Author: buildbot
Date: Thu Jun 1 16:47:40 2017
New Revision: 1013280
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/jax-rs-oauth.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/jax-rs-oauth.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth.html Thu Jun 1 16:47:40
2017
@@ -121,11 +121,11 @@ Apache CXF -- JAX-RS OAuth
 </p><p> </p><p><style type="text/css">/*<![CDATA[*/
-div.rbtoc1496332023959 {padding: 0px;}
-div.rbtoc1496332023959 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1496332023959 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1496335624724 {padding: 0px;}
+div.rbtoc1496335624724 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1496335624724 li {margin-left: 0px;padding-left: 0px;}
-/*]]>*/</style></p><div class="toc-macro rbtoc1496332023959">
+/*]]>*/</style></p><div class="toc-macro rbtoc1496335624724">
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth-Introduction">Introduction</a></li><li><a shape="rect"
href="#JAX-RSOAuth-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth-DevelopingOAuth1.0Servers">Developing OAuth 1.0
Servers</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth-RequestTokenService">RequestTokenService</a></li><li><a
shape="rect"
href="#JAX-RSOAuth-AuthorizationRequestService">AuthorizationRequestService</a>
<ul class="toc-indentation"><li><a shape="rect"
href="#JAX-RSOAuth-OOBcallbacks">OOB callbacks</a></li></ul>
@@ -163,18 +163,18 @@ Authorization=[OAuth oauth_callback="htt
oauth_signature="ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D"]
}
</pre>
-</div></div><p>It is an empty POST request which includes an Authorization
OAuth header. The value of the header has a consumer key (obtained during the
third-party registration), callback URI pointing to where
AuthorizationRequestService will return an authorized token and a signature
which was calculated using a consumer key and secret pair as <a shape="rect"
class="external-link" href="http://tools.ietf.org/html/rfc5849#section-3.4.2";
rel="nofollow">described in the specification</a>.</p><p>First
RequestTokenService validates the signature and then it retrieves a <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client</a>
instance from OAuthDataProvider using a consumer key.</p><p>Before asking
OAuthDataProvider to generate a request token, it attempts to validate a
callback URI against a <a shape="rect" class="external-link"
href="http://svn.apa
che.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java">Client</a>'s
application URI.</p><p>Finally it delegates to OAuthDataProvider to create a
request token, passing to it a populated <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestTokenRegistration.java";>RequestTokenRegistration</a>
bean.</p><p>This bean references a Client instance, callback URI and a state.
State is something that a consumer may also include during the request token
request using a "state" parameter and will be returned back to the consumer
alongside the verifier after the request token has been authorized. For
example, it may represent a key that a consumer will use to retrieve the state
of the request that it was processing when requesting a token. For OAuth 1.0<br
clear="none"> consumers, the request token it
self may represent a good enough key for such purposes, but "state" may need
to be used too and will become more useful for OAuth 2.0.</p><p>The bean also
includes "issuedAt" and "lifetime" values which represent the time a new token
is about to be created and a configurable time in milliseconds that this token
will 'live' for. OAuthDataProvider will be free to reset those values if needed
before actually creating a request token.</p><p>Finally, one more property that
may be set on this bean instance: list of scopes. List of scopes represents
optional permissions that the consumer may need to access the resources. These
can be provided by an "x_oauth_scope" ("scope" in OAuth 2.0) request parameter,
for example,</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+</div></div><p>It is an empty POST request which includes an Authorization
OAuth header. The value of the header has a consumer key (obtained during the
third-party registration), callback URI pointing to where
AuthorizationRequestService will return an authorized token and a signature
which was calculated using a consumer key and secret pair as <a shape="rect"
class="external-link" href="http://tools.ietf.org/html/rfc5849#section-3.4.2";
rel="nofollow">described in the specification</a>.</p><p>First
RequestTokenService validates the signature and then it retrieves a <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client</a>
instance from OAuthDataProvider using a consumer key.</p><p>Before asking
OAuthDataProvider to generate a request token, it attempts to validate a
callback URI against a <a shape="rect" class="external-link"
href="https://github
.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java"
rel="nofollow">Client</a>'s application URI.</p><p>Finally it delegates to
OAuthDataProvider to create a request token, passing to it a populated <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestTokenRegistration.java";
rel="nofollow">RequestTokenRegistration</a> bean.</p><p>This bean references a
Client instance, callback URI and a state. State is something that a consumer
may also include during the request token request using a "state" parameter and
will be returned back to the consumer alongside the verifier after the request
token has been authorized. For example, it may represent a key that a consumer
will use to retrieve the state of the request that it was processing when
requesting a token. For OAuth 1.0<br clear="none"> c
onsumers, the request token itself may represent a good enough key for such
purposes, but "state" may need to be used too and will become more useful for
OAuth 2.0.</p><p>The bean also includes "issuedAt" and "lifetime" values which
represent the time a new token is about to be created and a configurable time
in milliseconds that this token will 'live' for. OAuthDataProvider will be free
to reset those values if needed before actually creating a request
token.</p><p>Finally, one more property that may be set on this bean instance:
list of scopes. List of scopes represents optional permissions that the
consumer may need to access the resources. These can be provided by an
"x_oauth_scope" ("scope" in OAuth 2.0) request parameter, for example,</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">Authorization=[OAuth ...,
x_oauth_scope="readCalendar updateCalendar"]
</pre>
