Hi
AuthorizationCodeGrantService is expected to be called by a human user and therefore by the time the call reaches the service the authentication should've already taken place. CXF sets up a security context which just wraps whatever HttpServletRequest provides.

You can get the user authenticated using the CXF JAASLoginInterceptor or any other well-known mechanism (servlet security, Spring, etc.), or set up a custom JAX-RS 2.0 ContainerRequestFilter, authenticate as needed and set a new JAX-RS SecurityContext.

It is also simpler to start with some basic data provider; it is very easy to implement... If you type "CXF OAuth2" in Google you'll get a link to the demo...

HTH, Sergey


On 04/08/15 11:33, Di Xu wrote:
guys,

I am getting started with the DefaultEHCacheCodeDataProvider implementation
but am stuck on the /authorize REST call.
I used cxf release v3.1.1 and here is how I configured the beans:

    <!-- One data provider instance shared by all three OAuth2 services -->
    <bean id="oauthProvider"
          class="org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider"/>

    <bean id="accessTokenService"
          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
        <property name="dataProvider" ref="oauthProvider"/>
    </bean>
    <bean id="accessTokenValidatorService"
          class="org.apache.cxf.rs.security.oauth2.services.AccessTokenValidatorService">
        <property name="dataProvider" ref="oauthProvider"/>
    </bean>
    <bean id="authorizationService"
          class="org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService">
        <property name="dataProvider" ref="oauthProvider"/>
    </bean>

    <jaxrs:server id="oauth2_service" address="/">
        <jaxrs:features>
            <cxf:logging/>
        </jaxrs:features>

        <jaxrs:serviceBeans>
            <ref bean="accessTokenService"/>
            <!--<ref bean="accessTokenValidatorService"/>-->
            <ref bean="authorizationService"/>
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <bean class="com.wordnik.swagger.jaxrs.listing.ResourceListingProvider"/>
            <bean class="com.wordnik.swagger.jaxrs.json.JacksonJsonProvider"/>
            <bean class="com.wordnik.swagger.jaxrs.listing.ApiDeclarationProvider"/>
        </jaxrs:providers>
    </jaxrs:server>

And here is the rest request (as suggested in
http://cxf.apache.org/docs/jax-rs-oauth2.html)

GET http://localhost:8080/oauth2/rest/authorize?client_id=123456789&scope=updateCalendar-7&response_type=code&redirect_uri=http%3A//localhost%3A8080/services/reservations/reserve/complete&state=1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Authorization: Basic YmFycnlAc29jaWFsLmNvbToxMjM0
Cookie: JSESSIONID=suj2wyl54c4g
Referer: http://localhost:8080/services/forms/reservation.jsp

But the result is a 401 error.

I followed the source code and caught the exception source in
org.apache.cxf.rs.security.oauth2.services.RedirectionBasedGrantService.getAndValidateSecurityContext

if (securityContext == null || securityContext.getUserPrincipal() == null) {
     throw ExceptionUtils.toNotAuthorizedException(null, null);
}

securityContext is not null but getUserPrincipal returns null. Does that
mean the security context is not correctly generated given that the
Authorization: Basic header is provided? Or do I need to register a
custom request filter to do this?

I am new to CXF and thanks for any suggestions/hints.



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

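The custom JAX-RS 2.0 ContainerRequestFilter route that Sergey describes above, written out as an added example (it is not code from the thread or from the CXF project). It assumes the javax.ws.rs 2.0 API that CXF 3.1.x implements, Java 8 for java.util.Base64, a hypothetical class name BasicAuthFilter, and a constructed in-memory user table whose single entry matches the credential in the posted request (YmFycnlAc29jaWFsLmNvbToxMjM0 decodes to barry@social.com:1234). The filter parses the Basic header itself, and on success installs a SecurityContext whose getUserPrincipal() is non-null, which is exactly the check in RedirectionBasedGrantService.getAndValidateSecurityContext that produced the 401.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical example filter (not part of CXF): authenticates HTTP Basic
 * credentials and sets a JAX-RS SecurityContext so that getUserPrincipal()
 * is populated before AuthorizationCodeGrantService runs.
 */
@Provider
@PreMatching
public class BasicAuthFilter implements ContainerRequestFilter {

    // Constructed user store for the example only. A real deployment would
    // back this with JAAS, LDAP, a database, etc., and store password hashes.
    private static final Map<String, String> USERS = new HashMap<>();
    static {
        USERS.put("barry@social.com", "1234");
    }

    /** Minimal Principal carrying only the authenticated user name. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String user = authenticate(ctx.getHeaderString(HttpHeaders.AUTHORIZATION));
        if (user == null) {
            // Abort the chain: no resource code runs and the client gets a
            // proper challenge instead of an unexplained 401.
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"oauth2\"")
                    .build());
            return;
        }
        final Principal principal = new UserPrincipal(user);
        final SecurityContext original = ctx.getSecurityContext();
        final boolean secure = original != null && original.isSecure();
        // Replace the container-provided context (whose principal was null)
        // with one that reports the user we just authenticated.
        ctx.setSecurityContext(new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) { return "user".equals(role); }
            @Override public boolean isSecure() { return secure; }
            @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
        });
    }

    /**
     * Returns the authenticated user name, or null when the header is absent,
     * is not Basic, is malformed, or carries wrong credentials.
     */
    static String authenticate(String authorization) {
        if (authorization == null || !authorization.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authorization.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // malformed base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        String expected = USERS.get(user);
        if (expected == null) {
            return null;
        }
        // MessageDigest.isEqual compares equal-length inputs in constant time,
        // so a wrong password does not leak how many leading bytes matched.
        boolean ok = MessageDigest.isEqual(
                password.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
        return ok ? user : null;
    }
}
```

To activate it, add `<bean class="com.example.BasicAuthFilter"/>` (package name assumed) to the `<jaxrs:providers>` list of the `oauth2_service` server above, alongside the Swagger providers. Two practitioner caveats: Basic credentials travel in the clear, so the endpoint should sit behind TLS rather than plain http://localhost:8080 in anything beyond a demo, and the filter only establishes who the end user is; the OAuth2 client identified by client_id is authenticated separately by the CXF services against the data provider.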