Hi Sergey,
I am using CXF 2.7.6. OAuthRequestFilter is different from documentation,it
might have updated for 3.0.0 or later point releases of 2.7 and there is
OAuthRequestInterceptor.
I am using the following OAuthRequestInterceptor:
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.phase.PhaseInterceptor;
import org.apache.cxf.rs.security.oauth2.filters.*;
public class OAuthRequestInterceptor extends OAuthRequestFilter implements
PhaseInterceptor<Message> {
public void handleMessage(Message message) throws Fault {
//super.validateRequest(message);
super.handleRequest(message, null);
}
public Collection<PhaseInterceptor<? extends Message>>
getAdditionalInterceptors() {
return null;
}
public Set<String> getAfter() {
return Collections.emptySet();
}
public Set<String> getBefore() {
return Collections.emptySet();
}
public String getId() {
return getClass().getName();
}
public String getPhase() {
return Phase.PRE_INVOKE;
}
public void handleFault(Message message) {
}
}
The server is unable to get the HTTP Header. Here is the incoming message and
the exception. Please help.
[java] Encoding: UTF-8
[java] Http-Method: POST
[java] Content-Type: text/xml; charset=UTF-8
[java] Headers: {Accept=[*/*], Authorization=[Bearer
99fcfc643281ce8485127dbf2fba1b9], Cache-Control=[no-cache], connection=[keep-alive],
Content-Length=[253], content-type=[text/xml; charset=UTF-8], Host=[localhost:5611],
Pragma=[no-cache], SOAPAction=[""], User-Agent=[Apache CXF 2.7.6]}
[java] Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><soap:Body><TestTwoRequest
xmlns="http://cssa.att.com/oauth2"; xmlns:ns2="http://cio.att.com/commonheader/v3";><Input>Hello,
TestTwo</Input></TestTwoRequest></soap:Body></soap:Envelope>
[java] --------------------------------------
[java] May 07, 2014 10:55:59 AM
org.apache.cxf.phase.PhaseInterceptorChaindoDefaultLogging
[java] WARNING: Interceptor for {...}TestTwo has thrown exception,
unwinding now
[java] java.lang.NullPointerException
[java] at
org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils.getAuthorizationParts(AuthorizationUtils.java:61)
[java] at
org.apache.cxf.rs.security.oauth2.services.AbstractAccessTokenValidator.getAccessTokenValidation(AbstractAccessTokenValidator.java:98)
[java] at
org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter.handleRequest(OAuthRequestFilter.java:61)
[java] at
com.att.cssa.oauth2test.server.OAuthRequestInterceptor.handleMessage(OAuthRequestInterceptor.java:16)
[java] at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
[java] at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
Thanks,
Venkat
-----Original Message-----
From: NALLA, VENKAT
Sent: Wednesday, May 07, 2014 9:05 AM
To: 'Sergey Beryozkin'
Subject: RE: FW: OAuth2 to protect CXF SOAP endpoints
Hi Sergey,
Sorry to bother you again.
Could you please point me to the documentation (or simple example) on how to
configure BinarySecurityToken for both client and server? I do not need to
encrypt the message and I do not need to use HTTPS either.
Thanks a lot for help,
Venkat
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Tuesday, May 06, 2014 5:29 PM
To: NALLA, VENKAT
Cc: [email protected]
Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
Hi Venkat
These are all very good questions so I'm CC-ing to CXF users
On 06/05/14 21:34, NALLA, VENKAT wrote:
Hi Sergey,
I was able to add the OAuth2 token as a HTTP Header. I have to use
AccessTokenValidatorService which in not in the same process of resource
service, the OAuth2 server with AccessTokenService, and
AccessTokenValidatorService is a separate instance. Do I need to customize
OAuthRequestFilter, and OAuthRequestInterceptor to work in this case?
org.apache.cxf.rs.security.oauth2.filters.AccessTokenValidatorClient is
an out of the box HTTP-aware AccessTokenValidator, so you can start from
it, register it with the request filter/interceptor
If I use BinarySecurityToken, is it possible to provide a validator which works
with WS-Security context either using WSS4J or WS-SecurityPolicy?
Yes, see the source of the OAuthRequestInterceptor - you can extend it
and so a simple override and utilize a binary token or indeed some other
token
How is UserSubject (login, roles) is related to OAuth2? My understanding is
that it has only client_id, client_secret, scope, App Name. Do I need some
kind of mapping to security context?
UserSubject represents either an authenticate end user/resource owner,
example, the one which authorized a 3rd party web app. It also
represents a Client (example, when a client is registered it is
allocated a client id).
Let me know please if you have more questions
Thanks, Sergey
Thanks,
Venkat
-----Original Message-----
From: Sergey Beryozkin [mailto:[email protected]]
Sent: Tuesday, April 29, 2014 11:21 AM
To: NALLA, VENKAT
Subject: Re: FW: OAuth2 to protect CXF SOAP endpoints
Hi, I forwarded the answer to the users list given that it will be of
interest to others too
Cheers, Sergey
On 29/04/14 15:25, NALLA, VENKAT wrote:
Hi Sergey,
I was looking at your blogspot and came across "Use
OAuth2 tokens to protect CXF SOAP endpoints". I would like try and
understand how it works. Could you please send me the link to the
example code? Does it work in CXF 2.7.6 or do I need 3.0 milestone
release to try the example code? BTW what is the expected release date
for 3.0?
Thanks,
Venkat
