
  • non-namespace configuration

    For a variety of reasons, we cannot use Spring's namespace configuration. Is there an example of the OAuth 2.0 configuration that doesn't use the namespace configuration mechanism?

  • #2
    I'm afraid I don't have one available. I've opened up a JIRA issue to track the work.

    https://jira.springsource.org/browse/SECOAUTH-53

    If you get around to doing it yourself, we'd love to have you post it for everyone to benefit.



    • #3
      Originally posted by stoicflame
      If you get around to doing it yourself, we'd love to have you post it for everyone to benefit.
      I'm not going to lie, this was a big PITA.

      The following is what I set up to get the basic OAuth 2.0 flow working (essentially the same as in the Tonr/Sparklr demo). Our security setup is complicated, so I'll only reproduce the relevant snippets below. The OAuth filters are in bold.

      First, the filter chain order:

      Code:
      BasicUserApprovalFilter, SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter, OAuth2ProtectedResourceFilter, FilterSecurityInterceptor
      Note that the AnonymousAuthenticationFilter is absolutely required even if you don't use it anywhere else.

      Now the supporting beans:

      Code:
      <bean id="oauth2UserApprovalFilter" class="org.springframework.security.oauth2.provider.verification.BasicUserApprovalFilter"/>
      
          <bean id="oauth2ExceptionTranslationFilter" class="org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter"/>
      
          <bean id="oauth2VerificationCodeFilter" class="org.springframework.security.oauth2.provider.verification.VerificationCodeFilter">
              <property name="clientDetailsService" ref="clientDetailsService"/>
              <property name="verificationServices" ref="verificationCodeServices"/>
              <property name="userApprovalHandler" ref="oauth2UserApprovalFilter"/>
      
              <property name="unapprovedAuthenticationHandler">
                  <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                      <!-- This is where you define your confirmation page -->
                      <property name="defaultFailureUrl" value="/oauth/confirm.action"/>
                  </bean>
              </property>
          </bean>
      
          <bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provider.OAuth2AuthorizationFilter">
              <property name="authenticationManager" ref="authenticationManager"/>
              <property name="authenticationSuccessHandler">
                  <bean class="org.springframework.security.oauth2.provider.OAuth2AuthorizationSuccessHandler">
                      <property name="tokenServices" ref="tokenServices"/>
                  </bean>
              </property>
          </bean>
      
          <bean id="oauth2ProtectedResourceFilter" class="org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter">
              <property name="tokenServices" ref="tokenServices"/>
          </bean>
      
          <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
              <property name="supportRefreshToken" value="true"/>
          </bean>
      
          <bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.InMemoryClientDetailsService">
              <property name="clientDetailsStore">
                  <map>
                      <entry key="tonr">
                          <bean class="org.springframework.security.oauth2.provider.BaseClientDetails">
                              <property name="clientId" value="tonr"/>
                              <property name="authorizedGrantTypes">
                                  <list>
                                      <value>authorization_code</value>
                                      <value>refresh_token</value>
                                  </list>
                              </property>
                          </bean>
                      </entry>
                  </map>
              </property>
          </bean>
      
          <bean id="verificationCodeServices" class="org.springframework.security.oauth2.provider.verification.InMemoryVerificationCodeServices"/>
      
          <bean id="oauth2VerificationAuthenticationProvider" class="org.springframework.security.oauth2.provider.verification.VerificationCodeAuthenticationProvider">
              <property name="verificationServices" ref="verificationCodeServices"/>
          </bean>
      
          <bean id="oauth2AccessGrantAuthenticationProvider" class="org.springframework.security.oauth2.provider.AccessGrantAuthenticationProvider">
              <property name="clientDetailsService" ref="clientDetailsService"/>
          </bean>
      
          <bean id="oauth2RefreshAuthenticationProvider" class="org.springframework.security.oauth2.provider.refresh.RefreshAuthenticationProvider"/>
      Note that the services (client, token, verification code) are just the supplied in-memory versions. You'll need to create your own versions to be persistent.

      Finally, you need to tie the providers into your authentication manager:

      Code:
      <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
              <property name="providers">
                  <list>
                      <ref local="daoAuthenticationProvider"/>
                      <ref local="oauth2AccessGrantAuthenticationProvider"/>
                      <ref local="oauth2VerificationAuthenticationProvider"/>
                      <ref local="oauth2RefreshAuthenticationProvider"/>
                      <bean class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                          <property name="key" value="mykey"/>
                      </bean>
                  </list>
              </property>
          </bean>

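Added example (not part of the thread and not the Spring Security OAuth project's own configuration): one way to wire the filter order from post #3 into a `FilterChainProxy` bean without the namespace, together with an `AnonymousAuthenticationFilter` whose key matches the `AnonymousAuthenticationProvider` registered in the authentication manager above. It assumes the Spring Security 3.0-era property setters (`filterChainMap`, `key`, `userAttribute`); the bean name `springSecurityFilterChain`, the `/**` pattern and every bean id not defined in the post are hypothetical and must be defined elsewhere in your context.

```xml
<!-- Added example: assumes Spring Security 3.0-style setters. -->
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <property name="filterChainMap">
        <map>
            <!-- One chain for every request; list order is execution order. -->
            <entry key="/**">
                <list>
                    <ref bean="oauth2UserApprovalFilter"/>                 <!-- defined in the post -->
                    <ref bean="securityContextPersistenceFilter"/>         <!-- hypothetical id -->
                    <ref bean="logoutFilter"/>                             <!-- hypothetical id -->
                    <ref bean="usernamePasswordAuthenticationFilter"/>     <!-- hypothetical id -->
                    <ref bean="basicAuthenticationFilter"/>                <!-- hypothetical id -->
                    <ref bean="requestCacheAwareFilter"/>                  <!-- hypothetical id -->
                    <ref bean="securityContextHolderAwareRequestFilter"/>  <!-- hypothetical id -->
                    <ref bean="anonymousAuthenticationFilter"/>            <!-- defined below -->
                    <ref bean="sessionManagementFilter"/>                  <!-- hypothetical id -->
                    <ref bean="exceptionTranslationFilter"/>               <!-- hypothetical id -->
                    <ref bean="oauth2ExceptionTranslationFilter"/>         <!-- defined in the post -->
                    <ref bean="oauth2VerificationCodeFilter"/>             <!-- defined in the post -->
                    <ref bean="oauth2AuthorizationFilter"/>                <!-- defined in the post -->
                    <ref bean="oauth2ProtectedResourceFilter"/>            <!-- defined in the post -->
                    <ref bean="filterSecurityInterceptor"/>                <!-- hypothetical id -->
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- The key must equal the one given to AnonymousAuthenticationProvider in the
     authentication manager ("mykey" in the post); otherwise the provider
     rejects the anonymous token this filter creates. -->
<bean id="anonymousAuthenticationFilter"
      class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
    <property name="key" value="mykey"/>
    <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
```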