To understand the CXF implementation of OAuth2 specification, I propose to
implement the case study described below.
Use case

Subject: The objective is to secure access to the RESTful resource
PayGateway described by the table below.

Operation          Path               HTTP verb   Permission (scope)
findAllAccounts    /account           GET         manage_accounts
findAccount        /account/find      GET         manage_accounts
createAccount      /account/create    POST        manage_accounts
modifyAccount      /account/modify    PUT         manage_accounts
deleteAccount      /account/delete    DELETE      manage_accounts
getAccountBalance  /account/balance   GET         view_balance
findAllCheckout    /checkout          GET         collect_payments
findCheckout       /checkout/find     GET         collect_payments
createCheckout     /checkout/create   POST        collect_payments
cancelCheckout     /checkout/cancel   POST        collect_payments
captureCheckout    /checkout/capture  POST        collect_payments
refundCheckout     /checkout/refund   POST        refund_payments

RESTful resource implementation class:
org.apache.cxf.rs.security.oauth2.services.PayGateway

OAuthDataProvider implementation:
org.apache.cxf.rs.security.oauth2.provider.JdbcOAuthDataProvider implements
org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider
My OAuth 2.0 server implementation proposal
<!-- OAuth2 server services, exposed as independent endpoints -->
<bean id="oauthProvider"
class="org.apache.cxf.rs.security.oauth2.provider.JdbcOAuthDataProvider"/>
<bean id="accessTokenService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<bean id="accessTokenValidateService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidateService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<bean id="authorizationService"
class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<jaxrs:server id="oauthServer" address="/oauth">
<jaxrs:serviceBeans>
<ref bean="accessTokenService"/>
<ref bean="accessTokenValidateService"/>
<ref bean="authorizationService"/>
</jaxrs:serviceBeans>
</jaxrs:server>

<!-- RESTful resource services: Spring configuration -->
<!-- Web client used by the resource server to call the token validation endpoint -->
<bean id="tvServiceClientFactory"
class="org.apache.cxf.jaxrs.client.JAXRSClientFactoryBean">
<property name="address"
value="http://localhost:${http.port}/services/oauth/validate"/>
<property name="headers">
<map>
<!-- a Spring map keeps only one value per key, so both media types go in a single Accept entry -->
<entry key="Accept" value="application/xml, application/json"/>
</map>
</property>
</bean>
<bean id="tvServiceClient"
factory-bean="tvServiceClientFactory"
factory-method="createWebClient"/>
<bean id="tokenValidator"
class="org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient">
<property name="tokenValidatorClient" ref="tvServiceClient"/>
</bean>
<!-- bean id must match the ref in jaxrs:providers below -->
<bean id="oauthFilter"
class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
<property name="tokenValidator" ref="tokenValidator"/>
</bean>
<bean id="payGateway"
class="org.apache.cxf.rs.security.oauth2.services.PayGateway"/>
<jaxrs:server id="payGatewayResource" address="/paygateway">
<jaxrs:serviceBeans>
<ref bean="payGateway"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="oauthFilter"/>
</jaxrs:providers>
</jaxrs:server>
What do you propose for managing permissions (scopes) flexibly?
Can you approve my proposal for the implementation of the following layers:
the OAuth2 services layer and the RESTful API resource layer?
Thank you in advance.
Regards,
Ghislain
--
View this message in context:
http://cxf.547215.n5.nabble.com/Using-Database-to-store-OAuth2-0-server-informations-tp5715521p5715690.html
Sent from the cxf-user mailing list archive at Nabble.com.
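One way to enforce the post's permission table per operation, added here as an example and not code from CXF or from the original thread: a table-driven policy keyed on HTTP verb and path, consulted by a JAX-RS request filter that runs after OAuthRequestFilter has validated the token. The ScopePolicy and ScopeFilter names are hypothetical. The example assumes a CXF release with JAX-RS 2.0 filters, and it assumes OAuthRequestFilter stores its OAuthContext as message content (the same place CXF's own OAuthContextUtils reads it from); verify both against the CXF version in use.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;

/**
 * Hypothetical table-driven scope policy for the PayGateway resource
 * (added example, not CXF code). One row per (verb, path) taken from the
 * permission table in the post; any operation not listed is denied.
 */
public final class ScopePolicy {
    private final Map<String, String> requiredScope = new HashMap<String, String>();

    /** Register one row of the permission table. */
    public ScopePolicy require(String verb, String path, String scope) {
        requiredScope.put(key(verb, path), scope);
        return this;
    }

    /** Scope the operation needs, or null when the operation is not in the table. */
    public String requiredScope(String verb, String path) {
        return requiredScope.get(key(verb, path));
    }

    /**
     * Default deny: allowed only when the operation is listed and the token
     * carries its scope, so a newly added resource method cannot be reached
     * until someone adds an explicit row for it.
     */
    public boolean isAllowed(String verb, String path, Set<String> grantedScopes) {
        String needed = requiredScope(verb, path);
        return needed != null && grantedScopes.contains(needed);
    }

    /** Normalise verb case and leading/trailing slashes so lookups are exact. */
    private static String key(String verb, String path) {
        String p = path.startsWith("/") ? path : "/" + path;
        if (p.length() > 1 && p.endsWith("/")) {
            p = p.substring(0, p.length() - 1);
        }
        return verb.toUpperCase(Locale.ROOT) + " " + p;
    }

    /** The post's table, loaded as a policy (could equally come from a database row set). */
    public static ScopePolicy payGateway() {
        return new ScopePolicy()
            .require("GET",    "/account",          "manage_accounts")
            .require("GET",    "/account/find",     "manage_accounts")
            .require("POST",   "/account/create",   "manage_accounts")
            .require("PUT",    "/account/modify",   "manage_accounts")
            .require("DELETE", "/account/delete",   "manage_accounts")
            .require("GET",    "/account/balance",  "view_balance")
            .require("GET",    "/checkout",         "collect_payments")
            .require("GET",    "/checkout/find",    "collect_payments")
            .require("POST",   "/checkout/create",  "collect_payments")
            .require("POST",   "/checkout/cancel",  "collect_payments")
            .require("POST",   "/checkout/capture", "collect_payments")
            .require("POST",   "/checkout/refund",  "refund_payments");
    }

    /** Hypothetical filter: registered as a jaxrs:provider after oauthFilter. */
    @Provider
    public static class ScopeFilter implements ContainerRequestFilter {
        private final ScopePolicy policy = payGateway();

        @Context
        private MessageContext mc;

        @Override
        public void filter(ContainerRequestContext request) {
            // ASSUMPTION: OAuthRequestFilter already validated the bearer token and
            // stored the resulting OAuthContext as message content.
            OAuthContext oauth = mc.getContent(OAuthContext.class);
            Set<String> granted = new HashSet<String>();
            if (oauth != null) {
                for (OAuthPermission p : oauth.getPermissions()) {
                    granted.add(p.getPermission());
                }
            }
            // UriInfo.getPath() is relative to the /paygateway base address, e.g. "account/find".
            String path = request.getUriInfo().getPath();
            if (!policy.isAllowed(request.getMethod(), path, granted)) {
                request.abortWith(Response.status(Response.Status.FORBIDDEN).build());
            }
        }
    }
}
```

Keeping the table outside the resource class is what gives the flexibility asked for: the rows can be loaded from the same database that JdbcOAuthDataProvider uses, and changing which scope guards /checkout/refund is then a data change rather than a code change. The filter must be listed after oauthFilter in jaxrs:providers so that the token has been validated before the scope check runs; with no valid token the granted set is empty and every operation is refused.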