
  • Resource Server: who calls the ResourceServerTokenServices implementation?

    I work with M6.
    I have a resource server. I implement ResourceServerTokenServices,

    Code:
    public class MyRsrcSrvTokenServices implements ResourceServerTokenServices
    and as I saw in the documentation, my XML looks like this:

    Code:
    ...
    <security:http entry-point-ref="oauthAuthenticationEntryPoint"
                   access-decision-manager-ref="accessDecisionManager">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:custom-filter ref="resourceServerFilter" after="PRE_AUTH_FILTER" />
        <security:access-denied-handler ref="oauthAccessDeniedHandler" />
        <security:anonymous />
    </security:http>

    ...
    <oauth:resource-server id="resourceServerFilter"
                           resource-id="myResourceServer"
                           token-services-ref="tokenServices" />

    <bean id="oauthAuthenticationEntryPoint" class="org...oauth2.provider.error.MediaTypeAwareAuthenticationEntryPoint">
        <property name="realmName" value="client" />
    </bean>
    My questions:
    1. How is my implementation of ResourceServerTokenServices supposed to be called? Is it by the filter chain? Do I have to call it explicitly? (Am I missing something? I put a breakpoint there and it does not stop there...)
    2. What exactly is the "resource_id"? The docs say "The id for the resource (optional, but recommended and will be validated by the auth server if present)", but how do I bind it?
    3. Is there a place to read more, except the current docs? Which version do the docs refer to?

    Thanks!

  • #2
    Originally posted by OhadR:
    1. How is my implementation of ResourceServerTokenServices supposed to be called? Is it by the filter chain? Do I have to call it explicitly? (Am I missing something? I put a breakpoint there and it does not stop there...)
    The custom filter you added to the standard chain (resourceServerFilter) uses the ResourceServerTokenServices. You didn't show how your custom token services was configured. Is it the "tokenServices" bean that you injected into the filter?

    2. What exactly is the "resource_id"? The docs say "The id for the resource (optional, but recommended and will be validated by the auth server if present)", but how do I bind it?
    A resource id is an important check for the resource server that it was the intended audience for the access token it decodes. If you omit that check (by not specifying the resource id in the filter) your resource server might accept a bad token that was intended for another resource - the spec allows it but suggests in the security threat docs that this type of check is done, without saying how exactly.

    3. Is there a place to read more, except the current docs? Which version do the docs refer to?
    The docs should be up to date, but please help by improving them if you can. There have been changes since M6 so I would upgrade if I were you.

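As an added illustration of the audience check described in the reply above (example code written for this page, not code from the Spring Security OAuth project or from the poster): a plain-Java model of what the resource-server filter does with the token services bean, decoding the bearer token and then comparing the token's resource ids with the configured resource-id. The in-memory token store, the token values and every class and method name here are assumptions.

```java
import java.util.*;

// Plain-Java model of what the resource-server filter does with the
// tokenServices bean: decode the bearer token, then check that the
// filter's resource-id is among the resources the token was issued for.
// The in-memory token store and all names here are assumptions for this
// example; they are not Spring classes.
public class ResourceIdCheckDemo {
    // Decoded token: the client it was issued to and its intended resource ids.
    static final class DecodedToken {
        final String clientId;
        final Set<String> resourceIds;
        DecodedToken(String clientId, String... resourceIds) {
            this.clientId = clientId;
            this.resourceIds = new HashSet<>(Arrays.asList(resourceIds));
        }
    }

    // Stand-in for the tokenServices bean: constructed sample tokens, not real ones.
    static final Map<String, DecodedToken> TOKEN_STORE = new HashMap<>();
    static {
        TOKEN_STORE.put("tok-for-mine", new DecodedToken("client-a", "myResourceServer"));
        TOKEN_STORE.put("tok-for-other", new DecodedToken("client-b", "someOtherResource"));
    }

    // Mirrors the filter's flow: load the token, then enforce the audience
    // check. resourceId == null models omitting resource-id in the XML, in
    // which case a token meant for another resource is accepted.
    static String authenticate(String accessToken, String resourceId) {
        DecodedToken token = TOKEN_STORE.get(accessToken);
        if (token == null) {
            throw new SecurityException("Invalid access token");
        }
        if (resourceId != null && !token.resourceIds.isEmpty()
                && !token.resourceIds.contains(resourceId)) {
            throw new SecurityException("Token does not contain resource id (" + resourceId + ")");
        }
        return token.clientId;
    }

    public static void main(String[] args) {
        System.out.println(authenticate("tok-for-mine", "myResourceServer"));
        System.out.println(authenticate("tok-for-other", null));
        try {
            authenticate("tok-for-other", "myResourceServer");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second call shows the failure mode from the reply: with no resource-id configured, a token issued for a different resource is accepted; the third call shows the same token rejected once the check is in place.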


    • #3
      Thanks,

      I was missing this declaration:
      Code:
      <bean id="tokenServices" class="com....token.MyRsrcSrvTokenServices" />
      However, I still do not stop at the breakpoint in MyRsrcSrvTokenServices.
      I searched a little and saw that "OAuth2ProtectedResourceFilter" is calling it... Is this the filter that I need? How do I make this filter active? Isn't it active by default in the resource-server? Or did you mean another filter (you said "resourceServerFilter"...)?



      • #4
        Your resourceServerFilter should be one of those (the class name changed in RC1, but the basic function is the same). I can't say why you aren't seeing it being called - are you sure there is a security filter declared in the app (do you see it logging at DEBUG level)?



        • #5
          I see this on my resource server startup:

          Sep 21, 2012 3:38:06 PM org.springframework.security.config.http.HttpSecurityBeanDefinitionParser checkFilterChainOrder
          INFO: Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300, <resourceServerFilter>, order = 601, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1900, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2000]

          I see there <resourceServerFilter>, but I'm not sure what it means. Other filters are inside '[]'... What does it mean? That I have the filter in my chain, or that it expects it but does not find it?

          Oh, and I see this line as well in the log:
          INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@19efd160: defining beans [helloController,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.con... bla bla bla ... .DefaultSecurityFilterChain#4,org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,oauth2ExceptionHandlerFilter,oauth2ProtectedResourceFilter,resourceServerFilter,tokenServices,oauthAuthenticationEntryPoint,oauthAccessDeniedHandler,accessDecisionManager,org.springframework.context.annotation.ConfigurationClassPostProcessor$ImportAwareBeanPostProcessor#0]; root of factory hierarchy

          So indeed I see there "oauth2ProtectedResourceFilter, resourceServerFilter, tokenServices".

          ADD:
          I have put a breakpoint in OAuth2ProtectedResourceFilter. (I see that the "tokenServices" is indeed of type 'MyRsrcSrvTokenServices'.) I see that the afterPropertiesSet() method is being called on application init, but doFilter() is never being called...

          Any ideas?
          thanks for your help, Dave!
          Last edited by OhadR; Sep 21st, 2012, 09:28 AM. Reason: adding information



          • #6
            Switch on debug logging for Spring Security. You will see the filter chain being evaluated, if you have it enabled. All I see so far is the bean definitions in the application context - there's no link to the actual filter or web.xml yet. Are you sure you have enabled the filter?



            • #7
              I'll switch to DEBUG mode and see...

              Are you sure you have enabled the filter?
              I feel ashamed to ask, but how do I enable the filter? The fact that I see its afterPropertiesSet() being called doesn't mean it is enabled?



              • #8
                The filter is usually enabled and mapped in web.xml. See the sparklr2 sample for an example. Or any of the Spring Security samples.



                • #9
                  Oh, sure. In my web.xml I currently do the following:


                  Code:
                      <filter>
                          <filter-name>springSecurityFilterChain</filter-name>
                          <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
                          <init-param>
                              <param-name>contextAttribute</param-name>
                              <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
                          </init-param>
                      </filter>
                      <filter-mapping>
                          <filter-name>springSecurityFilterChain</filter-name>
                          <url-pattern>/*</url-pattern>
                      </filter-mapping>
                  I guess this is the mapping that you mean. Yet, for some reason, it seems like the OAuth2ProtectedResourceFilter is not functioning. Is there something that I'm missing?



                  • #10
                    Do you have a dispatcher servlet named "spring" and is the XML you showed before the config file for that servlet? What about the DEBUG logs?



                    • #11
                      Sure, I have this

                      Code:
                          <servlet>
                              <servlet-name>spring</servlet-name>
                              <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
                              <load-on-startup>1</load-on-startup>
                          </servlet>
                      
                          <servlet-mapping>
                              <servlet-name>spring</servlet-name>
                              <url-pattern>/</url-pattern>
                          </servlet-mapping>
                      Otherwise Spring wouldn't have worked at all.

                      About the debug - well, I guess I'm doing something wrong... I've added this to my log4j.properties:

                      Code:
                      log4j.logger.org.springframework.security=DEBUG, INFO, CONSOLE, LOGFILE
                      But when I run the rsc-server alone (without the client WAR and the authentication WAR) I do not see any debug logs. When I run the other components (client and auth-provider), I get tons of debug logs, but they are irrelevant and I don't see the FilterChain prints there.



                      • #12
                        Try

                        Code:
                        log4j.category.org.springframework.security=DEBUG



                        • #13
                          Nothing.
                          I even tried adding this to my xml file:

                          <security:debug/>

                          Yet, I see no DEBUG outputs.



                          • #14
                            I guess you are not using log4j then? Can you push the whole app onto a gist or something, so I can take a look?



                            • #15
                              Hallelujah, I set up log4j, so now I see (among tons of debug logs):

                              21 Sep 2012 20:26:35,925 [localhost-startStop-1] DEBUG servlet.handler.BeanNameUrlHandlerMapping - Rejected bean name 'oauth2ProtectedResourceFilter': no URL paths identified


                              21 Sep 2012 20:26:36,249 [localhost-startStop-1] DEBUG factory.support.DefaultListableBeanFactory - Returning cached instance of singleton bean 'oauth2ProtectedResourceFilter'

                              Is this what you wanted to see? Is there something else I should check?
