  • Code review request for oauth pseudo-authentication

    I have written examples for using oauth1 and oauth2 with spring-security for pseudo-authentication and placed them here: https://github.com/isopov/spring-sec...authentication

    The example for OAuth2 is based on the sample taken from the git history of cloudfoundry, and the sample for OAuth1 is written using the OAuth2 one as a reference. (I'm going to use OAuth1 in my app.) Can anyone review this code, since it is security related and therefore the price of a mistake is very high?

    To start, what bothers me with https://github.com/isopov/spring-sec...ionContext.xml is that if I look at the security filter chain in the debugger I see not only oauthConsumerContextFilter and oauthConsumerFilter wrapped in my wrapper (I wrapped them because it seems that both should be placed after EXCEPTION_TRANSLATION_FILTER) but also the same two filters again at the end of the normal security filter chain.

    Any thoughts on how this can be fixed or any other problems with this code?

  • #2
    Originally posted by moradan
    if I look at the security filter chain in the debugger I see not only oauthConsumerContextFilter and oauthConsumerFilter wrapped in my wrapper (I wrapped them because it seems that both should be placed after EXCEPTION_TRANSLATION_FILTER) but also the same two filters again at the end of the normal security filter chain.
    That's because the OAuth1 support has this rather weird implementation that magically modifies your security filter chain. So <oauth:consumer/> is supposed to be all you need to get the filter in the right place (hence you have a duplicate because you explicitly inserted it as well).

    I'm guessing your MultipleFilterWrapper is probably the same as the org.springframework.web.filter.CompositeFilter in Spring web, so you might not need that class either.

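    A small diagnostic for the symptom discussed in this answer (the same filter appearing twice in the chain, and OAuth consumer filters sitting before ExceptionTranslationFilter), added here as an example; it is not code from the thread, from the linked repository or from Spring Security. It assumes you have already pulled the resolved filter list for a URL out of your FilterChainProxy (for instance in a debugger or a test) and hand it to auditChain; the class names it looks for are the ones named in this thread, and the chain in main is constructed to mirror the reported duplication.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not from the thread or Spring Security): audits a resolved
 * security filter chain for duplicated filters and for OAuth consumer filters
 * that are not positioned after ExceptionTranslationFilter.
 */
public final class FilterChainAudit {

    // Filters the thread says must come after EXCEPTION_TRANSLATION_FILTER.
    private static final List<String> OAUTH_CONSUMER_FILTERS =
            Arrays.asList("OAuthConsumerContextFilter", "OAuthConsumerProcessingFilter");

    private static final String EXCEPTION_TRANSLATION = "ExceptionTranslationFilter";

    /** Takes the real Filter instances from the chain and reduces them to simple class names. */
    public static List<String> auditChain(List<?> filters) {
        List<String> names = new ArrayList<>();
        for (Object filter : filters) {
            names.add(filter.getClass().getSimpleName());
        }
        return auditNames(names);
    }

    /** Returns one human-readable finding per problem; an empty list means the chain looks sane. */
    public static List<String> auditNames(List<String> chain) {
        List<String> findings = new ArrayList<>();
        Map<String, Integer> firstSeen = new HashMap<>();
        int exceptionTranslationAt = -1;

        for (int i = 0; i < chain.size(); i++) {
            String name = chain.get(i);
            Integer earlier = firstSeen.get(name);
            if (earlier != null) {
                // Same filter class twice: typically one copy added by the namespace
                // handler and one added by hand, exactly the situation in the thread.
                findings.add("duplicate " + name + " at positions " + earlier + " and " + i);
            } else {
                firstSeen.put(name, i);
            }
            if (EXCEPTION_TRANSLATION.equals(name)) {
                exceptionTranslationAt = i;
            }
        }

        for (String oauthFilter : OAUTH_CONSUMER_FILTERS) {
            Integer at = firstSeen.get(oauthFilter);
            if (at == null) {
                continue; // not present in this chain, nothing to check
            }
            if (exceptionTranslationAt < 0 || at < exceptionTranslationAt) {
                findings.add(oauthFilter + " (position " + at + ") is not after " + EXCEPTION_TRANSLATION);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed chain (not captured from a real application) mirroring the symptom:
        // the OAuth consumer filters appear once where intended and again at the end.
        List<String> observed = Arrays.asList(
                "SecurityContextPersistenceFilter",
                "ExceptionTranslationFilter",
                "OAuthConsumerContextFilter",
                "OAuthConsumerProcessingFilter",
                "FilterSecurityInterceptor",
                "OAuthConsumerContextFilter",
                "OAuthConsumerProcessingFilter");
        for (String finding : auditNames(observed)) {
            System.out.println(finding);
        }
    }
}
```

    Note that a CompositeFilter (or the custom wrapper from the original post) shows up in the chain under the wrapper's own class name, so the copies inside it are invisible to this check; audit the unwrapped list, or drop the wrapper as suggested above, before drawing conclusions from the output.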


    • #3
      Thanks for CompositeFilter - replaced that custom hack with a more "standard" hack.

      I've replaced <oauth:consumer/> with manual creation of OAuthConsumerProcessingFilter and OAuthConsumerContextFilter.

      Any further tips are greatly appreciated.
