Hi Sergey, thank you for helping and for the nice blog...
I am sorry to say it is still nebulous in my mind...
What i did was to add a new interceptor targeting my OauthFilter like this:
My <jaxrs:server id="oauthServer" address="/oauth"> shares the same
web application which my webservices share. Should i create a diferent
web application for the Oauth2 Infraestructure??
<jaxws:inInterceptors>
<ref bean="oauthFilter" />
</jaxws:inInterceptors>
But it seems to produce no effects... Client´s requests are not been
intercepted or no 403 response are sent back...
Would you have any git endpoint containing that POC
Thank you
Att,
Marcello Ribeiro
Em 14/02/2014 11:54, Sergey Beryozkin escreveu:
Hi, please see comments below
On 14/02/14 12:50, Marcello Ribeiro wrote:
Hi,
I have a couple of Webservice done and working properly using CXF 2.7.8
in the already known fashion:
<jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/";
id="blablablawsservice" implementor="br.com.hello.BlaBlaBla"
wsdlLocation="wsdl/blablablawsservice.wsdl"
endpointName="tns:BlaBlaBlaPort"
serviceName="tns:BlaBlaBlaServiceService"
address="/BlaBlaBlaPort">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
</jaxws:endpoint>
Now, what i need is to protect these services/urls using JAX-RS: OAuth2
and i have followed the instruction in CXF documentation:
https://cxf.apache.org/docs/jax-rs-oauth2.html
Based on this documentation, i have now:
1 - An Authorization Service;
|
<bean id="authorizationService"
class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>|
|
|
2 - An Access Token Service;
<bean id="oauthProvider"
class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />
<bean id="accessTokenService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
<property name="dataProvider" ref="oauthProvider" />
</bean>
<bean id="accessTokenValidateService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
<property name="dataProvider" ref="oauthProvider" />
</bean>
<jaxrs:server id="oauthServer" address="/oauth">
<jaxrs:serviceBeans>
<ref bean="accessTokenService" />
<ref bean="accessTokenValidateService" />
</jaxrs:serviceBeans>
</jaxrs:server>
3 - A Request Filter
<bean id="oauthFilter"
class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
<property name="dataProvider" ref="oauthProvider" />
</bean>
I'm assuming you have a WS client that would like to use an OAuth2
token to access the JAXWS endpoint, right ?
Typically you'd have OAuth2 RS (your applications) and AS
(Authorization/Access token) not collocated, though for simple cases
it is good enough for a start;
So, unless you already use CXF OAuth2 services to actually issue the
OAuth2 tokens, just remove all of the above and then simply follow the
few steps I happened to blog about few days ago - will update the docs
shortly:
http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
Basically, all you need to do is to add a simple custom WS
interceptor, you are right. If you have a remote OAuth2 AS then for a
start you can use a basic access token validator client (HTTP-based)
registered with your interceptor
This interceptor will only work in CXF 2.7.11-SNAPSHOT
Let me know if you have more questions
Sergey
So my point is:
How do i protect my JAX-WS webservices using this JAX-RS: OAuth2 Request
Filter? What is the glue between them?
For example: i have a url
"http://localhost:8080/myProject/services/MyService?wsdl"; how do it make
it under this Oauth Protection Structure??
Is that by interceptors, maybe?
Thank you.
Att,
Marcello Ribeirop