-</div></div><p>It's expected that each of the x_oauth_scope values such as
"readCalendar" and "updateCalendar" are translated into <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java";>OAuthPermission</a>s
during the creation of a new request token. If no x_oauth_scope parameter is
provided then the OAuth data provider will likely assign a default
OAuthPermission instance to the new token.</p><p>After a new request token has
been created by OAuthDataProvider, RequestTokenService returns the token key
and secret pair to the consumer:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>It's expected that each of the x_oauth_scope values such as
"readCalendar" and "updateCalendar" are translated into <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";
rel="nofollow">OAuthPermission</a>s during the creation of a new request
token. If no x_oauth_scope parameter is provided then the OAuth data provider
will likely assign a default OAuthPermission instance to the new
token.</p><p>After a new request token has been created by OAuthDataProvider,
RequestTokenService returns the token key and secret pair to the
consumer:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">Response-Code: 200
Content-Type: application/x-www-form-urlencoded
Headers: {Date=[Tue, 08 Nov 2011 10:38:03 GMT]}
Payload:
oauth_callback_confirmed=true&oauth_token=6dfd5e52-236c-4939-8df8-a53212f7d2a2&oauth_token_secret=ca8273df-b9b0-43f9-9875-cfbb54ced550
</pre>
-</div></div><p>The consumer is now ready to redirect the current end user to
<a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java";>AuthorizationRequestService</a>.</p><h2
id="JAX-RSOAuth-AuthorizationRequestService">AuthorizationRequestService</h2><p>The
main responsibility of AuthorizationRequestService is to present an end user
with a form asking the user to allow or deny the consumer accessing some of the
user resources.</p><p>Remember that a third-party consumer redirects the
current user to AuthorizationRequestService, for example, here is how a
redirection may happen:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The consumer is now ready to redirect the current end user to
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java";
rel="nofollow">AuthorizationRequestService</a>.</p><h2
id="JAX-RSOAuth-AuthorizationRequestService">AuthorizationRequestService</h2><p>The
main responsibility of AuthorizationRequestService is to present an end user
with a form asking the user to allow or deny the consumer accessing some of the
user resources.</p><p>Remember that a third-party consumer redirects the
current user to <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java";
rel="nofollow">AuthorizationRequestService</a>, for example, here is how a
redirection may happen:</p><div class="c
ode panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">Response-Code: 303
Headers:
{Location=[http://localhost:8080/services/social/authorize?oauth_token=f4415e16-56ea-465f-9df1-8bd769253a7d]}
</pre>
@@ -188,7 +188,7 @@ Referer=[http://localhost:8080/services/
...
}
</pre>
-</div></div><p>First, AuthorizationRequestService will retrieve <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestToken.java";>RequestToken</a>
(which extends the base <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java";>Token</a>
class) from OAuthDataProvider using the value provided by the "oauth_token"
query parameter.</p><p>Next it uses this token (which also links to Client) to
populate an instance of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java";>OAuthAuthorizationData</a>
bean and returns it. OAuthAuthorizationData contains application name and URI
properties, optional l
ist of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java";>Permission</a>s
and URIs.</p><p>Two other important OAuthAuthorizationData properties are
"oauthToken" and "authenticityToken", both are important for processing the
decision request coming from the authorization form. The former is a request
token key which will be used by AuthorizationRequestService to retrieve the
RequestToken again and the latter for validating that the current session has
not been hijacked - AuthorizationRequestService generates a random key, stores
it in a Servlet HTTPSession instance and expects the returned authenticityToken
value to match it - this is a recommended approach and it also implies that the
authenticityToken value is hidden from a user, for example, it's kept in a
'hidden' form field.</p><p>The helper "replyTo" property is an absolute URI
identifying th
e AuthorizationRequestService handler processing the user decision and can be
used by view handlers when building the forms or by other
OAuthAuthorizationData handlers.</p><p>So the populated OAuthAuthorizationData
is finally returned. Note that it's a JAXB XMLRootElement-annotated bean and
can be processed by registered JAXB or JSON providers given that
AuthorizationRequestService supports producing "application/xml" and
"application/json" (See the OAuth Without Browser section below for more). But
in this case we have the end user working with a browser so an HTML form is
what is really expected back.</p><p>AuthorizationRequestService supports
producing "text/html" and simply relies on a registered <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider";>RequestDispatcherProvider</a>
to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and
redirect the response to a view handler (can be JSP or so
me other servlet) to actually build the form and return it to the user.
Alternatively, registering <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport";>XSLTJaxbProvider</a>
would also be a good option for creating HTML views.</p><p>Assuming
RequestDispatcherProvider is used, the following example log shows the initial
response from AuthorizationRequestService:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>First, <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/AuthorizationRequestService.java";
rel="nofollow">AuthorizationRequestService</a> will retrieve <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestToken.java";
rel="nofollow">RequestToken</a> (which extends the base <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Token.java";
rel="nofollow">Token</a> class) from OAuthDataProvider using the value
provided by the "oauth_token" query parameter.</p><p>Next it uses this token
(which also links to Client) to populate an instance of <a shape="rect"
class="external-link" href="https://github.com/a
pache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java"
rel="nofollow">OAuthAuthorizationData</a> bean and returns it.
