AccessTokenService returns the following:
{"access_token":"cca251f4e242eb106490ee326891e1c5","token_type":"bearer","expires_in":3600}
Thanks,
Venkat
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Wednesday, May 07, 2014 5:34 PM
To: NALLA, VENKAT
Cc: [email protected]
Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
Hi
On 07/05/14 17:52, NALLA, VENKAT wrote:
> Hi Sergey,
>
> AccessTokenService returns the token_type as "bearer", Validator Service
> is expecting "Bearer". It should ignore the case while comparing, right?
Validator Service checks the authorization scheme as specified in HTTP
Authorization header which must be "Bearer", it does it by default as
far as I recall.
Where exactly in the code do you see the issues with the
case-insensitive comparison?
> I am using client credentials grant type; AccessTokenService does not include
> the refresh_token. Do I need to do any special configuration?
>
Your data provider can set a refresh token on the ServerAccessToken it returns.
HTH, Sergey
> Thanks,
> Venkat
>
>
> -----Original Message-----
> From: NALLA, VENKAT
> Sent: Wednesday, May 07, 2014 12:09 PM
> To: Sergey Beryozkin
> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
>
> Thanks a lot. I am able to get the header now.
>
> Can you please point me to an example of how I can populate BinarySecurityToken on
> the client side, and access it on the server side?
>
> Thanks,
> Venkat
>
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Wednesday, May 07, 2014 11:42 AM
> To: NALLA, VENKAT
> Cc: [email protected]
> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>
> Hi
>
> OAuthRequestFilter in CXF 2.7.6 needs a bit more customization, the
> custom interceptor is expected to work on the trunk, but in 2.7.6
> you need to override its getMessageContext() method like this:
>
> return new org.apache.cxf.jaxrs.ext.MessageContextImpl(PhaseInterceptorChain.getCurrentMessage());
>
> HTH, Sergey
>
> On 07/05/14 16:06, NALLA, VENKAT wrote:
>> Hi Sergey,
>>
>> I am using CXF 2.7.6. OAuthRequestFilter is different from the documentation; it
>> might have been updated for 3.0.0 or later point releases of 2.7 and there is
>> OAuthRequestInterceptor.
>>
>> I am using the following OAuthRequestInterceptor:
>>
>> import java.util.Collection;
>> import java.util.Collections;
>> import java.util.Set;
>>
>> import org.apache.cxf.interceptor.Fault;
>> import org.apache.cxf.message.Message;
>> import org.apache.cxf.phase.Phase;
>> import org.apache.cxf.phase.PhaseInterceptor;
>> import org.apache.cxf.rs.security.oauth2.filters.*;
>>
>> public class OAuthRequestInterceptor extends OAuthRequestFilter
>>         implements PhaseInterceptor<Message> {
>>
>>     public void handleMessage(Message message) throws Fault {
>>         //super.validateRequest(message);
>>         super.handleRequest(message, null);
>>     }
>>
>>     public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
>>         return null;
>>     }
>>
>>     public Set<String> getAfter() {
>>         return Collections.emptySet();
>>     }
>>
>>     public Set<String> getBefore() {
>>         return Collections.emptySet();
>>     }
>>
>>     public String getId() {
>>         return getClass().getName();
>>     }
>>
>>     public String getPhase() {
>>         return Phase.PRE_INVOKE;
>>     }
>>
>>     public void handleFault(Message message) {
>>     }
>>
>> }
>>
>> The server is unable to get the HTTP Header. Here is the incoming message
>> and the exception. Please help.
>>
>> [java] Encoding: UTF-8
>> [java] Http-Method: POST
>> [java] Content-Type: text/xml; charset=UTF-8
>> [java] Headers: {Accept=[*/*], Authorization=[Bearer
>> 99fcfc643281ce8485127dbf2fba1b9], Cache-Control=[no-cache],
>> connection=[keep-alive], Content-Length=[253], content-type=[text/xml;
>> charset=UTF-8], Host=[localhost:5611], Pragma=[no-cache], SOAPAction=[""],
>> User-Agent=[Apache CXF 2.7.6]}
>> [java] Payload: <soap:Envelope
>> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><TestTwoRequest
>> xmlns="http://cssa.att.com/oauth2"
>> xmlns:ns2="http://cio.att.com/commonheader/v3"><Input>Hello,
>> TestTwo</Input></TestTwoRequest></soap:Body></soap:Envelope>
>> [java] --------------------------------------
>> [java] May 07, 2014 10:55:59 AM
>> org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
>> [java] WARNING: Interceptor for {...}TestTwo has thrown exception,
>> unwinding now
>> [java] java.lang.NullPointerException
>> [java] at
>> org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.getAuthorizationParts(AuthorizationUtils.java:61)
>> [java] at
>> org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:98)
>> [java] at
>> org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.handleRequest(OAuthRequestFilter.java:61)
>> [java] at
>> com.att.cssa.oauth2test.server.OAuthRequestInterceptor.handleMessage(OAuthRequestInterceptor.java:16)
>> [java] at
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>> [java] at
>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>
>> Thanks,
>> Venkat
>>
>> -----Original Message-----
>> From: NALLA, VENKAT
>> Sent: Wednesday, May 07, 2014 9:05 AM
>> To: 'Sergey Beryozkin'
>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
>>
>> Hi Sergey,
>>
>> Sorry to bother you again.
>> Could you please point me to the documentation (or simple example) on how to
>> configure BinarySecurityToken for both client and server? I do not need to
>> encrypt the message and I do not need to use HTTPS either.
>>
>> Thanks a lot for help,
>> Venkat
>>
>> -----Original Message-----
>> From: Sergey Beryozkin [mailto:[email protected]]
>> Sent: Tuesday, May 06, 2014 5:29 PM
>> To: NALLA, VENKAT
>> Cc: [email protected]
>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>
>> Hi Venkat
>>
>> These are all very good questions so I'm CC-ing to CXF users
>>
>>
>> On 06/05/14 21:34, NALLA, VENKAT wrote:
>>> Hi Sergey,
>>>
>>> I was able to add the OAuth2 token as an HTTP Header. I have to use
>>> AccessTokenValidatorService which is not in the same process as the resource
>>> service, the OAuth2 server with AccessTokenService, and
>>> AccessTokenValidatorService is a separate instance. Do I need to customize
>>> OAuthRequestFilter, and OAuthRequestInterceptor to work in this case?
>> org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient is
>> an out of the box HTTP-aware AccessTokenValidator, so you can start from
>> it, register it with the request filter/interceptor.
>>> If I use BinarySecurityToken, is it possible to provide a validator which
>>> works with WS-Security context either using WSS4J or WS-SecurityPolicy?
>>>
>> Yes, see the source of the OAuthRequestInterceptor - you can extend it
>> and do a simple override and utilize a binary token or indeed some other
>> token.
>>> How is UserSubject (login, roles) related to OAuth2? My understanding is
>>> that it has only client_id, client_secret, scope, App Name. Do I need some
>>> kind of mapping to security context?
>>>
>> UserSubject represents either an authenticated end user/resource owner,
>> for example, the one which authorized a 3rd party web app. It also
>> represents a Client (for example, when a client is registered it is
>> allocated a client id).
>>
>> Let me know please if you have more questions
>>
>> Thanks, Sergey
>>> Thanks,
>>> Venkat
>>>
>>>
>>> -----Original Message-----
>>> From: Sergey Beryozkin [mailto:[email protected]]
>>> Sent: Tuesday, April 29, 2014 11:21 AM
>>> To: NALLA, VENKAT
>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>>
>>> Hi, I forwarded the answer to the users list given that it will be of
>>> interest to others too
>>>
>>> Cheers, Sergey
>>>
>>> On 29/04/14 15:25, NALLA, VENKAT wrote:
>>>> Hi Sergey,
>>>>
>>>> I was looking at your blogspot and came across "Use
>>>> OAuth2 tokens to protect CXF SOAP endpoints". I would like to try and
>>>> understand how it works. Could you please send me the link to the
>>>> example code? Does it work in CXF 2.7.6 or do I need 3.0 milestone
>>>> release to try the example code? BTW what is the expected release date
>>>> for 3.0?
>>>>
>>>> Thanks,
>>>>
>>>> Venkat
>>>>
>>>
>>>
>>
>>
>
>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
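
The two checks discussed in this thread (the "bearer"/"Bearer" case question and the NullPointerException when the Authorization header is not visible to the filter), shown as an added example that is not part of the original messages and is not CXF's own code. It uses only the JDK; the class and method names are hypothetical, and the sample header values are constructed.

```java
import java.util.Locale;
import java.util.Optional;

/** Hypothetical helper for illustration; not an Apache CXF class. */
public final class BearerHeaderCheck {

    private static final String BEARER = "bearer";

    /**
     * Extracts the token from an HTTP Authorization header value.
     * A missing header, a different scheme or an empty token yields
     * Optional.empty() so the caller can reject the request cleanly
     * instead of failing with a NullPointerException.
     */
    public static Optional<String> extractBearerToken(String headerValue) {
        if (headerValue == null) {
            return Optional.empty(); // header absent or not propagated
        }
        // Split into "<scheme> <credentials>" on the first whitespace run.
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || parts[1].isEmpty()) {
            return Optional.empty();
        }
        // HTTP authentication scheme names are case-insensitive (RFC 7235).
        if (!BEARER.equals(parts[0].toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        return Optional.of(parts[1]);
    }

    /** The token_type value of a token response is case-insensitive (RFC 6749, section 5.1). */
    public static boolean isBearerTokenType(String tokenType) {
        return tokenType != null && BEARER.equals(tokenType.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the thread.
        System.out.println(isBearerTokenType("bearer"));
        System.out.println(extractBearerToken("Bearer sample-token-123"));
        System.out.println(extractBearerToken("bearer sample-token-123"));
        System.out.println(extractBearerToken("Basic c2FtcGxlOnNhbXBsZQ=="));
        System.out.println(extractBearerToken(null));
    }
}
```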