Compilation of already published Articles/Ideas/Problems-Solutions which I faced or came across over the period of time. Largely a place for me to document it as note-to-self. Nothing serious. :)
Tuesday, November 19, 2013
of this tutorial is to demonstrate how to implement an OAuth consumer
with Apache Camel. In this tutorial, the OAuth consumer is a simple
web application running on Google App Engine. It reads data from a
user's Google Calendar i.e. it displays the names of the user's
public and private calendars. The OAuth-based authorization process
that allows the application to access a user's calendars is
implemented using Camel's gauth component.
The application is accessible online
at http://gauthcloud.appspot.com/oauth/calendar (later,
it will be explained how to build and deploy the application
yourself). Play with it by following these steps:
the link next to this message to start the OAuth authorization
process. You will be redirected to Google Accounts. A message is
shown that a third party application is requesting access
permissions. In order to grant (or deny) access, login to your
Google account. This step may be skipped by Google if you already
logged into Google Accounts before.
login, Google displays a message that gauthcloud.appspot.com wants
to access your Google Calendar. Press the Grant
to continue. No worries, the sample application will only read the
names of your public and private Google calendars. No further reads
or updates are made to your calendars. If you don't
want gauthcloud.appspot.com to
access your calendar, press Deny
you presses Grant
Google redirects you back to the application that now displays the
names of your public and private calendars. The following screenshot
shows the list of my calendars
(some of them have German names). Using OAUth, the web application
gained access to your calendar data without ever having seen your
Google username and password. These have been entered at a Google
result of a successful OAuth authorization process is an OAuth
access token that is issued to the web application. The application
stores this token for the duration of one hour. However, you can
invalidate the access token at any time by either following the link
below the calendar list or by going directly
This will display a list of applications for which you granted
access to your Google account. Among these, there's also an entry
invalidate the access token immediately.
you go back to the application or reload the page with the calendar
list, a message is shown that the OAuth access token is invalid.
Follow the OAuth authorization process again to renew the
web applications Camel's OAuth support is not limited to
web applications running on Google App Engine. It works for
standalone web applications as well as long as they are accessible
from the internet so that Google can make OAuth callbacks.
following figure sketches the architcture of the distributed web
application and an example sequence of interactions.
Spring MVC-based web application with a single controller
and a facade for accessing the Google calendar service
views for either displaying calendar data or error messages.
Camel-based integration layer for doing all the OAuth-specific
interactions with Google Accounts.
user navigates to the main page of the demo application.
The TutorialController detects
that there's no OAuth access token available and renders a
corresponding error message including a link for initiating an
OAuth authorization process. The link is targeted at an HTTP
endpoint implemented by the OAuth integration layer.
user triggers the authorization process by following that link.
integration layer obtains an unauthorized request token from the
Google Accounts API
then redirects the user to a Google Accounts web page for login.
user logs in and grants gauthcloud.appspot.com access
to his Google calendar.
redirects the user back to the OAUth integration layer together
with an authorized request token.
integration layer upgrades the token to an OAuth access token and
stores this token in a cookie. The cookie expiration time is set
to one hour.
user is redirected to the TutorialController.
The TutorialController can
now obtain a valid access token from the cookie and uses it to
obtain the user's calendar data (via the TutorialService).
having obtained the calendar data, the TutorialController selects
a view for rendering the list of calendar names.
of access tokens In production systems it
is not recommended to store access tokens in
cookies. The recommended approach is to store them in a database.
The demo application is only doing that to keep the example as
simple as possible. However, an attacker could not use an access
token alone to get access to a user's calendar data because the
application's consumer secret is necessary for that as well. The
consumer secret never leaves the demo application.
section explains how to build and deploy the web application
a Google App Engine account if you don't have one.
a new application via the admin
reuse an existing one for uploading the example.
Optional: register the
application for use with Google's OAuth. After registration you
should have access to a consumer
If you decide not to register your application, use anonymous for
the consumer key and the consumer secret. In this case Google will
display a warning message on the authorization page which is
acceptable for testing-purposes.
you don't want to register your application. Then go to
the camel-example-gauth directory
will create the application war file
in the target directory.
use the appcfg command-line
tool of the App Engine SDK to deploy the application.
appcfg update target/camel-example-gauth-
where version needs
to be replaced with the version of Camel you're using. You will be
prompted for the email address and password of your Google App Engine
account. After deployment the example application is ready to use.
issue when using appcfg from the GAE SDK It
is important that you run appcfg with
a java executable
that is part of a JDK. If it is part of a JRE only then JSP
compilation won't work. This is explained on the appengine-java
Editing appcfg.sh or appcfg.cmd and
pointing to an appropriate java executable
should do the trick.
point to the demo application is the TutorialController.
It tries to obtain an OAuth access token from a cookie and interacts
with theTutorialService for
getting a user's calendar data from the Google Calendar API. Error
messages (authentication failures) are displayed to the user by
selecting the authorize.jsp view.
This view also contains a link for starting the OAuth authorization
process as shown above. A list of calendar names is displayed to the
user by selecting the calendar.jsp view.
to the Google Calendar API is encapsulated in
the TutorialService class.
It uses Google's GData
client library for
abstracting from low-level protocol details.
The getCalendarNames method
is paramterized with an OAuth access token and access token secret.
If the access token is invalid then an AuthenticationException is
thrown by the GData client. The exception is handled by
integration layer uses Camel's gauth component
to implement the consumer part of the OAuth authorization process. It
cleanly separates OAuth integration logic from other parts of the
application and is implemented by the TutorialRouteBuilder class.
Builds the OAuth-specific routes (implements the OAuth
integration layer) of the demo application.
first route obtains an unauthorized access token from Google
Accounts and redirects the user to an authorization page provided by
second route handles OAuth callbacks from Google and upgrades an
authorized request tokens to access tokens.
last step in the second route is an application-specific processor
that stores the access token in a cookie and redirects the user to
the main page of the demo application (which is served by
further details about implementing OAuth integration layers in web
application refer to the gauth component
The TutorialController and TutorialService are
set up in their own Spring application context.
The TutorialController is
scanned from the classpath using
It is an annotation-based
Spring MVC controller.
integration layer and its CamelContext is
configured in context-camel.xml.
This application context also configures the gauth component
with an application specific consumer key and consumer secret. These
are read from a context.properties file.