I am trying to set up a spring 3 webapp to act as a proxy for another app that serves protected resource with oauth2.
We're using the UsernamePassword grant type. My app should not know about the user database; actually it will query the other app to get the details about the users (which permissions they have, among other things).
My app is responsible for displaying the login page.
I want to use a custom spring-security AuthenticationProvider that would:
- connect to the oauth server to obtain an access token
- then use an OAuth2RestTemplate to query the user that tries to login, in order to get its GrantedAuthorities, and other details
- build a UserDetails out of this. (My AuthenticationProvider would extend AbstractUserDetailsAuthenticationProvider)
The problem is:
- since I'm using to configure my spring app, spring adds an OAuth2ClientSecurityContextFilter to the filter chain
- when the 'retrieveUser' method of my AuthenticationProvider class is called, this filter has not been passed through yet
so if I try using the OAuth2RestTemplate inside my overridden 'retrieveUser' method, I get an exception:
java.lang.IllegalStateException: No OAuth 2 security context has been established. Unable to access resource 'avop-services'. at org.springframework.security.oauth2.consumer.OAuth2ClientHttpRequestFactory.createRequest(OAuth2ClientHttpRequestFactory.java:38) at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:76) at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:434) at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:401) .. etc ..
(I'm linking this to the OAuth2ClientSecurityContextFilter because of this topic: http://forum.springsource.org/showthread.php?98141-error-No-OAuth-2-security-context-has-been-established)
So my question is:
- does it make sense to have the AuthenticationProvider fire up after some other filters have played?
- if so, is it possible to control the order of filters?
- or is there a way to delay the computing of the UserDetails to later in the filter chain?
I know this is probably a very specific case, but I'm wondering if I am attacking it the right way or if I am missing something.
Thanks in advance.
The solution was to add a filter at the right position.
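The following Spring Security XML is an added illustration of that fix, not the asker's configuration or any project's own code. The reason retrieveUser() fails is that `<form-login/>` pins the username/password filter at the FORM_LOGIN_FILTER position, which sits earlier in the chain than the filter that establishes the OAuth 2 client context. Declaring the login filter as an ordinary bean and positioning it with `<custom-filter>` after the OAuth client filter means the provider's REST call runs with the context already set. Assumptions: the Spring Security 3.0 namespace, a bean id `oauth2ClientFilter` for the OAuth client filter (declared elsewhere with the oauth namespace), the provider class name `com.example.OAuthProxyAuthenticationProvider`, and the login/logout URLs, all of which are invented for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post). Bean ids, class names and URLs are assumed. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- No <form-login/> here: that element would fix the login filter at
         FORM_LOGIN_FILTER, ahead of the OAuth client filter. -->
    <security:http entry-point-ref="loginEntryPoint" use-expressions="true">
        <security:intercept-url pattern="/login" access="permitAll"/>
        <security:intercept-url pattern="/**" access="isAuthenticated()"/>

        <!-- OAuth client filter (bean id assumed, declared with the oauth namespace
             elsewhere). It establishes the OAuth 2 client security context. -->
        <security:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>

        <!-- Login filter placed between the OAuth client filter and the
             FilterSecurityInterceptor, so retrieveUser() sees the context. -->
        <security:custom-filter ref="proxyLoginFilter" before="FILTER_SECURITY_INTERCEPTOR"/>

        <security:logout logout-url="/logout"/>
    </security:http>

    <!-- Unauthenticated requests are sent to the login page this app renders. -->
    <bean id="loginEntryPoint"
          class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/login"/>
    </bean>

    <!-- The standard username/password filter, wired by hand instead of via <form-login/>. -->
    <bean id="proxyLoginFilter"
          class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="filterProcessesUrl" value="/j_spring_security_check"/>
        <property name="authenticationSuccessHandler">
            <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"/>
        </property>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/login?error=1"/>
            </bean>
        </property>
    </bean>

    <!-- The custom provider from the question (class name assumed) is the only provider. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="oauthProxyAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="oauthProxyAuthenticationProvider" class="com.example.OAuthProxyAuthenticationProvider"/>
</beans>
```

The two `custom-filter` entries use `after` and `before` rather than the same `position`, because Spring Security rejects two filters that resolve to an identical order; `after="EXCEPTION_TRANSLATION_FILTER"` and `before="FILTER_SECURITY_INTERCEPTOR"` resolve to distinct, adjacent slots with the OAuth client filter first. Because the login filter now runs after the ExceptionTranslationFilter, an AuthenticationException from the provider is handled by the filter's own failure handler rather than by the entry point, which is why the failure handler is wired explicitly.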