaque scope values such as
"readCalendar" into a list of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s.
AuthorizationCodeGrantService and OAuth2 security filters will depend on it
(assuming scopes are used in the first place). In the former case
AuthorizationCodeGrantService will use this list to populate <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link"
href="http://svn.apache.org/repos
/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s
is that some of the properties OAuthPermission keeps are of no interest to
OAuthAuthorizationData handlers.</p><h3
id="JAX-RSOAuth2-DefaultProviders">Default
Providers</h3><p> </p><p>Starting from CXF 3.0.2 default Ehcache-based
OAuthDataProvider and AuthorizationCodeDataProvider implementations are
shipped:</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider
and org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider.</p><p>Users
who are happy with using EHCache are encouraged to experiment with these
default providers, customize them if needed and provide the feedback.</p><h2
id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS
endpoints</h2><p>With CXF offering OAuth service implementations and a custom
OAuthDataProvider provider in place, it is time to deploy the OAuth2 se
rver. <br clear="none"> Most likely, you'd want to deploy AccessTokenService
as an independent JAX-RS endpoint, for example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>CustomOAuthProvider will also remove all tokens associated with
a given Client in removeClient(String cliendId).</p><p>Finally
OAuthDataProvider may need to convert opaque scope values such as
"readCalendar" into a list of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthPermission.java">OAuthPermission</a>s.
AuthorizationCodeGrantService and OAuth2 security filters will depend on it
(assuming scopes are used in the first place). In the former case
AuthorizationCodeGrantService will use this list to populate <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link"
href="http://svn.apache.org/repos
/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/Permission.java">Permission</a>s
is that some of the properties OAuthPermission keeps are of no interest to
OAuthAuthorizationData handlers.</p><h3
id="JAX-RSOAuth2-DefaultProviders">Default
Providers</h3><p> </p><p>Starting from CXF 3.0.2 default Ehcache-based and
encrypting  OAuthDataProvider and AuthorizationCodeDataProvider
implementations are
shipped.</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider
and org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider
use Ehcache to store grant, client, access and refresh token
data.</p><p>org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider
and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider
use an auto-generated or provided Java symmetric SecretKey to
store</p><p>grant, access and refresh token data.</p><
p>Users are encouraged to experiment with these default providers, customize
them if needed and provide the feedback.</p><p>Users implementing their own
persistence strategy may consider extending
org.apache.cxf.rs.security.oauth2.grants.code.AbstractAuthorizationCodeDataProvider
or org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider -
these classes might help with taking care of some basic data initialization and
check routines.</p><h2 id="JAX-RSOAuth2-OAuthServerJAX-RSendpoints">OAuth
Server JAX-RS endpoints</h2><p>With CXF offering OAuth service implementations
and a custom OAuthDataProvider provider in place, it is time to deploy the
OAuth2 server. <br clear="none"> Most likely, you'd want to deploy
AccessTokenService as an independent JAX-RS endpoint, for example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<script class="theme: Default; brush: xml; gutter: false"
type="syntaxhighlighter"><![CDATA[<!-- implements OAuthDataProvider -->
<bean id="oauthProvider"
class="oauth.manager.OAuthManager"/>
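Review bot: The added sentence stating that the DefaultEncrypting* providers "use an auto-generated or provided Java symmetric SecretKey" does not say where an auto-generated key is kept, so a reader cannot tell whether tokens issued before a restart, or by another instance, can still be decrypted. Document the key's lifetime and how to supply a shared one. The same sentence has a paragraph break between "to store" and "grant, access and refresh token data.", and its list omits client data, which the Ehcache sentence includes, so say where client registrations live when the encrypting providers are used. The context line "removeClient(String cliendId)" also carries a typo (clientId) that could be fixed in the same pass.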