
The simplest strategy is to encrypt and decrypt the token state with symmetric (secret) keys. Each new token can be encrypted with its own secret key, or all tokens can be encrypted with a single key. The utilities provide a few methods for creating secret keys with default or advanced properties, and there are many examples available of how to create keys with specific properties. Whichever option is chosen, the secret key is all that stands between the token data and anyone who obtains the token string, so it must come from a strong random source, be kept out of configuration that is checked into source control, and be rotated with care: a token encrypted under a key the server no longer holds can not be decrypted and will be rejected.

For example, see org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider, which are shipped starting from CXF 3.0.2.

Here is typical code demonstrating how the encryption/decryption works (the two methods belong to an OAuthDataProvider implementation, so that this refers to the provider):

Code Block
import javax.crypto.SecretKey;

import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
import org.apache.cxf.rs.security.oauth2.utils.crypto.EncryptionUtils;
import org.apache.cxf.rs.security.oauth2.utils.crypto.ModelEncryptionSupport;

// a single secret key used for every token issued by this provider
SecretKey key = EncryptionUtils.getSecretKey();

// create a new token, encrypt its state and hand the ciphertext out as the token key;
// nothing about the token has to be stored on the server
public ServerAccessToken createAccessToken(Client client) {
    ServerAccessToken token = new BearerAccessToken(client, 3600L);
    String encryptedToken = ModelEncryptionSupport.encryptAccessToken(token, key);
    token.setTokenKey(encryptedToken);
    return token;
}

// decrypt a token given the token key presented by the client;
// the provider ('this') is passed in so the Client referenced by the token can be resolved
public ServerAccessToken getAccessToken(String encryptedToken) {
    return ModelEncryptionSupport.decryptAccessToken(this, encryptedToken, key);
}
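The following is an added example, written here for illustration; it is not CXF code and does not use ModelEncryptionSupport, whose serialization format and key defaults are its own. It shows the scheme the snippet above relies on with the JDK alone: the token state is encrypted under a secret key, the ciphertext is what the client receives as its token key, and on presentation the server decrypts it and checks it instead of looking it up in a store. The class and method names, the TokenState fields, the "|"-separated serialization and the choice of AES-GCM are assumptions of this example. It also exercises the failure modes a practitioner should confirm: a modified token, a token encrypted under a different key (for instance after a key rotation the server did not keep up with), and an expired token are all rejected.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not CXF code. TokenState, its "|" serialization and the AES-GCM
// parameters are this example's own choices, not ModelEncryptionSupport's format.
public final class EncryptedTokenDemo {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int IV_BYTES = 12;   // 96-bit GCM nonce, fresh for every token
    private static final int TAG_BITS = 128;  // authentication tag: any modification is detected

    /** Minimal token state (a real ServerAccessToken carries more fields). */
    static final class TokenState {
        final String clientId;
        final String scope;
        final long issuedAt;  // seconds since the epoch
        final long lifetime;  // seconds

        TokenState(String clientId, String scope, long issuedAt, long lifetime) {
            this.clientId = clientId;
            this.scope = scope;
            this.issuedAt = issuedAt;
            this.lifetime = lifetime;
        }

        String serialize() {
            return clientId + "|" + scope + "|" + issuedAt + "|" + lifetime;
        }

        static TokenState parse(String s) {
            String[] p = s.split("\\|", -1);
            if (p.length != 4) {
                throw new IllegalArgumentException("malformed token state");
            }
            return new TokenState(p[0], p[1], Long.parseLong(p[2]), Long.parseLong(p[3]));
        }
    }

    static SecretKey newSecretKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    /** Encrypts the state; the returned string is what the client receives as its token key. */
    static String encryptTokenState(TokenState state, SecretKey key) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(state.serialize().getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];   // iv || ciphertext || tag
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Decrypts a presented token key; null means forged, tampered with, wrong key or expired. */
    static TokenState decryptTokenKey(String tokenKey, SecretKey key, long now) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(tokenKey);
            if (in.length < IV_BYTES + TAG_BITS / 8) {
                return null;
            }
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            TokenState state = TokenState.parse(new String(pt, StandardCharsets.UTF_8));
            return now >= state.issuedAt + state.lifetime ? null : state;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // AEADBadTagException (modified ciphertext or wrong key) and bad Base64 land here
            return null;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = newSecretKey();
        long now = System.currentTimeMillis() / 1000;
        String tokenKey = encryptTokenState(new TokenState("client1", "read", now, 3600L), key);
        System.out.println("issued:             " + tokenKey);
        System.out.println("valid:              " + (decryptTokenKey(tokenKey, key, now) != null));

        // flip one bit of the ciphertext: the GCM tag no longer verifies
        byte[] raw = Base64.getUrlDecoder().decode(tokenKey);
        raw[raw.length / 2] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("tampered accepted:  " + (decryptTokenKey(tampered, key, now) != null));

        // a different key cannot read the token, and a token past its lifetime is refused
        System.out.println("other key accepted: " + (decryptTokenKey(tokenKey, newSecretKey(), now) != null));
        System.out.println("expired accepted:   " + (decryptTokenKey(tokenKey, key, now + 3600L) != null));
    }
}
```

Because the token carries its own state, nothing has to be persisted for validation; the price is that revocation before expiry needs a separate mechanism (a deny list, or a key change that invalidates every outstanding token at once), and that the secret key must be available, unchanged, to every node that validates tokens.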

...

Starting from CXF 3.0.2, default Ehcache-based and encrypting OAuthDataProvider and AuthorizationCodeDataProvider implementations are shipped:

org.apache.cxf.rs.security.oauth2.grants.code.DefaultEHCacheCodeDataProvider and org.apache.cxf.rs.security.oauth2.provider.DefaultEHCacheOAuthDataProvider use Ehcache to store grant, client, access and refresh token data.

org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider and org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider use an auto-generated or provided Java symmetric SecretKey to encrypt grant, access and refresh token data.

Users who are happy with using Ehcache are encouraged to experiment with these default providers, customize them if needed and provide feedback.

Users implementing their own persistence strategy may consider extending org.apache.cxf.rs.security.oauth2.grants.code.AbstractAuthorizationCodeDataProvider or org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider; these classes take care of some basic data initialization and validation routines.

OAuth Server JAX-RS endpoints

...