OAuthAuthorizationData contains application name and URI properties, optional
list of <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java";
rel="nofollow">Permission</a>s and URIs.</p><p>Two other important
OAuthAuthorizationData properties are "oauthToken" and "authenticityToken",
both are important for processing the decision request coming from the
authorization form. The former is a request token key which will be used by
AuthorizationRequestService to retrieve the RequestToken again and the latter
for validating that the current session has not been hijacked -
AuthorizationRequestService generates a random key, stores it in a Servlet
HTTPSession ins
tance and expects the returned authenticityToken value to match it - this is a
recommended approach and it also implies that the authenticityToken value is
hidden from a user, for example, it's kept in a 'hidden' form field.</p><p>The
helper "replyTo" property is an absolute URI identifying the
AuthorizationRequestService handler processing the user decision and can be
used by view handlers when building the forms or by other
OAuthAuthorizationData handlers.</p><p>So the populated OAuthAuthorizationData
is finally returned. Note that it's a JAXB XMLRootElement-annotated bean and
can be processed by registered JAXB or JSON providers given that
AuthorizationRequestService supports producing "application/xml" and
"application/json" (See the OAuth Without Browser section below for more). But
in this case we have the end user working with a browser so an HTML form is
what is really expected back.</p><p>AuthorizationRequestService supports
producing "text/html" and simply relies on a regi
stered <a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-redirection.html#JAX-RSRedirection-WithRequestDispatcherProvider";>RequestDispatcherProvider</a>
to set the OAuthAuthorizationData bean as an HttpServletRequest attribute and
redirect the response to a view handler (can be JSP or some other servlet) to
actually build the form and return it to the user. Alternatively, registering
<a shape="rect"
href="http://cxf.apache.org/docs/jax-rs-advanced-xml.html#JAX-RSAdvancedXML-XSLTsupport";>XSLTJaxbProvider</a>
would also be a good option for creating HTML views.</p><p>Assuming
RequestDispatcherProvider is used, the following example log shows the initial
response from AuthorizationRequestService:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">08-Nov-2011 13:32:40
org.apache.cxf.jaxrs.provider.RequestDispatcherProvider logRedirection
INFO: Setting an instance of
"org.apache.cxf.rs.security.oauth.data.OAuthAuthorizationData"
as HttpServletRequest attribute "data" and redirecting the response to
"/forms/oauthAuthorize.jsp".
@@ -249,7 +249,7 @@ Authorization=[OAuth oauth_callback="oob
oauth_signature="ztTQuqaJS7L6dNQwn%2Fqi1MdaqQQ%3D"]
}
</pre>
-</div></div><p>RequestTokenService will only accept the "oob" value if a
client callbackURI property has been set to "oob" during the client application
registration process. Specifically, RequestTokenService will expect that a <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client</a>
bean will have its callbackURI property being set to "oob".</p><p>When a
callback URI is set to "oob", it means that a user decision response needs to
be presented directly to the current user - which will then make the request
token and verifier info somehow available to the client application. In case of
"oob", AuthorizationRequestService, instead of redirecting the user back to the
callback URI as shown earlier on, will simply return an instance of <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oau
th/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java">OOBAuthorizationResponse</a>.
RequestDispatcherProvider will need to be used for redirecting this data to
the view handler exactly how it is done when a user is asked to authorize the
client application, with the view handler formatting the data and actually
returning it to the user</p><h2
id="JAX-RSOAuth-AccessTokenService">AccessTokenService</h2><p>The role of
AccessTokenService is to exchange an authorized request token for a new access
token which will be used by the consumer to access the end user's resources.
<br clear="none"> Here is an example request log:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>RequestTokenService will only accept the "oob" value if a
client callbackURI property has been set to "oob" during the client application
registration process. Specifically, RequestTokenService will expect that a <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";
rel="nofollow">Client</a> bean will have its callbackURI property being set to
"oob".</p><p>When a callback URI is set to "oob", it means that a user decision
response needs to be presented directly to the current user - which will then
make the request token and verifier info somehow available to the client
application. In case of "oob", AuthorizationRequestService, instead of
redirecting the user back to the callback URI as shown earlier on, will simply
return an instance of <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/o
auth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/services/OOBAuthorizationResponse.java"
rel="nofollow">OOBAuthorizationResponse</a>. RequestDispatcherProvider will
need to be used for redirecting this data to the view handler exactly how it is
done when a user is asked to authorize the client application, with the view
handler formatting the data and actually returning it to the user</p><h2
id="JAX-RSOAuth-AccessTokenService">AccessTokenService</h2><p>The role of
AccessTokenService is to exchange an authorized request token for a new access
token which will be used by the consumer to access the end user's resources.
<br clear="none"> Here is an example request log:</p><div class="code panel
pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">Address: http://localhost:8080/services/oauth/token
Http-Method: POST
Headers: {
@@ -264,7 +264,7 @@ Authorization=[OAuth oauth_signature_met
oauth_signature="dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"]
}
</pre>
-</div></div><p>This request is very similar to a temporarily token request.
Note that the request token key is also included and this token key and its
secret pair, as well as the consumer key and secret pair are used to calculate
the signature.</p><p>AccessTokenService validates the signature, asks
OAuthDataProvider to remove a RequestToken identified by the "oauth_token" and
compares the "oauth_verifier" value against the one stored in this
RequestToken.</p><p>Note that if the "oauth_verifier" is missing then
AccessTokenService will check that RequestToken has been preauthorized and that
its UserSubject property is initialized. If both conditions are met then the
access token request is allowed to continue.</p><p>Next it asks the data
provider to create a new <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";>AccessToken</a>
based on this Reque
stToken. The resulting access token key and secret pair is returned back to a
consumer:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
+</div></div><p>This request is very similar to a temporarily token request.
