Details

    • Type: Sub-Task
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Please see also OAUTH2-32

      Developer API

      Every JAX-RS application deployed without OAuth2 service properties will be configured to expose HTTP method scopes DELETE, GET, HEAD, OPTIONS, POST, PUT.

      A JAX-RS application configured with the oauth2.scopechecker.type=annotations OSGi service property can use the following annotations from the com.liferay.oauth2.provider.scope.api bundle:

      • com.liferay.oauth2.provider.scope.RequiresScope
      • com.liferay.oauth2.provider.scope.RequiresNoScope

      Developer SPI

      A JAX-RS application can opt out of the provided scope checkers by specifying oauth2.scopechecker.type=something in the application service properties or using configuration and

      Then it can publish its own scopes by:

      1. Implementing the com.liferay.oauth2.provider.scope.spi.scope.finder.ScopeFinder SPI from the com.liferay.oauth2.provider.scope.spi bundle
      2. Publishing it as an OSGi service with the property osgi.jaxrs.name=someApplication, where someApplication is the osgi.jaxrs.name of the JAX-RS application itself.
      3. Checking the scopes using its own logic by deploying a javax.ws.rs.container.ContainerRequestFilter, ideally extending com.liferay.oauth2.provider.rest.spi.scope.checker.container.request.filter.BaseScopeCheckerContainerRequestFilter, and using com.liferay.oauth2.provider.scope.ScopeChecker. Alternatively, com.liferay.oauth2.provider.scope.ScopeChecker can be used directly in the application code to check for the availability of a certain scope.


      Portal Admin

      A portal admin can create a custom scope mapping for an existing application using com.liferay.oauth2.provider.rest.internal.jaxrs.feature.configuration.ConfigurableScopeCheckerFeatureConfiguration. Use this together with oauth2.scopechecker.type=something to disable the other scope checking.

      Developer Implementation details

      JSON Web Services

      JSONWS works on top of Service Builder remote services that are guarded using Service Access Policies.

      The OAuth2 framework is integrated with SAP:

      • It exports SAPEntry records as OAuth2 scopes that can be granted to applications and approved for tokens - please see com.liferay.oauth2.provider.jsonws.internal.service.access.policy.scope.SAPEntryScopeDescriptorFinderRegistrator
      • When an API is called, it reads the SAPEntry names as token scopes and initializes the context for checking Service Access Policies in JSONWSOAuth2AuthVerifier (please see OAUTH2-31)

      JAX-RS applications

      Scopes are checked using the com.liferay.oauth2.provider.scope.ScopeChecker API from the com.liferay.oauth2.provider.scope.api OSGi bundle. The default implementation, com.liferay.oauth2.provider.scope.internal.ThreadLocalScopeContextScopeChecker, tests whether a scope was granted to the access token (initialized using com.liferay.oauth2.provider.scope.liferay.ScopeContext).

      Default HTTP Method Support

      For JAX-RS applications that don't export scopes themselves using com.liferay.oauth2.provider.scope.spi.scope.finder.ScopeFinder, the portal provides the JAX-RS Feature com.liferay.oauth2.provider.rest.internal.jaxrs.feature.HttpMethodFeature, which:

      • Publishes DELETE, GET, OPTIONS, POST, PUT scopes on behalf of the application.
      • Registers JAX-RS filter for the application to check the scopes with com.liferay.oauth2.provider.scope.ScopeChecker OSGi service based on the current request HTTP method.

      A JAX-RS application is enhanced with the feature when it is published into OSGi with:

      • no oauth2.scopechecker.type property or oauth2.scopechecker.type=http.method

      Annotations support

      We provide auto-discovery of JAX-RS application scopes using the JAX-RS Feature com.liferay.oauth2.provider.rest.internal.jaxrs.feature.AnnotationFeature, which:

      • Traverses endpoints and their methods to find com.liferay.oauth2.provider.scope.RequiresScope or com.liferay.oauth2.provider.scope.RequiresNoScope annotations and publishes them on behalf of the application
      • Registers a JAX-RS filter for the application to check the scopes using the com.liferay.oauth2.provider.scope.ScopeChecker OSGi service when a method is accessed

      For a JAX-RS application to be traversed for annotations, it must publish the following property:

      • oauth2.scopechecker.type=annotations

      Configurable ScopeChecker Feature

      The portal provides for JAX-RS applications a configuration, com.liferay.oauth2.provider.rest.internal.jaxrs.feature.configuration.ConfigurableScopeCheckerFeatureConfiguration, that allows mapping and checking any scopes based on URL pattern matching using com.liferay.oauth2.provider.rest.internal.jaxrs.feature.ConfigurableScopeCheckerFeature.

      The configuration can be created and managed using the portal System Settings portlet.

      Using osgi.jaxrs.application.select it is possible to target a specific JAX-RS application.

      The patterns property specifies the actual scopes that are matched to endpoint URLs. The syntax is as follows:

      "HTTP method pattern" :: "URL pattern" :: "Scopes delimited with comma"

      For example:

      ^GET$::^/apple/.*$::apple_read
      ^POST$::^/apple/.*$::apple_write,apple_read
      ^GET$::^/apple/public/.*$::
      ^.*$::^/apple/.*$::apple_all
      ^GET$::^/apple/.*$::everything.readonly
      ^.*$::^/apple/.*$::everything

      Patterns are checked and applied in the order of appearance. If none of the patterns matches, the algorithm returns the value of the allowUnmatched property.
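      The pattern evaluation described above, as an added Python model of the configuration semantics (this is not Liferay's ConfigurableScopeCheckerFeature code). It assumes that the first matching pattern whose scopes are all granted to the token allows the request, that a match with no satisfied pattern denies, and that allowUnmatched only applies when nothing matched; the page states only the ordering and the unmatched case, so those rules are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: the example pattern lines above, as a "patterns" property value.
PATTERN_LINES = """
^GET$::^/apple/.*$::apple_read
^POST$::^/apple/.*$::apple_write,apple_read
^GET$::^/apple/public/.*$::
^.*$::^/apple/.*$::apple_all
^GET$::^/apple/.*$::everything.readonly
^.*$::^/apple/.*$::everything
"""

@dataclass(frozen=True)
class ScopePattern:
    method: re.Pattern  # regex matched against the HTTP method
    path: re.Pattern    # regex matched against the endpoint URL path
    scopes: frozenset   # scopes the token must hold; empty means none required

def parse_patterns(text):
    """Parse 'method :: path :: scopes' lines; blank lines are skipped."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("::")
        if len(parts) != 3:
            raise ValueError(f"expected 3 '::'-separated fields: {line!r}")
        method, path, scopes = parts
        scope_set = frozenset(s.strip() for s in scopes.split(",") if s.strip())
        patterns.append(ScopePattern(re.compile(method), re.compile(path), scope_set))
    return patterns

def is_allowed(patterns, method, path, granted_scopes, allow_unmatched=False):
    """Evaluate patterns in order of appearance (assumed semantics, see lead-in):
    first matching pattern with all its scopes granted allows; a matching pattern
    missing scopes is skipped; matched-but-unsatisfied denies; no match at all
    returns allow_unmatched."""
    granted = frozenset(granted_scopes)
    matched = False
    for p in patterns:
        if p.method.fullmatch(method) is None or p.path.fullmatch(path) is None:
            continue
        matched = True
        if p.scopes <= granted:
            return True
    return False if matched else allow_unmatched
```

Under these rules the third line makes GET /apple/public/* reachable without any scope, while a POST under /apple/ needs both apple_write and apple_read, or one of the broader apple_all / everything scopes.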
