
  • Client filters not being created

    Just for Facebook, I have two types of clients, one to authenticate, the other to authorize.

    Code:
    	<oauth2:client id="authenticationClient"
    		resource-details-service-ref="oauth2ResourceDetailsService">
    		<oauth2:url pattern="/j_spring_oauth_security_check"
    			resources="facebookLogin" />
    	</oauth2:client>
    and

    Code:
    	<oauth2:client id="authorizationClient"
    		resource-details-service-ref="oauth2ResourceDetailsService">
    		<oauth2:url pattern="/rest/auth/facebook" resources="facebook" />
    		<oauth2:url pattern="/rest/auth/google" resources="google" />
    	</oauth2:client>
    I took much of the login idea from the spring-security-oauth-example project. The reason why I need two clients is because one of them requires the user to have been authenticated (the authorization to get social contacts) while the other assumes that the authentication hasn't happened (Facebook login). The problem I have right now is that I don't have a way of adding the custom-filter on the spring-security setting.
    Code:
    		<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
    			ref="authenticationClient" />
    		<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
    			ref="authorizationClient" />
    		<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR"
    			ref="oauth2AuthFilter" />
    Basically, I'm putting 3 filters where 2 can go. Spring security does not like the fact that it doesn't know whether to run authentication client first, or authorization client. Is there a way to combine a couple of clients into 1 filter? One other option I was thinking of was to create a separate sec:http with the url pattern of /rest/auth/*, and add the custom filter of the authorizationClient to that separately declared sec:http. Is that preferable?

    Another question that I have is that I see the code for parsing require-authenticated as an attribute in the M5 milestone release (OAuth2ClientBeanDefinitionParser line 52), but I don't see it in the xsd at the github source. Am I using the wrong xsd?

    Thanks for any help.
    Jeff
    Last edited by swang30; Dec 2nd, 2011, 05:11 AM. Reason: added question about requires-authenticated

  • #2
    Originally posted by swang30
    One other option I was thinking of was to create a separate sec:http with the url pattern of /rest/auth/*, and add the custom filter of the authorizationClient to that separately declared sec:http. Is that preferable?
    That's what I would do.

    Another question that I have is that I see the code for parsing require-authenticated as an attribute in the M5 milestone release (OAuth2ClientBeanDefinitionParser line 52), but I don't see it in the xsd at the github source. Am I using the wrong xsd?
    No, it's probably just missed out by mistake. You can raise a JIRA ticket and/or submit a pull request to get it fixed.

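The separate `sec:http` layout agreed on in the reply above, written out as an added example that is not part of the original thread or of the spring-security-oauth project. It assumes the Spring Security 3.1 namespace (several `sec:http` elements, each selected by its `pattern`), an Ant-style `/rest/auth/**` pattern, and two hypothetical bean ids, `forbiddenEntryPoint` and `loginEntryPoint`; the `oauth2:client` beans are the ones from the question.

```xml
<!-- Added example. Assumes the Spring Security 3.1 namespace, which allows
     several sec:http elements, each matched by its pattern attribute.
     Bean ids forbiddenEntryPoint and loginEntryPoint are hypothetical. -->

<!-- Returns 403 instead of starting a login when nobody is signed in. -->
<bean id="forbiddenEntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<!-- Chain 1: declared first, because chains are tried in declaration order
     and the catch-all chain below would otherwise take these requests. -->
<sec:http pattern="/rest/auth/**" entry-point-ref="forbiddenEntryPoint">
	<!-- Fetching social contacts requires an already authenticated user. -->
	<sec:intercept-url pattern="/rest/auth/**" access="IS_AUTHENTICATED_FULLY" />
	<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
		ref="authorizationClient" />
</sec:http>

<!-- Chain 2: everything else, including /j_spring_oauth_security_check.
     Each position now holds exactly one filter. Keeping oauth2AuthFilter
     here is an assumption; the thread does not say which URLs it serves. -->
<sec:http entry-point-ref="loginEntryPoint">
	<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
		ref="authenticationClient" />
	<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR"
		ref="oauth2AuthFilter" />
	<!-- existing intercept-url rules for the rest of the application go here -->
</sec:http>
```

With the default session-based security context, a user who logs in through the second chain is seen as authenticated by the first, so the `IS_AUTHENTICATED_FULLY` rule on `/rest/auth/**` enforces the "must already be logged in" requirement from the question.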


    • #3
      Originally posted by Dave Syer
      No, it's probably just missed out by mistake. You can raise a JIRA ticket and/or submit a pull request to get it fixed.
      Created as SECOAUTH-169.

      As an aside, the xsd on the Spring website, is that going to get updated? Or will you wait until the RC/GA releases?