Note that the request token key is also included and this token key and its
secret pair, as well as the consumer key and secret pair are used to calculate
the signature.</p><p>AccessTokenService validates the signature, asks
OAuthDataProvider to remove a RequestToken identified by the "oauth_token" and
compares the "oauth_verifier" value against the one stored in this
RequestToken.</p><p>Note that if the "oauth_verifier" is missing then
AccessTokenService will check that RequestToken has been preauthorized and that
its UserSubject property is initialized. If both conditions are met then the
access token request is allowed to continue.</p><p>Next it asks the data
provider to create a new <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";
rel="nofollow">AccessToken</a> base
d on this RequestToken. The resulting access token key and secret pair is
returned back to a consumer:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">Response-Code: 200
Content-Type: application/x-www-form-urlencoded
Headers: {Date=[Tue, 08 Nov 2011 13:50:59 GMT]}
@@ -282,7 +282,7 @@ Authorization=[OAuth oauth_signature_met
oauth_signature="dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"]
}
</pre>
-</div></div><p>Note that the access token is set and the access token key and
secret pair, as well as the consumer key and secret pair are used to create a
signature.</p><h2 id="JAX-RSOAuth-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a
lot with setting up an OAuth server. As you can see from the above sections,
these services rely on a custom <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java";>OAuthDataProvider</a>
implementation.</p><p>The main task of OAuthDataProvider is to persist request
and access tokens and generate authorization/verifier keys. The way it's done
is really application-specific. Consider starting with a basic memory based
implementation and then move on to keeping the data in some DB.</p><p>Note that
OAuthDataProvider supports retrieving <a shape="rect
" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client</a>
instances but it has no methods for creating or removing Clients. The reason
for it is that the process of registering third-party consumers is very
specific to a particular OAuth application, so CXF does not offer a
registration support service and hence OAuthDataProvider has no Client
create/update methods. You will likely need to do something like this:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+</div></div><p>Note that the access token is set and the access token key and
secret pair, as well as the consumer key and secret pair are used to create a
signature.</p><h2 id="JAX-RSOAuth-WritingOAuthDataProvider">Writing
OAuthDataProvider</h2><p>Using CXF OAuth service implementations will help a
lot with setting up an OAuth server. As you can see from the above sections,
these services rely on a custom <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/OAuthDataProvider.java";
rel="nofollow">OAuthDataProvider</a> implementation.</p><p>The main task of
OAuthDataProvider is to persist request and access tokens and generate
authorization/verifier keys. The way it's done is really application-specific.
Consider starting with a basic memory based implementation and then move on to
keeping the data in some DB.</p><p>Note that OAuthDataProvider supports
retrieving
<a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";
rel="nofollow">Client</a> instances but it has no methods for creating or
removing Clients. The reason for it is that the process of registering
third-party consumers is very specific to a particular OAuth application, so
CXF does not offer a registration support service and hence OAuthDataProvider
has no Client create/update methods. You will likely need to do something like
this:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">public class CustomOAuthProvider implements
OAuthDataProvider {
public Client registerClient(String applicationName, String applicationURI,
...) {}
public void removeClient(String cliendId) {}
@@ -290,7 +290,7 @@ Authorization=[OAuth oauth_signature_met
// OAuthDataProvider methods
}
</pre>
-</div></div><p>CustomOAuthProvider will also remove all tokens associated with
a given Client in removeClient(String cliendId).</p><p>When creating
RequestToken or AccessToken tokens as well as authorization keys,
OAuthDataProvider will need to create unique identifiers.<br clear="none"> The
way it's done is application specific and custom implementations may also use a
utility <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/MD5SequenceGenerator.java";>MD5SequenceGenerator</a>
shipped with CXF, for example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>CustomOAuthProvider will also remove all tokens associated with
a given Client in removeClient(String cliendId).</p><p>When creating
RequestToken or AccessToken tokens as well as authorization keys,
OAuthDataProvider will need to create unique identifiers.<br clear="none"> The
way it's done is application specific and custom implementations may also use a
utility <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/provider/MD5SequenceGenerator.java";
rel="nofollow">MD5SequenceGenerator</a> shipped with CXF, for example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">public String setRequestTokenVerifier(RequestToken
requestToken) throws OAuthServiceException {
requestToken.setVerifier(generateSequence());
return requestToken.getVerifier();
@@ -305,7 +305,7 @@ private String generateSequence() throws
}
</pre>
-</div></div><p>Generating tokens/keys and persisting them effectively is what
OAuthDataProvider all about.<br clear="none"> Note that CXF will check that
Request and Access tokens have not expired every time it uses them and will ask
OAuthDataProvider to remove the expired tokens, but the custom
OAuthDataProvider implementation may do its own checks too.</p><p>Finally
OAuthDataProvider may need to convert opaque scope values such as
"readCalendar" into a list of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";>OAuthPermission</a>s.
