usage of filters

    I'm trying to use the OAuth 2.0 Spring Security implementation for a small project using a JavaScript client and an HTTP REST service.

    The goal is to let the user authenticate with his username and password against a dedicated security module in return for an access token.

    With this access token he can use the business module.

    The security module uses the OAuth2AuthorizationFilter filter. This works fine: an access token is returned.

    The business module uses the OAuth2ProtectedResourceFilter and security method annotations. However, when you don't pass any access token (if the parseOAuthParameters returns null), the filter doesn't throw any exception.

    Is this the way it should be?

  • #2
    Can you provide a few more details?

    I'm not seeing any "parseOAuthParameters" method. The OAuth2ProtectedResourceFilter looks for an access token and if it finds one, it sets up the security context with it. If the token is provided but invalid, it throws an exception.

    If there is no token provided, no security context is established and the filter continues. This is pretty standard to the Spring Security model: the idea being that you can allow other filters to set up the security context and, if no security context is established, the resources that you have configured to be secure won't be accessible (and an appropriate exception will be thrown).

    Perhaps your resources aren't configured to be secure?


    • #3
      Thanks for the reply.

      The method is definitely there

      In the source code:

      Map<String, String> oauthParameters = parseOAuthParameters(request);
      if (oauthParameters != null) {
          chain.doFilter(request, response);
      }

      So when no token is provided, 'nothing' happens and the authentication in the SecurityContext is left unchanged. Maybe you're right and this is the best solution.

      I did some further debugging and I found that my problem is at the level of the SecurityContext (sometimes it 'loses' the authentication, and on the next request it has it again), so nothing to do with your implementation.
      I think I will need to clear it after every request, forcing the token to be provided at each request.

      Looking at my case where the authentication service and the business services run in different webapps or machines, are there any plans to provide an implementation for a 'check token' http call, returning the associated user and role (even though it is outside the scope of the oauth 2.0 spec)?
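      The filter semantics described in #2 (a present and valid token sets the context, an invalid one throws, a missing one passes through so the secured resource itself rejects the call) together with the per-request context clearing mentioned in #3, as an added Python model; this is not code from the thread or from Spring Security OAuth, and the token store, request dicts and role name are constructed for the demo:

```python
# Added example (not from the thread or Spring Security OAuth): a minimal
# model of the filter behaviour described above. Token store, request
# dicts and role name are constructed for the demo.
import threading

TOKENS = {"tok-alice": ("alice", {"ROLE_USER"})}  # constructed sample store
_ctx = threading.local()                           # stands in for SecurityContextHolder


class InvalidTokenError(Exception): pass
class AccessDeniedError(Exception): pass


def protected_resource_filter(request, chain):
    """Token present and valid -> set context; present but invalid -> raise;
    absent -> leave the context untouched and continue down the chain."""
    token = request.get("access_token")
    if token is not None:
        if token not in TOKENS:
            raise InvalidTokenError(token)
        _ctx.auth = TOKENS[token]
    return chain(request)


def secured_resource(request):
    """The resource, not the filter, is the gate: no authentication -> denied."""
    auth = getattr(_ctx, "auth", None)
    if auth is None or "ROLE_USER" not in auth[1]:
        raise AccessDeniedError(request["path"])
    return f"hello {auth[0]}"


def handle(request, clear_after=True):
    """One request on a pooled thread. Clearing in finally is what stops an
    earlier request's authentication from leaking into the next one."""
    try:
        return protected_resource_filter(request, secured_resource)
    finally:
        if clear_after:
            _ctx.auth = None


def run(requests, clear_after=True):
    """Serve requests sequentially on one thread; return each outcome."""
    out = []
    for r in requests:
        try:
            out.append(handle(r, clear_after))
        except AccessDeniedError:
            out.append("denied")
        except InvalidTokenError:
            out.append("invalid")
    return out
```

With `clear_after=False` the second, token-less request still succeeds because the first request's authentication is still sitting in the thread-local context, which is exactly the "has it again on the next request" symptom; clearing the context at the end of every request makes the missing token visible as a denial.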


      • #4
        So are you using the springsource version of the code? It looks like the parseOAuthParameters method is in the old version, but the newest version (1.0.0.M1) is updated.


        • #5
          Where can I find this version (using maven)?

          The link on doesn't work.

          I'm using the Codehaus version.



          • #6
            Never mind, I found the correct download page in a previous topic.