OAuth Support in Apache CXF Sergey Beryozkin Talend Community Coder http://sberyozkin.blogspot.com
The Latest on Apache CXF
• Regular JAX-WS and JAX-RS work
• OSGi: every module is a bundle
• Security: WS-Trust STS, OAuth 2.0 and 1.0, XML Security for JAX-RS endpoints, JAAS integration
• DOSGi subproject: exploring new ways to deploy services in OSGi, 1.3.1 is out

OAuth 2.0 Highlights
• It is the next major, most important effort in the world of HTTP services
• Opportunities for new businesses and partnerships
• Consistent processing model: grants first, tokens next
• Grant types: redirection-based, simple credentials, SAML2 and JWT assertions

More OAuth 2.0 Highlights
• Access Tokens: simple Bearer, MAC
• Security Threat Model: Recommended
• Parameters are simple text tokens; registration of new ones is possible
• Effectively, a text-based protocol is introduced (grant and token requests, access token and error representations)
• UMA, OpenID Connect: OAuth2 aware

Authorization Code Flow: Number 1
• Closest to the original OAuth 1.0 flow
• Most interesting among all the OAuth2 flows (a human user is involved)
• Many new extensions will be based on it (example: OpenID Connect)
• Truly HTTP-centric flow
• Optimized for confidential clients running as web services

Authorization Code In Detail
• Client requests the authorization code by redirecting the end user (extension point)
• AuthorizationService challenges the user to approve the code request
• AuthorizationService redirects the user back to the client with the code or an error
• Client exchanges the code for a token
• Client accesses Protected Resources
Authorization Code Sequence
Authorization Code Request Example
Access Token Request Example
Protected Resource Request Example
OAuth 2.0 in CXF
• The runtime delegates to grant handlers, token validators and data providers
• Authorization and AccessToken services implement most of the 'bare' OAuth2
• Redirection-based Authorization Code and Implicit grants, Client Credentials
• Pre-authorized tokens are checked; grant types may be recorded and restricted

OAuth 2.0 in CXF, continued
• Data providers: data persistence, creating access tokens, conversion of scopes into presentable data
• Token validation: basic Bearer tokens are checked if no validators are registered
• Security context: client and user subjects are available
• JAX-RS MBW (MessageBodyWriter) links to view handlers
Demo, Part 1: Social.com
Demo, Part 2: Reservations
Demo Highlights
• Custom scopes, example: update the calendar at a specific hour only
• Default scope is added by the data provider
• Good practice: the user is offered a chance to down-scope
• End user credentials are captured during the authorization code flow

From OAuth 1.0 to OAuth 2.0
• OAuth 2.0: HTTPS is required
• Authorization Code Flow: simpler than the OAuth 1.0 flow, without the step that exchanges oauth_verifier for the new access token
• OAuth 1.0 to 2.0 intermediaries: can help with step-by-step migrations to OAuth 2.0 (servers first, clients next)

Links
• OAuth2: http://tools.ietf.org/html/draft-ietf-oauth-v2
• OAuth2 Demo in examples/cxf at: https://github.com/Talend/tesb-rt-se/
• Apache CXF OAuth2 Wiki: http://cxf.apache.org/docs/jax-rs-oauth2.html
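The authorization code flow from the "Authorization Code In Detail" slide, together with the default-scope and down-scoping points of the demo, as an added in-memory model (example code, not the CXF runtime or the demo's own code): the client registry, scopes, redirect URI and the in-memory CODES/TOKENS stores are constructed stand-ins for a data provider.

```python
import secrets
import time

# Constructed registry: one confidential client with a registered redirect URI.
CLIENTS = {"social.com": {"secret": "demo-secret", "redirect_uri": "https://social.example/cb"}}
DEFAULT_SCOPE = {"read_calendar"}   # default scope the data provider always adds
CODES, TOKENS = {}, {}              # in-memory stand-ins for the data provider
CODE_TTL, TOKEN_TTL = 60, 3600      # seconds

def request_code(client_id, redirect_uri, requested, user, approved):
    """AuthorizationService: check client and redirect URI, let the user approve
    (possibly fewer scopes than requested), then issue a short-lived, single-use code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None, "invalid_request"          # never redirect to an unregistered URI
    approved_req = set(requested) & set(approved)   # user may down-scope, never up-scope
    if requested and not approved_req:
        return None, "access_denied"
    granted = sorted(approved_req | DEFAULT_SCOPE)
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client": client_id, "redirect_uri": redirect_uri, "user": user,
                   "scope": granted, "expires": time.time() + CODE_TTL}
    return code, None

def exchange_code(client_id, client_secret, code, redirect_uri):
    """AccessTokenService: authenticate the confidential client, then swap the code
    for a Bearer token; the code is bound to client and redirect URI and used once."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None, "invalid_client"
    grant = CODES.pop(code, None)               # pop: a replayed code is rejected
    if (grant is None or grant["client"] != client_id
            or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
        return None, "invalid_grant"
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": grant["user"], "scope": grant["scope"],
                     "expires": time.time() + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer",
            "scope": " ".join(grant["scope"])}, None

def access_resource(authorization_header, required_scope):
    """Protected resource: validate the Bearer token, then the scope it carries."""
    scheme, _, value = (authorization_header or "").partition(" ")
    tok = TOKENS.get(value) if scheme == "Bearer" else None
    if tok is None or tok["expires"] < time.time():
        return 401, None                        # missing, unknown or expired token
    if required_scope not in tok["scope"]:
        return 403, None                        # valid token, insufficient scope
    return 200, {"user": tok["user"], "scope": tok["scope"]}
```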