Sunday, August 12, 2012

OAuth2 Demo in Talend ESB

Talend ESB ships many interesting, advanced examples demonstrating CXF and Camel in action. The demos attempt to show something interesting, something that one may try to do in the production.

JAX-RS OAuth2 demo has been evolving as a POC demo with the main goal to stress  CXF OAuth2 services and make sure that they can cope with what one might want to consider as a medium complexity OAuth2 deployment.

The demo shows 4 parties cooperating with or depending on each other, where Social.com service offers the registered users an option to reserve a table at the favorite restaurant with the help of Restaurant Reservations service (with the latter depending on its own partner).  A classical 3-leg OAuth flow (Authorization Code Flow in OAuth2) is demonstrated with most of the demo depending on CXF alone to do most of the work (OAuth2, Presentations, etc).

The end user (individual Social.com resource owner) can approve or disapprove a client (Restaurant Reservations) request to read and possibly update the user's calendar.  The demo can be run as a simple OAuth2 demo with all the endpoints running within the same container or as an advanced demo showing how a user can interact with the application supported by many application containers, with the SAML SSO feature introduced to improve the user experience - this advanced option will be covered in detail in one of the future posts.

Please check this presentation I did at JAX-2012 in Mainz for more information.
I'd like to encourage users to try the demo, provide the feedback and git pull requests :-)

Enjoy.

Thursday, August 2, 2012

Master Kerberos Security with Apache CXF

Kerberos is a well-known security protocol, originally developed at MIT and has been a major authentication protocol on Windows.

Why would you want to learn about or experiment with Kerberos today, when developing web services ?

One may want to do it if we have a web service which needs to expose the information available from the internal Kerberos-protected store or when a Single Sign-On service needs to use  Kerberos servers to keep the principal details or when Kerberos is deemed to be the best authentication protocol which can protect the given complex application exposed as a web service. 

The decision by Hadoop developers to support Kerberos will undoubtedly make it more important for developers to understand what Kerberos is about, due to the fact the Big Data is becoming so important these days.

In Apache CXF, Kerberos has been supported on a number of levels for a while. Colm has published a two-part series about the way WS-Security Kerberos is supported and tested in CXF, and Christian has implemented a client-side support for the HTTP Negotiate authorization scheme. 

Starting from CXF 2.6.2 (to be released soon), the JAX-RS frontend offers an additional server and client side support for making it very easy to support the Kerberos authentication for RS endpoints and clients. 

After installing Kerberos packages, the next thing you can do is to run JAXRSKerberosBookTest or add server and/or client Kerberos handlers to your own application as documented at the wiki and see what actually happens.

Have you been thinking of getting started with Kerberos for Web Services ?
Do it today with Apache CXF :-)