...
The simplest strategy is to encrypt and decrypt the tokens with symmetric (secret) keys. Every new token can be encrypted with its own unique secret key, or all tokens can be encrypted with a single secret key. The utilities provide a few methods for creating secret keys with default or advanced properties, and there are many examples around on how to create keys with specific properties.
For example, see org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider, which are shipped starting from CXF 3.0.2.
Here is a typical code demonstrating how the encryption/decryption works:
```java
// Fragment of an OAuthDataProvider implementation: 'client' is the requesting
// Client and 'this' is the provider used to resolve the client on decryption.
SecretKey key = EncryptionUtils.getSecretKey();

// create a new token, encrypt its state and return
ServerAccessToken token = new BearerAccessToken(client, 3600L);
String encryptedToken = ModelEncryptionSupport.encryptAccessToken(token, key);
token.setTokenKey(encryptedToken);
return token;

// decrypt a token given a token key
ServerAccessToken decrypted = ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);
```
...
Starting from CXF 3.0.2, default Ehcache-based and encrypting OAuthDataProvider and AuthorizationCodeDataProvider implementations are shipped:
org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider and org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider use Ehcache to store grant, client, access and refresh token data.
org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider use an auto-generated or provided Java symmetric SecretKey to store grant, access and refresh token data.
Users who are happy with using Ehcache are encouraged to experiment with these default providers, customize them if needed and provide feedback.
Users implementing their own persistence strategy may consider extending org.apache.cxf.rs.security.oauth2.grants.code.AbstractAuthorizationCodeDataProvider or org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider; these classes might help with taking care of some basic data initialization and check routines.
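The encryption/decryption snippet above and the "auto-generated or provided SecretKey" option are tied together in the following added example (not CXF code): a hypothetical ProvidedKeyTokenSupport helper that takes the AES key from deployment configuration so tokens survive restarts and work across nodes, checks the key length up front, and treats a token that fails to decrypt as unknown. The name of the class, the Base64 key encoding and the assumption that CXF reports decryption failures as unchecked exceptions are mine.

```java
import java.util.Base64;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;

// Hypothetical helper (not part of CXF): keeps one AES key that is supplied
// by the deployment instead of being regenerated on every start-up, so tokens
// issued before a restart, or by another node, still decrypt.
public class ProvidedKeyTokenSupport {
    private final SecretKey key;

    // base64Key: assumed to come from configuration (keystore, env, vault)
    public ProvidedKeyTokenSupport(String base64Key) {
        byte[] raw = Base64.getDecoder().decode(base64Key);
        // AES only accepts 128/192/256-bit keys; fail fast on a misconfigured key
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalArgumentException(
                "AES key must be 16, 24 or 32 bytes, got " + raw.length);
        }
        this.key = new SecretKeySpec(raw, "AES");
    }

    // Issue a token whose whole state travels inside the encrypted token key,
    // so nothing has to be persisted for it on the server side.
    public ServerAccessToken issue(Client client, long lifetimeSeconds) {
        ServerAccessToken token = new BearerAccessToken(client, lifetimeSeconds);
        token.setTokenKey(ModelEncryptionSupport.encryptAccessToken(token, key));
        return token;
    }

    // Resolve a presented token key. A tampered, truncated or foreign-key token
    // cannot be decrypted; report it as an unknown token (null) rather than
    // letting the failure surface as a server error.
    public ServerAccessToken resolve(OAuthDataProvider provider, String tokenKey) {
        try {
            return ModelEncryptionSupport.decryptAccessToken(provider, tokenKey, key);
        } catch (RuntimeException e) {
            // assumption: decryption and parse failures are unchecked exceptions
            return null;
        }
    }
}
```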
OAuth Server JAX-RS endpoints
...