I added a test-case to show how this can be done:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/BinarySecurityTokenTest.java;hb=refs/heads/2.7.x-fixes

The client just adds the following interceptor:

 <jaxws:client
     name="{http://www.example.org/contract/DoubleIt}DoubleItBinarySecurityTokenPort"
     createdFromAPI="true">
         <jaxws:outInterceptors>
             <bean class="org.apache.cxf.ws.security.wss4j.BinarySecurityTokenInterceptor" />
         </jaxws:outInterceptors>
 </jaxws:client>

Where the BinarySecurityTokenInterceptor just takes a SecurityToken from
the message and adds it as a BinarySecurityToken:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java;hb=HEAD

You can likely re-use this or adapt it for your own needs.

Colm.


On Fri, May 9, 2014 at 2:15 PM, NALLA, VENKAT <[email protected]> wrote:

> Hi Colm,
>
> I need to use OAuth2 AccessToken for SOAP web Services security. With
> Sergey's help I am able to pass the token as HTTP Header and validate the
> token on the server side successfully. The documentation also says that it
> can be passed as BinarySecurityToken. I never used BinarySecurityToken, all
> the documentation leads me to X509 tokens, with sign and encrypt. The token
> is not a X509 cert, and it is not in keystore/truststore. Can you please
> help me how I can pass OAuth2 access token as BinarySecurityToken.
>
> Thanks,
> Venkat
>
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Thursday, May 08, 2014 4:32 PM
> To: NALLA, VENKAT
> Cc: [email protected]
> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>
> Hi
>
> I don't have any specific experience with setting binary tokens. CXF
> email is not being delivered right now - Colm may have already replied.
> Check CXF sources/tests - there should be some examples,
>
> Cheers, Sergey
>
> On 08/05/14 19:54, NALLA, VENKAT wrote:
> > Hi Sergey,
> >
> > I never used BinarySecurityToken. How do I populate the OAuth2 token as
> > Binary Security Token, without any signing and encryption?
> >
> > Thanks,
> > Venkat
> >
> >
> > -----Original Message-----
> > From: Sergey Beryozkin [mailto:[email protected]]
> > Sent: Thursday, May 08, 2014 11:04 AM
> > To: NALLA, VENKAT
> > Cc: [email protected]
> > Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
> >
> > Hi
> > On 08/05/14 14:38, NALLA, VENKAT wrote:
> >> AccessTokenService returns the following:
> >>
> >> {"access_token":"cca251f4e242eb106490ee326891e1c5","token_type":"bearer","expires_in":3600}
> >>
> > Sure, "bearer" is a token type. Client wishing to use such tokens need
> > to use a "Bearer" authorization scheme - which is not case sensitive
> > AFAIK (same way as we expect Authorization: Basic as opposed to
> > Authorization: basic)
> >
> > Thanks, Sergey
> >> Thanks,
> >> Venkat
> >>
> >>
> >> -----Original Message-----
> >> From: Sergey Beryozkin [mailto:[email protected]]
> >> Sent: Wednesday, May 07, 2014 5:34 PM
> >> To: NALLA, VENKAT
> >> Cc: [email protected]
> >> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
> >>
> >> Hi
> >>
> >> On 07/05/14 17:52, NALLA, VENKAT wrote:
> >>> Hi Sergey,
> >>>
> >>> AccessTokenService returns the token_type as "bearer", Validator
> >>> Service expecting "Bearer". It should ignore the case while comparing right?
> >>
> >> Validator Service checks the authorization scheme as specified in HTTP
> >> Authorization header which must be "Bearer", it does it by default as
> >> far as I recall.
> >> Where exactly in the code do you see the issues with the
> >> case-insensitive comparison ?
> >>
> >>> I am using client credentials grant type; AccessTokenService does not
> >>> include the refresh_token. Do I need to do any special configuration?
> >>>
> >> Your data provider can set a refresh token on ServerAccessToken it returns
> >>
> >> HTH, Sergey
> >>> Thanks,
> >>> Venkat
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: NALLA, VENKAT
> >>> Sent: Wednesday, May 07, 2014 12:09 PM
> >>> To: Sergey Beryozkin
> >>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
> >>>
> >>> Thanks a lot. I am able to get the header now.
> >>>
> >>> Can you please point me to an example how I can populate
> >>> BinarySecurityToken on client side, and access it on the server side.
> >>>
> >>> Thanks,
> >>> Venkat
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: Sergey Beryozkin [mailto:[email protected]]
> >>> Sent: Wednesday, May 07, 2014 11:42 AM
> >>> To: NALLA, VENKAT
> >>> Cc: [email protected]
> >>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
> >>>
> >>> Hi
> >>>
> >>> OAuthRequestFilter In CXF 2.7.6 needs a bit more customization, the
> >>> custom interceptor is expected to work on the trunk, but in 2.7.6
> >>>
> >>> you need to override its getMessageContext() method like this:
> >>>
> >>> return new org.apache.cxf.jaxrs.ext.MessageContextImpl(PhaseInterceptorChain.getCurrentMessage());
> >>>
> >>> HTH, Sergey
> >>>
> >>> On 07/05/14 16:06, NALLA, VENKAT wrote:
> >>>> Hi Sergey,
> >>>>
> >>>> I am using CXF 2.7.6. OAuthRequestFilter is different from the
> >>>> documentation, it might have been updated for 3.0.0 or later point
> >>>> releases of 2.7, and there is OAuthRequestInterceptor.
> >>>>
> >>>> I am using the following OAuthRequestInterceptor:
> >>>>
> >>>> import java.util.Collection;
> >>>> import java.util.Collections;
> >>>> import java.util.Set;
> >>>>
> >>>> import org.apache.cxf.interceptor.Fault;
> >>>> import org.apache.cxf.message.Message;
> >>>> import org.apache.cxf.phase.Phase;
> >>>> import org.apache.cxf.phase.PhaseInterceptor;
> >>>> import org.apache.cxf.rs.security.oauth2.filters.*;
> >>>>
> >>>> public class OAuthRequestInterceptor extends OAuthRequestFilter
> >>>>         implements PhaseInterceptor<Message> {
> >>>>
> >>>>     public void handleMessage(Message message) throws Fault {
> >>>>         //super.validateRequest(message);
> >>>>         super.handleRequest(message, null);
> >>>>     }
> >>>>
> >>>>     public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
> >>>>         return null;
> >>>>     }
> >>>>
> >>>>     public Set<String> getAfter() {
> >>>>         return Collections.emptySet();
> >>>>     }
> >>>>
> >>>>     public Set<String> getBefore() {
> >>>>         return Collections.emptySet();
> >>>>     }
> >>>>
> >>>>     public String getId() {
> >>>>         return getClass().getName();
> >>>>     }
> >>>>
> >>>>     public String getPhase() {
> >>>>         return Phase.PRE_INVOKE;
> >>>>     }
> >>>>
> >>>>     public void handleFault(Message message) {
> >>>>     }
> >>>> }
> >>>>
> >>>> The server is unable to get the HTTP Header. Here is the incoming
> message and the exception. Please help.
> >>>>
> >>>>          [java] Encoding: UTF-8
> >>>>          [java] Http-Method: POST
> >>>>          [java] Content-Type: text/xml; charset=UTF-8
> >>>>          [java] Headers: {Accept=[*/*], Authorization=[Bearer
> 99fcfc643281ce8485127dbf2fba1b9], Cache-Control=[no-cache],
> connection=[keep-alive], Content-Length=[253], content-type=[text/xml;
> charset=UTF-8], Host=[localhost:5611], Pragma=[no-cache], SOAPAction=[""],
> User-Agent=[Apache CXF 2.7.6]}
> >>>>          [java] Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><TestTwoRequest xmlns="http://cssa.att.com/oauth2" xmlns:ns2="http://cio.att.com/commonheader/v3"><Input>Hello, TestTwo</Input></TestTwoRequest></soap:Body></soap:Envelope>
> >>>>          [java] --------------------------------------
> >>>>          [java] May 07, 2014 10:55:59 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> >>>>          [java] WARNING: Interceptor for {...}TestTwo has thrown exception, unwinding now
> >>>>          [java] java.lang.NullPointerException
> >>>>          [java]     at org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.getAuthorizationParts(AuthorizationUtils.java:61)
> >>>>          [java]     at org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:98)
> >>>>          [java]     at org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.handleRequest(OAuthRequestFilter.java:61)
> >>>>          [java]     at com.att.cssa.oauth2test.server.OAuthRequestInterceptor.handleMessage(OAuthRequestInterceptor.java:16)
> >>>>          [java]     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> >>>>          [java]     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >>>>
> >>>> Thanks,
> >>>> Venkat
> >>>>
> >>>> -----Original Message-----
> >>>> From: NALLA, VENKAT
> >>>> Sent: Wednesday, May 07, 2014 9:05 AM
> >>>> To: 'Sergey Beryozkin'
> >>>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
> >>>>
> >>>> Hi Sergey,
> >>>>
> >>>> Sorry to bother you again.
> >>>> Could you please point me to the documentation (or simple example) on
> >>>> how to configure BinarySecurityToken for both client and server? I do not
> >>>> need to encrypt the message and I do not need to use HTTPS either.
> >>>>
> >>>> Thanks a lot for help,
> >>>> Venkat
> >>>>
> >>>> -----Original Message-----
> >>>> From: Sergey Beryozkin [mailto:[email protected]]
> >>>> Sent: Tuesday, May 06, 2014 5:29 PM
> >>>> To: NALLA, VENKAT
> >>>> Cc: [email protected]
> >>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
> >>>>
> >>>> Hi Venkat
> >>>>
> >>>> These are all very good questions so I'm CC-ing to CXF users
> >>>>
> >>>>
> >>>> On 06/05/14 21:34, NALLA, VENKAT wrote:
> >>>>> Hi Sergey,
> >>>>>
> >>>>> I was able to add the OAuth2 token as a HTTP Header. I have to use
> >>>>> AccessTokenValidatorService which is not in the same process of resource
> >>>>> service, the OAuth2 server with AccessTokenService, and
> >>>>> AccessTokenValidatorService is a separate instance. Do I need to customize
> >>>>> OAuthRequestFilter, and OAuthRequestInterceptor to work in this case?
> >>>> org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient is
> >>>> an out of the box HTTP-aware AccessTokenValidator, so you can start from
> >>>> it, register it with the request filter/interceptor
> >>>>> If I use BinarySecurityToken, is it possible to provide a validator
> >>>>> which works with WS-Security context either using WSS4J or
> >>>>> WS-SecurityPolicy?
> >>>>>
> >>>> Yes, see the source of the OAuthRequestInterceptor - you can extend it
> >>>> and do a simple override and utilize a binary token or indeed some other
> >>>> token
> >>>>> How is UserSubject (login, roles) related to OAuth2? My
> >>>>> understanding is that it has only client_id, client_secret, scope, App
> >>>>> Name. Do I need some kind of mapping to security context?
> >>>>>
> >>>> UserSubject represents either an authenticated end user/resource owner,
> >>>> example, the one which authorized a 3rd party web app. It also
> >>>> represents a Client (example, when a client is registered it is
> >>>> allocated a client id).
> >>>>
> >>>> Let me know please if you have more questions
> >>>>
> >>>> Thanks, Sergey
> >>>>> Thanks,
> >>>>> Venkat
> >>>>>
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: Sergey Beryozkin [mailto:[email protected]]
> >>>>> Sent: Tuesday, April 29, 2014 11:21 AM
> >>>>> To: NALLA, VENKAT
> >>>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
> >>>>>
> >>>>> Hi, I forwarded the answer to the users list given that it will be of
> >>>>> interest to others too
> >>>>>
> >>>>> Cheers, Sergey
> >>>>>
> >>>>> On 29/04/14 15:25, NALLA, VENKAT wrote:
> >>>>>> Hi Sergey,
> >>>>>>
> >>>>>> I was looking at your blogspot and came across "Use
> >>>>>> OAuth2 tokens to protect CXF SOAP endpoints".  I would like to try and
> >>>>>> understand how it works. Could you please send me the link to the
> >>>>>> example code? Does it work in CXF 2.7.6 or do I need 3.0 milestone
> >>>>>> release to try the example code? BTW what is the expected release date
> >>>>>> for 3.0?
> >>>>>>
> >>>>>> Thanks,
> >>>>>>
> >>>>>> Venkat
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>>
> >>
> >>
> >
>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>  <http://sberyozkin.blogspot.com>
>
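
For the BinarySecurityToken approach described at the top of this thread, the sketch below shows the wire format involved: an opaque OAuth2 access token Base64-encoded inside a wsse:BinarySecurityToken, and the checks a receiver makes before handing the value to token validation. It is an added example using only JDK classes, not CXF's BinarySecurityTokenInterceptor or code from the thread; the ValueType URI and the sample token are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class OAuthBinaryTokenDemo {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // Assumption: WS-Security defines no ValueType for OAuth2 tokens, so both sides agree on one.
    static final String VALUE_TYPE = "urn:example:oauth2:access-token";

    /** Sender: wrap the opaque access token in a wsse:Security header element. */
    static Element wrap(Document doc, String accessToken) {
        Element security = doc.createElementNS(WSSE, "wsse:Security");
        Element bst = doc.createElementNS(WSSE, "wsse:BinarySecurityToken");
        bst.setAttributeNS(null, "ValueType", VALUE_TYPE);
        bst.setAttributeNS(null, "EncodingType", BASE64);
        bst.setTextContent(Base64.getEncoder()
                .encodeToString(accessToken.getBytes(StandardCharsets.UTF_8)));
        security.appendChild(bst);
        return security;
    }

    /** Receiver: accept exactly one token of the agreed type, then decode it. */
    static String unwrap(Element security) {
        NodeList tokens = security.getElementsByTagNameNS(WSSE, "BinarySecurityToken");
        if (tokens.getLength() != 1) {
            throw new SecurityException("expected exactly one BinarySecurityToken");
        }
        Element bst = (Element) tokens.item(0);
        if (!VALUE_TYPE.equals(bst.getAttributeNS(null, "ValueType"))
                || !BASE64.equals(bst.getAttributeNS(null, "EncodingType"))) {
            throw new SecurityException("unexpected ValueType or EncodingType");
        }
        // Decoding proves nothing about the token; the result must still go
        // through the OAuth2 access token validator, as the header value does.
        byte[] raw = Base64.getDecoder().decode(bst.getTextContent().trim());
        return new String(raw, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        Document doc = factory.newDocumentBuilder().newDocument();
        Element header = wrap(doc, "constructed-sample-token"); // constructed value
        System.out.println(unwrap(header));
    }
}
```

Base64 here is an encoding, not protection: without signing, encryption or TLS the token travels as a readable bearer credential, exactly as it does in the HTTP Authorization header.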