AuthorizationRequestService and OAuth security filters will depend on it
(assuming scopes are used in the first place). In the former case
AuthorizationRequestService will use this list to populate <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oa
uth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java">OAuthAuthorizationData</a>
- the reason this bean only sees <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java";>Permission</a>s
is that the properties OAuthPermission keeps are of no interest to
OAuthAuthorizationData handlers.</p><h2
id="JAX-RSOAuth-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS
endpoints</h2><p>With CXF offering OAuth service implementations and a custom
OAuthAuthorizationData provider in place, it is time to deploy the OAuth
server. <br clear="none"> Most likely, you'd want to deploy RequestTokenService
and AccessTokenService as two root resources inside a single JAX-RS endpoint
(or have one RequestTokenService and one AccessTokenService endpoint), for
example:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent pa
nelContent pdl">
+</div></div><p>Generating tokens/keys and persisting them effectively is what
OAuthDataProvider all about.<br clear="none"> Note that CXF will check that
Request and Access tokens have not expired every time it uses them and will ask
OAuthDataProvider to remove the expired tokens, but the custom
OAuthDataProvider implementation may do its own checks too.</p><p>Finally
OAuthDataProvider may need to convert opaque scope values such as
"readCalendar" into a list of <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";
rel="nofollow">OAuthPermission</a>s. AuthorizationRequestService and OAuth
security filters will depend on it (assuming scopes are used in the first
place). In the former case AuthorizationRequestService will use this list to
populate <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/
oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java"
rel="nofollow">OAuthAuthorizationData</a> - the reason this bean only sees <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Permission.java";
rel="nofollow">Permission</a>s is that the properties OAuthPermission keeps
are of no interest to OAuthAuthorizationData handlers.</p><h2
id="JAX-RSOAuth-OAuthServerJAX-RSendpoints">OAuth Server JAX-RS
endpoints</h2><p>With CXF offering OAuth service implementations and a custom
OAuthAuthorizationData provider in place, it is time to deploy the OAuth
server. <br clear="none"> Most likely, you'd want to deploy RequestTokenService
and AccessTokenService as two root resources inside a single JAX-RS endpoint
(or have one RequestTokenService and one AccessTokenService endpoint), for
example:</p><div class="code panel pdl" style="b
order-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><!-- implements OAuthDataProvider -->
<bean id="oauthProvider" class="oauth.manager.OAuthManager"/>
@@ -340,7 +340,7 @@ private String generateSequence() throws
</jaxrs:serviceBeans>
</jaxrs:server>
</pre>
-</div></div><p>AuthorizationRequestService listens on a relative "/authorize"
path so in this case its absolute address will be something like
"http://localhost:8080/services/myapp/authorize";. This address and those of
RequestTokenService and AccessTokenService will be used by third-party
consumers.</p><h1
id="JAX-RSOAuth-ProtectingresourceswithOAuthfilters">Protecting resources with
OAuth filters</h1><p><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java";>OAuthRequestFilter</a>
request handler can be used to protect the resource server when processing the
requests from the third-party consumers. Add it as a jaxrs:provider to the
endpoint which deals with the consumers requesting the resources.</p><p>When
checking a request like this:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>AuthorizationRequestService listens on a relative "/authorize"
path so in this case its absolute address will be something like
"http://localhost:8080/services/myapp/authorize";. This address and those of
RequestTokenService and AccessTokenService will be used by third-party
consumers.</p><h1
id="JAX-RSOAuth-ProtectingresourceswithOAuthfilters">Protecting resources with
OAuth filters</h1><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthRequestFilter.java";
rel="nofollow">OAuthRequestFilter</a> request handler can be used to protect
the resource server when processing the requests from the third-party
consumers. Add it as a jaxrs:provider to the endpoint which deals with the
consumers requesting the resources.</p><p>When checking a request like
this:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeContent panelCon
tent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;">Address: http://localhost:8080/services/user/calendar
Http-Method: GET
Headers: {
@@ -352,7 +352,7 @@ Authorization=[OAuth oauth_signature_met
oauth_signature="dU%2BhXPNFfFpX2sC74IOxzTjdVrY%3D"]
}
</pre>
-</div></div><p>the filter will do the following:</p><p>1. It will validate the
signature and will get Client and AccessToken from OAuthDataProvider.</p><p>2.
It will check if <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";>AccessToken</a>
have a "uris" property set and if yes then it will validate the current
request URI against it.</p><p>3. If AccessToken has a list of <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";>OAuthPermissions</a>.
For every permission it will:</p><ul class="alternate"><li>If it has a uri
property set then the current request URI will be checked against it</li><li>If
it has an httpVerb property set then the current HTTP verb will be checked
against it</li></ul><p>4. Finally, i
t will create a CXF <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/security/SecurityContext.java";>SecurityContext</a>
using this list of <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";>OAuthPermissions</a>
and the <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";>Client</a>
loginName property.</p><p>This loginName property is something that can be
optionally associated with the new Client during the registration - if it is
not set then the filter will use a Client "applicationName" property instead.
The application code checking the user Principal will see the chosen value.
Additionally every OAuthPermission may have a list of applicati
on-specific roles such as "consumer", etc, which will be added to
SecurityContext and will be checked during
SecurityContext.isUserInRole(roleName) calls.</p><p>If a "useUserSubject"
property is set on the filter then a UserSubject associated with the access
token will be used to populate the SecurityContext.</p><p>This SecurityContext
will not necessarily be important for some of OAuth applications. Most of the
security checks will be done by OAuth filters and security filters protecting
the main application path the end users themselves use. Only if you would like
to share the same JAX-RS resource code and access URIs between end users and
consumers then it can become handy. More on it below.</p><p>Note that <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java";>OAuthServletFilter</a>
can be deployed instead. It will need the OAuthDataPro
vider full class name referenced as an "oauth.data.provider-class" servlet
context parameter.</p><h1 id="JAX-RSOAuth-Howtogettheuserloginname">How to get
the user login name</h1><p>When one writes a custom server application which
needs to participate in 3-leg OAuth flows, the major question which needs to be
addressed is<br clear="none"> how one can access a user login name that was
used during the end-user authorizing the third-party client. This username will
help to uniquely identify the resources that the 3rd party client is now
attempting to access.<br clear="none"> The following code shows one way of how
this can be done starting from CXF 2.5.1:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>the filter will do the following:</p><p>1. It will validate the
signature and will get Client and AccessToken from OAuthDataProvider.</p><p>2.
