Bypassing OAuth2 Security?
penguinone
Nov 15th, 2010, 02:59 PM
Hi-

While developing my own server using the OAuth2 module seen here, I was struggling with something. If I called my resource directly, I was sent to the login page, and when I logged in, I could call the resource directly without any tokens. I was doing this from curl:

curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"

(this would direct me to login.jsp)

curl -v --cookie cookies.txt --cookie-jar cookies.txt --data "j_username=cory&j_password=password&login=Login" "http://localhost:8080/j_spring_security_check"

(this would forward me back to my test)

curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"

(this would access my resource)

I thought I was doing something wrong and I pounded and pounded my head against the wall, until I did this:

curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"

curl -v --data "j_username=marissa&j_password=koala&login=Login" --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/login.do"

curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"

And the last thing gave me:

<photos><photo id="1" name="photo1.jpg"/><photo id="3" name="photo3.jpg"/><photo id="5" name="photo5.jpg"/></photos>

Huh? Is this right? Or does the OAuth2 dance only matter when you call Authorize? And in that case, doesn't this break my security? Shouldn't I be able to force a resource to ONLY go through OAuth?

If this is not a smart question, please be gentle. =)
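Added example, not code from this thread or from the OAuth2 module: a plain servlet filter that makes the resource path refuse anything but a bearer token, so the JSESSIONID obtained from the form login is never enough on its own. The `/rest/` prefix and the realm name are assumptions; validating the token itself is left to the OAuth2 filter downstream.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (added example, not the OAuth2 module's code). It runs in
// front of the Spring Security chain and refuses to let a request reach the
// web-service resources unless it carries a bearer token, so a JSESSIONID from
// the form login is never sufficient. Token validation stays downstream.
public class BearerOnlyResourceFilter implements Filter {

    // Assumption: the web-service resources all live under this path prefix.
    private static final String RESOURCE_PREFIX = "/rest/";

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Path inside the web app, e.g. "/rest/photos" for /sparklr2/rest/photos.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (!path.startsWith(RESOURCE_PREFIX)) {
            chain.doFilter(req, res);   // web pages keep the form-login behaviour
            return;
        }

        // Session cookies are deliberately not consulted for resource paths.
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            // An API client gets a 401 with a challenge, not a redirect to login.jsp.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setHeader("WWW-Authenticate", "Bearer realm=\"sparklr2\"");
            return;
        }
        chain.doFilter(req, res);   // the OAuth2 filter downstream validates the token
    }
}
```

Map it in web.xml ahead of the springSecurityFilterChain entry so it runs first; the second curl sequence above then gets a 401 on the third call instead of the photo list.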

penguinone
Nov 15th, 2010, 03:25 PM
Sorry, I can't find "delete thread". I think I just confused "web security" with "web service security".

stoicflame
Nov 16th, 2010, 05:42 PM
Hi. Sorry for the late reply.

Do you still have a problem/question?

penguinone
Nov 16th, 2010, 05:44 PM
I don't think so. I think I was confusing web security and web service security, the former being simpler and involving the user more.