Willie, thanks very much for taking the time to document all this; great to know it's doable.
It *is* in fact possible to add additional endpoints to the RO viewer; you need to subclass RestfulObjectsApplication [1] to add your additional endpoints and then register it in web.xml [2].

I'll take a note to add this detail into the "ro viewer" guide [3], and also to add your longer recipe as to how oauth can be added into the "beyond the basics" guide [4]. Or, if you/anyone else has the time, PRs on docs gratefully received!

Thx again
Dan

[1] https://github.com/apache/isis/blob/master/core/viewer-restfulobjects-server/src/main/java/org/apache/isis/viewer/restfulobjects/server/RestfulObjectsApplication.java#L36
[2] https://github.com/apache/isis/blob/master/example/application/simpleapp/webapp/src/main/webapp/WEB-INF/web.xml#L272
[3] https://github.com/apache/isis/blob/master/adocs/documentation/src/main/asciidoc/guides/ugvro.adoc
[4] https://github.com/apache/isis/blob/master/adocs/documentation/src/main/asciidoc/guides/ugbtb.adoc

On 28 June 2016 at 08:44, Willie Loyd Tandingan <[email protected]> wrote:

> Hi Pedro and Dan,
>
> I've already opened the topic on open-sourcing the OAuth2 module we've
> implemented but I don't think it can be done sooner.
>
> What we did was basically find an implementation of OAuth2 and integrate
> it with Apache Isis. There are some suggested in [1] but they are not well
> maintained. I have considered replacing Shiro with Spring Security but
> thought that it would take too much effort and time.
>
> In the end, we also had a hard time creating another JAX-RS application
> since resteasy used by RO viewer unfortunately doesn't support multiple
> applications. We wanted the OAuth2 module to be a detachable module on top
> of RO while maintaining no modifications to RO code, and with no changes to
> the existing wicket viewer. Due to these requirements, we had decided to
> use Restlet with its oauth extension, and integrated it with Shiro, RO, and
> Apache Isis. This also allowed us to create endpoints outside of RO. At the
> moment, we are needing only the password grant flow so the tokens are
> actually persisted but the client manager is in-memory.
>
> Basically we did the following to integrate Restlet with RO and Apache
> Isis:
>
> 1. Implement org.restlet.ext.oauth.internal.Token as domain object.
> 2. Implement org.restlet.ext.oauth.internal.TokenManager as domain service.
> 3. Implement org.restlet.ext.oauth.internal.Client. We implemented this
> in-memory.
> 4. Set up the Restlet OAuth2 token endpoint using the implementations
> above. Note they must be running under Isis context. We referred to the
> security addon for integration patterns, and used similar techniques e.g.
> IsisContext to open session, execute closures using transaction manager,
> and close session.
> 5. Create transaction filter for this endpoint.
>
> Above will implement token generation, verification, and revocation. For
> integration with Shiro:
>
> 6. Implement org.restlet.ext.oauth.internal.ResourceOwnerManager. This
> wraps the username and password given for password grant flow in an
> AuthenticationRequestPassword, and passes it to Apache Isis
> AuthenticationManager.
> 7. Create implementations of AuthenticationRequestToken (we extended
> AuthenticationRequestPassword) and AuthenticationToken. This shall support
> token authentications while still maintaining username/password
> authentications (used in wicket and RO basic auth; since we still need to
> support both for prototyping and development).
> 8. Implement
> org.apache.isis.core.runtime.authentication.standard.Authenticator, and
> org.apache.isis.core.runtime.authorization.standard.Authorizer. We extended
> ShiroAuthenticatorOrAuthorizor to support token authentications.
> 9. Extend IsisModuleSecurityRealm to support getting authentication info
> for OAuth2 tokens. We had our own additions here since we need to support
> some forms of decoupled authentication vetos from other modules e.g. if
> tenant of the ApplicationUser is disabled then disallow login, password
> lockout policies, etc.
> 10. Extend AuthorizationManagerStandardInstallerAbstract and create the
> new authorizer.
> 11. Create an AuthenticationSessionStrategy supporting token authentication
> to be used in RO. Here, we parse the token from the HTTP header, create
> AuthenticationRequestToken, and pass it to the Apache Isis
> AuthenticationManager.
>
> To use in your app:
>
> 12. In your AppManifest, return the installer class name created in #10
> for getAuthenticationMechanism and getAuthorizationMechanism.
> 13. In shiro.ini, set securityManager.realms to the security realm in #9.
> 14. In web.xml, for the IsisSessionFilterForRestfulObjects, use the
> authentication session strategy created in #11 for the
> authenticationSessionStrategy init param. We also set whenNoSession to
> continue since we needed to provide different error messages on
> authentication failures by letting AuthenticationException propagate up to
> the authentication session strategy, and prettify the messages through
> another filter.
> 15. In web.xml, set up the Restlet servlet and the transaction filter in #5.
>
>
> I hope the above makes sense. This was implemented a year ago and it's already
> a bit blurry to remember everything. I would advise to observe and study
> the authentication flow from viewer to the authentication realms, as well
> as the security addon. This helps in determining integration or
> customization points to adhere to your project's requirements.
>
> Best regards,
> Willie
>
> [1] https://issues.apache.org/jira/browse/SHIRO-119
>
> On Tue, Jun 28, 2016 at 5:35 AM, Dan Haywood <[email protected]> wrote:
>
>> Hi Pedro,
>> Apache Isis doesn't ship with oauth out of the box, but I recall Willie
>> mentioning in passing [1] that they had extended Isis in this direction.
>>
>> @Willie, would you be able to share any code around this?
>>
>> Thx
>> Dan
>>
>> [1] http://markmail.org/message/ia76ut3mwuppdqow
>>
>> On 27 June 2016 at 15:18, Pedro Alba <[email protected]> wrote:
>>
>>> Hello Dan.
>>>
>>> Dan, I have a question. I need to implement OAuth authentication
>>> services for the REST API exposed by Apache Isis; how can I configure
>>> OAuth authentication in Apache Isis?
>>>
>>> Thanks.
>>>
>>> *Pedro Antonio Alba *
>>> *Senior Development Analyst*
>>> Tel: (57) 1 703 17 77
>>> Cel: (57) 301 3379810
>>> E-mail: [email protected]
>>> Calle 93 # 19b - 66 Ofc 202
>>> Bogotá D.C., Colombia
>>> www.ticxar.com
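The following is an added illustration of steps 11 and 14 of the recipe quoted above, written for this page rather than taken from Willie's module, Apache Isis or Restlet: a token-based session strategy that parses the bearer token from the HTTP Authorization header, checks it against the token store (unknown, revoked and expired tokens are each rejected with their own reason, which is what lets a later filter produce distinct error messages), and only then builds the request that would be handed to the AuthenticationManager. The Token, TokenStore, AuthenticationRequestToken and Outcome classes are hypothetical stand-ins for the Restlet and Isis types named in the recipe; the header parsing follows the RFC 6750 "Bearer" form, and the sample tokens are constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Example only: hypothetical stand-ins, not the Restlet or Apache Isis classes. */
public class TokenSessionStrategyExample {

    /** Stand-in for the persisted Token domain object (recipe step 1). */
    static final class Token {
        final String value;
        final String username;
        final Instant expiresAt;
        boolean revoked;

        Token(String value, String username, Instant expiresAt) {
            this.value = value;
            this.username = username;
            this.expiresAt = expiresAt;
        }
    }

    /** Stand-in for the TokenManager domain service (step 2); in-memory here. */
    static final class TokenStore {
        private final Map<String, Token> byValue = new HashMap<>();

        void add(Token token) { byValue.put(token.value, token); }

        void revoke(String value) {
            Token token = byValue.get(value);
            if (token != null) { token.revoked = true; }
        }

        Optional<Token> find(String value) { return Optional.ofNullable(byValue.get(value)); }
    }

    /** Stand-in for AuthenticationRequestToken (step 7): what reaches the AuthenticationManager. */
    static final class AuthenticationRequestToken {
        final String name;
        final String token;
        AuthenticationRequestToken(String name, String token) { this.name = name; this.token = token; }
    }

    /** Distinct failure reasons so a downstream filter can map each to its own message (step 14). */
    enum Failure { MISSING_HEADER, NOT_BEARER, EMPTY_TOKEN, UNKNOWN_TOKEN, EXPIRED, REVOKED }

    /** Either a request to authenticate or the reason none could be built. */
    static final class Outcome {
        final AuthenticationRequestToken request;
        final Failure failure;
        private Outcome(AuthenticationRequestToken r, Failure f) { this.request = r; this.failure = f; }
        static Outcome ok(AuthenticationRequestToken r) { return new Outcome(r, null); }
        static Outcome fail(Failure f) { return new Outcome(null, f); }
        boolean succeeded() { return request != null; }
    }

    /** Parse "Authorization: Bearer <token>" (RFC 6750); the scheme name is matched case-insensitively. */
    static Optional<String> parseBearer(String header) {
        if (header == null) return Optional.empty();
        String trimmed = header.trim();
        int space = trimmed.indexOf(' ');
        if (space < 0 || !trimmed.substring(0, space).equalsIgnoreCase("Bearer")) return Optional.empty();
        String token = trimmed.substring(space + 1).trim();
        return token.isEmpty() ? Optional.empty() : Optional.of(token);
    }

    /** The lookup the session strategy performs before anything is handed to the AuthenticationManager (step 11). */
    static Outcome lookup(String authorizationHeader, TokenStore store, Instant now) {
        if (authorizationHeader == null) return Outcome.fail(Failure.MISSING_HEADER);
        Optional<String> raw = parseBearer(authorizationHeader);
        if (!raw.isPresent()) {
            boolean bearerScheme = authorizationHeader.trim().toLowerCase().startsWith("bearer");
            return Outcome.fail(bearerScheme ? Failure.EMPTY_TOKEN : Failure.NOT_BEARER);
        }
        Optional<Token> found = store.find(raw.get());
        if (!found.isPresent()) return Outcome.fail(Failure.UNKNOWN_TOKEN);
        Token token = found.get();
        if (token.revoked) return Outcome.fail(Failure.REVOKED);           // revocation checked before expiry
        if (!now.isBefore(token.expiresAt)) return Outcome.fail(Failure.EXPIRED);
        return Outcome.ok(new AuthenticationRequestToken(token.username, token.value));
    }

    public static void main(String[] args) {
        // Constructed sample data: a live token, a revoked one and an expired one.
        Instant now = Instant.parse("2016-06-28T08:44:00Z");
        TokenStore store = new TokenStore();
        store.add(new Token("tok-alice-1", "alice", now.plus(Duration.ofHours(1))));
        store.add(new Token("tok-bob-1", "bob", now.plus(Duration.ofHours(1))));
        store.add(new Token("tok-carol-old", "carol", now.minus(Duration.ofMinutes(5))));
        store.revoke("tok-bob-1");

        String[] headers = { "Bearer tok-alice-1", "Bearer tok-bob-1", "Bearer tok-carol-old",
                             "Bearer nope", "Basic YWxpY2U6c2VjcmV0", "Bearer ", null };
        for (String h : headers) {
            Outcome o = lookup(h, store, now);
            System.out.println((h == null ? "<no header>" : h) + " -> "
                + (o.succeeded() ? "authenticate as " + o.request.name : "reject: " + o.failure));
        }
    }
}
```

In the real integration the Outcome would be produced inside the AuthenticationSessionStrategy and the AuthenticationRequestToken passed on to the AuthenticationManager; the Failure value is what the "prettify" filter mentioned in step 14 would translate into a response, and it is also the thing worth logging so that bursts of UNKNOWN_TOKEN or REVOKED rejections are visible.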
