Re: [Resteasy-users] OAuth2 example - different roles per REST Method
Thanks. As a follow up, I'd like to request a bearer token but limit the roles identified in the bearer token. I'm looking at org.jboss.resteasy.example.oauth.ProductDatabaseClient. Would it be right to look at the Access Token Scope to try and accomplish this? What I'm trying to do is have a set of REST services protected using @RolesAllowed and a less sensitive role. Even though the Resource Owner may have access to more sensitive roles, I don't want the bearer token being given to the client to have all of these roles. I'm working my way through org.jboss.resteasy.skeleton.key.servlet.ServletOAuthClient and mapping it to the OAuth2 spec, but would welcome any guidance pointing me in the right direction.

--
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter
Resteasy-users mailing list
Resteasy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/resteasy-users
Re: [Resteasy-users] OAuth2 example - different roles per REST Method
OAuth2 does not define the token format. We have defined our own token format that transmits signed role-mapping metadata. Check this out: http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454 An OAuth client in Skeleton Key can be assigned a set of roles that it is allowed to assume. So, even though a specific user might have admin and user permissions, you can specify in the OAuth client role mapping that the OAuth client is only allowed to assume user permissions. Please read the linked documentation and get back to this list if you have more questions. FYI, because our OAuth2 code reuses and is built on top of JBoss's existing Security Domain APIs, there's only so much flexibility that can be provided. In the future, I have plans to leverage the new IDM API in AS8 so that you can do more complex role mappings and OAuth2 scopes. Right now you're limited to what the documentation specifies. Please get back to me. I want to know if what we have is good enough for now, or if it is unusable.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
Re: [Resteasy-users] OAuth2 example - different roles per REST Method
So continuing to peel back the onion... and getting somewhere... Thanks for the pointers. I re-read the docs, especially around http://docs.jboss.org/resteasy/docs/3.0-beta-4/userguide/html/oauth2.html#d4e1454 I noticed that the commerce-roles.properties for the current OAuth2 examples has the following:

    bbu...@redhat.com=user,products
    admin=admin
    customer-portal=login
    product-portal=login
    third-party=oauth,*

I see that the oauth-client-example project is using the client-id third-party, which is specified in org.jboss.resteasy.example.oauth.Bootstrap.contextInitialized(). What I want to do is to get a bearer token programmatically as is done in the client-grant example (i.e. org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts()), but I want to specify the client-id so that I can limit the roles that are encoded in the bearer token. My assumption is that since org.jboss.resteasy.example.oauth.ProductDatabaseClient.getProducts() is using basic authentication to the auth server, the bearer token returned will have all roles for bbu...@redhat.com. So my question is: can I easily modify ProductDatabaseClient.getProducts() so that I am specifying a client-id for the resulting bearer token, and if so, can you point at the right part of the API that I should be looking at? Thanks much, Doug
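The role-mapping behaviour Bill describes (an OAuth client may only assume a subset of the resource owner's roles) and the commerce-roles.properties listing Doug quotes, modelled as an added example that is not RESTEasy or Skeleton Key code. It assumes, as labelled in the comments, that the "oauth" role marks a principal as an OAuth client, that "*" means the client may assume any of the user's roles, and that a token's roles are the user's roles intersected with the client's; the principals alice@example.com and reports-client are constructed, and roles_allowed() is a stand-in for the @RolesAllowed check on a REST method.

```python
"""Constructed model of the Skeleton Key role mapping discussed above.

Assumptions (mine, not from the thread or RESTEasy): a principal's roles come
from a roles.properties file; the roles mapped to an OAuth client are the roles
it may assume on the resource owner's behalf; "oauth" marks a principal as an
OAuth client; and "*" means the client may assume any of the user's roles.
The token's roles are then user roles intersected with client roles.
"""
from typing import Dict, FrozenSet, Iterable, Set

# Constructed sample modelled on the commerce-roles.properties listing in the
# thread. alice@example.com and reports-client are made-up principals.
ROLES_PROPERTIES = """\
alice@example.com=user,products
admin=admin
customer-portal=login
product-portal=login
third-party=oauth,*
reports-client=oauth,user
"""


def parse_roles(text: str) -> Dict[str, Set[str]]:
    """Parse 'principal=role1,role2' lines into a principal -> roles map."""
    role_map: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        principal, _, roles = line.partition("=")
        role_map[principal.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return role_map


def token_roles(role_map: Dict[str, Set[str]], user: str, client_id: str) -> FrozenSet[str]:
    """Roles a bearer token issued to client_id on behalf of user would carry."""
    client = role_map.get(client_id, set())
    if "oauth" not in client:
        raise PermissionError(f"{client_id!r} is not registered as an OAuth client")
    user_roles = role_map.get(user, set())
    if "*" in client:
        return frozenset(user_roles)          # client may assume all of the user's roles
    return frozenset(user_roles & client)     # otherwise only the overlap


def roles_allowed(required: Iterable[str], token: Iterable[str]) -> bool:
    """Model of a @RolesAllowed(...) check: any one required role is enough."""
    return not set(required).isdisjoint(token)


if __name__ == "__main__":
    rm = parse_roles(ROLES_PROPERTIES)
    for client in ("third-party", "reports-client"):
        tok = token_roles(rm, "alice@example.com", client)
        print(client, sorted(tok), "products allowed:", roles_allowed(["products"], tok))
```

Running it shows the same user getting {products, user} through third-party but only {user} through reports-client, so a method guarded by the products role rejects the second token.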
Re: [Resteasy-users] OAuth2 example - different roles per REST Method
So you want to specify user, client-id, and their credentials and get back a token that is limited to what the client-id is allowed to get? All in one request? I don't have an API for this at the moment.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
[Resteasy-users] OAuth2 example - different roles per REST Method
In the OAuth2 Skeleton Key example there was just one role (user) specified for the database-services REST services. Is it easy to protect some services with one role (say using the role customer for the CustomerService) and another required role for other services (say using the role products for the ProductService)? Can I use the @RolesAllowed annotation? Thanks for the help
Re: [Resteasy-users] OAuth2 example - different roles per REST Method
I modified the Skeleton Key example and see that it does work with the @RolesAllowed annotation, which makes sense. I now have different roles for the CustomerService REST methods and the ProductService REST methods. The Skeleton Key solution is looking very good and will be good for many of the requirements we come up against. Thanks Bill!

Doug Schnelzer
Technical Director, Vizuri
571-969-3793