Spring oauth security 2 simple examples

I am trying to implement my own example based on the official Sparklr2 / Tonr2 tutorial. Everything looks fine, but when I remove from web.xml in my Tonr2 implementation, the Spring Security filter throws an exception:

No redirect URL set for current request

I can't figure out which URL I should use. Here is my code for the client:

    <!-- apply the oauth client context -->
    <oauth:client id="oauth2ClientFilter" />

    <!-- define an oauth 2 resource for sparklr -->
    <oauth:resource id="provider" type="authorization_code"
        client-id="client" client-secret="secret"
        access-token-uri="http://localhost:8080/provider/oauth/token"
        user-authorization-uri="http://localhost:8080/provider/oauth/authorize"
        scope="read,write" />

    <beans:bean id="clientController" class="com.aouth.client.ClientController">
        <beans:property name="trustedClientRestTemplate">
            <oauth:rest-template resource="provider" />
        </beans:property>
    </beans:bean>

And for the provider:

    <http pattern="/oauth/token" create-session="stateless"
          authentication-manager-ref="clientAuthenticationManager"
          xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic />
    </http>

    <authentication-manager id="clientAuthenticationManager"
                            xmlns="http://www.springframework.org/schema/security">
        <authentication-provider user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <!-- The OAuth2 protected resources are separated out into their own block so we can deal
         with authorization and error handling separately. This isn't mandatory, but it makes
         it easier to control the behaviour. -->
    <http pattern="/secured" create-session="never"
          access-decision-manager-ref="accessDecisionManager"
          xmlns="http://www.springframework.org/schema/security">
        <anonymous enabled="false" />
        <intercept-url pattern="/secured" access="ROLE_USER,SCOPE_READ" />
        <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <http-basic />
    </http>

    <bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
          xmlns="http://www.springframework.org/schema/beans">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <oauth:resource-server id="resourceServerFilter" resource-id="resource"
                           token-services-ref="tokenServices" />

    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

    <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />

    <http auto-config="true" xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/test" access="ROLE_USER" />
        <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    </http>

    <authentication-manager alias="authenticationManager"
                            xmlns="http://www.springframework.org/schema/security">
        <authentication-provider>
            <user-service>
                <user name="pr" password="pr" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

    <oauth:authorization-server client-details-service-ref="clientDetails"
                                token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>

    <oauth:client-details-service id="clientDetails">
        <oauth:client client-id="client" resource-ids="resource"
                      authorized-grant-types="authorization_code, implicit"
                      authorities="ROLE_CLIENT" scope="read,write" secret="secret" />
    </oauth:client-details-service>

I just want my client to work without Spring Security, and when I need my secured resource, I want to log in only on the provider side.

+6
1 answer

The second XML you pasted here is the Spring XML for the oauth-provider and the protected-resource, which in your case run in the same webapp (you can separate them, of course, if you want).

The client (the first XML snippet) is a different story. If I understand correctly, you want your client to work without Spring's help (to be a regular webapp, not a spring-security-oauth client webapp).

You need to understand how OAuth works: the client tries to reach a secured resource; if it does not have an access token, it is redirected to the OAuth provider (which displays the login page and issues the token). By the standard, the token request MUST contain the "redirect-uri" parameter, so that after a successful login the OAuth provider knows where to redirect the client. The OAuth client does this for you; if you remove the "oauth client" from your web.xml, you now have to implement it yourself.

Thanks for your reply. But I still don't understand how Spring Security affects my OAuth client. And can I use spring-oauth (spring-mvc) without spring-security on the client side?

When you write this line in your XML:

    <oauth:client id="oauth2ClientFilter" />

this means you are using spring-security-oauth, which is a package designed for OAuth and built on spring-security. If you dig into it, you will see that it puts a special filter (OAuth2ClientContextFilter) into the chain, which handles the OAuth plumbing relevant to the client. Among other things, it sends the request with all the parameters ("redirect-uri" is one of them).

If you decide NOT to use spring-security-oauth, well, you will have to implement this logic yourself...

Hope this helps!

+10
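The exchange the answer describes (client without a token, redirect to the provider with a redirect-uri, login on the provider side, code swapped for a token, token presented to the secured resource) as an added example. It is not code from the original thread or from spring-security-oauth: both sides run in one Python process with no network, and it stands in for what OAuth2ClientContextFilter does on the client and what /oauth/authorize, /oauth/token and /secured do on the provider. The client id, secret, provider URIs, scopes and the user "pr" come from the question's XML; the client callback URL, the in-memory code and token stores, and the method names are assumptions made for the example.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET = "client", "secret"           # from the question's XML
AUTHORIZE_URI = "http://localhost:8080/provider/oauth/authorize"
REDIRECT_URI = "http://localhost:8080/client/callback"  # assumed client callback path


def basic_header(client_id=CLIENT_ID, secret=CLIENT_SECRET):
    """HTTP Basic credentials the client presents to /oauth/token (the <http-basic/> block)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


class Provider:
    """Authorization server, token endpoint and /secured resource (the second XML)."""
    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": {REDIRECT_URI},
                                    "scopes": {"read", "write"}}}
        self.codes = {}   # code  -> (client_id, redirect_uri, scope, user)
        self.tokens = {}  # token -> (client_id, scope, user)

    def authorize(self, query, user):
        """GET /oauth/authorize, reached after `user` has logged in on the provider."""
        q = dict(parse_qsl(query))
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("response_type") != "code":
            raise ValueError("invalid_request")
        if q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")  # exact match against registered URIs only
        scope = set(q.get("scope", "").split())
        if not scope or not scope <= client["scopes"]:
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], " ".join(sorted(scope)), user)
        back = {"code": code, **({"state": q["state"]} if "state" in q else {})}  # state echoed
        return q["redirect_uri"] + "?" + urlencode(back)

    def token(self, authorization, form):
        """POST /oauth/token: authenticate the client, then redeem the code exactly once."""
        scheme, _, cred = authorization.partition(" ")
        cid, _, sec = base64.b64decode(cred).decode().partition(":")
        client = self.clients.get(cid)
        if scheme != "Basic" or client is None or not hmac.compare_digest(sec, client["secret"]):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        issued = self.codes.pop(form.get("code"), None)  # pop: a code is single use
        if issued is None or issued[0] != cid or issued[1] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")  # other client, or redirect_uri differs from /authorize
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (cid, issued[2], issued[3])
        return {"access_token": tok, "token_type": "bearer", "scope": issued[2]}

    def secured(self, authorization):
        """GET /secured: the bearer token must exist and carry scope 'read' (SCOPE_READ)."""
        scheme, _, tok = authorization.partition(" ")
        entry = self.tokens.get(tok) if scheme.lower() == "bearer" else None
        if entry is None or "read" not in entry[1].split():
            raise PermissionError("insufficient_scope")
        return f"hello {entry[2]}"


class Client:
    """What spring-security-oauth's client filter normally does, written by hand."""
    def __init__(self):
        self.session = {}  # the browser user's HTTP session on the client webapp

    def begin(self):
        """No token in the session: send the browser to the provider, bound to it by `state`."""
        self.session["state"] = secrets.token_urlsafe(16)
        return AUTHORIZE_URI + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "read write", "state": self.session["state"]})

    def callback(self, url, provider):
        """Browser is back with ?code=..&state=..: verify state, then swap the code for a token."""
        q = dict(parse_qsl(urlparse(url).query))
        if not hmac.compare_digest(q.get("state", ""), self.session.pop("state", "")):
            raise PermissionError("state_mismatch")  # CSRF or injected code: do not redeem it
        resp = provider.token(basic_header(), {"grant_type": "authorization_code",
                                               "code": q["code"], "redirect_uri": REDIRECT_URI})
        self.session["access_token"] = resp["access_token"]
        return resp


def rejected(fn, *args):
    """Error name a rejected request raises, or None if the request was accepted."""
    try:
        fn(*args)
    except (ValueError, PermissionError) as e:
        return str(e)
    return None


def run_flow(user="pr"):
    """The whole exchange: client redirect -> provider login -> callback -> token -> /secured."""
    provider, client = Provider(), Client()
    callback_url = provider.authorize(urlparse(client.begin()).query, user)
    client.callback(callback_url, provider)
    body = provider.secured("Bearer " + client.session["access_token"])
    return {"provider": provider, "client": client, "callback_url": callback_url, "body": body,
            "code": dict(parse_qsl(urlparse(callback_url).query))["code"]}
```

The checks that matter when you write this yourself instead of letting the filter do it: the provider only redirects to a redirect_uri registered for that client, the token request must carry the same redirect_uri that was used at /authorize, a code is redeemed once, the client secret goes over HTTP Basic and is compared in constant time, and the client binds the redirect to its session with a `state` value so a callback it did not start (or a replayed one) is refused before the code is redeemed.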
