Any way to force token service to inject token on a controller/action?
    Hi, I'm building a plugin on an application and using OAuth 1 to make API calls to an external server (using restTemplate). I have a challenge: I need to make an API call in a controller/action, but this action is not directly called by the user's browser. The application generates an ajax call to a proxy method within the application and the proxy method somehow calls my action (not sure how it does that; no source code for the application).

    Because of this, the oauth:consumer -> oauth:url pattern doesn't work for this request. So my API calls in that action don't have a token and the token service is never called.

    My question is: is there a way I can force OAuth to inject the token at the code level? Thanks.
    Last edited by compass; Apr 25th, 2013, 08:04 PM.

  • #2
    How are you going to authenticate the call to your plugin (how do you know that it is a valid request)? Where would you get the token from? If the ajax call comes from a browser where the user is authenticated it should send the session cookie, and your Spring authentication token will be in there if there is one. I don't have a very clear picture of what this application is that you don't control, but it's going to have to let you add the OAuth filters, so I assume it uses Spring Security already. More detail might help.



    • #3
      Originally posted by Dave Syer (quoted from #2 above)
      Thanks for the reply. I'm making a plugin for a proprietary web application, which I don't have control over. The plugin is to integrate an external tool into the application. Between the plugin and the external tool, we use OAuth 1 (2-legged) to make sure the request is valid. So the token and secret are shared between the plugin and the external tool. When a user issues a request to the application to access information in the external tool, the URL will be something like /approot/pluginname/action; the action is within the plugin and running in the application. The plugin will send an API request to the external tool using OAuth to sign the message, which contains the token.

      The way we set up Spring Security OAuth is to watch /approot/pluginname/*. This works for most of the cases. However, there is one section on the screen where we want to display some information from the external tool. The way the application does it is to generate an ajax request to async load the content. The URL for the ajax request is something like /internalCall?someparameters=xxxx, which calls my action in the controller. Because it does not match my OAuth path pattern, no token is injected when my action calls the API. (I'm guessing; I haven't traced the code to see if it is true. However, if I try to call my action directly from the browser, it works because the pattern matches.)

      PS: I can't change my pattern, because my plugin root is restricted to the /pluginname level.

      So I'm thinking whether there is a way to allow me to inject the token before issuing the API request. Hope it makes sense.



      • #4
        Just found this ticket: https://jira.springsource.org/browse...mment-tabpanel

        My requirement is similar to this, but I'm using OAuth 1.
        Last edited by compass; Apr 26th, 2013, 03:06 AM. Reason: typo



        • #5
          I see. If the access token is not associated with the user it makes things a lot easier to make it secure, but as the JIRA issue shows, the design of the OAuthRestTemplate is not really very amenable to this kind of use case (whereas OAuth2 had a major overhaul in 1.0.0 and now is). I suppose the most straightforward solution is to manually populate the OAuthSecurityContext (which is threadbound so you have to do it for every request). Can you add a filter to the /internalCall path at all?



          • #6
            Thanks Dave. I tracked down the code and found out OAuthSecurityContext is null, so no token is added to the request. As you said, I manually added OAuthSecurityContext before the OAuthRestTemplate request. It works now. Thanks again!

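One way to do what #5 and #6 describe, as an added example that is not code from this thread or from Spring Security OAuth itself: a servlet filter mapped to the /internalCall path that populates the thread-bound OAuthSecurityContext with the shared 2-legged token before the controller runs, and clears it afterwards. The resource id "externalTool" and the constructor-supplied token values are assumptions; the check on the Spring Security Authentication reflects Dave's point in #2 that the call still has to be a valid, authenticated request.

```java
// Added example: filter that makes OAuthRestTemplate find the 2-legged token on /internalCall.
// Assumed: resource id "externalTool" matches the ProtectedResourceDetails id used to build
// the OAuthRestTemplate; token value/secret come from the plugin's own configuration.
import java.io.IOException;
import java.util.Collections;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth.consumer.OAuthConsumerToken;
import org.springframework.security.oauth.consumer.OAuthSecurityContextHolder;
import org.springframework.security.oauth.consumer.OAuthSecurityContextImpl;

public class InternalCallOAuthContextFilter implements Filter {
    private static final String RESOURCE_ID = "externalTool"; // assumption, see lead-in
    private final String tokenValue;
    private final String tokenSecret;

    public InternalCallOAuthContextFilter(String tokenValue, String tokenSecret) {
        this.tokenValue = tokenValue;
        this.tokenSecret = tokenSecret;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Only hand out the shared token to requests the application has already authenticated;
        // an anonymous hit on /internalCall must not turn into a signed call to the external tool.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            chain.doFilter(req, res); // no OAuth context: OAuthRestTemplate will refuse the call
            return;
        }
        OAuthConsumerToken token = new OAuthConsumerToken();
        token.setResourceId(RESOURCE_ID);
        token.setValue(tokenValue);
        token.setSecret(tokenSecret);
        token.setAccessToken(true); // OAuthClientHttpRequestFactory rejects non-access tokens
        OAuthSecurityContextImpl ctx = new OAuthSecurityContextImpl();
        ctx.setAccessTokens(Collections.singletonMap(RESOURCE_ID, token));
        OAuthSecurityContextHolder.setContext(ctx);
        try {
            chain.doFilter(req, res); // the controller's OAuthRestTemplate call now finds the token
        } finally {
            OAuthSecurityContextHolder.setContext(null); // never leak the token to a pooled thread
        }
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter only to the /internalCall path (and after Spring Security's filter chain) so the thread-bound token is never populated for requests that do not need it.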