oddly, i am having what seems to be a timing issue where if i have my spring-security-oauth related beans configuration in a separate xml file from my spring-security related beans, like so:



<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

<bean class="org.springframework.security.oauth2.provider.verif ication.DefaultClientAuthenticationCache" />

<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token .InMemoryOAuth2ProviderTokenServices" />

<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:verification-code user-approval-page="/oauth/accessConfirmationForm" />
</oauth:provider>

<oauth:client-details-service id="clientDetails">
<oauth:client clientId="acme-widget-client" secret="acme-widget-client-secret" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>

</beans>


i get this:



Caused by: org.springframework.beans.factory.NoSuchBeanDefini tionException: No bean named 'org.springframework.security.filterChainProxy' is defined
at org.springframework.beans.factory.support.DefaultL istableBeanFactory.getBeanDefinition(DefaultListab leBeanFactory.java:527)
at org.springframework.security.oauth2.config.OAuth2P roviderBeanDefinitionParser.parse(OAuth2ProviderBe anDefinitionParser.java:57)
at org.springframework.beans.factory.xml.NamespaceHan dlerSupport.parse(NamespaceHandlerSupport.java:73)
at org.springframework.beans.factory.xml.BeanDefiniti onParserDelegate.parseCustomElement(BeanDefinition ParserDelegate.java:1335)
at org.springframework.beans.factory.xml.BeanDefiniti onParserDelegate.parseCustomElement(BeanDefinition ParserDelegate.java:1325)
at org.springframework.beans.factory.xml.DefaultBeanD efinitionDocumentReader.parseBeanDefinitions(Defau ltBeanDefinitionDocumentReader.java:135)
at org.springframework.beans.factory.xml.DefaultBeanD efinitionDocumentReader.registerBeanDefinitions(De faultBeanDefinitionDocumentReader.java:93)
at org.springframework.beans.factory.xml.XmlBeanDefin itionReader.registerBeanDefinitions(XmlBeanDefinit ionReader.java:493)
at org.springframework.beans.factory.xml.XmlBeanDefin itionReader.doLoadBeanDefinitions(XmlBeanDefinitio nReader.java:390)
... 21 more


but some experimentation showed that if i place the oauth related config in the same file as the spring-security config (at the end), that issue goes away:



<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
">

<authentication-manager>
<authentication-provider>
<user-service>
<user name="marissa" password="koala" authorities="ROLE_USER" />
<user name="paul" password="emu" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>

<http auto-config="false" use-expressions="true">
<intercept-url pattern="/resources/**" filters="none" />
<intercept-url pattern="/oauth/accessConfirmationForm" access="permitAll" />
<intercept-url pattern="/home" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
<intercept-url pattern="/login" access="hasRole('ROLE_ANONYMOUS') or hasRole('ROLE_USER')" />
<intercept-url pattern="/accounts/registration/**" access="hasRole('ROLE_ANONYMOUS')" />
<intercept-url pattern="/accounts/*/activation" access="hasRole('ROLE_ANONYMOUS')" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

<form-login login-page="/login" default-target-url="/home" />
<logout logout-url="/logout" logout-success-url="/login" />
</http>

<beans:bean factory-method="getContextHolderStrategy" class="org.springframework.security.core.context.Security ContextHolder" />


<!-- oauth2 stuff below here -->

<beans:bean class="org.springframework.security.oauth2.provider.verif ication.DefaultClientAuthenticationCache" />

<beans:bean id="tokenServices" class="org.springframework.security.oauth2.provider.token .InMemoryOAuth2ProviderTokenServices" />

<oauth:provider client-details-service-ref="clientDetails" token-services-ref="tokenServices">
<oauth:verification-code user-approval-page="/oauth/accessConfirmationForm" />
</oauth:provider>

<oauth:client-details-service id="clientDetails">
<oauth:client clientId="acme-widget-client" secret="acme-widget-client-secret" authorizedGrantTypes="authorization_code" />
</oauth:client-details-service>

</beans:beans>

I guess I can believe that. It's not timing though, if I'm guessing right: it's the order in which the bean definitions are hitting the parser. You can change that by making sure your externalized file is last in the list of imports, or file paths. This problem will go away when we change the whole thing so that the filters are configured explicitly (SECOAUTH-97).

thanks dave,

yes, "order" is more fitting than "timing" in this case.

not sure if my follow up question is better posted on a grails forum, but i'll try my luck here first:

i'm experiencing the same issue attempting to integrate the client side of spring-security-oauth with the grails spring-security plugin.

i'm a grails noob myself, but for those unfamiliar, grails allows for a file called "resources.xml" to contain "plain old" spring xml configuration.

i placed requisite client side config there and i'm experiencing the filterChainProxy not found condition:



<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
">

<oauth:client token-services-ref="oAuth2ClientTokenServices" />

<bean id="oAuth2ClientTokenServices" class="org.springframework.security.oauth2.consumer.token .InMemoryOAuth2ClientTokenServices" />

<oauth:resource id="widgetResource" type="authorization_code" clientId="acme-widget-client"
clientSecret="acme-widget-client-secret" accessTokenUri="${widget.oauth.provider.uri.root}/oauth/authorize"
userAuthorizationUri="${widget.oauth.provider.uri.root}/oauth/user/authorize" />

<bean id="widgetRestTemplate" class="org.springframework.security.oauth2.consumer.OAuth 2RestTemplate">
<constructor-arg ref="widgetResource" />
</bean>

</beans>


in this case, i don't have the liberty of manipulating bean definition order because the spring-security configuration is embedded in the spring-security grails plugin,
any suggestions for work arounds welcome!

i'll probably also cross post to the appropriate grails forum...

You might have to give up using the <oauth:/> namespace until SECOAUTH-97 is addressed. The comments in that issue show you how to configure the OAuth2 filters as a bean definition, and then you can use the Grails security plugin clientRegisterFilter feature.

being less grails savvy i decided to try configuring spring-security along side of spring-security-oauth via "resources.xml".

this allowed me to control the order of evaluation and skirt the 'filterChainProxy' not found issue.

(of course) i ran into another issue where this grails component, GrailsExceptionResolver, seems to be eating (or i should say re-packaging),
exceptions thrown from the controller layer (including OAuth2AccessTokenRequiredException) such that they never reach the filter chain.

i'm currently attempting to find a way to allow exceptions to "tunnel" through this mechanism,
otherwise it could be a show stopper for client side spring-security-oauth in a grails environment.

That does sound like a question for the Grails mailing list. I assume it's a common problem since Spring Security in general relies on propagating exceptions up to the filter layer.