Hi Colm,

I need to use OAuth2 AccessToken for SOAP web Services security. With Sergey's 
help I am able to pass the token as HTTP Header and validate the token on the 
server side successfully. The documentation also says that it can be passed as 
BinarySecurityToken. I never used BinarySecurityToken, all the documentation 
leads me to X509 tokens, with sign and encrypt. The token is not an X509 cert, 
and it is not in keystore/truststore. Can you please help me how I can pass 
OAuth2 access token as BinarySecurityToken.

Thanks,
Venkat


-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]] 
Sent: Thursday, May 08, 2014 4:32 PM
To: NALLA, VENKAT
Cc: [email protected]
Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints

Hi

I don't have any specific experience with setting binary tokens. CXF 
email is not being delivered right now - Colm may have already replied.
Check CXF sources/tests - there should be some examples,

Cheers, Sergey

On 08/05/14 19:54, NALLA, VENKAT wrote:
> Hi Sergey,
>
> I never used BinarySecurityToken. How do I populate the OAuth2 token as 
> Binary Security Token, without any signing and encryption?
>
> Thanks,
> Venkat
>
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Thursday, May 08, 2014 11:04 AM
> To: NALLA, VENKAT
> Cc: [email protected]
> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>
> Hi
> On 08/05/14 14:38, NALLA, VENKAT wrote:
>> AccessTokenService returns the following:
>>        
>> {"access_token":"cca251f4e242eb106490ee326891e1c5","token_type":"bearer","expires_in":3600}
>>
> Sure, "bearer" is a token type. Clients wishing to use such tokens need
> to use a "Bearer" authorization scheme - which is not case sensitive
> AFAIK (same way as we expect Authorization: Basic as opposed to
> Authorization: basic)
>
> Thanks, Sergey
>> Thanks,
>> Venkat
>>
>>
>> -----Original Message-----
>> From: Sergey Beryozkin [mailto:[email protected]]
>> Sent: Wednesday, May 07, 2014 5:34 PM
>> To: NALLA, VENKAT
>> Cc: [email protected]
>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>
>> Hi
>>
>> On 07/05/14 17:52, NALLA, VENKAT wrote:
>>> Hi Sergey,
>>>
>>> AccessTokenService returns the token_type as "bearer", Validator Service 
>>> expecting "Bearer". It should ignore the case while comparing right?
>>
>> Validator Service checks the authorization scheme as specified in HTTP
>> Authorization header which must be "Bearer", it does it by default as
>> far as I recall.
>> Where exactly in the code do you see the issues with the
>> case-insensitive comparison ?
>>
>>> I am using client credentials grant type; AccessTokenService does not 
>>> include the refresh_token. Do I need to do any special configuration?
>>>
>> Your data provider can set a refresh token on ServerAccessToken it returns
>>
>> HTH, Sergey
>>> Thanks,
>>> Venkat
>>>
>>>
>>> -----Original Message-----
>>> From: NALLA, VENKAT
>>> Sent: Wednesday, May 07, 2014 12:09 PM
>>> To: Sergey Beryozkin
>>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
>>>
>>> Thanks a lot. I am able to get the header now.
>>>
>>> Can you please point me to an example how I can populate BinarySecurityToken on 
>>> client side, and access it on the server side.
>>>
>>> Thanks,
>>> Venkat
>>>
>>>
>>> -----Original Message-----
>>> From: Sergey Beryozkin [mailto:[email protected]]
>>> Sent: Wednesday, May 07, 2014 11:42 AM
>>> To: NALLA, VENKAT
>>> Cc: [email protected]
>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>>
>>> Hi
>>>
>>> OAuthRequestFilter in CXF 2.7.6 needs a bit more customization, the
>>> custom interceptor is expected to work on the trunk, but in 2.7.6
>>>
>>> you need to override its getMessageContext() method like this:
>>>
>>> return new
>>> org.apache.cxf.jaxrs.ext.MessageContextImpl(PhaseInterceptorChain.getCurrentMessage());
>>>
>>> HTH, Sergey
>>>
>>> On 07/05/14 16:06, NALLA, VENKAT wrote:
>>>> Hi Sergey,
>>>>
>>>> I am using CXF 2.7.6. OAuthRequestFilter is different from 
>>>> documentation, it might have been updated for 3.0.0 or later point releases of 
>>>> 2.7 and there is OAuthRequestInterceptor.
>>>>
>>>> I am using the following OAuthRequestInterceptor:
>>>>
>>>> import java.util.Collection;
>>>> import java.util.Collections;
>>>> import java.util.Set;
>>>>
>>>> import org.apache.cxf.interceptor.Fault;
>>>> import org.apache.cxf.message.Message;
>>>> import org.apache.cxf.phase.Phase;
>>>> import org.apache.cxf.phase.PhaseInterceptor;
>>>> import org.apache.cxf.rs.security.oauth2.filters.*;
>>>>
>>>> public class OAuthRequestInterceptor extends OAuthRequestFilter
>>>>         implements PhaseInterceptor<Message> {
>>>>
>>>>     public void handleMessage(Message message) throws Fault {
>>>>         //super.validateRequest(message);
>>>>         super.handleRequest(message, null);
>>>>     }
>>>>
>>>>     public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
>>>>         return null;
>>>>     }
>>>>
>>>>     public Set<String> getAfter() {
>>>>         return Collections.emptySet();
>>>>     }
>>>>
>>>>     public Set<String> getBefore() {
>>>>         return Collections.emptySet();
>>>>     }
>>>>
>>>>     public String getId() {
>>>>         return getClass().getName();
>>>>     }
>>>>
>>>>     public String getPhase() {
>>>>         return Phase.PRE_INVOKE;
>>>>     }
>>>>
>>>>     public void handleFault(Message message) {
>>>>     }
>>>>
>>>> }
>>>>
>>>> The server is unable to get the HTTP Header. Here is the incoming message 
>>>> and the exception. Please help.
>>>>
>>>>          [java] Encoding: UTF-8
>>>>          [java] Http-Method: POST
>>>>          [java] Content-Type: text/xml; charset=UTF-8
>>>>          [java] Headers: {Accept=[*/*], Authorization=[Bearer 
>>>> 99fcfc643281ce8485127dbf2fba1b9], Cache-Control=[no-cache], 
>>>> connection=[keep-alive], Content-Length=[253], content-type=[text/xml; 
>>>> charset=UTF-8], Host=[localhost:5611], Pragma=[no-cache], SOAPAction=[""], 
>>>> User-Agent=[Apache CXF 2.7.6]}
>>>>          [java] Payload: <soap:Envelope 
>>>> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><TestTwoRequest
>>>>  xmlns="http://cssa.att.com/oauth2" 
>>>> xmlns:ns2="http://cio.att.com/commonheader/v3"><Input>Hello, 
>>>> TestTwo</Input></TestTwoRequest></soap:Body></soap:Envelope>
>>>>          [java] --------------------------------------
>>>>          [java] May 07, 2014 10:55:59 AM 
>>>> org.apache.cxf.phase.PhaseInterceptorChaindoDefaultLogging
>>>>          [java] WARNING: Interceptor for {...}TestTwo has thrown 
>>>> exception, unwinding now
>>>>          [java] java.lang.NullPointerException
>>>>          [java]     at 
>>>> org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.getAuthorizationParts(AuthorizationUtils.java:61)
>>>>          [java]     at 
>>>> org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:98)
>>>>          [java]     at 
>>>> org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.handleRequest(OAuthRequestFilter.java:61)
>>>>          [java]     at 
>>>> com.att.cssa.oauth2test.server.OAuthRequestInterceptor.handleMessage(OAuthRequestInterceptor.java:16)
>>>>          [java]     at 
>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>>>>          [java]     at 
>>>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>>>
>>>> Thanks,
>>>> Venkat
>>>>
>>>> -----Original Message-----
>>>> From: NALLA, VENKAT
>>>> Sent: Wednesday, May 07, 2014 9:05 AM
>>>> To: 'Sergey Beryozkin'
>>>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
>>>>
>>>> Hi Sergey,
>>>>
>>>> Sorry to bother you again.
>>>> Could you please point me to the documentation (or simple example) on how 
>>>> to configure BinarySecurityToken for both client and server? I do not need 
>>>> to encrypt the message and I do not need to use HTTPS either.
>>>>
>>>> Thanks a lot for help,
>>>> Venkat
>>>>
>>>> -----Original Message-----
>>>> From: Sergey Beryozkin [mailto:[email protected]]
>>>> Sent: Tuesday, May 06, 2014 5:29 PM
>>>> To: NALLA, VENKAT
>>>> Cc: [email protected]
>>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>>>
>>>> Hi Venkat
>>>>
>>>> These are all very good questions so I'm CC-ing to CXF users
>>>>
>>>>
>>>> On 06/05/14 21:34, NALLA, VENKAT wrote:
>>>>> Hi Sergey,
>>>>>
>>>>> I was able to add the OAuth2 token as an HTTP Header. I have to use 
>>>>> AccessTokenValidatorService which is not in the same process of resource 
>>>>> service, the OAuth2 server with AccessTokenService, and 
>>>>> AccessTokenValidatorService is a separate instance. Do I need to 
>>>>> customize OAuthRequestFilter, and OAuthRequestInterceptor to work in this 
>>>>> case?
>>>> org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient is
>>>> an out of the box HTTP-aware AccessTokenValidator, so you can start from
>>>> it, register it with the request filter/interceptor
>>>>> If I use BinarySecurityToken, is it possible to provide a validator which 
>>>>> works with WS-Security context either using WSS4J or WS-SecurityPolicy?
>>>>>
>>>> Yes, see the source of the OAuthRequestInterceptor - you can extend it
>>>> and do a simple override and utilize a binary token or indeed some other
>>>> token
>>>>> How is UserSubject (login, roles) related to OAuth2? My understanding 
>>>>> is that it has only client_id, client_secret, scope,  App Name. Do I need 
>>>>> some kind of mapping to security context?
>>>>>
>>>> UserSubject represents either an authenticated end user/resource owner,
>>>> example, the one which authorized a 3rd party web app. It also
>>>> represents a Client (example, when a client is registered it is
>>>> allocated a client id).
>>>>
>>>> Let me know please if you have more questions
>>>>
>>>> Thanks, Sergey
>>>>> Thanks,
>>>>> Venkat
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Sergey Beryozkin [mailto:[email protected]]
>>>>> Sent: Tuesday, April 29, 2014 11:21 AM
>>>>> To: NALLA, VENKAT
>>>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>>>>
>>>>> Hi, I forwarded the answer to the users list given that it will be of
>>>>> interest to others too
>>>>>
>>>>> Cheers, Sergey
>>>>>
>>>>> On 29/04/14 15:25, NALLA, VENKAT wrote:
>>>>>> Hi Sergey,
>>>>>>
>>>>>>                       I was looking at your blogspot and came across "Use
>>>>>> OAuth2 tokens to protect CXF SOAP endpoints".  I would like to try and
>>>>>> understand how it works. Could you please send me the link to the
>>>>>> example code? Does it work in CXF 2.7.6 or do I need 3.0 milestone
>>>>>> release to try the example code? BTW what is the expected release date
>>>>>> for 3.0?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Venkat
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
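
Added example, not part of the thread and not CXF or WSS4J code: the unsigned, unencrypted BinarySecurityToken carriage asked about above, shown with plain JDK DOM APIs (Java 8+) so both the client-side header and the server-side extraction are visible. The class name and the ValueType URI are assumptions made for illustration; the namespace and Base64 EncodingType URIs are the WS-Security 1.0 ones.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class OAuthBinaryTokenExample {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String BASE64 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // Assumption: placeholder ValueType URI; client and server must agree on the real one.
    static final String VALUE_TYPE = "urn:example:oauth2:access-token";

    // Client side: place the access token in soap:Header/wsse:Security/wsse:BinarySecurityToken.
    static Document buildEnvelope(String accessToken) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(SOAP, "soap:Envelope");
        Element bst = doc.createElementNS(WSSE, "wsse:BinarySecurityToken");
        bst.setAttribute("ValueType", VALUE_TYPE);
        bst.setAttribute("EncodingType", BASE64);
        // Base64 is an encoding, not protection: the value is still a bearer secret on the wire.
        bst.setTextContent(Base64.getEncoder()
            .encodeToString(accessToken.getBytes(StandardCharsets.UTF_8)));
        doc.appendChild(env)
           .appendChild(doc.createElementNS(SOAP, "soap:Header"))
           .appendChild(doc.createElementNS(WSSE, "wsse:Security"))
           .appendChild(bst);
        env.appendChild(doc.createElementNS(SOAP, "soap:Body"));
        return doc;
    }

    // Server side: accept exactly one token of the agreed type, otherwise fail closed.
    static String extractToken(Document doc) {
        NodeList list = doc.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        if (list.getLength() != 1) throw new SecurityException("expected one BinarySecurityToken");
        Element bst = (Element) list.item(0);
        if (!VALUE_TYPE.equals(bst.getAttribute("ValueType"))
                || !BASE64.equals(bst.getAttribute("EncodingType")))
            throw new SecurityException("unexpected token or encoding type");
        byte[] raw = Base64.getDecoder().decode(bst.getTextContent().trim()); // throws on bad input
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Sample input: the access_token value quoted in the thread's AccessTokenService response.
        String token = extractToken(buildEnvelope("cca251f4e242eb106490ee326891e1c5"));
        System.out.println(token); // pass this to the same validator used for the HTTP header case
    }
}
```

The extracted string is only the raw token; it still has to go through the same access token validation as a token received in the Authorization header.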
