On 21/02/14 13:15, Sergey Beryozkin wrote:
Hi
On 20/01/14 11:46, Marcello Ribeiro wrote:
Hi Sergey,
So that is the new status:

1 - I've updated my pom to pull CXF 2.7.11-Snapshot and so
OAuthRequestInterceptor is now available.
2 - I added this interceptor to one of my endpoints.
3 - I called this endpoint as usual and now I get a Not Authorized
Exception which makes my client receive an HTTP 500 directly, which from
my first point of view is not acceptable, because I think my client
should get at least an HTTP 401, since he is trying to access the
endpoint directly with no token, and has not passed through the whole
OAuth2 flow.

Now I am dealing with:
1 - Trying to understand how to send 401 back to my client instead of 500;

This is a SOAP path so 500 is returned, you can register a custom out
fault interceptor and make sure it is 401.

2 - Going deep inside the docs I understood that I also need (of
course) to have my user authenticated, and the new fashion for this is using
WSS4JInInterceptor (using UsernameToken) which implements those new
specs. I got problems here and I already raised my hand in another post
to this list. I've been using JAAS for a long time and I have to confess
the earth has not stopped rotating all those past years. :)

Any comments on this "saga"?

I don't think using WS-Security UserName token is appropriate when the
client has OAuth2 tokens.

Let me clarify a bit more.

1. You need to obtain an OAuth2 token on the client side first: there are many ways, the easiest option, for POC at least, is to use the OAuth2 client credentials flow where basically you use the client name & password as a 'grant' - you post to the OAuth2 server, get back the token.

2. The JAX-WS client now uses WS-Security BinaryToken to pass the OAuth2 token along.

3. You configure WSS4JInInterceptor to handle the binary token.

4. Have the customized OAuth2 interceptor validate it, meaning you will have the custom interceptor extending the CXF OAuth2 interceptor and extracting the binary token from the CXF Message (put there by WSS4JInInterceptor).

Sergey



Cheers, Sergey



Regards,
Marcello Ribeiro



On 19/02/2014 14:05, Sergey Beryozkin wrote:
So, did you have any luck at all or have I confused you?
Basically, the OAuth2 server is there to get the tokens issued, which
is completely orthogonal to the process of clients invoking on the
JAX-RS or in this case, JAX-WS endpoints.

The client needs to get the token first, which can be done out of band,
depending on the flow; next you use it to invoke on the endpoint and at
this point of time the filter (or in your case interceptor) will
enforce that the token is valid by contacting the OAuth2 server if needed
or validate it locally by using the data provider directly.

HTH
Sergey

On 17/02/14 15:43, Sergey Beryozkin wrote:
Hi
On 17/02/14 12:43, Marcello Ribeiro wrote:
Good morning.

I've created OAuth2 services as described in
https://cxf.apache.org/docs/jax-rs-oauth2.html , to be my complete
OAuth2 infrastructure, giving tokens, authorization and the rest.
OK, but my point is how to make my JAX-WS services (my business WS
endpoints) be intercepted, protected and authorized by this brand
new OAuth2 infrastructure? What is the glue?

You have to register OAuthRequestInterceptor, not OAuthRequestFilter,
and it has to be 2.7.11-SNAPSHOT

I already put an interceptor for one of the endpoints as you can see
below, but I got no effect.

So you have added OAuthRequestInterceptor to your JAX-WS endpoint and
this interceptor does let the request which has no OAuth token attached
to it through?

Thanks, Sergey

Do I explain myself?
Thank you.

Best Regards,
Marcello Ribeiro


On 16/02/2014 18:12, Sergey Beryozkin wrote:
Hi
On 16/01/14 19:58, Marcello Ribeiro wrote:
Hi Sergey, thank you for helping and for the nice blog...

I am sorry to say it is still nebulous in my mind...
What I did was to add a new interceptor targeting my OauthFilter like
this:

My <jaxrs:server id="oauthServer" address="/oauth"> shares the same
web application which my webservices share. Should I create a different
web application for the OAuth2 infrastructure?

         <jaxws:inInterceptors>
             <ref bean="oauthFilter" />
         </jaxws:inInterceptors>

But it seems to produce no effect... Client's requests are not being
intercepted or no 403 responses are sent back...

How do you obtain an OAuth2 token, where is it coming from?

Cheers, Sergey

Would you have any git endpoint containing that POC?

Thank you

Regards,
Marcello Ribeiro



On 14/02/2014 11:54, Sergey Beryozkin wrote:
Hi, please see comments below

On 14/02/14 12:50, Marcello Ribeiro wrote:
Hi,
I have a couple of webservices done and working properly using CXF 2.7.8
in the already known fashion:


     <jaxws:endpoint xmlns:tns="http://blablabla.hello.com.br/"
         id="blablablawsservice"
         implementor="br.com.hello.BlaBlaBla"
         wsdlLocation="wsdl/blablablawsservice.wsdl"
         endpointName="tns:BlaBlaBlaPort"
         serviceName="tns:BlaBlaBlaServiceService"
         address="/BlaBlaBlaPort">
         <jaxws:features>
             <bean class="org.apache.cxf.feature.LoggingFeature" />
         </jaxws:features>
     </jaxws:endpoint>



Now, what I need is to protect these services/urls using JAX-RS: OAuth2
and I have followed the instructions in the CXF documentation:
https://cxf.apache.org/docs/jax-rs-oauth2.html
Based on this documentation, I have now:

1 - An Authorization Service;

     <bean id="authorizationService"
         class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
         <property name="dataProvider" ref="oauthProvider" />
     </bean>


2 - An Access Token Service;

     <bean id="oauthProvider"
         class="br.com.hello.utils.cxf.security.oauth.SocialRideDataProvider" />

     <bean id="accessTokenService"
         class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
         <property name="dataProvider" ref="oauthProvider" />
     </bean>

     <bean id="accessTokenValidateService"
         class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
         <property name="dataProvider" ref="oauthProvider" />
     </bean>

     <jaxrs:server id="oauthServer" address="/oauth">
         <jaxrs:serviceBeans>
             <ref bean="accessTokenService" />
             <ref bean="accessTokenValidateService" />
         </jaxrs:serviceBeans>
     </jaxrs:server>


3 - A Request Filter

     <bean id="oauthFilter"
         class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
         <property name="dataProvider" ref="oauthProvider" />
     </bean>

I'm assuming you have a WS client that would like to use an OAuth2
token to access the JAXWS endpoint, right?

Typically you'd have OAuth2 RS (your applications) and AS
(Authorization/Access token) not collocated, though for simple cases
it is good enough for a start;

So, unless you already use CXF OAuth2 services to actually issue the
OAuth2 tokens, just remove all of the above and then simply follow the
few steps I happened to blog about a few days ago - will update the docs
shortly:

http://sberyozkin.blogspot.ie/2014/02/use-oauth2-tokens-to-protect-cxf-soap.html

Basically, all you need to do is to add a simple custom WS
interceptor, you are right. If you have a remote OAuth2 AS then for a
start you can use a basic access token validator client (HTTP-based)
registered with your interceptor.

This interceptor will only work in CXF 2.7.11-SNAPSHOT

Let me know if you have more questions

Sergey





So my point is:
How do I protect my JAX-WS webservices using this JAX-RS: OAuth2 Request
Filter? What is the glue between them?
For example: I have a url
"http://localhost:8080/myProject/services/MyService?wsdl", how do I
make it under this OAuth protection structure?
Is that by interceptors, maybe?

Thank you.

Regards,
Marcello Ribeiro

--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
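
Added example, not part of the original thread and not CXF's own code: one way to write the custom out fault interceptor suggested above, so that a rejected token on the SOAP path is answered with 401 (or 403) instead of the default 500. The class name is hypothetical, and it assumes the OAuth interceptor's failure reaches the fault chain as a JAX-RS WebApplicationException carrying that status.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.ws.rs.WebApplicationException;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;

// Hypothetical class (added example). Register it on the protected endpoint
// inside <jaxws:outFaultInterceptors> ... </jaxws:outFaultInterceptors>.
public class AuthFaultStatusInterceptor extends AbstractSoapInterceptor {
    public AuthFaultStatusInterceptor() {
        super(Phase.PRE_STREAM); // runs before the HTTP status line is written
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        Integer status = authStatus(message.getContent(Exception.class));
        if (status == null) return; // any other fault keeps the SOAP default of 500
        message.put(Message.RESPONSE_CODE, status);
        if (status == 401) {
            // A 401 should tell the client which scheme to authenticate with.
            @SuppressWarnings("unchecked")
            Map<String, List<String>> headers =
                (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
            if (headers == null) {
                headers = new TreeMap<String, List<String>>(String.CASE_INSENSITIVE_ORDER);
                message.put(Message.PROTOCOL_HEADERS, headers);
            }
            headers.put("WWW-Authenticate", Collections.singletonList("Bearer"));
        }
    }

    // Assumption: the token check fails with a JAX-RS WebApplicationException
    // (401 or 403) somewhere in the fault's cause chain.
    static Integer authStatus(Throwable t) {
        for (; t != null; t = t.getCause()) {
            if (t instanceof WebApplicationException) {
                int code = ((WebApplicationException) t).getResponse().getStatus();
                if (code == 401 || code == 403) {
                    return code;
                }
            }
        }
        return null;
    }
}
```

The SOAP fault body is still returned; only the HTTP status and the challenge header change, so clients that key on the status code can tell "no or bad token" apart from a server error.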
