Hi Pedro and Dan, I've already opened the topic on open-sourcing the OAuth2 module we've implemented but I don't think it can be done sooner.
What we did was basically find an implementation of OAuth2 and integrate it with Apache Isis. There are some suggested in [1] but they are not well maintained. I have considered replacing Shiro with Spring Security but thought that it would take too much effort and time. In the end, we also had a hard time creating another JAX-RS application since resteasy, used by the RO viewer, unfortunately doesn't support multiple applications. We wanted the OAuth2 module to be a detachable module on top of RO while maintaining no modifications to RO code, and with no changes to the existing wicket viewer. Due to these requirements, we had decided to use Restlet with its oauth extension, and integrated it with Shiro, RO, and Apache Isis. This also allowed us to create endpoints outside of RO. At the moment, we need only the password grant flow, so the tokens are actually persisted but the client manager is in-memory.

Basically we did the following to integrate Restlet with RO and Apache Isis:

1. Implement org.restlet.ext.oauth.internal.Token as a domain object.
2. Implement org.restlet.ext.oauth.internal.TokenManager as a domain service.
3. Implement org.restlet.ext.oauth.internal.Client. We implemented this in-memory.
4. Set up the Restlet OAuth2 token endpoint using the implementations above. Note they must be running under the Isis context. We referred to the security addon for integration patterns, and used similar techniques, e.g. IsisContext to open a session, execute closures using the transaction manager, and close the session.
5. Create a transaction filter for this endpoint.

The above will implement token generation, verification, and revocation. For integration with Shiro:

6. Implement org.restlet.ext.oauth.internal.ResourceOwnerManager. This wraps the username and password given for the password grant flow in an AuthenticationRequestPassword, and passes it to the Apache Isis AuthenticationManager.
7. Create implementations of AuthenticationRequestToken (we extended AuthenticationRequestPassword) and AuthenticationToken. This shall support token authentication while still maintaining username/password authentication (used in wicket and RO basic auth; we still need to support both for prototyping and development).
8. Implement org.apache.isis.core.runtime.authentication.standard.Authenticator and org.apache.isis.core.runtime.authorization.standard.Authorizer. We extended ShiroAuthenticatorOrAuthorizor to support token authentication.
9. Extend IsisModuleSecurityRealm to support getting authentication info for OAuth2 tokens. We had our own additions here since we need to support some forms of decoupled authentication vetos from other modules, e.g. if the tenant of the ApplicationUser is disabled then disallow login, password lockout policies, etc.
10. Extend AuthorizationManagerStandardInstallerAbstract and create the new authorizer.
11. Create an AuthenticationSessionStrategy supporting token authentication to be used in RO. Here, we parse the token from the HTTP header, create an AuthenticationRequestToken, and pass it to the Apache Isis AuthenticationManager.

To use in your app:

12. In your AppManifest, return the installer class name created in #10 for getAuthenticationMechanism and getAuthorizationMechanism.
13. In shiro.ini, set securityManager.realms to the security realm in #9.
14. In web.xml, for the IsisSessionFilterForRestfulObjects, use the authentication session strategy created in #11 for the authenticationSessionStrategy init param. We also set whenNoSession to continue since we needed to provide different error messages on authentication failures, by letting AuthenticationException propagate up to the authentication session strategy and prettifying the messages through another filter.
15. In web.xml, set up the Restlet servlet and the transaction filter in #5.

I hope the above makes sense.
This was implemented a year ago and it's already a bit blurry to remember everything. I would advise observing and studying the authentication flow from the viewer to the authentication realms, as well as the security addon. This helps in determining integration or customization points to adhere to your project's requirements.

Best regards,
Willie

[1] https://issues.apache.org/jira/browse/SHIRO-119

On Tue, Jun 28, 2016 at 5:35 AM, Dan Haywood <[email protected]> wrote:
> Hi Pedro,
> Apache Isis doesn't ship with oauth out of the box, but I recall Willie
> mentioning in passing [1] that they had extended Isis in this direction.
>
> @Willie, would you be able to share any code around this?
>
> Thx
> Dan
>
> [1] http://markmail.org/message/ia76ut3mwuppdqow
>
> On 27 June 2016 at 15:18, Pedro Alba <[email protected]> wrote:
>
>> Hello Dan.
>>
>> Dan, I have a question. I need to implement OAuth authentication services
>> on the REST API exposing Apache Isis; how can I configure Apache Isis
>> OAuth authentication?
>>
>> Thanks.
>>
>> *Pedro Antonio Alba*
>> *Senior Development Analyst*
>> Tel: (57) 1 703 17 77
>> Cel: (57) 301 3379810
>> E-mail: [email protected]
>> Calle 93 # 19b - 66 Ofc 202
>> Bogotá D.C., Colombia
>> www.ticxar.com
>>
>> <http://www.facebook.com/pages/Ticxar/446503822192581>
>> <http://twitter.com/ticxar>
>> <http://www.linkedin.com/company/ticxar>
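As an added illustration of steps 7 and 11 above (example code written for this page, not Willie's module, which was not shared): a token-aware AuthenticationSessionStrategy for the RO viewer that extracts a bearer token from the Authorization header and hands it to the Isis AuthenticationManager, leaving expiry, revocation and veto checks to the realm. It assumes the Isis 1.x names AuthenticationSessionStrategyAbstract (with its getAuthenticationManager helper and servlet-based lookupValid/bind/invalidate signatures), an AuthenticationRequestPassword(name, password) constructor, AuthenticationManager.authenticate, and the header format "Authorization: Bearer <token>"; check each against the Isis version in use.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.isis.core.commons.authentication.AuthenticationSession;
import org.apache.isis.core.runtime.authentication.AuthenticationManager;
import org.apache.isis.core.runtime.authentication.AuthenticationRequestPassword;
import org.apache.isis.core.webapp.auth.AuthenticationSessionStrategyAbstract;

/** Step 7 (assumed base-class API): carries an OAuth2 access token. Extending the password
 *  request keeps the existing username/password path (Wicket, RO basic auth) unchanged. */
class AuthenticationRequestToken extends AuthenticationRequestPassword {
    private final String token;
    AuthenticationRequestToken(final String token) {
        super(null, null); // no credentials: the realm (step 9) resolves the user from the token
        this.token = token;
    }
    String getToken() { return token; }
}

/** Step 11: set as authenticationSessionStrategy on IsisSessionFilterForRestfulObjects (step 14).
 *  Assumed header format: "Authorization: Bearer <token>". */
public class AuthenticationSessionStrategyBearerToken extends AuthenticationSessionStrategyAbstract {
    private static final String BEARER = "bearer ";

    @Override
    public AuthenticationSession lookupValid(final HttpServletRequest req, final HttpServletResponse resp) {
        final String token = parseBearerToken(req.getHeader("Authorization"));
        if (token == null) {
            return null; // with whenNoSession=continue a later filter reports the missing token
        }
        // The realm looks the token up in the persisted Token store, checks expiry/revocation and the
        // tenant/lockout vetos, and throws AuthenticationException on failure; that exception propagates
        // out of this method and is prettified by the separate error filter (step 14).
        final AuthenticationManager authMgr = getAuthenticationManager(req);
        return authMgr.authenticate(new AuthenticationRequestToken(token));
    }

    /** Token value, or null if the header is absent, not the Bearer scheme, or has an empty value. */
    static String parseBearerToken(final String header) {
        if (header == null || header.length() <= BEARER.length()) return null;
        if (!header.substring(0, BEARER.length()).equalsIgnoreCase(BEARER)) return null;
        final String token = header.substring(BEARER.length()).trim();
        return token.isEmpty() ? null : token;
    }

    @Override public void bind(final HttpServletRequest req, final HttpServletResponse resp,
                               final AuthenticationSession s) { /* stateless: nothing kept per HTTP session */ }

    @Override public void invalidate(final HttpServletRequest req, final HttpServletResponse resp) {
        /* revocation happens at the Restlet token endpoint (step 4), not per request */
    }
}
```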
