Bypassing OAuth2 Security?
Hi-
While developing my own server using the OAuth2 module seen here, I was struggling with something. If I called my resource directly, I was sent to the login page, and when I logged in, I could call the resource directly without any tokens. I was doing this from curl:
Code:
curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"
(this would direct me to login.jsp)
curl -v --cookie cookies.txt --cookie-jar cookies.txt --data "j_username=cory&j_password=password&login=Login" "http://localhost:8080/j_spring_security_check"
(this would forward me back to my test)
curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"
(this would access my resource)
I thought I was doing something wrong and I pounded and pounded my head against the wall, until I did this:
Code:
curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"
curl -v --data "j_username=marissa&j_password=koala&login=Login" --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/login.do"
curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"
And the last thing gave me:
Code:
<photos><photo id="1" name="photo1.jpg"/><photo id="3" name="photo3.jpg"/><photo id="5" name="photo5.jpg"/></photos>
Huh? Is this right? Or does the OAuth2 dance only matter when you call Authorize? And in which case, doesn't this break my security? Shouldn't I be able to force a resource to ONLY go through OAuth?
If this is not a smart question, please be gentle. =)
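What the question is asking for (a resource path that only ever accepts an OAuth2 bearer token, never the form-login session) comes down to giving the resources their own Spring Security filter chain. The configuration below is an added example, not the poster's config and not the sparklr2 sample's own file: it declares a stateless chain for /rest/** that carries the OAuth2 resource-server filter and no form login, and a second chain with the ordinary login for everything else. The bean names (resourceServerFilter, tokenServices, oauthAuthenticationEntryPoint, oauthAccessDeniedHandler), the resource-id "sparklr", the realm name and the ROLE_USER access rule are assumptions for illustration; the authentication-manager holding marissa/koala is assumed to be defined elsewhere.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original post's configuration): two filter
     chains so that /rest/** can only be reached with an OAuth2 bearer token. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security.xsd
         http://www.springframework.org/schema/security/oauth2
         http://www.springframework.org/schema/security/spring-security-oauth2.xsd">

  <!-- Chain 1: the protected resources. Declared first, because the first
       <http> whose pattern matches the request wins. create-session="stateless"
       makes this chain ignore the HttpSession entirely, so a login done via
       j_spring_security_check / login.do grants nothing here; only what the
       resource-server filter puts in the SecurityContext counts. -->
  <sec:http pattern="/rest/**" create-session="stateless"
            entry-point-ref="oauthAuthenticationEntryPoint">
    <sec:anonymous enabled="false"/>
    <!-- ROLE_USER is an assumed rule. Enforcing the token's scope as well
         (e.g. SCOPE_READ) needs a scope-aware access decision manager. -->
    <sec:intercept-url pattern="/rest/**" access="ROLE_USER"/>
    <!-- No <form-login/> in this chain: an unauthenticated request is answered
         by the OAuth2 entry point with 401 + WWW-Authenticate: Bearer, not with
         a redirect to login.jsp. -->
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
    <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
  </sec:http>

  <!-- Chain 2: everything else (authorization endpoint, login page, web UI)
       keeps the ordinary session-based form login. -->
  <sec:http>
    <sec:intercept-url pattern="/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <sec:intercept-url pattern="/**" access="ROLE_USER"/>
    <sec:form-login login-page="/login.do" login-processing-url="/login.do"
                    authentication-failure-url="/login.do?error=true"/>
    <sec:logout logout-url="/logout.do"/>
  </sec:http>

  <!-- The filter that validates "Authorization: Bearer <token>" on chain 1.
       tokenServices is an assumed name for the token services bean. -->
  <oauth:resource-server id="resourceServerFilter" resource-id="sparklr"
                         token-services-ref="tokenServices"/>

  <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="sparklr2"/>
  </bean>

  <bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
</beans>
```

The check that this is doing its job is the poster's own third curl command: with only the login cookie jar and no token, `/sparklr2/rest/photos` must now come back 401 with a `WWW-Authenticate: Bearer realm="sparklr2"` header, while the same URL with `-H "Authorization: Bearer <token>"` (a token obtained through the authorize/token endpoints) returns the photo list. `create-session="stateless"` needs Spring Security 3.1; on 3.0, `create-session="never"` is not enough because it still reads a session that already exists, so point the chain's `security-context-repository-ref` at a `NullSecurityContextRepository` bean instead.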