swang30
Dec 2nd, 2011, 03:49 AM
Just for facebook, I have two types of clients, one to authenticate, the other to authorize.
<oauth2:client id="authenticationClient"
resource-details-service-ref="oauth2ResourceDetailsService">
<oauth2:url pattern="/j_spring_oauth_security_check"
resources="facebookLogin" />
</oauth2:client>
and
<oauth2:client id="authorizationClient"
resource-details-service-ref="oauth2ResourceDetailsService">
<oauth2:url pattern="/rest/auth/facebook" resources="facebook" />
<oauth2:url pattern="/rest/auth/google" resources="google" />
</oauth2:client>
I took much of the login idea from the spring-security-oauth-example project. The reason why I need two clients is because one of them requires the user to have been authenticated (the authorization to get social contacts) while the other assumes that the authentication hasn't happened (facebook login.) The problem I have right now is that I don't have a way of adding the custom-filter on the spring-security setting.
<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
ref="authenticationClient" />
<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
ref="authorizationClient" />
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR"
ref="oauth2AuthFilter" />
Basically, I'm putting 3 filters where 2 can go. Spring security does not like the fact that it doesn't know whether to run authentication client first, or authorization client. Is there a way to combine a couple of clients into 1 filter? One other option I was thinking of was to create a separate sec:http with the url pattern of /rest/auth/*, and add the custom filter of the authorizationClient to that separately declared sec:http. Is that preferable?
Another question that I have is that I see the code for parsing require-authenticated as an attribute in the M5 milestone release (OAuth2ClientBeanDefinitionParser line 52), but I don't see it in the xsd at the github (https://raw.github.com/SpringSource/spring-security-oauth/master/spring-security-oauth2/src/main/resources/org/springframework/security/oauth/spring-security-oauth2-1.0.xsd) source. Am I using the wrong xsd?
thanks for any help.
Jeff
<oauth2:client id="authenticationClient"
resource-details-service-ref="oauth2ResourceDetailsService">
<oauth2:url pattern="/j_spring_oauth_security_check"
resources="facebookLogin" />
</oauth2:client>
and
<oauth2:client id="authorizationClient"
resource-details-service-ref="oauth2ResourceDetailsService">
<oauth2:url pattern="/rest/auth/facebook" resources="facebook" />
<oauth2:url pattern="/rest/auth/google" resources="google" />
</oauth2:client>
I took much of the login idea from the spring-security-oauth-example project. The reason why I need two clients is because one of them requires the user to have been authenticated (the authorization to get social contacts) while the other assumes that the authentication hasn't happened (facebook login.) The problem I have right now is that I don't have a way of adding the custom-filter on the spring-security setting.
<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
ref="authenticationClient" />
<sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER"
ref="authorizationClient" />
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR"
ref="oauth2AuthFilter" />
Basically, I'm putting 3 filters where 2 can go. Spring security does not like the fact that it doesn't know whether to run authentication client first, or authorization client. Is there a way to combine a couple of clients into 1 filter? One other option I was thinking of was to create a separate sec:http with the url pattern of /rest/auth/*, and add the custom filter of the authorizationClient to that separately declared sec:http. Is that preferable?
Another question that I have is that I see the code for parsing require-authenticated as an attribute in the M5 milestone release (OAuth2ClientBeanDefinitionParser line 52), but I don't see it in the xsd at the github (https://raw.github.com/SpringSource/spring-security-oauth/master/spring-security-oauth2/src/main/resources/org/springframework/security/oauth/spring-security-oauth2-1.0.xsd) source. Am I using the wrong xsd?
thanks for any help.
Jeff