  • Specifying which urls to apply Spring OAuth 2 provider to

    Hi, I have implemented a basic OAuth 2 provider configuration, which works, but also interferes with other parts of the web application I am developing. In particular, I am using Spring Social to connect to Twitter and Facebook (the app operating in the role of OAuth consumer), yet I am also hoping to provide some services to other clients in the role of OAuth provider. The thing is, with the OAuth 2 provider configuration in place, it is interfering with authentication callbacks from Twitter (which uses OAuth 1), apparently intercepting them and then judging that the OAuth 1 response is invalid (which technically is true).

    I want to limit OAuth 2 provision to particular urls, and not have the configuration glom onto incoming authentication calls from third party service providers. I have searched and searched, and experimented, and I cannot see any way in which to instruct Spring Security OAuth 2 provider to limit itself to a particular url root (e.g., '/api/**').

    Can anybody give me a heads up? Any feedback appreciated, feeling a little desperate here....

  • #2
    Ok, an update. I consider this a hack, I don't vouch for its reliability, and I really hope there is a better way.

    First off, I implemented my own subclass of OAuth2ProtectedResourceFilter. All it does is inspect the request uri, and if the uri begins with '/api', treats the request as an api request and enforces oauth security by invoking its super.doFilter method.

    If the request is for any other resource, the instance delegates to the filterChain instead.

    Code:
    package io.hubbub.oauth.provider.auth;

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;

    import org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter;

    // Registered as the "oauth2ProtectedResourceFilter" bean, replacing the one the namespace creates
    public class HubbubOAuth2ProtectedResourceFilter extends OAuth2ProtectedResourceFilter
    {
        @Override
        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
                throws IOException, ServletException
        {
            final HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
            // Compare the context-relative path: getRequestURI() includes the context path
            // (e.g. "/hubbub/..."), so testing it directly would never match "/api"
            final String path = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
            final boolean isApiRequest = path.startsWith("/api");
            if (isApiRequest)
            {
                // API request: let the provider's filter enforce the OAuth 2 token check
                super.doFilter(servletRequest, servletResponse, chain);
            }
            else
            {
                // Any other URL (e.g. Spring Social callbacks) bypasses the OAuth 2 provider
                chain.doFilter(servletRequest, servletResponse);
            }
        }
    }
    Secondly, I specified oauth2 provider configuration like so, overriding the providers default oauth2ProtectedResourceFilter bean with my own by declaring it
    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
    	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    	xmlns:security="http://www.springframework.org/schema/security"
    	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                  http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
                  http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
    	<!-- services are injected via component scanning outside of this configuration file -->
    	<oauth:provider client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"/>
    	
    	<!-- now override oauth2ProtectedResourceFilter with custom protected resource filter-->
    	<bean id="oauth2ProtectedResourceFilter" class="io.hubbub.oauth.provider.auth.HubbubOAuth2ProtectedResourceFilter"/>
    </beans>
    So now my oauth2 provider configuration is limited to only url schemes that begin with '/api', which is what I wanted.

    I really hope there is a better way of doing this- any advice? Thanks


    • #3
      Where is your standard Spring Security <http/> configuration? You could use that to direct traffic through the filters you need. Spring Security also now allows you to define two <http/> elements and add the oauth2ProtectedResourceFilter to only one of them. As things stand there isn't a really nice way to do that - you basically have to define the OAuth2 filter chain manually as bean definitions - but I plan to make it easier (https://jira.springsource.org/browse/SECOAUTH-97). Another issue with the current implementation of <oauth:provider/> is that it doesn't distinguish between authorization service and resource service (and the oauth2ProtectedResourceFilter is only needed for the latter): maybe you don't care about that one, but if the namespace supported more explicit separation and filter configuration it would be easier to see what was happening.
      Last edited by Dave Syer; Aug 24th, 2011, 03:22 AM. Reason: formatting


      • #4
        Hi Dave, thanks for getting back to me

        "You could use that [http configuration] to direct traffic through the filters you need."
        That's what I was hoping was the case, but being relatively new to Spring Security, I couldn't find a way to do that. Would you show me how to configure the http security element to direct traffic through OAuth provider filters on a specific URI root?

        This is the config (essentially the same as the Greenhouse config at the moment). The OAuth configuration is the configuration posted at the top of this thread. Other dependencies are injected via code config (I don't believe that's an issue though).

        Code:
        <?xml version="1.0" encoding="UTF-8"?>
        <beans:beans xmlns="http://www.springframework.org/schema/security"
        	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
        	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">
        	<http use-expressions="true">
        		<!-- Authentication policy -->
        		<form-login login-page="/signin" login-processing-url="/signin/authenticate"
        			authentication-failure-handler-ref="redirectingAuthenticationFailureHandler" />
        
        		<logout logout-url="/signout" delete-cookies="JSESSIONID" />
        
        		<!-- Authorization policy definition: TODO consider replacing with @Secured 
        			on @Controllers -->
        		<intercept-url pattern="/" access="permitAll" />
        		<intercept-url pattern="/favicon.ico" access="permitAll" />
        		<intercept-url pattern="/resources/**" access="permitAll" />
        		<intercept-url pattern="/signin" access="permitAll" />
        		<intercept-url pattern="/signup" access="permitAll" />
        		<intercept-url pattern="/signin/*" access="permitAll" />
        		<intercept-url pattern="/signup/*" access="permitAll" />
        		<intercept-url pattern="/**" access="isAuthenticated()" />
        	</http>
        
        	<authentication-manager alias="authenticationManager">
        		<authentication-provider ref="myAuthenticationService" />
        	</authentication-manager>
        
        	<!-- Spring security authentication and authorization listeners for debugging -->
        	<beans:bean id="authenticationListener"
        		class="org.springframework.security.authentication.event.LoggerListener" />
        		
        	<beans:bean id="authorizationListener"
        		class="org.springframework.security.access.event.LoggerListener" />
        
        	<!-- introduce oauth 2 provider configuration -->
        	<beans:import resource="security-oauth-provider.xml" />
        </beans:beans>
        On the other point you made
        "Spring Security also now allows you to define two <http/> elements and only add the oauth2ProtectedResourceFilter to only one of them."
        I noticed that, then discovered the requirement for manual configuration of the oauth security chain, which, being new to SEC, I wouldn't be entirely comfortable with.

        BTW,
        "it doesn't distinguish between authorization service and resource service"
        ... yes, it appeared as if that was the case, but I wasn't sure. So am I understanding you correctly? OAuth2ProtectedResourceFilter is used by the OAuth 2 provider when it acts as both an authorization and an authentication service? It's not an issue right now, but perhaps down the line it would be.

        Thanks!

        Dave


        • #5
          Originally posted by davidfoley:
          Would you show me how to configure the http security element to direct traffic through oauth provider filters on a specific uri root?
          Before Spring Security 3.1 there was a filters= attribute in the <intercept-url/> I think. Now you would do something like this:

          Code:
          <http pattern="/resources/**" security="none"/>
          <http ...>
              <intercept-url pattern="/oauth2/protected/**" access="ROLE_USER" />
              <custom-filter ref="oauth2ProtectedResourceFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
          </http>
          <http ...>
              <intercept-url pattern="/normal/protected/**" access="ROLE_USER" />
              <form .../>
              ...
          </http>
          I'm sketching here because I don't really know your requirements.

          The example is a resource service configuration. It actually doesn't need any of the other filters in the OAuth2 stack. If you need the authorization service features as well look at my comments on https://jira.springsource.org/browse/SECOAUTH-97 for how to roll the filter chain manually. Later this week I hope to get some namespace support out for the same thing.
          Last edited by Dave Syer; Aug 24th, 2011, 04:32 PM. Reason: form login typo in oauth2 resource


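The filter hack in post #2 and the split <http/> layout sketched in post #5 both need one filter that enforces OAuth 2 only under a single URL root. The class below is an added example written for this edit; it is not code from the thread, from Spring Security or from Spring Security OAuth. It assumes the API visible in the thread (OAuth2ProtectedResourceFilter with a no-arg constructor, AntPathRequestMatcher and RequestMatcher in org.springframework.security.web.util as in the Spring Security 3.1 logs posted later), and the class name, package and "/api/**" default pattern are assumptions. It generalises the startsWith("/api") check: AntPathRequestMatcher compares the context-relative path, so it still matches when the application is deployed under a context path such as the /hubbub seen in the logs, and the pattern can be set from XML.

```java
// Added example (not from the thread): a path-scoped wrapper around the
// provider's protected-resource filter. Package, class name and the
// default "/api/**" pattern are assumptions made for this example.
package io.hubbub.oauth.provider.auth;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter;
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;

public class PathScopedOAuth2ProtectedResourceFilter extends OAuth2ProtectedResourceFilter {

    // AntPathRequestMatcher matches the servlet path (+ path info), i.e. the
    // path *after* the context path, so "/hubbub/api/x" is seen as "/api/x".
    private RequestMatcher apiMatcher = new AntPathRequestMatcher("/api/**");

    /** Lets the XML configuration override the default "/api/**" scope. */
    public void setApiPattern(String pattern) {
        this.apiMatcher = new AntPathRequestMatcher(pattern);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (apiMatcher.matches((HttpServletRequest) request)) {
            // Only API resources get the OAuth 2 access-token check
            super.doFilter(request, response, chain);
        } else {
            // Everything else, including OAuth 1 callbacks such as
            // /connect/twitter?oauth_token=..., never reaches the provider
            chain.doFilter(request, response);
        }
    }
}
```

It can be declared as the oauth2ProtectedResourceFilter bean with a `<property name="apiPattern" value="/api/**"/>` child, either to replace the namespace-created filter as in post #2 or as the `ref` of the `<custom-filter>` in the API-only `<http/>` element from post #5. In the latter layout the non-API `<http/>` element never sees the filter at all, which is the more explicit of the two arrangements.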
          • #6
            Hi Dave, sorry for the late response, but thanks for getting back to me. I've tried filling in the blanks above to customize for my own project, but it's just not happening, so if I could trouble you again, this is what I am trying to achieve.

            For general website security, I have implemented this (working) configuration.

            Code:
            	<authentication-manager alias="authenticationManager">
            		<authentication-provider ref="myOwnAuthenticationService" />
            	</authentication-manager>
            
            	<!-- site access security -->
            	<http use-expressions="true">
            		<!-- Authentication policy -->
            		<form-login login-page="/signin" login-processing-url="/signin/authenticate"
            			authentication-failure-handler-ref="redirectingAuthenticationFailureHandler" />
            		<logout logout-url="/signout" delete-cookies="JSESSIONID" />
            
            		<intercept-url pattern="/" access="permitAll" />
            		<intercept-url pattern="/favicon.ico" access="permitAll" />
            		<intercept-url pattern="/resources/**" access="permitAll" />
            		<intercept-url pattern="/signin" access="permitAll" />
            		<intercept-url pattern="/signup" access="permitAll" />
            		<intercept-url pattern="/signin/*" access="permitAll" />
            		<intercept-url pattern="/signup/*" access="permitAll" />
            		<intercept-url pattern="/**" access="isAuthenticated()" />
            	</http>
            For my oauth provider configuration I have this:

            Code:
            	<oauth:provider 
            		client-details-service-ref="myClientDetailsService" 
            		token-services-ref="myTokenServices">
            		<oauth:verification-code user-approval-page="/oauth/confirm_access" />
            	</oauth:provider>
            And that's it. With this implementation, I can successfully authorize access to my app, and the OAuth client can subsequently authenticate with my app. However, the provider's security filters are in the springSecurityChain and being applied to all URLs, just like any other filter. I just want the provider's filters to be applied to one service root URI, specifically /api**, and to specify the provider's authorization and token endpoints at /oauth**.

            So to clarify, I want control over the provider's authentication and authorization URLs, and to limit the provider's secure resource filters to a particular service root URL. I just don't know how to stop the provider's filters from being added to the 'global' securityFilterChain.

            Thanks!


            • #7
              Using the current namespace support you can't stop the OAuth2 protected resource filter from being applied along with the rest of the chain. That's what I was trying to say before. SECOAUTH-97 is about changing the implementation to make it more explicit what you are doing, so you can apply a filter to whichever chain you need.

              Why do you care though? It probably doesn't add much overhead to a resource to go through the extra filter(s). If you really care you are going to have to add additional <http/> elements and add the OAuth filters manually, instead of relying on the namespace. Maybe you could explain a bit more what it is you want to happen and why?


              • #8
                Hi Dave,

                "Using the current namespace support you can't stop the OAuth2 protected resource filter from being applied along with the rest of the chain"
                Thanks for confirming that for me, and for clarifying the purpose of SECOAUTH-97. I was really hoping to avoid having to get to know the OAuth provider's internals, but I guess I'll just have to go the route of rolling my own filter and applying it to an http configuration as you suggested. I was just really hoping to avoid this (for this particular project, I want to stay focused on the business logic, and avoid ownership of as much supporting code as possible).

                "Why do you care though? It probably doesn't add much overhead to a resource to go through the extra filter(s)."
                To clarify, it's not the overhead that's an issue, it's that the OAuth provider intercepts authentication callbacks from third party service providers that were originally initiated by various actors in the Spring Social Connect API. To explain, if I use Spring Social Connect to establish a connection to Facebook, after the user authorizes access to my app, Spring Social Connect then attempts to authenticate with Facebook, but when that request completes, the OAuth provider butts in (the response signature is the same) and assumes that the token was meant for it (assuming that an OAuth client was attempting to authenticate with my app). Of course, as this is the case, the token is invalid within this context, so the provider throws an exception, and the Connect API callback never gets the opportunity to finish the authentication process.

                Ultimately, however I get there, I obviously want to avoid this situation, and prevent any interference between Spring Social and the Spring Security OAuth provider. In order to do this, I need control over the provider authentication and authorization URLs, but I am not familiar with the OAuth provider implementation. Also, having never implemented my own filters before, I do not know which filters to group together under the heading of authorization, which filters to group together under the heading of authentication, or where to apply them respectively in a custom http configuration.

                Do you happen to know if these features are being addressed in future revisions? Or even better, if there are existing examples of a similar working configuration that you know of, would you be able to point me to them? I believe that your example at SECOAUTH-97 demonstrates how to apply the oauth filters to a bespoke resource url(s). Does that code work as it stands? From which class should I extend 'my.own.CompositeFilter'?

                Thanks for your time, I really appreciate it.

                Dave
                Last edited by davidfoley; Aug 31st, 2011, 06:51 AM.


                • #9
                  The code in the comments in SECOAUTH-97 works (I am using it in a project myself), but it doesn't address your concern directly because I'm not trying to separate out the requests that are handled by the SECOAUTH filters. The CompositeFilter code is not posted in JIRA, but it is in Spring 3.1 if you want to copy it.

                  What is it about the signature of the requests that clashes between SECOAUTH and SOCIAL? Maybe we can stop them from being intercepted just by tweaking the configuration using the existing namespace features? I'm actually surprised that there would be a clash, since you are not trying to be an OAuth provider for Facebook (you are a consumer, or more correctly a "client" in OAuth2 terminology).


                  • #10
                    Hi Dave, here's an example of the callback behaviour encountered. When the provider is enabled using the simple namespace configuration quoted above in my working configuration, and when I use the Spring Social Connect API to connect to Twitter, I receive this error in the browser when Twitter redirects back to me:

                    Code:
                    {
                      "error": "invalid_token",
                      "error_description": "Invalid access token: U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM"
                    }
                    at the following callback url on my server

                    Code:
                    http://localhost:8080/hubbub/connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g
                    I've pasted the log messages beneath this message (character length constraints)

                    As you can see, the OAuth 2 provider is interfering with the OAuth 1 redirect from twitter. Hope this helps, and that we can do a simple workaround with the namespace configuration.

                    Hope this shows the issue!
                    Last edited by davidfoley; Aug 31st, 2011, 08:03 AM.


                    • #11
                      Code:
                      DEBUG: org.springframework.web.client.RestTemplate - Created POST request for "https://api.twitter.com/oauth/request_token"
                      DEBUG: org.springframework.web.client.RestTemplate - Setting request Accept header to [application/x-www-form-urlencoded, multipart/form-data]
                      DEBUG: org.springframework.web.client.RestTemplate - POST request for "https://api.twitter.com/oauth/request_token" resulted in 200 (OK)
                      DEBUG: org.springframework.web.client.RestTemplate - Reading [org.springframework.util.MultiValueMap] as "text/html;charset=utf-8" using [org.springframework.social.oauth1.OAuth1Template$1@3253be7c]
                      INFO : io.hubbub.utils.LoggerInterceptor - #postHandle requestUri= POST:/hubbub/connect/twitter, view=null, handler= org.springframework.web.method.HandlerMethod
                      DEBUG: org.springframework.web.servlet.DispatcherServlet - Rendering view [org.springframework.web.servlet.view.RedirectView: unnamed; URL [https://api.twitter.com/oauth/authorize?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM]] in DispatcherServlet with name 'appServlet'
                      INFO : io.hubbub.utils.LoggerInterceptor - #afterCompletion requestUri= /hubbub/connect/twitter, controller=org.springframework.social.connect.web.ConnectController#connect
                      DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request
                      DEBUG: org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter - Chain processed normally
                      DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - Chain processed normally
                      DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
                      DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
                      DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/connect/twitter'; against '/'
                      DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/connect/twitter'; against '/favicon.ico'
                      DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/connect/twitter'; against '/resources/**'
                      DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/connect/twitter'; against '/signin*'
                      DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/connect/twitter'; against '/signup*'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 1 of 14 in additional filter chain; firing Filter: 'BasicUserApprovalFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
                      DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@f6232e43: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@f6232e43: Principal: io.hubbub.account.model.Account@9dd0fe7; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de60: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: E622EC850A9C337312F714EBED7607E5; Not granted any authorities'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 3 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 4 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 5 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 6 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 7 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
                      DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@f6232e43: Principal: io.hubbub.account.model.Account@9dd0fe7; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1de60: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: E622EC850A9C337312F714EBED7607E5; Not granted any authorities'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 8 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 9 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 10 of 14 in additional filter chain; firing Filter: 'OAuth2ExceptionHandlerFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 11 of 14 in additional filter chain; firing Filter: 'VerificationCodeFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 12 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationFilter'
                      DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM&oauth_verifier=NhGEUpYHmxOv2CoZbPxx0e3M1Z8S5Q9OOYuUMAA4n2g at position 13 of 14 in additional filter chain; firing Filter: 'OAuth2ProtectedResourceFilter'


                      • #12
                        Stack trace (part 2)

                        Code:
                        DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - OAuth error.
                        org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Invalid access token: U2VB1VEXCfb9ethlTFa5pyuYq0cBKlJ3GF7xhipmgM
                        	at org.springframework.security.oauth2.provider.token.RandomValueOAuth2ProviderTokenServices.loadAuthentication(RandomValueOAuth2ProviderTokenServices.java:175)
                        	at org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter.doFilter(OAuth2ProtectedResourceFilter.java:48)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
                        	at org.springframework.security.oauth2.provider.verification.VerificationCodeFilter.doFilter(VerificationCodeFilter.java:98)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter.doFilter(OAuth2ExceptionHandlerFilter.java:36)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:95)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.oauth2.provider.verification.BasicUserApprovalFilter.doFilter(BasicUserApprovalFilter.java:41)
                        	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                        	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:175)
                        	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
                        	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
                        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                        	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
                        	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
                        	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                        	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                        	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
                        	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                        	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
                        	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                        	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                        	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                        	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
                        	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
                        	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
                        	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
                        	at java.lang.Thread.run(Thread.java:680)
                        Last edited by davidfoley; Sep 8th, 2011, 10:42 AM. Reason: Redundant


                        • #13
                          Can you upgrade to a snapshot? I think the OAuth2 provider used to pick out OAuth 1 specific request parameters, because that used to be valid according to the spec, but it changed relatively recently.


                          • #14
                            Hi Dave, first up, thanks a million, that did the trick! There seems to be a considerable difference (for the better) between the current project and the last milestone release on Maven. No interference anymore and we can successfully authenticate and authorize clients with our app... for the most part.

                            Could you confirm that the current build snapshot supports authentication with client secrets? We tried to implement our own ClientDetailsService, supplying the client secrets there, but when we attempted to authenticate with our server, we encountered 'client secret mismatch' exceptions. We then tried to see if the current sparklr2 and tonr2 examples would behave any differently... so fired them up, and supplied a client secret to the tonr client, also configuring sparklr to define the tonr client with the same client secret, but we still received the same error when authenticating. Below is sparklr2's stack trace when the tonr2 client attempts to authenticate with a client secret.

                            Code:
                            OAuth2ExceptionHandlerFilter - OAuth error. <org.springframework.security.oauth2.common.exceptions.InvalidClientException: Client secret mismatch>org.springframework.security.oauth2.common.exceptions.InvalidClientException: Client secret mismatch
                            	at org.springframework.security.oauth2.provider.code.UnconfirmedAuthorizationCodeAuthenticationProvider.authenticate(UnconfirmedAuthorizationCodeAuthenticationProvider.java:63)
                            	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:134)
                            	at org.springframework.security.oauth2.provider.filter.OAuth2AuthorizationFilter.attemptAuthentication(OAuth2AuthorizationFilter.java:45)
                            	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
                            	at org.springframework.security.oauth2.provider.code.AuthorizationCodeFilter.doFilter(AuthorizationCodeFilter.java:103)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.oauth2.provider.filter.OAuth2ExceptionHandlerFilter.doFilter(OAuth2ExceptionHandlerFilter.java:36)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:95)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.oauth2.provider.code.BasicUserApprovalFilter.doFilter(BasicUserApprovalFilter.java:43)
                            	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
                            	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:175)
                            	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
                            	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
                            	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
                            	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
                            	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
                            	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
                            	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
                            	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:440)
                            	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
                            	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
                            	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
                            	at org.mortbay.jetty.Server.handle(Server.java:326)
                            	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
                            	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:943)
                            	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
                            	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
                            	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
                            	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
                            	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)


                            • #15
                              I can confirm that is broken in the way you describe. I opened a JIRA ticket (SECOAUTH-122). I'll try and fix it today.