Error using UserApprovalHandler

Hi, I'm trying to implement OAuth using the following tutorial http://www.javacodegeeks.com/2012/02...-security.html. I'm facing trouble when I try to auto-authenticate the user using the UserApprovalHandler.

This is my XML configuration.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schem...-beans-3.0.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schem...curity-3.0.xsd
		http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

	<!-- Root Context: defines shared resources visible to all other web components -->
	<security:http auto-config='true'>
		<security:intercept-url pattern="/_ah/**" access="" filters="none"/>
		<security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<security:intercept-url pattern="/register" access="" filters="none"/>
		<security:intercept-url pattern="/**" access="" />
		<security:intercept-url pattern="/home" access="ROLE_USER"/>
		<security:intercept-url pattern="/error" access=""/>
		<security:form-login login-page='/login' default-target-url='/home'/>
	</security:http>

	<security:authentication-manager alias="authenticationManager">
		<security:authentication-provider user-service-ref="MyUserDetailService">
			<security:password-encoder ref="passwordEncoder"></security:password-encoder>
		</security:authentication-provider>
	</security:authentication-manager>

	<!-- <bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
		<constructor-arg ref="clientDetails" />
	</bean> -->

	<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
		<oauth:authorization-code />
		<oauth:implicit />
		<oauth:refresh-token />
		<oauth:client-credentials />
		<oauth:password />
	</oauth:authorization-server>

	<beans:bean id="userApprovalHandler" class="com.synclio.services.CustomUserApprovalHandler">
		<property name="autoApproveClients">
			<set>
				<value>foo</value>
			</set>
		</property>
	</beans:bean>

	<beans:bean id="MyUserDetailService" class="oauthdemo.MyUserDetailService"></beans:bean>
	<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></beans:bean>
	<beans:bean id="tokenServices" class="com.synclio.services.OAuthTokenService">
		<beans:property name="supportRefreshToken" value="true" />
		<beans:property name="clientDetailsService" ref="clientDetails"></beans:property>
	</beans:bean>

	<!-- <oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
		<oauth:verification-code user-approval-page="/oauth/confirm_access" />
	</oauth:provider> -->

	<oauth:client-details-service id="clientDetails">
		<oauth:client clientId="foo" authorizedGrantTypes="authorization_code"/>
	</oauth:client-details-service>
</beans:beans>
I changed my code after looking at the sparklr implementation. Please help me understand the OAuth flow and also where I'm wrong.

#2
You didn't really say what the problem is, unless I missed something? Note also that the UserApprovalHandler has nothing to do with authentication - a user is already authenticated at the time that the approvals are processed.


#3
Hi Dave,
I'm trying to implement the OAuth server provider, and my client won't be using Spring Security. So I hit /oauth/authorize with my client id, redirect_uri and other parameters and get the code. With that code I hit /oauth/token to get the access token. I have implemented my own token services where I'll store the token generated and given to the user using the principal object. But the principal has anonymousUser, since during the whole flow the user is never asked to enter his/her credentials. I'm extremely new to programming and any help from you will be highly appreciated.

Also, my user can also log in using his Facebook credentials, where I have to implicitly authenticate the user using his unique Facebook id. Can you please guide me on how to achieve this?


#4
Originally posted by tarun1188:
But the principal has anonymousUser, since during the whole flow the user is never asked to enter his/her credentials.

OK that makes sense. It means you haven't protected the /oauth/authorize endpoint with the usual standard Spring Security filters. Probably it makes sense to have a <http/> filter declaration specifically for that endpoint (but that's not mandatory).
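One way to get the authorization endpoint behind the login, as an added example that is not from the thread or the tutorial, using the same `security:` namespace prefix as the configs above; it assumes `/login`, `/register`, `/home` and `/oauth/authorize` are the only paths that matter and that the realm has a `ROLE_USER` authority:

```xml
<!-- Added example, not part of the original thread. intercept-url rules are
     matched in declaration order and the first match wins, so specific paths
     must come before the catch-all. Expressions require use-expressions="true"
     (available since Spring Security 3.0). -->
<security:http auto-config="true" use-expressions="true">
	<!-- Public endpoints: login form and self-registration. -->
	<security:intercept-url pattern="/login*" access="permitAll" />
	<security:intercept-url pattern="/register" access="permitAll" />

	<!-- The authorization endpoint must see a real, non-anonymous principal:
	     the authorization code it hands out is bound to whoever is logged in here. -->
	<security:intercept-url pattern="/oauth/authorize" access="hasRole('ROLE_USER')" />
	<security:intercept-url pattern="/home" access="hasRole('ROLE_USER')" />

	<!-- Catch-all last: anything not listed above still needs a logged-in user. -->
	<security:intercept-url pattern="/**" access="isAuthenticated()" />

	<security:form-login login-page="/login" default-target-url="/home" />
</security:http>
```

In the first config in this thread, `/**` is declared before `/home`, so the `/home` rule is shadowed and never applies, and `/oauth/authorize` is only matched by that unrestricted catch-all, which is how the flow reaches the endpoint with an anonymous principal.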


#5
Originally posted by Dave Syer:
OK that makes sense. It means you haven't protected the /oauth/authorize endpoint with the usual standard Spring Security filters.
Probably it makes sense to have a <http/> filter declaration specifically for that endpoint (but that's not mandatory).

Hi,
I have declared a filter for /oauth/authorize, so the normal login (where the user enters his/her user id and password) works perfectly. But if the user wants to log in using his Facebook or any other third party, I would have to implicitly authenticate the user using his unique Facebook id. So when the user hits the login controller I tried getting his client id, whether it's Facebook, Google or other. But the parameters get lost when the user reaches /login. "The user has to go through /login for /oauth/authorize due to the new filter." I googled and found 2 ways to authenticate the user, either using a preAuthentication filter or using a generic web filter. How will my current XML change if I choose either of them?

This is my updated XML.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:security="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
		http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

	<!-- entry-point-ref="preAuthenticatedProcessingFilterEntryPoint" -->
	<!-- Root Context: defines shared resources visible to all other web components -->
	<security:http auto-config='true'>
		<security:intercept-url pattern="/_ah/**"	access=""	filters="none" />
		<security:intercept-url pattern="/login*"	access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<security:intercept-url pattern="/oauth/authorize"	access="ROLE_USER" />
		<security:intercept-url pattern="/oauth/token"	access="ROLE_USER" />
		<security:intercept-url pattern="/register"	access=""	filters="none" />
		<security:intercept-url pattern="/index"	access=""	filters="none" />
		<security:intercept-url pattern="/**"		access="" />
		<!-- <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter"/> -->
		<security:form-login login-page='/login'	default-target-url='/home' authentication-failure-url="/error" />
	</security:http>

	<!-- alias must not contain a trailing space; the original post had "authenticationManager " -->
	<security:authentication-manager	alias="authenticationManager">
		<security:authentication-provider	user-service-ref="MyUserDetailService">
			<security:password-encoder ref="passwordEncoder"></security:password-encoder>
		</security:authentication-provider>
	</security:authentication-manager>

	<!-- <beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="com.foocompany.services.SocialEntryPoint" /> -->
	<beans:bean id="MyUserDetailService"	class="com.foocompany.services.MyUserDetailService"></beans:bean>
	<beans:bean id="passwordEncoder"	class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></beans:bean>
	<!-- <beans:bean id="tokenServices" class="com.foocompany.services.OAuthTokenService">
		<beans:property name="supportRefreshToken" value="true" />
	</beans:bean>
	<oauth:provider client-details-service-ref="clientDetails"
		token-services-ref="tokenServices">
		<oauth:verification-code user-approval-page="/oauth/confirm_access" />
	</oauth:provider>
	<oauth:resource access-token-uri="" client-id=""/>
	<oauth:client-details-service id="clientDetails">
		<oauth:client clientId="foocompany"	authorizedGrantTypes="authorization_code" />
		<oauth:client clientId="google"		authorizedGrantTypes="authorization_code" />
		<oauth:client clientId="facebook"	authorizedGrantTypes="authorization_code" />
	</oauth:client-details-service> -->
</beans:beans>



#6
I'm not really very sure what you are trying to do here. You have a protected /oauth/authorize resource in <http/> but there is no <authorization-server/> so that endpoint isn't defined - I assume you don't actually want to provide it, and you only want to be an OAuth client for Facebook etc.? You are only supporting form-login, so there is no way for a user to choose Facebook or other social authentications.


#7
As I said, I'm new to programming and this is the first time I'm using Spring Security. My basic requirement is to have a centralized login system where the user can log in using their social accounts or a form-based login, and the client can be a web client or mobile.

Can you shed some light on what an Authorization server is and why it is needed for my project, and also on all the changes I have to make to use the social login?

P.S.: Really appreciate you spending your time on my queries. Thanks


#8
An authorization server issues tokens for API access (broadly speaking). That doesn't seem to fit your use case, which is all client-side in OAuth terms. Spring OAuth does provide client-side features, but if that's all you need and the providers are common (like Facebook) then Spring Social might be a better fit. If you prefer to use Spring OAuth you could look at OAuth2ClientAuthenticationProcessingFilter and try to provide a ResourceServerTokenServices that works with your social providers. In any case it would make sense to review the Spring Security docs and understand the filter chain approach to authentication generally.


#9
Thanks Dave. I'll have a look at Spring Social, but first I'll try to solve my requirements using Spring Security OAuth.

BTW, sorry for all the typos in the thread.