
  • Bypassing OAuth2 Security?

    Hi-

    While developing my own server using the OAuth2 module seen here, I was struggling with something. If I called my resource directly, I was sent to the login page, and when I logged in, I could call the resource directly without any tokens. I was doing this from curl:
    Code:
    curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"
    (this would direct me to login.jsp)
    
    curl -v --cookie cookies.txt --cookie-jar cookies.txt --data "j_username=cory&j_password=password&login=Login" "http://localhost:8080/j_spring_security_check"
    
    (this would forward me back to my test)
    
    curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"
    
    (this would access my resource)
    I thought I was doing something wrong and I pounded and pounded my head against the wall, until I did this:

    Code:
    curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"
    
    curl -v --data "j_username=marissa&j_password=koala&login=Login" --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/login.do"
    
    curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"

    And the last thing gave me:

    Code:
    <photos><photo id="1" name="photo1.jpg"/><photo id="3" name="photo3.jpg"/><photo id="5" name="photo5.jpg"/></photos>
    Huh? Is this right? Or does the OAuth2 dance only matter when you call Authorize? And in which case, doesn't this break my security? Shouldn't I be able to force a resource to ONLY go through OAuth?

    If this is not a smart question, please be gentle. =)
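The behaviour above comes down to which security filter chain the `/rest/**` path falls under. As an added example, not code from this thread or from the Spring Security OAuth project, here is a small Python model of ordered filter chains: the first chain whose path pattern matches handles the request. The "weak" layout reproduces what the poster saw (one catch-all form-login chain also covers `/rest/**`, so a session cookie obtained by logging in is enough), and the "hardened" layout puts a dedicated stateless chain in front of `/rest/**` that ignores cookies and accepts only a valid bearer token with the required scope. In Spring Security (3.1 and later) the same separation is expressed as a separate `<http pattern="/rest/**" create-session="stateless">` element listed before the form-login `<http>` element. All paths, session ids, tokens and users here are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample state. In a real deployment the session store is filled by
# form login and the token store by the OAuth2 token endpoint.
SESSIONS: Dict[str, str] = {"sess-abc": "marissa"}
TOKENS: Dict[str, Tuple[str, Set[str]]] = {
    "tok-123": ("marissa", {"read"}),        # token with the scope the resource needs
    "tok-write-only": ("marissa", {"write"}),  # valid token, but wrong scope
}


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def matches(pattern: str, path: str) -> bool:
    """Ant-style prefix match: '/rest/**' matches everything under /rest/."""
    if pattern.endswith("/**"):
        return path.startswith(pattern[:-2])
    return path == pattern


def session_chain(req: Request) -> Response:
    """Form-login chain: a valid session cookie is sufficient, otherwise redirect to login."""
    user = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if user:
        return Response(200, f"resource for {user}")
    return Response(302, "redirect to /login.jsp")


def bearer_chain(req: Request) -> Response:
    """Stateless resource-server chain: cookies are never consulted; only a
    bearer token with the 'read' scope grants access."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Response(401, "WWW-Authenticate: Bearer")
    entry = TOKENS.get(auth[len("Bearer "):])
    if entry is None:
        return Response(401, "invalid_token")
    user, scopes = entry
    if "read" not in scopes:
        return Response(403, "insufficient_scope")
    return Response(200, f"resource for {user}")


@dataclass
class FilterChain:
    pattern: str
    handler: Callable[[Request], Response]


def dispatch(chains: List[FilterChain], req: Request) -> Response:
    """The first chain whose pattern matches the path handles the request (first match wins)."""
    for chain in chains:
        if matches(chain.pattern, req.path):
            return chain.handler(req)
    return Response(404, "no chain matched")


# The poster's situation: a single catch-all chain with form login also covers /rest/**.
WEAK: List[FilterChain] = [FilterChain("/**", session_chain)]

# The fix: a stateless bearer-token chain for /rest/** listed first, so a session
# cookie never counts there while the UI keeps using form login.
HARDENED: List[FilterChain] = [
    FilterChain("/rest/**", bearer_chain),
    FilterChain("/**", session_chain),
]


def access_with_session(chains: List[FilterChain]) -> int:
    """Status returned for /rest/photos when only a logged-in session cookie is sent."""
    req = Request("/rest/photos", cookies={"JSESSIONID": "sess-abc"})
    return dispatch(chains, req).status


def access_with_token(chains: List[FilterChain], token: str = "tok-123") -> int:
    """Status returned for /rest/photos when only a bearer token is sent."""
    req = Request("/rest/photos", headers={"Authorization": f"Bearer {token}"})
    return dispatch(chains, req).status


if __name__ == "__main__":
    print("weak layout, session cookie only:", access_with_session(WEAK))        # 200
    print("hardened layout, session cookie only:", access_with_session(HARDENED))  # 401
    print("hardened layout, bearer token:", access_with_token(HARDENED))           # 200
```

The check to run against a real deployment is the same one the poster did with curl: log in through the form, then call the resource path with only the session cookie. If it answers 200, the resource shares the web-security chain; it should answer 401 with a `WWW-Authenticate: Bearer` challenge once it has its own stateless chain.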

  • #2
    Sorry, I can't find "delete thread". I think I just confused "web security" with "web service security".



    • #3
      Hi. Sorry for the late reply.

      Do you still have a problem/question?



      • #4
        I don't think so. I think I was confusing web security and web service security, the former being simpler and involving the user more.