It will check if <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";
rel="nofollow">AccessToken</a> have a "uris" property set and if yes then it
will validate the current request URI against it.</p><p>3. If AccessToken has a
list of <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";
rel="nofollow">OAuthPermissions</a>. For every permission it will:</p><ul
class="alternate"><li>If it has a uri property set then the current request URI
will be checked against it</li><li>If it has an httpVerb property set then the
current HTTP verb will be checked agains
t it</li></ul><p>4. Finally, it will create a CXF SecurityContext using this
list of <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";
rel="nofollow">OAuthPermissions</a> and the <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/Client.java";
rel="nofollow">Client</a> loginName property.</p><p>This loginName property is
something that can be optionally associated with the new Client during the
registration - if it is not set then the filter will use a Client
"applicationName" property instead. The application code checking the user
Principal will see the chosen value. Additionally every OAuthPermission may
have a list of application-specific roles such as "consumer", etc, which will
be added to SecurityContext and will be
checked during SecurityContext.isUserInRole(roleName) calls.</p><p>If a
"useUserSubject" property is set on the filter then a UserSubject associated
with the access token will be used to populate the SecurityContext.</p><p>This
SecurityContext will not necessarily be important for some of OAuth
applications. Most of the security checks will be done by OAuth filters and
security filters protecting the main application path the end users themselves
use. Only if you would like to share the same JAX-RS resource code and access
URIs between end users and consumers then it can become handy. More on it
below.</p><p>Note that <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/filters/OAuthServletFilter.java";
rel="nofollow">OAuthServletFilter</a> can be deployed instead. It will need
the OAuthDataProvider full class name referenced as an
"oauth.data.provider-class" servlet cont
ext parameter.</p><h1 id="JAX-RSOAuth-Howtogettheuserloginname">How to get the
user login name</h1><p>When one writes a custom server application which needs
to participate in 3-leg OAuth flows, the major question which needs to be
addressed is<br clear="none"> how one can access a user login name that was
used during the end-user authorizing the third-party client. This username will
help to uniquely identify the resources that the 3rd party client is now
attempting to access.<br clear="none"> The following code shows one way of how
this can be done starting from CXF 2.5.1:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">
@Path("/userResource")
public class ThirdPartyAccessService {
@@ -376,7 +376,7 @@ public class ThirdPartyAccessService {
}
</pre>
-</div></div><p>The above shows a fragment of the JAX-RS service managing the
access to user resources from authorized 3rd-party clients (see the Design
Considerations section for more information).</p><p>The injected MessageContext
provides an access to <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthContext.java";>OAuthContext</a>
which has been set by OAuth filters described in the previous section.
OAuthContext will act as a container of the information which can be useful to
the custom application code which do not need to deal with the OAuth internals
which will likely change between OAuth 1.0 and OAuth 2.0. At the moment
OAuthContext provides an access to <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java";>UserSubje
ct</a> which is created by CXF AuthorizationService at the moment of the end
user authorizing the third-party client and captures the end user's login name
(and roles which will be available if CXF JAASLoginInterceptor is used to
authenticate end users) and associates it with the current <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestToken.java";>RequestToken</a>.
It will be a responsibility of custom OAuthDataProviders to make sure this
UserSubject bean is copied across to a corresponding <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";>AccessToken</a>.
OAuthContext also references the list of the permissions which have been
validated againt the current client request.</p><p>Additionally you may get
OAuth filters t
o set up a SecurityContext which will use the information available in <a
shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java";>UserSubject</a>,
in other words, get the 3rd-party client impersonating the end user (which
authorized this client in the first place) for the duration of the current
request. Set a jaxrs contextual
"org.apache.cxf.rs.security.oauth.use_user_subject" property to 'true' for this
to happen.</p><h1 id="JAX-RSOAuth-Client-sidesupport">Client-side
support</h1><p>When developing a third party application which needs to
participate in OAuth flows one has to write the code that will redirect users
to OAuth AuthorizationRequestService, interact with RequestTokenService and
AccessTokenService in order to get request and access tokens as well as
correctly build Authorization OAuth headers when accessing the end users'
resources. JAX-RS m
akes it straightforward to support the redirection, while <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java";>OAuthClientUtils</a>
class makes it possible to encapsulate most of the complexity away from the
client application code.</p><p>OAuthClientUtils has utility methods for getting
request and access tokens, the consumer is expected to provide a properly
initialized WebClient pointing to either RequestTokenService and
AccessTokenService, Consumer bean containing the registration key and secret, a
callback URI for requesting a request token and the request Token and the
verifier for requesting the access token which is all quite straightforward. It
also helps to create a proper URI for redirecting to
AuthorizationRequestService. A correct Authorization header will also need to
be used when accessing the user resources at the resource ser
ver and OAuthClientUtils will help with creating this header as
well.</p><p>For example, the following custom code can be used by the
third-party application:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
+</div></div><p>The above shows a fragment of the JAX-RS service managing the
access to user resources from authorized 3rd-party clients (see the Design
Considerations section for more information).</p><p>The injected MessageContext
provides an access to <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthContext.java";
rel="nofollow">OAuthContext</a> which has been set by OAuth filters described
in the previous section. OAuthContext will act as a container of the
information which can be useful to the custom application code which do not
need to deal with the OAuth internals which will likely change between OAuth
1.0 and OAuth 2.0. At the moment OAuthContext provides an access to <a
shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.
