So, did you get any luck at all or I have confused you ?
Basically, the OAuth2 server is there to get the tokens issued, which is
completely orthogonal to the process of clients invoking on the JAX-RS
or in this case, JAX-WS endpoints.
The client need to get the token first, can be done out of band, depends
on the flow, next you use it to invoke on the endpoint and at this point
of time the filter (or in you case interceptor) will enforce the token
is valid by contacting the OAuth2 server if needed or validate it
locally by using the data provider directly
HTH
Sergey
On 17/02/14 15:43, Sergey Beryozkin wrote:
Hi
On 17/02/14 12:43, Marcello Ribeiro wrote:
Good morning.
I´ve created Oauth2 Services as described in
https://cxf.apache.org/docs/jax-rs-oauth2.html , to be my complete
Oauth2 infrastructure, given tokens, authorization and the stuffs .
OK, but my point is how to make my JAX-WS Services (My Business WS
endpoints) being intecepted, and protected and authorized for this brand
new Oauth2 infrastructure? What is the glue.
You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
and it has to be 2.7.11-SNAPSHOT
I already put an interceptor for one of the endpoints as you can see
bellow, but i got none effects.
So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
this interceptor does let the request which has no OAuth token attached
to it through ?
Thanks, Sergey
Do i explain myself?
Thank you.
Best Regards,
Marcello Ribeiro
Em 16/02/2014 18:12, Sergey Beryozkin escreveu:
Hi
On 16/01/14 19:58, Marcello Ribeiro wrote:
Hi Sergey, thank you for helping and for the nice blog...
I am sorry to say it is still nebulous in my mind...
What i did was to add a new interceptor targeting my OauthFilter like
this:
My <jaxrs:server id="oauthServer" address="/oauth"> shares the same
web application which my webservices share. Should i create a diferent
web application for the Oauth2 Infraestructure??
<jaxws:inInterceptors>
<ref bean="oauthFilter" />
</jaxws:inInterceptors>
But it seems to produce no effects... Client´s requests are not been
intercepted or no 403 response are sent back...
How do obtain an OAuth2 token, where is it coming from ?
Cheers, Sergey
Would you have any git endpoint containing that POC
Thank you
Att,
Marcello Ribeiro
Em 14/02/2014 11:54, Sergey Beryozkin escreveu:
Hi, please see comments below
On 14/02/14 12:50, Marcello Ribeiro wrote:
Hi,
I have a couple of Webservice done and working properly using CXF
2.7.8
in the already known fashion:
<jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/";
id="blablablawsservice" implementor="br.com.hello.BlaBlaBla"
wsdlLocation="wsdl/blablablawsservice.wsdl"
endpointName="tns:BlaBlaBlaPort"
serviceName="tns:BlaBlaBlaServiceService"
address="/BlaBlaBlaPort">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
</jaxws:endpoint>
Now, what i need is to protect these services/urls using JAX-RS:
OAuth2
and i have followed the instruction in CXF documentation:
https://cxf.apache.org/docs/jax-rs-oauth2.html
Based on this documentation, i have now:
1 - An Authorization Service;
|
<bean id="authorizationService"
class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>|
|
|
2 - An Access Token Service;
<bean id="oauthProvider"
class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider"
/>
<bean id="accessTokenService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
<property name="dataProvider" ref="oauthProvider" />
</bean>
<bean id="accessTokenValidateService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
<property name="dataProvider" ref="oauthProvider" />
</bean>
<jaxrs:server id="oauthServer" address="/oauth">
<jaxrs:serviceBeans>
<ref bean="accessTokenService" />
<ref bean="accessTokenValidateService" />
</jaxrs:serviceBeans>
</jaxrs:server>
3 - A Request Filter
<bean id="oauthFilter"
class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
<property name="dataProvider" ref="oauthProvider" />
</bean>
I'm assuming you have a WS client that would like to use an OAuth2
token to access the JAXWS endpoint, right ?
Typically you'd have OAuth2 RS (your applications) and AS
(Authorization/Access token) not collocated, though for simple cases
it is good enough for a start;
So, unless you already use CXF OAuth2 services to actually issue the
OAuth2 tokens, just remove all of the above and then simply follow the
few steps I happened to blog about few days ago - will update the docs
shortly:
http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
Basically, all you need to do is to add a simple custom WS
interceptor, you are right. If you have a remote OAuth2 AS then for a
start you can use a basic access token validator client (HTTP-based)
registered with your interceptor
This interceptor will only work in CXF 2.7.11-SNAPSHOT
Let me know if you have more questions
Sergey
So my point is:
How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
Request
Filter? What is the glue between them?
For example: i have a url
"http://localhost:8080/myProject/services/MyService?wsdl"; how do it
make
it under this Oauth Protection Structure??
Is that by interceptors, maybe?
Thank you.
Att,
Marcello Ribeirop
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
