Hi
On 20/01/14 11:46, Marcello Ribeiro wrote:
Hi Sergey,
So that is the new status:
1 - I´ve updated my pom to pull CXF 2.7.11-Snapshot and so
OAuthRequestInterceptor is now available.
2 - A added this interceptor to one of my endpoint.
3 - I called this enpoint as usually and now i get a Not Authorized
Exception which makes my client to receive a http 500 directly, which in
my first point of view is not acceptable, because i think my client
should get at least a http 401, once he is trying to accessed the
endpoint directly with no token, and not having passed for all Oauth2 flow.
Now i am dealing with:
1 - Trying understand how to sent 401 back to my client instead of 500;
This is a SOAP path so 500 is returned, you can register a custom out
fault interceptor and make sure it is 401.
2 - Going deep inside the docs i understood that i do need also (of
course) to have my user authenticated and new fashion for this is using
WSS4JInInterceptor (using UsernameToken) which implements those new
Specs. I got problems here and i already raised my hand in another post
to this list. I´ve been using JAAS for a long time and i have to confess
the earth has not stopped rotating all those past years. :)
Any comments on this "saga"?
I don't think using WS-Security UserName token is appropriate when the
client has OAuth2 tokens.
Cheers, Sergey
Att,
Marcello Ribeiro
Em 19/02/2014 14:05, Sergey Beryozkin escreveu:
So, did you get any luck at all or I have confused you ?
Basically, the OAuth2 server is there to get the tokens issued, which
is completely orthogonal to the process of clients invoking on the
JAX-RS or in this case, JAX-WS endpoints.
The client need to get the token first, can be done out of band,
depends on the flow, next you use it to invoke on the endpoint and at
this point of time the filter (or in you case interceptor) will
enforce the token is valid by contacting the OAuth2 server if needed
or validate it locally by using the data provider directly
HTH
Sergey
On 17/02/14 15:43, Sergey Beryozkin wrote:
Hi
On 17/02/14 12:43, Marcello Ribeiro wrote:
Good morning.
I´ve created Oauth2 Services as described in
https://cxf.apache.org/docs/jax-rs-oauth2.html , to be my complete
Oauth2 infrastructure, given tokens, authorization and the stuffs .
OK, but my point is how to make my JAX-WS Services (My Business WS
endpoints) being intecepted, and protected and authorized for this
brand
new Oauth2 infrastructure? What is the glue.
You have to register OAuthRequestInterceptor. not OAuthRequestFilter,
and it has to be 2.7.11-SNAPSHOT
I already put an interceptor for one of the endpoints as you can see
bellow, but i got none effects.
So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
this interceptor does let the request which has no OAuth token attached
to it through ?
Thanks, Sergey
Do i explain myself?
Thank you.
Best Regards,
Marcello Ribeiro
Em 16/02/2014 18:12, Sergey Beryozkin escreveu:
Hi
On 16/01/14 19:58, Marcello Ribeiro wrote:
Hi Sergey, thank you for helping and for the nice blog...
I am sorry to say it is still nebulous in my mind...
What i did was to add a new interceptor targeting my OauthFilter like
this:
My <jaxrs:server id="oauthServer" address="/oauth"> shares the
same
web application which my webservices share. Should i create a
diferent
web application for the Oauth2 Infraestructure??
<jaxws:inInterceptors>
<ref bean="oauthFilter" />
</jaxws:inInterceptors>
But it seems to produce no effects... Client´s requests are not been
intercepted or no 403 response are sent back...
How do obtain an OAuth2 token, where is it coming from ?
Cheers, Sergey
Would you have any git endpoint containing that POC
Thank you
Att,
Marcello Ribeiro
Em 14/02/2014 11:54, Sergey Beryozkin escreveu:
Hi, please see comments below
On 14/02/14 12:50, Marcello Ribeiro wrote:
Hi,
I have a couple of Webservice done and working properly using CXF
2.7.8
in the already known fashion:
<jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/";
id="blablablawsservice"
implementor="br.com.hello.BlaBlaBla"
wsdlLocation="wsdl/blablablawsservice.wsdl"
endpointName="tns:BlaBlaBlaPort"
serviceName="tns:BlaBlaBlaServiceService"
address="/BlaBlaBlaPort">
<jaxws:features>
<bean class="org.apache.cxf.feature.LoggingFeature" />
</jaxws:features>
</jaxws:endpoint>
Now, what i need is to protect these services/urls using JAX-RS:
OAuth2
and i have followed the instruction in CXF documentation:
https://cxf.apache.org/docs/jax-rs-oauth2.html
Based on this documentation, i have now:
1 - An Authorization Service;
|
<bean id="authorizationService"
class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>|
|
|
2 - An Access Token Service;
<bean id="oauthProvider"
class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider"
/>
<bean id="accessTokenService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
<property name="dataProvider" ref="oauthProvider" />
</bean>
<bean id="accessTokenValidateService"
class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
<property name="dataProvider" ref="oauthProvider" />
</bean>
<jaxrs:server id="oauthServer" address="/oauth">
<jaxrs:serviceBeans>
<ref bean="accessTokenService" />
<ref bean="accessTokenValidateService" />
</jaxrs:serviceBeans>
</jaxrs:server>
3 - A Request Filter
<bean id="oauthFilter"
class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
<property name="dataProvider" ref="oauthProvider" />
</bean>
I'm assuming you have a WS client that would like to use an OAuth2
token to access the JAXWS endpoint, right ?
Typically you'd have OAuth2 RS (your applications) and AS
(Authorization/Access token) not collocated, though for simple cases
it is good enough for a start;
So, unless you already use CXF OAuth2 services to actually issue the
OAuth2 tokens, just remove all of the above and then simply
follow the
few steps I happened to blog about few days ago - will update the
docs
shortly:
http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html
Basically, all you need to do is to add a simple custom WS
interceptor, you are right. If you have a remote OAuth2 AS then
for a
start you can use a basic access token validator client (HTTP-based)
registered with your interceptor
This interceptor will only work in CXF 2.7.11-SNAPSHOT
Let me know if you have more questions
Sergey
So my point is:
How do i protect my JAX-WS webservices using this JAX-RS: OAuth2
Request
Filter? What is the glue between them?
For example: i have a url
"http://localhost:8080/myProject/services/MyService?wsdl"; how do it
make
it under this Oauth Protection Structure??
Is that by interceptors, maybe?
Thank you.
Att,
Marcello Ribeirop
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
