Affects Version/s: None
Fix Version/s: None
Please see also
Every JAX-RS application deployed without OAuth2 service properties will be configured to expose HTTP method scopes DELETE, GET, HEAD, OPTIONS, POST, PUT.
A JAX-RS application configured with the oauth2.scopechecker.type=annotations OSGi service property can use the following annotations from the com.liferay.oauth2.provider.scope.api bundle:
A JAX-RS application can opt out of the provided scope checkers by specifying oauth2.scopechecker.type=something (any value that is not one of the built-in checker types) in its application service properties or using configuration and
Then it can publish its own scopes by:
- Implementing the com.liferay.oauth2.provider.scope.spi.scope.finder.ScopeFinder SPI from the com.liferay.oauth2.provider.scope.spi bundle
- Publishing it as an OSGi service with the property osgi.jaxrs.name=someApplication, where someApplication is the osgi.jaxrs.name of the JAX-RS application itself.
- Checking the scopes with its own logic, either by deploying a javax.ws.rs.container.ContainerRequestFilter (ideally extending com.liferay.oauth2.provider.rest.spi.scope.checker.container.request.filter.BaseScopeCheckerContainerRequestFilter) that uses com.liferay.oauth2.provider.scope.ScopeChecker, or by calling com.liferay.oauth2.provider.scope.ScopeChecker directly in the application code to test whether a given scope was granted to the current token.
A portal admin can create a custom scope mapping for an existing application using com.liferay.oauth2.provider.rest.internal.jaxrs.feature.configuration.ConfigurableScopeCheckerFeatureConfiguration. Use this together with oauth2.scopechecker.type=something so that the other scope checkers are disabled for that application.
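The three steps above, as an added example that is not Liferay's own code: three Declarative Services components for a hypothetical OrdersApplication that opts out of the portal-provided checkers, publishes its own orders.read / orders.write scopes through ScopeFinder, and enforces them with a plain ContainerRequestFilter backed by ScopeChecker. Assumed: ScopeFinder#findScopes() returns Collection<String>, ScopeChecker#checkScope(String) returns true only when the current request's access token was granted that scope (and false when there is no OAuth2 token), and osgi.jaxrs.extension / osgi.jaxrs.application.select are the standard JAX-RS whiteboard properties. The package, path, scope names and the oauth2.scopechecker.type value "custom" are invented for the example.

```java
// Added example, not Liferay's own code. Package, path, scope names and the
// value "custom" are invented; see the lead-in for the assumed API shapes.

// ---- OrdersApplication.java ----
package com.example.orders;

import javax.ws.rs.core.Application;

import org.osgi.service.component.annotations.Component;

@Component(
    property = {
        "osgi.jaxrs.application.base=/orders",
        "osgi.jaxrs.name=OrdersApplication",
        // A value that is not a built-in checker type opts this application out
        // of HttpMethodFeature and AnnotationFeature; we check scopes ourselves.
        "oauth2.scopechecker.type=custom"
    },
    service = Application.class
)
public class OrdersApplication extends Application {
    // Resources are registered separately with osgi.jaxrs.resource=true and
    // osgi.jaxrs.application.select=(osgi.jaxrs.name=OrdersApplication).
}

// ---- OrdersScopeFinder.java ----
package com.example.orders;

import com.liferay.oauth2.provider.scope.spi.scope.finder.ScopeFinder;

import java.util.Arrays;
import java.util.Collection;

import org.osgi.service.component.annotations.Component;

// Published under the application's own osgi.jaxrs.name so the OAuth2 provider
// offers these scopes for OrdersApplication when applications/tokens are set up.
@Component(
    property = "osgi.jaxrs.name=OrdersApplication",
    service = ScopeFinder.class
)
public class OrdersScopeFinder implements ScopeFinder {

    public static final String READ = "orders.read";
    public static final String WRITE = "orders.write";

    @Override
    public Collection<String> findScopes() {
        return Arrays.asList(READ, WRITE);
    }
}

// ---- OrdersScopeFilter.java ----
package com.example.orders;

import com.liferay.oauth2.provider.scope.ScopeChecker;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Registered as a JAX-RS extension for OrdersApplication only.
@Component(
    property = {
        "osgi.jaxrs.application.select=(osgi.jaxrs.name=OrdersApplication)",
        "osgi.jaxrs.extension=true"
    },
    service = ContainerRequestFilter.class
)
public class OrdersScopeFilter implements ContainerRequestFilter {

    private static final Set<String> SAFE_METHODS =
        new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS"));

    @Override
    public void filter(ContainerRequestContext requestContext)
        throws IOException {

        // Safe methods need orders.read; anything that mutates needs orders.write.
        String required = SAFE_METHODS.contains(requestContext.getMethod())
            ? OrdersScopeFinder.READ : OrdersScopeFinder.WRITE;

        // Fail closed: abort before the resource method runs when the token
        // lacks the scope (assumed to also cover "no OAuth2 token at all").
        if (!scopeChecker.checkScope(required)) {
            requestContext.abortWith(
                Response.status(Response.Status.FORBIDDEN)
                    .entity("Missing OAuth2 scope " + required)
                    .build());
        }
    }

    @Reference
    private ScopeChecker scopeChecker;
}
```

If the application also accepts non-OAuth2 authentication (portal session, basic auth), the filter above would reject those callers as well, since ScopeChecker only knows about token scopes; in that case check for the presence of a scope context first, which is what BaseScopeCheckerContainerRequestFilter is meant to help with.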
JSONWS works on top of Service Builder remote services, which are guarded by Service Access Policies (SAP).
The OAuth2 framework is integrated with SAP:
- It exports SAPEntry records as OAuth2 scopes that can be granted to applications and approved for tokens; please see com.liferay.oauth2.provider.jsonws.internal.service.access.policy.scope.SAPEntryScopeDescriptorFinderRegistrator
- When an API is called, it reads the SAPEntry names from the token scopes and initializes the context for checking Service Access Policies in JSONWSOAuth2AuthVerifier (please see
Scopes are checked using the com.liferay.oauth2.provider.scope.ScopeChecker API from the com.liferay.oauth2.provider.scope.api OSGi bundle. The default implementation, com.liferay.oauth2.provider.scope.internal.ThreadLocalScopeContextScopeChecker, tests whether a scope was granted to the current access token (initialized using com.liferay.oauth2.provider.scope.liferay.ScopeContext).
For JAX-RS applications that don't export scopes themselves using com.liferay.oauth2.provider.scope.spi.scope.finder.ScopeFinder, the portal provides the JAX-RS Feature com.liferay.oauth2.provider.rest.internal.jaxrs.feature.HttpMethodFeature, which:
- Publishes the DELETE, GET, OPTIONS, POST, PUT scopes on behalf of the application.
- Registers a JAX-RS filter for the application that checks, via the com.liferay.oauth2.provider.scope.ScopeChecker OSGi service, the scope named after the current request's HTTP method.
A JAX-RS application is enhanced with the feature when it is published into OSGi with:
- no oauth2.scopechecker.type property, or oauth2.scopechecker.type=http.method
The portal provides auto-discovery of JAX-RS application scopes using the JAX-RS Feature com.liferay.oauth2.provider.rest.internal.jaxrs.feature.AnnotationFeature, which:
- Traverses the endpoints and their methods to find com.liferay.oauth2.provider.scope.RequiresScope or com.liferay.oauth2.provider.scope.RequiresNoScope annotations and publishes the scopes they declare on behalf of the application
- Registers a JAX-RS filter for the application that checks the required scopes using the com.liferay.oauth2.provider.scope.ScopeChecker OSGi service when an annotated method is accessed
For a JAX-RS application to be traversed for annotations it must publish the following properties:
The portal provides for JAX-RS applications a configuration, com.liferay.oauth2.provider.rest.internal.jaxrs.feature.configuration.ConfigurableScopeCheckerFeatureConfiguration, that allows mapping and checking arbitrary scopes based on URL pattern matching, implemented by com.liferay.oauth2.provider.rest.internal.jaxrs.feature.ConfigurableScopeCheckerFeature.
The configuration can be created and managed using the portal System Settings portlet.
Using osgi.jaxrs.application.select it is possible to target a specific JAX-RS application.
The patterns property specifies the scopes that map to endpoint URLs. Each entry has the following syntax:
"HTTP method pattern" :: "URL pattern" :: "Scopes delimited with comma"
Patterns are checked and applied in order of appearance. If none of the patterns matches, the check returns the value of the allowUnmatched property, so leave allowUnmatched false to fail closed for any endpoint the pattern list does not cover.
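An offline model of the pattern evaluation described above, added here as an example and not Liferay's own code (the real ConfigurableScopeCheckerFeature is internal and may differ in detail); it lets you test a patterns list against sample requests before putting it into System Settings. Assumptions the page does not state: the method and URL parts are Java regular expressions matched against the whole HTTP method name and request path, an empty scope part means "no scope required", and a request passes when the token holds every scope named by the first matching entry. The rule set and requests in main are constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Liferay's code: models "method :: url :: scope,scope"
// entries, evaluated in order, falling back to allowUnmatched (assumptions
// about regex matching and empty scope lists are stated in the lead-in).
public class ScopePatternMatcher {

    private static final class Rule {
        final Pattern method;
        final Pattern url;
        final Set<String> scopes = new HashSet<>();

        Rule(String entry) {
            // split with limit -1 so a trailing empty scope part is kept
            String[] parts = entry.split("::", -1);
            if (parts.length != 3) {
                throw new IllegalArgumentException(
                    "Expected 3 '::'-separated parts: " + entry);
            }
            method = Pattern.compile(parts[0].trim());
            url = Pattern.compile(parts[1].trim());
            for (String s : parts[2].split(",")) {
                if (!s.trim().isEmpty()) {
                    scopes.add(s.trim());
                }
            }
        }

        boolean matches(String httpMethod, String path) {
            return method.matcher(httpMethod).matches()
                && url.matcher(path).matches();
        }
    }

    private final List<Rule> rules = new ArrayList<>();
    private final boolean allowUnmatched;

    public ScopePatternMatcher(List<String> patterns, boolean allowUnmatched) {
        for (String p : patterns) {
            rules.add(new Rule(p));
        }
        this.allowUnmatched = allowUnmatched;
    }

    /** Scopes required by the first matching entry, or null when none matches. */
    public Set<String> requiredScopes(String httpMethod, String path) {
        for (Rule r : rules) {
            if (r.matches(httpMethod, path)) {
                return Collections.unmodifiableSet(r.scopes);
            }
        }
        return null;
    }

    /** First match decides; otherwise the allowUnmatched value is returned. */
    public boolean isAllowed(String httpMethod, String path, Set<String> tokenScopes) {
        Set<String> required = requiredScopes(httpMethod, path);
        if (required == null) {
            return allowUnmatched;
        }
        return tokenScopes.containsAll(required);
    }

    public static void main(String[] args) {
        // Constructed rule set. Order matters: the public rule must precede the
        // broader /api/.* rules, which would otherwise win for /api/public/...
        ScopePatternMatcher m = new ScopePatternMatcher(Arrays.asList(
            "GET|HEAD :: /api/public/.* :: ",
            "GET|HEAD :: /api/.* :: orders.read",
            "POST|PUT|DELETE :: /api/.* :: orders.read,orders.write"), false);

        Set<String> readOnly = Collections.singleton("orders.read");
        System.out.println("GET /api/public/ping, no scopes: "
            + m.isAllowed("GET", "/api/public/ping", Collections.emptySet()));
        System.out.println("GET /api/orders/1, orders.read: "
            + m.isAllowed("GET", "/api/orders/1", readOnly));
        System.out.println("DELETE /api/orders/1, orders.read: "
            + m.isAllowed("DELETE", "/api/orders/1", readOnly));
        System.out.println("GET /legacy/report (unmatched, allowUnmatched=false): "
            + m.isAllowed("GET", "/legacy/report", readOnly));
    }
}
```

Two things worth checking with such a model before deploying a rule set: that no broad rule shadows a narrower one placed after it, and that every endpoint you intend to protect is actually matched by some rule rather than silently falling through to allowUnmatched.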