java" rel="nofollow">UserSubject</a> which is created by CXF
AuthorizationService at the moment of the end user authorizing the third-party
client and captures the end user's login name (and roles which will be
available if CXF JAASLoginInterceptor is used to authenticate end users) and
associates it with the current <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/RequestToken.java";
rel="nofollow">RequestToken</a>. It will be a responsibility of custom
OAuthDataProviders to make sure this UserSubject bean is copied across to a
corresponding <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/AccessToken.java";
rel="nofollow">AccessToken</a>. OAuthContext also references the list of the
permissions which have been validated againt the current cl
ient request.</p><p>Additionally you may get OAuth filters to set up a
SecurityContext which will use the information available in <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/UserSubject.java";
rel="nofollow">UserSubject</a>, in other words, get the 3rd-party client
impersonating the end user (which authorized this client in the first place)
for the duration of the current request. Set a jaxrs contextual
"org.apache.cxf.rs.security.oauth.use_user_subject" property to 'true' for this
to happen.</p><h1 id="JAX-RSOAuth-Client-sidesupport">Client-side
support</h1><p>When developing a third party application which needs to
participate in OAuth flows one has to write the code that will redirect users
to OAuth AuthorizationRequestService, interact with RequestTokenService and
AccessTokenService in order to get request and access tokens as well as
correctly build Au
thorization OAuth headers when accessing the end users' resources. JAX-RS
makes it straightforward to support the redirection, while <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/client/OAuthClientUtils.java";
rel="nofollow">OAuthClientUtils</a> class makes it possible to encapsulate
most of the complexity away from the client application
code.</p><p>OAuthClientUtils has utility methods for getting request and access
tokens, the consumer is expected to provide a properly initialized WebClient
pointing to either RequestTokenService and AccessTokenService, Consumer bean
containing the registration key and secret, a callback URI for requesting a
request token and the request Token and the verifier for requesting the access
token which is all quite straightforward. It also helps to create a proper URI
for redirecting to AuthorizationRequestService. A correct Authorizat
ion header will also need to be used when accessing the user resources at the
resource server and OAuthClientUtils will help with creating this header as
well.</p><p>For example, the following custom code can be used by the
third-party application:</p><div class="code panel pdl" style="border-width:
1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default"
style="font-size:12px;">public class OAuthClientManager {
private WebClient accessTokenService;
@@ -428,7 +428,7 @@ Accept=[application/XML],
Authorization=[Basic base64EncodedValue]
}
</pre>
-</div></div><p>In this mode the Client is expected to reference a
pre-authorized AccessToken. OAuth filters validate this token as usual.</p><h1
id="JAX-RSOAuth-OAuthWithoutaBrowser">OAuth Without a Browser</h1><p>When an
end user is accessing the 3rd party application and is authorizing it later on,
it's usually expected that the user is relying on a browser. <br clear="none">
However, supporting other types of end users is easy enough. Writing the client
code that processes the redirection requests from the 3rd party application and
AuthorizationRequestService is simple with JAX-RS and additionally CXF can be
configured to do auto-redirects on the client side.</p><p>Also note that
AuthorizationRequestService can return XML or JSON <a shape="rect"
class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java";>OAuthAuthorizationData</a>
representations. That make
s it easy for a client code to get OAuthAuthorizationData and offer a pop-up
window or get the input from the command-line. Authorizing the third-party
application might even be automated in this case - which can lead to a complete
3-leg OAuth flow implemented without a human user being involved.</p><h1
id="JAX-RSOAuth-Reportingtheerrordetails">Reporting the error
details</h1><p>CXF OAuth 1.0 services will report only HTTP status code in case
of various OAuth-related errors to minimize the information about the actual
cause of the failure and will log the details locally. If providing the extra
error information can help with debugging 3rd-party applications or if such
application can indeed recover from the failures based on such details, then
setting a contextual "report.failure.details" property to "true" will get the
error messages available in the response body. Some OAuth1.0 implementers have
chosen to return a custom "oauth_problem" HTTP header instead - this option can
be su
pported by additionally setting a contextual
"report.failure.details.as.header" property to "true", for example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
+</div></div><p>In this mode the Client is expected to reference a
pre-authorized AccessToken. OAuth filters validate this token as usual.</p><h1
id="JAX-RSOAuth-OAuthWithoutaBrowser">OAuth Without a Browser</h1><p>When an
end user is accessing the 3rd party application and is authorizing it later on,
it's usually expected that the user is relying on a browser. <br clear="none">
However, supporting other types of end users is easy enough. Writing the client
code that processes the redirection requests from the 3rd party application and
AuthorizationRequestService is simple with JAX-RS and additionally CXF can be
configured to do auto-redirects on the client side.</p><p>Also note that
AuthorizationRequestService can return XML or JSON <a shape="rect"
class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthAuthorizationData.java";
rel="nofollow">OAuthAuthorizationData</a> representat
ions. That makes it easy for a client code to get OAuthAuthorizationData and
offer a pop-up window or get the input from the command-line. Authorizing the
third-party application might even be automated in this case - which can lead
to a complete 3-leg OAuth flow implemented without a human user being
involved.</p><h1 id="JAX-RSOAuth-Reportingtheerrordetails">Reporting the error
details</h1><p>CXF OAuth 1.0 services will report only HTTP status code in case
of various OAuth-related errors to minimize the information about the actual
cause of the failure and will log the details locally. If providing the extra
error information can help with debugging 3rd-party applications or if such
application can indeed recover from the failures based on such details, then
