Hi Sergey

One last question.

As I know, CXF supports JAX-WS and JAX-RS service creation. What I want is to run an OAuth2 authorization server which can be used to authorize clients developed using other technologies (the services requiring authorization are also independent APIs deployed somewhere else). Is it OK to use CXF as a production-grade OAuth2 authorization server?

Thanks
Nishanta

On Wed, Jul 17, 2013 at 8:52 PM, Sergey Beryozkin <[email protected]> wrote:

> Hi
>
> On 17/07/13 16:05, Nishantha Pradeep wrote:
>
>> Hi Sergey
>>
>> Using JWT is not mandatory for my work. But does CXF support using a
>> customized token type?
>
> Check
> http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-CustomandEncryptedtokens,
> I think this section needs to be expanded.
>
> So you need to extend
> http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
>
> and get your data provider to return your custom token instance when
> requested.
>
> You will then need to register AccessTokenValidator:
>
> http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenValidator.java
>
> with OAuthRequestFilter.
>
> If your resource server and authorization server are not collocated (most
> likely not) then register your custom validator with
> AccessTokenValidatorService, you can find some info here:
>
> http://cxf.apache.org/docs/jax-rs-oauth2.html#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters
>
>> In addition, can CXF be used as an independent OAuth2 authorization server?
>
> Do you mean can it be used to implement support for a flow like
> authorization code flow, and get the grants replaced for tokens? Yes,
> please check the wiki, it has a dedicated section about it
>
> Cheers, Sergey
>
>> Thanks
>> Nishantha
>>
>> On Wed, Jul 17, 2013 at 5:06 PM, Sergey Beryozkin <[email protected]> wrote:
>>
>>> Hi
>>>
>>> On 17/07/13 11:13, Nishantha Pradeep wrote:
>>>
>>>> Hi
>>>>
>>>> I would like to know whether CXF supports OAuth2 and whether it is
>>>> using JSON web tokens?
>>>
>>> See http://cxf.apache.org/docs/jax-rs-oauth2.html
>>>
>>> Re JWT - CXF does not offer any built-in support for JWT yet.
>>> What needs to be decided is whether we should reuse some of the 3rd party
>>> libraries for it or do a basic JWT support locally.
>>>
>>> Is using JWT important for your case?
>>> Sergey
>>>
>>>> Thanks
>>>> Nishantha
