Announcement Announcement Module
No announcement yet.
OAuth2 - emitting access token succeed oauth2 authentication processing? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • OAuth2 - emitting access token succeed oauth2 authentication processing?

    Dave and team,
    I'm checking out the Spring Security OAuth support. I must say you folks have done a fantastic job in delivering yet another solid f/w in the Spring family.

    I have a question - I have a prototype with a resource server and an auth server sharing the same token service on the same tomcat. When I access the protected resource with a valid token it goes through, good. If an invalid token it fails authentication with the error message, also good. However if the request has no access token in the header or the request parameter, the request is authenticated. I am wondering if I didn't do it right? no token should equal wrong token, doesn't it?

    Here are the logs:

    DEBUG: - /rest/hello at position 2 of 5 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
    DEBUG: ntication.OAuth2AuthenticationProcessingFilter - Token not found in headers. Trying request parameters.
    DEBUG: ntication.OAuth2AuthenticationProcessingFilter - Token not found in request parameters. Not an OAuth2 request.
    DEBUG: ntication.OAuth2AuthenticationProcessingFilter - No token in request, will continue chain.

    Thanks in advance,

  • #2
    Maybe you have another filter in the chain that authenticates the request? The OAuth2AuthenticationProcessingFilter is a pre-auth filter, so you can easily have more stuff downstream (e.g. <anonymous/>).


    • #3
      Very true Dave. Looks like OAuth2AuthenticationProcessingFilter abstains from casting the vote when it can't find the token. Is this the designed behavior? What do I do if I want to block the request unless it is a valid token? Is it a way to tell OAuth2AuthenticationProcessingFilter to treat no-token as wrong-token? Or a different way to go?



      • #4
        The design is pretty standard in Spring Security - authentication first, then access decision. Your access decision manager can disallow access to your resources with anonymous (or other non-token borne) credentials, or you can remove the filters that created the authentication you don't like.


        • #5
          Good explanation Dave. Yes adding an explicit anonymous-blocking access control works.


          • #6
            Hi Dave and danliang.

            I've the same problem exposed above... but i can't solve. I tried adding an anonymous-blocking but the filter chain continue when no access token in the request and the request access to the resource.

            My desired behaviour is stop the request when no access token present in request and return an authorization error. How can I do this?

            The protected resources are defined below:

            <http pattern="/protected/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
                    <anonymous enabled="false" />
                    <intercept-url pattern="/protected/**" method="GET" />
                    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
                    <access-denied-handler ref="oauthAccessDeniedHandler" />
                <oauth:resource-server id="resourceServerFilter" resource-id="res" token-services-ref="tokenServices" />
            Thanks in advance!