
  • Does a Spring Security OAuth2 Provider config play well with Spring-Social-Twitter?

    Hi, I've been exploring spring-social, and have a basic application setup whereby I can use the spring social connect api to connect to twitter and facebook. However, when I introduce a Spring Security OAuth 2 provider configuration into the app, twitter connections fail to authenticate, because, as far as I can see, the OAuth2 provider intercepts the twitter callback url and determines the access token to be invalid (which is technically true, as the access token is an OAuth 1 token). However, I assumed that the callback would have been able to complete and be directed to the connect controller unfettered.

    I cannot determine whether this is a spring security issue or a spring social issue or a RTFM issue (!), but my impression is that it has to do with the way the security filter chain is set up as a result of my security configuration (which is right now based on Greenhouse).

    I am looking into the issue, but I am hoping that in the meantime, someone would be able to confirm for me that Spring Security OAuth2 provider is compatible with spring-social and ConnectController; sorry, but I'm new to all this, and at this point, I just can't tell!

    Thanks

  • #2
    Spring Social is an OAuth consumer, not a provider, so it should not conflict with Spring Security's OAuth 1 or 2 Provider. I wonder why Spring Security OAuth is intercepting a Social https://your.app.url/connect/twitter callback. Can you see what is triggering the SEC OAuth Filter to trigger on that callback? Is it the presence of the oauth_verifier parameter, perhaps? Which Filter is actually running and why would be helpful info - and you definitely don't want Spring Security OAuth's consumer stuff running. You might want to post over at the Security OAuth forum and see what Ryan and his team say.

    • #3
      Hi Keith,

      Thanks for getting back to me.
      Is it the presence of the oauth_verifier parameter, perhaps?
      That's exactly my thought, so I've been researching Spring Security OAuth 2 provider namespace configuration, and it appears (can't confirm as of yet) that once introduced, because of its position in the filter chain, it eventually gloms on to the connect/* urls, then 'mistakenly' intercepts twitter callbacks.

      There does not appear to be a straightforward way to isolate its behaviour to a specific url root using the provider element in xml, so right now, I'm in the process of defining the relevant beans to support oauth2 provision, and implementing a second http security configuration, limited to a custom url root. Frankly, I'm surprised that there is no way to configure the oauth2 provider with a url pattern (unless I'm missing something).

      The manual configuration appears to work (it does not interfere with spring social's callbacks), but I will have to implement a few more tests and do a little more research before I'm sure that my OAuth 2 provider configuration is up to task.

      In the meantime, I'll post the stack trace generated when the oauth2 provider intercepts the spring social twitter callback url. It's pretty obvious that it's down to the oauth2 provider intercepting the url... (apologies for the split posts - the trace was long!)
      Last edited by davidfoley; Aug 9th, 2011, 05:25 AM.
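      To make the chain-ordering problem in this post concrete, here is an added Python model (not code from Spring Social, Spring Security OAuth or this thread) of two filter-chain layouts: one where the OAuth 2 resource filter, which reads the oauth_token request parameter as an access token (that is why the trace reports the Twitter request token as an "Invalid access token"), sits on every URL, and one where it is scoped to its own URL root as this post proposes. The chain layout, the ant_match helper, the token store and all request values are assumptions constructed for the illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed OAuth 2 access tokens the provider would recognise (assumption).
VALID_ACCESS_TOKENS = {"oauth2-access-token-123"}

# Constructed OAuth 1 callback of the kind Twitter sends back to /connect/twitter.
CALLBACK = "/connect/twitter?oauth_token=oauth1-request-token&oauth_verifier=verifier-xyz"


class InvalidTokenError(Exception):
    """Stands in for InvalidTokenException in the posted trace."""


def oauth2_resource_filter(path, params):
    """Models OAuth2ProtectedResourceFilter: any oauth_token parameter is
    treated as an OAuth 2 access token and validated, whatever the path."""
    token = params.get("oauth_token", [None])[0]
    if token is not None and token not in VALID_ACCESS_TOKENS:
        raise InvalidTokenError(f"Invalid access token: {token}")


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '/x/**' matches '/x' and anything beneath it."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return path == pattern


def dispatch(chains, request):
    """Run the first chain whose pattern matches (first match wins, as in
    FilterChainProxy), then hand the request to the controller. Returns the
    error body seen in the browser when a filter rejects the request."""
    parts = urlsplit(request)
    path, params = parts.path, parse_qs(parts.query)
    for pattern, filters in chains:
        if ant_match(pattern, path):
            try:
                for f in filters:
                    f(path, params)
            except InvalidTokenError as e:
                return {"error": "invalid_token", "error_description": str(e)}
            break
    if path.startswith("/connect/"):
        # The Spring Social callback completes the OAuth 1 dance here.
        return {"handler": "ConnectController", "provider": path.split("/")[2]}
    return {"handler": "protected-resource"}


# Layout 1: the OAuth 2 provider filter applies to every URL (the failing setup).
UNSCOPED = [("/**", [oauth2_resource_filter])]
# Layout 2: the OAuth 2 filter is confined to its own root; /connect/** is untouched.
SCOPED = [("/oauth/**", [oauth2_resource_filter]), ("/**", [])]
```

      Under UNSCOPED the Twitter callback is rejected exactly as in the trace; under SCOPED it reaches the connect controller, while /oauth/** resources are still checked.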

      • #4
        Code:
        DEBUG: org.springframework.web.client.RestTemplate - POST request for "https://api.twitter.com/oauth/request_token" resulted in 200 (OK)
        DEBUG: org.springframework.web.client.RestTemplate - Reading [org.springframework.util.MultiValueMap] as "text/html;charset=utf-8" using [org.springframework.social.oauth1.OAuth1Template$1@586f403e]
        INFO : io.hubbub.utils.LoggerInterceptor - #postHandle requestUri= POST:/hubbub/connect/twitter, view=null
        DEBUG: org.springframework.web.servlet.DispatcherServlet - Rendering view [org.springframework.web.servlet.view.RedirectView: unnamed; URL [https://api.twitter.com/oauth/authorize?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE]] in DispatcherServlet with name 'appServlet'
        INFO : io.hubbub.utils.LoggerInterceptor - #afterCompletion requestUri= /hubbub/connect/twitter, controller=org.springframework.social.connect.web.ConnectController#connect
        DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request
        DEBUG: org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter - Chain processed normally
        DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - Chain processed normally
        DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
        DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 1 of 14 in additional filter chain; firing Filter: 'BasicUserApprovalFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
        DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]2a20f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b1c2a20f: Principal: io.hubbub.account.model.Account@4e3f905b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: FD94D9A744537EFDFB37562B434E4054; Not granted any authorities'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 3 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 4 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 5 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 6 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 7 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
        DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b1c2a20f: Principal: io.hubbub.account.model.Account@4e3f905b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: FD94D9A744537EFDFB37562B434E4054; Not granted any authorities'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 8 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 9 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 10 of 14 in additional filter chain; firing Filter: 'OAuth2ExceptionHandlerFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 11 of 14 in additional filter chain; firing Filter: 'VerificationCodeFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 12 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationFilter'
        DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 13 of 14 in additional filter chain; firing Filter: 'OAuth2ProtectedResourceFilter'
        DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - OAuth error.

        • #5
          Stack (contd.)
          Code:
          DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - OAuth error.
          org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Invalid access token: cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE
          	at org.springframework.security.oauth2.provider.token.RandomValueOAuth2ProviderTokenServices.loadAuthentication(RandomValueOAuth2ProviderTokenServices.java:175)
          	at org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter.doFilter(OAuth2ProtectedResourceFilter.java:48)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
          	at org.springframework.security.oauth2.provider.verification.VerificationCodeFilter.doFilter(VerificationCodeFilter.java:98)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter.doFilter(OAuth2ExceptionHandlerFilter.java:36)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:95)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.oauth2.provider.verification.BasicUserApprovalFilter.doFilter(BasicUserApprovalFilter.java:41)
          	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
          	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:175)
          	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
          	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
          	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
          	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
          	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
          	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
          	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
          	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
          	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
          	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
          	at java.lang.Thread.run(Thread.java:680)
          DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
          DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
          And this is what I get in the browser

          Code:
          {
            "error": "invalid_token",
            "error_description": "Invalid access token: cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE"
          }
          Last edited by davidfoley; Aug 9th, 2011, 10:30 AM.

          • #6
            I've discovered a workaround, but I don't believe it to be reliable. I have posted the details here, but I would still like some feedback on how to manage this situation *correctly*!

            • #7
              Hi David,

              Do you know whether there has been an update to this issue? I just ran into the same problem myself with the Spring-Social 1.0.0.RELEASE. Going to try to update to the latest build of spring-security-oauth to see if that fixes things. What did you do to work around it, and what were the limitations you mentioned? Did you create a Jira ticket for the spring social framework?

              Cheers
              bjorn

              • #8
                No resolution yet, but I do intend to look into this issue soon and have created https://jira.springsource.org/browse/SOCIAL-270 to track it.

                • #9
                  David or Bjorn: Two questions for you that will help me diagnose this problem: (1) Do you have a project (ideally in GitHub) that exhibits this problem and (2) are you using the latest Spring Security OAuth builds?

                  I'm trying to recreate this, but so far am not able to. But it's quite possible you've configured things differently than I have or are using an older snapshot of S2OAuth, so your help with the questions above would be great. I'd *especially* love to be able to checkout some code from GitHub that exhibits this behavior so that I can start from a broken state and try to work my way out of it.

                  FWIW, I am attempting to recreate this by starting with the Spring Social Showcase sample (which already has the Twitter social stuff in place) and then adding the S2OAuth config. For the S2OAuth config, I'm using the provider config from the OAuth 2 Sparklr example (almost verbatim). So far, no problems at all. Note that I am using the very latest S2OAuth snapshot, so if there were a problem in a previous version of S2OAuth, it may have been fixed since.
                  Last edited by habuma; Oct 31st, 2011, 04:27 PM.

                  • #10
                    This has been fixed in the latest source code in spring security oauth.

                    • #11
                      Thanks Bjorn! Based on your feedback, I'll close SOCIAL-270.
