Does a Spring Security OAuth2 Provider config play well with Spring-Social-Twitter?
davidfoley
Aug 8th, 2011, 11:18 AM
Hi, I've been exploring spring-social, and have a basic application setup whereby I can use the spring social connect api to connect to twitter and facebook. However, when I introduce a Spring Security OAuth 2 provider configuration into the app, twitter connections fail to authenticate, because, as far as I can see, the OAuth2 provider intercepts the twitter callback url and determines the access token to be invalid (which is technically true, as the access token is an OAuth 1 token). However, I assumed that the callback would have been able to complete and be directed to the connect controller unfettered.
I cannot determine whether this is a Spring Security issue, a Spring Social issue or an RTFM issue (!), but my impression is that it has to do with the way the security filter chain is set up as a result of my security configuration (which is right now based on Greenhouse).
I am looking into the issue, but I am hoping that in the meantime someone would be able to confirm for me that the Spring Security OAuth2 provider is compatible with Spring Social and ConnectController. Sorry, but I'm new to all this, and at this point I just can't tell!
Thanks
Keith Donald
Aug 8th, 2011, 04:32 PM
Spring Social is an OAuth consumer, not a provider, so it should not conflict with Spring Security's OAuth 1 or 2 Provider. I wonder why Spring Security OAuth is intercepting a Social https://your.app.url/connect/twitter callback. Can you see what is triggering the SEC OAuth Filter to trigger on that callback? Is it the presence of the oauth_verifier parameter, perhaps? Which Filter is actually running and why would be helpful info - and you definitely don't want Spring Security OAuth's consumer stuff running. You might want to post over at the Security OAuth forum and see what Ryan and his team say.
davidfoley
Aug 9th, 2011, 04:21 AM
Hi Keith, thanks for getting back to me.
"Is it the presence of the oauth_verifier parameter, perhaps?"
That's exactly my thought, so I've been researching the Spring Security OAuth 2 provider namespace configuration, and it appears (can't confirm as of yet) that once introduced, because of its position in the filter chain, it eventually gloms on to the connect/* urls and then 'mistakenly' intercepts twitter callbacks.
There does not appear to be a straightforward way to isolate its behaviour to a specific url root using the provider element in xml, so right now I'm in the process of defining the relevant beans to support oauth2 provision and implementing a second http security configuration, limited to a custom url root. Frankly, I'm surprised that there is no way to configure the oauth2 provider with a url pattern (unless I'm missing something).
The manual configuration appears to work (it does not interfere with Spring Social's callbacks), but I will have to implement a few more tests and do a little more research before I'm sure that my OAuth 2 provider configuration is up to the task.
In the meantime, I'll post the stack trace generated when the oauth2 provider intercepts the Spring Social twitter callback url. It's pretty obvious that it's down to the oauth2 provider intercepting the url... (apologies for the split posts; the trace was long!)
davidfoley
Aug 9th, 2011, 04:23 AM
DEBUG: org.springframework.web.client.RestTemplate - POST request for "https://api.twitter.com/oauth/request_token" resulted in 200 (OK)
DEBUG: org.springframework.web.client.RestTemplate - Reading [org.springframework.util.MultiValueMap] as "text/html;charset=utf-8" using [org.springframework.social.oauth1.OAuth1Template$1@586f403e]
INFO : io.hubbub.utils.LoggerInterceptor - #postHandle requestUri= POST:/hubbub/connect/twitter, view=null
DEBUG: org.springframework.web.servlet.DispatcherServlet - Rendering view [org.springframework.web.servlet.view.RedirectView: unnamed; URL [https://api.twitter.com/oauth/authorize?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE]] in DispatcherServlet with name 'appServlet'
INFO : io.hubbub.utils.LoggerInterceptor - #afterCompletion requestUri= /hubbub/connect/twitter, controller=org.springframework.social.connect.web.ConnectController#connect
DEBUG: org.springframework.web.servlet.DispatcherServlet - Successfully completed request
DEBUG: org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter - Chain processed normally
DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - Chain processed normally
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 1 of 14 in additional filter chain; firing Filter: 'BasicUserApprovalFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@b1c2a20f: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b1c2a20f: Principal: io.hubbub.account.model.Account@4e3f905b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: FD94D9A744537EFDFB37562B434E4054; Not granted any authorities'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 3 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 4 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 5 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 6 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 7 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG: org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b1c2a20f: Principal: io.hubbub.account.model.Account@4e3f905b; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: FD94D9A744537EFDFB37562B434E4054; Not granted any authorities'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 8 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 9 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 10 of 14 in additional filter chain; firing Filter: 'OAuth2ExceptionHandlerFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 11 of 14 in additional filter chain; firing Filter: 'VerificationCodeFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 12 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationFilter'
DEBUG: org.springframework.security.web.FilterChainProxy - /connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ at position 13 of 14 in additional filter chain; firing Filter: 'OAuth2ProtectedResourceFilter'
DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - OAuth error.
davidfoley
Aug 9th, 2011, 04:24 AM
Stack trace (contd.)
DEBUG: org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter - OAuth error.
org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Invalid access token: cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE
at org.springframework.security.oauth2.provider.token.RandomValueOAuth2ProviderTokenServices.loadAuthentication(RandomValueOAuth2ProviderTokenServices.java:175)
at org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter.doFilter(OAuth2ProtectedResourceFilter.java:48)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.oauth2.provider.verification.VerificationCodeFilter.doFilter(VerificationCodeFilter.java:98)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter.doFilter(OAuth2ExceptionHandlerFilter.java:36)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:95)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:187)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.oauth2.provider.verification.BasicUserApprovalFilter.doFilter(BasicUserApprovalFilter.java:41)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:340)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:175)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:563)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:680)
DEBUG: org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
And this is what I get in the browser
{
"error": "invalid_token",
"error_description": "Invalid access token: cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE"
}
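As an added example (Python written for this page, not code from Spring Security OAuth or Spring Social), a model of what the trace above shows: a resource filter that reads its OAuth 2 token from the oauth_token request parameter sees Spring Social's OAuth 1 callback as a bearer-token request and rejects it, whereas a provider chain limited to a URL pattern never touches /connect/**. The token store and the /api/** scope pattern are constructed; the callback token values are the ones logged above.

```python
"""Models the trace above: an OAuth 2 resource filter that reads its token from
the oauth_token parameter rejects Spring Social's OAuth 1 callback, whereas a
chain scoped to a URL pattern never touches it."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed token store: one valid OAuth 2 access token mapped to its client.
VALID_ACCESS_TOKENS = {"example-oauth2-access-token-0001": "api-client"}

# The callback from the trace above (token values as logged on this page).
SOCIAL_CALLBACK = ("/connect/twitter?oauth_token=cTAuzIoQFneyA3TWx0NGmeHhZ2E1sO79hXjzCqecNE"
                   "&oauth_verifier=Drk6zsvLgsLVwCiXSH1vAP9GCLFitEih7cvOQUAi9XQ")

def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' spans segments, '*' stays within one."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None

def extract_oauth2_token(headers, params):
    """Bearer header first, then access_token / oauth_token parameters. The
    oauth_token fallback is what makes an OAuth 1 callback look like a bearer
    request, which is the trigger suspected in the thread above."""
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    for name in ("access_token", "oauth_token"):
        if name in params:
            return params[name][0]
    return None

def is_oauth1_callback(path, params):
    """ConnectController callback shape: /connect/{provider} with both
    oauth_token and oauth_verifier present."""
    return path.startswith("/connect/") and {"oauth_token", "oauth_verifier"} <= set(params)

def resource_filter(url, headers=None, scope_pattern="/**"):
    """('pass', None) if the OAuth 2 chain does not act, ('ok', client) for a
    valid token, ('invalid_token', token) otherwise. scope_pattern is the URL
    pattern the provider chain is limited to; '/**' is the unscoped setup."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if not ant_match(scope_pattern, parts.path):
        return ("pass", None)
    token = extract_oauth2_token(headers or {}, params)
    if token is None:
        return ("pass", None)
    client = VALID_ACCESS_TOKENS.get(token)
    return ("ok", client) if client else ("invalid_token", token)

def chain_misconfigured(url, scope_pattern="/**"):
    """Check: an OAuth 1 callback that the OAuth 2 filter rejects means the
    provider chain is covering Spring Social's connect URLs."""
    parts = urlsplit(url)
    verdict, _ = resource_filter(url, scope_pattern=scope_pattern)
    return is_oauth1_callback(parts.path, parse_qs(parts.query)) and verdict == "invalid_token"
```

Running `resource_filter(SOCIAL_CALLBACK)` reproduces the invalid_token verdict from the browser output above, while `resource_filter(SOCIAL_CALLBACK, scope_pattern="/api/**")` lets the callback through to ConnectController.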
davidfoley
Aug 9th, 2011, 07:25 AM
I've discovered a workaround, but I don't believe it to be reliable. I have posted the details here (http://forum.springsource.org/showthread.php?113109-Specifying-which-urls-to-apply-Spring-OAuth-2-provider-to&p=375086#post375086), but I would still like some feedback on how to manage this situation *correctly*!
bjornharvold
Oct 21st, 2011, 03:16 PM
Hi David,
Do you know whether there has been an update to this issue? I just ran into the same problem myself with Spring Social 1.0.0.RELEASE. Going to try to update to the latest build of spring-security-oauth to see if that fixes things. What did you do to work around it, and what were the limitations you mentioned? Did you create a Jira ticket for the Spring Social framework?
Cheers
bjorn
habuma
Oct 31st, 2011, 09:33 AM
No resolution yet, but I do intend to look into this issue soon and have created https://jira.springsource.org/browse/SOCIAL-270 to track it.
habuma
Oct 31st, 2011, 02:50 PM
David or Bjorn: Two questions for you that will help me diagnose this problem: (1) Do you have a project (ideally in GitHub) that exhibits this problem and (2) are you using the latest Spring Security OAuth builds?
I'm trying to recreate this, but so far am not able to. But it's quite possible you've configured things differently than I have or are using an older snapshot of S2OAuth, so your help with the questions above would be great. I'd *especially* love to be able to checkout some code from GitHub that exhibits this behavior so that I can start from a broken state and try to work my way out of it.
FWIW, I am attempting to recreate this by starting with the Spring Social Showcase sample (which already has the Twitter social stuff in place) and then adding the S2OAuth config. For the S2OAuth config, I'm using the provider config from the OAuth 2 Sparklr example (almost verbatim). So far, no problems at all. Note that I am using the very latest S2OAuth snapshot, so if there were a problem in a previous version of S2OAuth, it may have been fixed since.
bjornharvold
Nov 2nd, 2011, 09:11 AM
This has been fixed in the latest source code in spring security oauth.
habuma
Nov 2nd, 2011, 10:03 AM
Thanks Bjorn! Based on your feedback, I'll close SOCIAL-270.