setting a contextual "report.failure.details" property to "true" will get the
error messages available in the response body. Some OAuth1.0 implementers have
chosen to return a custom "oauth_problem" HTTP header instead - this o
ption can be supported by additionally setting a contextual
"report.failure.details.as.header" property to "true", for example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent
panelContent pdl">
<pre class="brush: xml; gutter: false; theme: Default"
style="font-size:12px;"><jaxrs:server id="oauthServer"
address="/initiate">
<jaxrs:serviceBeans>
<bean
class="org.apache.cxf.rs.security.oauth.services.RequestTokenService"/>
@@ -479,7 +479,7 @@ public class CalendarResource {
}
}
</pre>
-</div></div><p>Lets assume that the 3rd party consumer has been allowed to
read the public user Calendars at "/calendar/{id}" only, how to make sure that
the consumer won't try to:<br clear="none"> 1. update the calendar available at
the same path <br clear="none"> 2. read the private Calendars available at
"/calendar/{id}/private"</p><p>As noted above, Client, AccessToken (in its
Token superclass) and <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth/src/main/java/org/apache/cxf/rs/security/oauth/data/OAuthPermission.java";>OAuthPermission</a>
all have an optional URIs property. Thus one way to solve the problem with the
private calendar is to add, say, a uri "/calendar/{id}" or "/calendar/1" (etc)
property to OAuthPermission (representing a scope like "readCalendar") and the
OAuth filter will make sure no subresources beyond "/calendar/{id}" can be
accessed. Note, adding a "*" at the end of a given URI property,
for example, "/a*" will let the consumer to access "/a", "/a/b",
etc.</p><p>Solving the problem with preventing the update can be easily solved
by adding an httpVerb property to a given OAuthPermission.</p><p>One more
option is to rely on the role-based access control and have @RolesAllowed
allocated such that only users in roles like "consumer" or "enduser" can invoke
the getCalendar() method and let only those in the "enduser" role access
getPrivateCalendar() and updateCalendar(). OAuthPermission can help here too as
described in the section on using OAuth fiters.</p><h3
id="JAX-RSOAuth-Providingdifferentaccesspointstoendusersandconsumers">Providing
different access points to end users and consumers</h3><p>Rather than letting
both the end users and 3rd party consumers use the same URI such as
"http://myapp.com/service/calendars/{id}";, one may want to introduce two URIs,
one for end users and one for third-party consumers, for example,
"http://myapp.com/service/calendars/{id}"; - fo
r endusers, "http://myapp.com/partners/calendars/{id}"; - for the 3rd party
consumers and deploy 2 jaxrs endpoints, where one is protected by the security
filter checking the end users, and the one - by OAuth
filters.</p><p>Additionally the endpoint managing the 3rd party consumers will
deploy a resource which will offer a resticted URI space support. For example,
if the application will only allow 3rd party consumers to read calendars then
this resource will only have a method supporting @GET and
"/calendar/{id}".</p><h2 id="JAX-RSOAuth-SingleSignOn">Single Sign
On</h2><p>When dealing with authenticating the end users, having an SSO
solution in place is very handy. This is because the end user interacts with
both the third-party and its resource server web applications and is also
redirected from the consumer application to the resource server and back again.
OpenID or say a <a shape="rect"
href="http://cxf.apache.org/docs/saml-web-sso.html";>WebBrowser SSO profile</a>
can help.</p><
h1 id="JAX-RSOAuth-WhatIsNext">What Is Next</h1><p>Fine tuning the current
OAuth 1.0 will be continued and the feedback from the implementers will be
welcomed.</p></div>
+</div></div><p>Lets assume that the 3rd party consumer has been allowed to
read the public user Calendars at "/calendar/{id}" only, how to make sure that
the consumer won't try to:<br clear="none"> 1. update the calendar available at
the same path <br clear="none"> 2. read the private Calendars available at
"/calendar/{id}/private"</p><p>As noted above, Client, AccessToken (in its
Token superclass) and OAuthPermission all have an optional URIs property. Thus
one way to solve the problem with the private calendar is to add, say, a uri
"/calendar/{id}" or "/calendar/1" (etc) property to OAuthPermission
(representing a scope like "readCalendar") and the OAuth filter will make sure
no subresources beyond "/calendar/{id}" can be accessed. Note, adding a "*" at
the end of a given URI property, for example, "/a*" will let the consumer to
access "/a", "/a/b", etc.</p><p>Solving the problem with preventing the update
can be easily solved by adding an httpVerb property to a given OAuthPermiss
ion.</p><p>One more option is to rely on the role-based access control and
have @RolesAllowed allocated such that only users in roles like "consumer" or
"enduser" can invoke the getCalendar() method and let only those in the
"enduser" role access getPrivateCalendar() and updateCalendar().
OAuthPermission can help here too as described in the section on using OAuth
fiters.</p><h3
id="JAX-RSOAuth-Providingdifferentaccesspointstoendusersandconsumers">Providing
different access points to end users and consumers</h3><p>Rather than letting
both the end users and 3rd party consumers use the same URI such as
"http://myapp.com/service/calendars/{id}";, one may want to introduce two URIs,
one for end users and one for third-party consumers, for example,
"http://myapp.com/service/calendars/{id}"; - for endusers,
"http://myapp.com/partners/calendars/{id}"; - for the 3rd party consumers and
deploy 2 jaxrs endpoints, where one is protected by the security filter
checking the end users, and the one -
by OAuth filters.</p><p>Additionally the endpoint managing the 3rd party
consumers will deploy a resource which will offer a resticted URI space
support. For example, if the application will only allow 3rd party consumers to
read calendars then this resource will only have a method supporting @GET and
"/calendar/{id}".</p><h2 id="JAX-RSOAuth-SingleSignOn">Single Sign
On</h2><p>When dealing with authenticating the end users, having an SSO
solution in place is very handy. This is because the end user interacts with
both the third-party and its resource server web applications and is also
redirected from the consumer application to the resource server and back again.
OpenID or say a <a shape="rect"
href="http://cxf.apache.org/docs/saml-web-sso.html";>WebBrowser SSO profile</a>
can help.</p><h1 id="JAX-RSOAuth-WhatIsNext">What Is Next</h1><p>Fine tuning
the current OAuth 1.0 will be continued and the feedback from the implementers
will be welcomed.</p></div>
</div>
<!-- Content -->
</td>
