Re: Getting started with JOSE

2018-08-15 Thread Colm O hEigeartaigh
Hi Rabea,

What I'd suggest is to have a separate service for handling the initial
login and issuing a JWT. Then the services just need to be configured with
the JwtAuthenticationFilter, for example:

https://github.com/apache/cxf/blob/7d3cf5784f116f8882badde4f5cb4cb3fd5b03b2/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwt/authn-authz-server.xml#L43

One candidate you could use for the separate authentication service is to
re-use the CXF SecurityTokenService with a REST interface. For example see
this test:

https://github.com/apache/cxf/blob/7d3cf5784f116f8882badde4f5cb4cb3fd5b03b2/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/rest/STSRESTTest.java#L874

where the STS configuration is defined here:

https://github.com/apache/cxf/blob/7d3cf5784f116f8882badde4f5cb4cb3fd5b03b2/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/rest/cxf-rest-sts.xml

Colm.

On Fri, Aug 10, 2018 at 1:02 PM, Rabea Gransberger wrote:

> Hello,
>
> I've just started writing a CXF REST Client and had a look at JAX-RS JOSE
> for using JWT with JWS.
>
> Unfortunately I'm not sure how to use it after reading the documentation
> at: http://cxf.apache.org/docs/jax-rs-jose.html
>
> I need a login with user/password and authenticate against my own data
> store.
> After that I would like to use JWT for all subsequent requests to the
> other REST Services.
>
> I'm not sure which filters and providers I have to use and how they can be
> configured to be used only for all other Services excluding the login?
>
> My setup uses an Application implementation to register the services,
> providers etc.
>
> I tried extending JwtAuthenticationFilter and adding a NameBinding but this
> seems to be ignored and still be used for the login service.
>
> My idea is to let the LoginService implement JoseJwtProducer, check user
> and password and then issue a JwtToken in response to be used for further
> requests. This token should get checked in the AuthenticationFilter.
>
> Another question: How do I initialize the keys for JOSE in my case?
>
> My environment: CXF 3.1.16 running in Embedded Jetty in Equinox OSGi for
> testing.
>
> Any help is appreciated even if somebody can only answer one of my
> questions.
>
> Kind regards,
> Rabea
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
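
The split described in the reply above (one service that checks the password and issues the token, and a filter in front of every other service that verifies it), as an added sketch that is not part of the thread and is not CXF code. It is plain Python using an HS256-signed compact JWS; the key, user store, `/login` path and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key-0123456789abcdef"  # constructed; load from a secret store
OPEN_PATHS = {"/login"}       # hypothetical path: the only endpoint served without a token
USERS = {"alice": "s3cret"}   # constructed stand-in for the poster's own data store

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def login(user, password, now, ttl=300):
    """Authentication service: check the password, then issue a signed JWT."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{b64url(sign(header + '.' + claims))}"

def authenticate(path, authorization, now):
    """Filter in front of every other service: returns (status, subject)."""
    if path in OPEN_PATHS:
        return 200, None          # the login request cannot carry a token yet
    if not authorization or not authorization.startswith("Bearer "):
        return 401, None
    try:
        header, claims, sig = authorization[len("Bearer "):].split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return 401, None      # pin the algorithm; ignore what the token asks for
        if not hmac.compare_digest(sign(header + "." + claims), unb64url(sig)):
            return 401, None      # signature is checked before any claim is read
        body = json.loads(unb64url(claims))
        if not isinstance(body.get("exp"), int) or body["exp"] <= now:
            return 401, None      # expired, or no usable expiry claim
    except (ValueError, AttributeError):
        return 401, None          # malformed token: wrong part count, bad base64/JSON
    return 200, body.get("sub")

if __name__ == "__main__":
    token = login("alice", "s3cret", now=1000)
    print(authenticate("/orders", "Bearer " + token, now=1100))
```
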


Getting started with JOSE

2018-08-10 Thread Rabea Gransberger
Hello,
 
I've just started writing a CXF REST Client and had a look at JAX-RS JOSE for 
using JWT with JWS.
 
Unfortunately I'm not sure how to use it after reading the documentation at: 
http://cxf.apache.org/docs/jax-rs-jose.html
 
I need a login with user/password and authenticate against my own data store.
After that I would like to use JWT for all subsequent requests to the other 
REST Services.
 
I'm not sure which filters and providers I have to use and how they can be 
configured to be used only for all other Services excluding the login?
 
My setup uses an Application implementation to register the services, providers 
etc.
 
I tried extending JwtAuthenticationFilter and adding a NameBinding but this 
seems to be ignored and still be used for the login service.
 
My idea is to let the LoginService implement JoseJwtProducer, check user and 
password and then issue a JwtToken in response to be used for further requests. 
This token should get checked in the AuthenticationFilter.
 
Another question: How do I initialize the keys for JOSE in my case?
 
My environment: CXF 3.1.16 running in Embedded Jetty in Equinox OSGi for 
testing.
 
Any help is appreciated even if somebody can only answer one of my questions.
 
Kind regards,
Rabea