Hi Sergey,

I never used BinarySecurityToken. How do I populate the OAuth2 token as a Binary 
Security Token, without any signing and encryption?

Thanks,
Venkat


-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]] 
Sent: Thursday, May 08, 2014 11:04 AM
To: NALLA, VENKAT
Cc: [email protected]
Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints

Hi
On 08/05/14 14:38, NALLA, VENKAT wrote:
> AccessTokenService returns the following:
>       
> {"access_token":"cca251f4e242eb106490ee326891e1c5","token_type":"bearer","expires_in":3600}
>
Sure, "bearer" is a token type. Clients wishing to use such tokens need 
to use a "Bearer" authorization scheme - which is not case sensitive 
AFAIK (the same way as we expect Authorization: Basic as opposed to 
Authorization: basic)

Thanks, Sergey
> Thanks,
> Venkat
>
>
> -----Original Message-----
> From: Sergey Beryozkin [mailto:[email protected]]
> Sent: Wednesday, May 07, 2014 5:34 PM
> To: NALLA, VENKAT
> Cc: [email protected]
> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>
> Hi
>
> On 07/05/14 17:52, NALLA, VENKAT wrote:
>> Hi Sergey,
>>
>> AccessTokenService returns the token_type as "bearer", Validator Service 
>> is expecting "Bearer". It should ignore the case while comparing, right?
>
> Validator Service checks the authorization scheme as specified in HTTP
> Authorization header which must be "Bearer", it does it by default as
> far as I recall.
> Where exactly in the code do you see the issues with the
> case-insensitive comparison ?
>
>> I am using client credentials grant type; AccessTokenService does not 
>> include the refresh_token. Do I need to do any special configuration?
>>
> Your data provider can set a refresh token on the ServerAccessToken it returns
>
> HTH, Sergey
>> Thanks,
>> Venkat
>>
>>
>> -----Original Message-----
>> From: NALLA, VENKAT
>> Sent: Wednesday, May 07, 2014 12:09 PM
>> To: Sergey Beryozkin
>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
>>
>> Thanks a lot. I am able to get the header now.
>>
>> Can please point me to an example how I can populate BinarySecurityToken on 
>> client side, and access it on the server side.
>>
>> Thanks,
>> Venkat
>>
>>
>> -----Original Message-----
>> From: Sergey Beryozkin [mailto:[email protected]]
>> Sent: Wednesday, May 07, 2014 11:42 AM
>> To: NALLA, VENKAT
>> Cc: [email protected]
>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>
>> Hi
>>
>> OAuthRequestFilter in CXF 2.7.6 needs a bit more customization; the
>> custom interceptor is expected to work on the trunk, but in 2.7.6
>>
>> you need to override its getMessageContext() method like this:
>>
>> return new
>> org.apache.cxf.jaxrs.ext.MessageContextImpl(PhaseInterceptorChain.getCurrentMessage())
>>
>> HTH, Sergey
>>
>> On 07/05/14 16:06, NALLA, VENKAT wrote:
>>> Hi Sergey,
>>>
>>> I am using CXF 2.7.6. OAuthRequestFilter is different from the documentation; it 
>>> might have been updated for 3.0.0 or later point releases of 2.7, and there is 
>>> OAuthRequestInterceptor.
>>>
>>> I am using the following OAuthRequestInterceptor:
>>>
>>> import java.util.Collection;
>>> import java.util.Collections;
>>> import java.util.Set;
>>>
>>> import org.apache.cxf.interceptor.Fault;
>>> import org.apache.cxf.message.Message;
>>> import org.apache.cxf.phase.Phase;
>>> import org.apache.cxf.phase.PhaseInterceptor;
>>> import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
>>>
>>> // The JAX-RS OAuthRequestFilter adapted to the CXF phase-interceptor chain,
>>> // so that the same bearer-token check can run in front of a JAX-WS endpoint.
>>> public class OAuthRequestInterceptor extends OAuthRequestFilter
>>>         implements PhaseInterceptor<Message> {
>>>
>>>     public void handleMessage(Message message) throws Fault {
>>>         // delegate the Authorization header lookup and token validation
>>>         // to the filter; there is no ClassResourceInfo on a SOAP chain
>>>         //super.validateRequest(message);
>>>         super.handleRequest(message, null);
>>>     }
>>>
>>>     public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
>>>         return null;
>>>     }
>>>
>>>     public Set<String> getAfter() {
>>>         return Collections.emptySet();
>>>     }
>>>
>>>     public Set<String> getBefore() {
>>>         return Collections.emptySet();
>>>     }
>>>
>>>     public String getId() {
>>>         return getClass().getName();
>>>     }
>>>
>>>     public String getPhase() {
>>>         // run before the service method is invoked
>>>         return Phase.PRE_INVOKE;
>>>     }
>>>
>>>     public void handleFault(Message message) {
>>>     }
>>> }
>>>
>>> The server is unable to get the HTTP Header. Here is the incoming message 
>>> and the exception. Please help.
>>>
>>>         [java] Encoding: UTF-8
>>>         [java] Http-Method: POST
>>>         [java] Content-Type: text/xml; charset=UTF-8
>>>         [java] Headers: {Accept=[*/*], Authorization=[Bearer 
>>> 99fcfc643281ce8485127dbf2fba1b9], Cache-Control=[no-cache], 
>>> connection=[keep-alive], Content-Length=[253], content-type=[text/xml; 
>>> charset=UTF-8], Host=[localhost:5611], Pragma=[no-cache], SOAPAction=[""], 
>>> User-Agent=[Apache CXF 2.7.6]}
>>>         [java] Payload: <soap:Envelope 
>>> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><TestTwoRequest
>>>  xmlns="http://cssa.att.com/oauth2" 
>>> xmlns:ns2="http://cio.att.com/commonheader/v3"><Input>Hello, 
>>> TestTwo</Input></TestTwoRequest></soap:Body></soap:Envelope>
>>>         [java] --------------------------------------
>>>         [java] May 07, 2014 10:55:59 AM 
>>> org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
>>>         [java] WARNING: Interceptor for {...}TestTwo has thrown exception, 
>>> unwinding now
>>>         [java] java.lang.NullPointerException
>>>         [java]     at 
>>> org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.getAuthorizationParts(AuthorizationUtils.java:61)
>>>         [java]     at 
>>> org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:98)
>>>         [java]     at 
>>> org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.handleRequest(OAuthRequestFilter.java:61)
>>>         [java]     at 
>>> com.att.cssa.oauth2test.server.OAuthRequestInterceptor.handleMessage(OAuthRequestInterceptor.java:16)
>>>         [java]     at 
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>>>         [java]     at 
>>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>>>
>>> Thanks,
>>> Venkat
>>>
>>> -----Original Message-----
>>> From: NALLA, VENKAT
>>> Sent: Wednesday, May 07, 2014 9:05 AM
>>> To: 'Sergey Beryozkin'
>>> Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
>>>
>>> Hi Sergey,
>>>
>>> Sorry to bother you again.
>>> Could you please point me to the documentation (or simple example) on how 
>>> to configure BinarySecurityToken for both client and server? I do not need 
>>> to encrypt the message and I do not need to use HTTPS either.
>>>
>>> Thanks a lot for help,
>>> Venkat
>>>
>>> -----Original Message-----
>>> From: Sergey Beryozkin [mailto:[email protected]]
>>> Sent: Tuesday, May 06, 2014 5:29 PM
>>> To: NALLA, VENKAT
>>> Cc: [email protected]
>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>>
>>> Hi Venkat
>>>
>>> These are all very good questions so I'm CC-ing to CXF users
>>>
>>>
>>> On 06/05/14 21:34, NALLA, VENKAT wrote:
>>>> Hi Sergey,
>>>>
>>>> I was able to add the OAuth2 token as an HTTP Header. I have to use 
>>>> AccessTokenValidatorService, which is not in the same process as the resource 
>>>> service; the OAuth2 server with AccessTokenService and 
>>>> AccessTokenValidatorService is a separate instance. Do I need to customize 
>>>> OAuthRequestFilter and OAuthRequestInterceptor to work in this case?
>>> org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient is
>>> an out of the box HTTP-aware AccessTokenValidator, so you can start from
>>> it, register it with the request filter/interceptor
>>>> If I use BinarySecurityToken, is it possible to provide a validator which 
>>>> works with WS-Security context either using WSS4J or WS-SecurityPolicy?
>>>>
>>> Yes, see the source of the OAuthRequestInterceptor - you can extend it
>>> and do a simple override and utilize a binary token or indeed some other
>>> token
>>>> How is UserSubject (login, roles) related to OAuth2? My understanding 
>>>> is that it has only client_id, client_secret, scope, App Name. Do I need 
>>>> some kind of mapping to the security context?
>>>>
>>> UserSubject represents either an authenticated end user/resource owner,
>>> for example, the one which authorized a 3rd party web app. It also
>>> represents a Client (for example, when a client is registered it is
>>> allocated a client id).
>>>
>>> Let me know please if you have more questions
>>>
>>> Thanks, Sergey
>>>> Thanks,
>>>> Venkat
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Sergey Beryozkin [mailto:[email protected]]
>>>> Sent: Tuesday, April 29, 2014 11:21 AM
>>>> To: NALLA, VENKAT
>>>> Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
>>>>
>>>> Hi, I forwarded the answer to the users list given that it will be of
>>>> interest to others too
>>>>
>>>> Cheers, Sergey
>>>>
>>>> On 29/04/14 15:25, NALLA, VENKAT wrote:
>>>>> Hi Sergey,
>>>>>
>>>>> I was looking at your blogspot and came across "Use
>>>>> OAuth2 tokens to protect CXF SOAP endpoints". I would like to try and
>>>>> understand how it works. Could you please send me the link to the
>>>>> example code? Does it work in CXF 2.7.6 or do I need the 3.0 milestone
>>>>> release to try the example code? BTW, what is the expected release date
>>>>> for 3.0?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Venkat
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

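As an added example (not code from this thread, from Sergey's blog post, or from CXF itself), here is Venkat's interceptor with the two suggestions from the thread applied: the getMessageContext() override that avoids the NullPointerException in AuthorizationUtils.getAuthorizationParts on 2.7.6, and an AccessTokenValidatorClient so that a resource server which does not share a data provider with the OAuth2 server validates the bearer token against the remote AccessTokenValidatorService. The class and package names, the constructor argument, the mapping of a failed check to an HTTP 401 Fault, and the exact setter names (setTokenValidators, setTokenValidatorClient) are my assumptions about the 2.7.x API; check them against the CXF version you build with.

```java
package com.example.oauth2soap; // assumed package, not from the thread

import java.util.Collection;
import java.util.Collections;
import java.util.Set;

import javax.ws.rs.WebApplicationException;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.ext.MessageContextImpl;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation;
import org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient;
import org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenValidator;

/**
 * Bearer-token check in front of a JAX-WS endpoint on CXF 2.7.6.
 * Example code; names and setters are assumptions about the 2.7.x API.
 */
public class BearerTokenInterceptor extends OAuthRequestFilter
        implements PhaseInterceptor<Message> {

    /**
     * @param validatorServiceAddress assumed address of the remote
     *        AccessTokenValidatorService, e.g. "http://oauth-host/oauth2/validate"
     */
    public BearerTokenInterceptor(String validatorServiceAddress) {
        // The resource server has no local OAuthDataProvider, so delegate
        // validation over HTTP to the OAuth2 server (Sergey's suggestion).
        AccessTokenValidatorClient remote = new AccessTokenValidatorClient();
        remote.setTokenValidatorClient(WebClient.create(validatorServiceAddress));
        setTokenValidators(Collections.<AccessTokenValidator>singletonList(remote));
    }

    public void handleMessage(Message message) throws Fault {
        try {
            // Same work as the JAX-RS filter: read "Authorization: Bearer <token>",
            // validate it, and populate the security context on success.
            super.handleRequest(message, null);
        } catch (WebApplicationException ex) {
            // The filter signals a bad or missing token with a JAX-RS 401.
            // On a SOAP chain that would surface as a generic server fault,
            // so re-raise it as a Fault carrying the original status (assumed mapping).
            Fault fault = new Fault(ex);
            fault.setStatusCode(ex.getResponse().getStatus());
            throw fault;
        }
    }

    /**
     * The fix for the NullPointerException: on 2.7.6 no MessageContext is
     * injected into the filter when it runs as a phase interceptor, so build
     * one from the current message (as Sergey described).
     */
    @Override
    protected MessageContext getMessageContext() {
        return new MessageContextImpl(PhaseInterceptorChain.getCurrentMessage());
    }

    public Collection<PhaseInterceptor<? extends Message>> getAdditionalInterceptors() {
        return null;
    }

    public Set<String> getAfter() {
        return Collections.emptySet();
    }

    public Set<String> getBefore() {
        return Collections.emptySet();
    }

    public String getId() {
        return getClass().getName();
    }

    public String getPhase() {
        // Reject unauthenticated calls before the service method is invoked.
        return Phase.PRE_INVOKE;
    }

    public void handleFault(Message message) {
    }
}
```

Register it on the JAX-WS endpoint as an in-interceptor (for example via the endpoint's in-interceptor list in the Spring/Blueprint configuration or jaxws:inInterceptors). Because the remote validator sends every presented token to the OAuth2 server, the link between the two should itself be protected (HTTPS and, where the validator service requires it, client authentication); that is independent of whether the SOAP endpoint itself runs over HTTPS.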