I was thinking about how to configure OAuth authentication in CXF;
below are my thoughts and doubts:

1. An OAuth service provider needs to expose endpoint URLs for clients:
the Request Token URL, User Authorization URL and Access Token URL, where
clients get request tokens and exchange request tokens for access
tokens.
How should developers define these endpoints?

The first idea is to use a servlet to handle issuing and exchanging
tokens, and servlet context-params to define the endpoint URLs:

<servlet-mapping>
  <servlet-name>OAuthTokenService</servlet-name>
  <url-pattern>/oauth/*</url-pattern>
</servlet-mapping>

<context-param>
   <param-name>requestTokenURL</param-name>
   <param-value>/requestToken</param-value>
</context-param>

so, e.g., a client requests an OAuth request token at the URL:
http://www.domain.com/oauth/requestToken (respectively for other
endpoints).

The second one is to use the JAX-RS without-annotations approach and have
an entry in beans.xml similar to:

    <model xmlns="http://cxf.apache.org/jaxrs">
        <resource name="org.apache.cxf.auth.oauth.RequestTokenService"
                  path="/oauth/requestTokenURL">
            <operation name="getRequestToken" verb="GET" />
        </resource>
        <!-- .... (respectively for other endpoints) -->
    </model>

<operation name /> can even be omitted and configured through annotations.

I like the second one most.

2. How to define which protected resources/JAX-RS services require
OAuth authentication, and how to handle the authentication process?
I think we could register a kind of oauthAuthenticationProvider (that
handles the authentication process) for every service that requires OAuth,
i.e.:

<bean id="oauthAuthenticationProvider"
      class="org.apache.cxf.auth.oauth.providers.OAuthAuthenticationProvider" />

<jaxrs:server id="customerService" address="/service1">
    <jaxrs:serviceBeans>
      <ref bean="customerBean" />
    </jaxrs:serviceBeans>

    <jaxrs:providers>
      <ref bean="oauthAuthenticationProvider" />
    </jaxrs:providers>
</jaxrs:server>

or add an attribute oauthSecured: <jaxrs:server id="customerService"
address="/service1" oauthSecured="true">,
so the OAuthAuthenticationProvider is registered automatically.

or use a Java filter and filter mapping to intercept and handle OAuth
authentication.
I was also thinking about an annotation that specifies secured resources,
i.e. @OAuthSecured, but I'm not sure if it is a good approach.

Perhaps all the described configuration ways can be used with better or
worse effect, but I would like to hear WDYT?
I hope what I wrote makes sense :)

Thanks.

Cheers
Lukasz Moren
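To make the provider-registration idea from point 2 concrete, here is an added example of what the oauthAuthenticationProvider registered under <jaxrs:providers> could do. It is not code from the mail above nor from CXF: it uses the JAX-RS 2 ContainerRequestFilter API (javax.ws.rs, as supported by CXF 3.x) and Java 11+, and the class name OAuthAuthenticationProvider, the consumerSecrets/tokenSecrets lookup maps and the realm "service1" (taken from the address="/service1" example) are assumptions. The filter verifies an OAuth 1.0 HMAC-SHA1 signature per RFC 5849 over the Authorization header and query parameters, checks timestamp freshness, records nonces only after a signature verified, and answers 401 with a WWW-Authenticate challenge otherwise.

```java
import java.io.IOException;
import java.net.*;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Priority;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import static java.nio.charset.StandardCharsets.UTF_8;

// Added example (not CXF code): a JAX-RS provider that rejects requests lacking a valid OAuth 1.0 signature.
@Provider
@Priority(Priorities.AUTHENTICATION)   // run before other filters, so unauthenticated requests never reach them
public class OAuthAuthenticationProvider implements ContainerRequestFilter {
    private static final long MAX_CLOCK_SKEW_SECONDS = 300;
    private final Map<String, String> consumerSecrets;   // hypothetical lookup: consumer key -> consumer secret
    private final Map<String, String> tokenSecrets;      // hypothetical lookup: oauth_token -> token secret
    private final Set<String> seenNonces = ConcurrentHashMap.newKeySet(); // production: evict after the skew window

    public OAuthAuthenticationProvider(Map<String, String> consumerSecrets, Map<String, String> tokenSecrets) {
        this.consumerSecrets = consumerSecrets; this.tokenSecrets = tokenSecrets;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String failure = verify(ctx);
        if (failure != null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                    .header("WWW-Authenticate", "OAuth realm=\"service1\"").entity(failure).build());
        }
    }

    // Returns null for a valid OAuth 1.0 HMAC-SHA1 request, otherwise the reason it is rejected.
    String verify(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString("Authorization");
        if (header == null || !header.regionMatches(true, 0, "OAuth ", 0, 6)) return "missing OAuth credentials";
        Map<String, String> oauth = parseAuthorizationHeader(header.substring(6));
        String consumerKey = oauth.getOrDefault("oauth_consumer_key", "");
        String consumerSecret = consumerSecrets.get(consumerKey);
        // oauth_token is absent on the request-token call; an unknown token is rejected, not treated as empty.
        String tokenSecret = oauth.containsKey("oauth_token") ? tokenSecrets.get(oauth.get("oauth_token")) : "";
        if (consumerSecret == null || tokenSecret == null) return "unknown consumer or token";
        if (!"HMAC-SHA1".equals(oauth.get("oauth_signature_method"))) return "unsupported signature method";
        String tsText = oauth.getOrDefault("oauth_timestamp", "");
        long ts = tsText.matches("\\d{1,18}") ? Long.parseLong(tsText) : 0;
        if (Math.abs(System.currentTimeMillis() / 1000 - ts) > MAX_CLOCK_SKEW_SECONDS) return "stale timestamp";
        String nonce = oauth.get("oauth_nonce");
        if (nonce == null) return "missing nonce";
        String expected = sign(baseString(ctx, oauth), consumerSecret, tokenSecret);
        String presented = oauth.getOrDefault("oauth_signature", "");
        if (!MessageDigest.isEqual(expected.getBytes(UTF_8), presented.getBytes(UTF_8))) return "invalid signature";
        // The nonce is recorded only after the signature verified, so forged requests cannot consume nonces.
        return seenNonces.add(consumerKey + ":" + ts + ":" + nonce) ? null : "replayed nonce";
    }

    // Signature base string (RFC 5849 section 3.4.1) over header and query parameters; form bodies not handled here.
    private static String baseString(ContainerRequestContext ctx, Map<String, String> oauth) {
        URI uri = ctx.getUriInfo().getRequestUri();
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        boolean defaultPort = uri.getPort() == -1 || uri.getPort() == (scheme.equals("https") ? 443 : 80);
        String baseUri = scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + (defaultPort ? "" : ":" + uri.getPort()) + uri.getRawPath();
        List<String[]> pairs = new ArrayList<>();
        oauth.forEach((k, v) -> { if (!k.equals("oauth_signature") && !k.equals("realm")) pairs.add(new String[] {enc(k), enc(v)}); });
        ctx.getUriInfo().getQueryParameters(true).forEach((k, vs) -> vs.forEach(v -> pairs.add(new String[] {enc(k), enc(v)})));
        pairs.sort(Comparator.<String[], String>comparing(p -> p[0]).thenComparing(p -> p[1]));   // by key, then by value
        StringJoiner normalized = new StringJoiner("&");
        pairs.forEach(p -> normalized.add(p[0] + "=" + p[1]));
        return ctx.getMethod().toUpperCase(Locale.ROOT) + "&" + enc(baseUri) + "&" + enc(normalized.toString());
    }

    // OAuth percent-encoding (RFC 5849 section 3.6): URLEncoder output with '+', '*' and '~' corrected.
    private static String enc(String s) {
        return URLEncoder.encode(s, UTF_8).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // HMAC-SHA1 over the base string, keyed with enc(consumer secret) & enc(token secret), base64-encoded.
    private static String sign(String baseString, String consumerSecret, String tokenSecret) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec((enc(consumerSecret) + "&" + enc(tokenSecret)).getBytes(UTF_8), "HmacSHA1"));
            return Base64.getEncoder().encodeToString(mac.doFinal(baseString.getBytes(UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Parses `key="value", key2="value2"` into a map, percent-decoding the values.
    private static Map<String, String> parseAuthorizationHeader(String params) {
        Map<String, String> out = new HashMap<>();
        for (String part : params.split(",")) {
            int eq = part.indexOf('=');
            if (eq > 0) out.put(part.substring(0, eq).trim(), URLDecoder.decode(part.substring(eq + 1).trim().replaceAll("^\"|\"$", ""), UTF_8));
        }
        return out;
    }
}
```

Registered as the oauthAuthenticationProvider bean under <jaxrs:providers>, this runs for every request to that jaxrs:server. Two points a practitioner would check: the signature comparison is constant-time (MessageDigest.isEqual), and the nonce store is only written after a signature verified, so an unauthenticated client cannot fill it; in production the nonce set also needs eviction of entries older than the clock-skew window, which the in-memory set above does not do.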
