
Thread: non-namespace configuration

  1. #1

    non-namespace configuration

    For a variety of reasons, we cannot use Spring's namespace configuration. Is there an example of the OAuth 2.0 configuration that doesn't use the namespace configuration mechanism?

  2. #2

    I'm afraid I don't have one available. I've opened up a JIRA issue to track the work.

    https://jira.springsource.org/browse/SECOAUTH-53

    If you get around to doing it yourself, we'd love to have you post it for everyone to benefit.

  3. #3

    Originally posted by stoicflame:
    If you get around to doing it yourself, we'd love to have you post it for everyone to benefit.
    I'm not going to lie, this was a big PITA.

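    The following is what I set up to get the basic OAuth 2.0 flow working (essentially the same as in the Tonr/Sparklr demo). Our security setup is complicated, so I'll only reproduce the relevant snippets below. The OAuth filters (bold in the original post) are BasicUserApprovalFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter and OAuth2ProtectedResourceFilter.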

    First, the filter chain order:

    Code:
    BasicUserApprovalFilter, SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, OAuth2ExceptionHandlerFilter, VerificationCodeFilter, OAuth2AuthorizationFilter, OAuth2ProtectedResourceFilter, FilterSecurityInterceptor
    Note that the AnonymousAuthenticationFilter is absolutely required even if you don't use it anywhere else.

    Now the supporting beans:

    Code:
    <!-- User approval filter. It is the first entry in the filter chain order given in the post and is also
         injected as the userApprovalHandler of oauth2VerificationCodeFilter. -->
    <bean id="oauth2UserApprovalFilter" class="org.springframework.security.oauth2.provider.verification.BasicUserApprovalFilter"/>
    
        <!-- OAuth2ExceptionHandlerFilter; in the chain order from the post it sits directly after Spring Security's
             own ExceptionTranslationFilter. The bean id says "ExceptionTranslation" but the class is the OAuth
             exception handler filter, so do not mistake it for the standard filter. -->
        <bean id="oauth2ExceptionTranslationFilter" class="org.springframework.security.oauth2.provider.OAuth2ExceptionHandlerFilter"/>
    
        <!-- Verification code filter: wired to the client registry, the verification code store and the user
             approval handler. When the user has not yet approved the request, the nested failure handler sends
             the browser to the confirmation page.
             NOTE(review): the confirmation page is where a user grants a client access. Check that your access
             rules only let an authenticated user reach it and that the approval submission is protected
             against cross-site request forgery; neither is visible in this snippet. -->
        <bean id="oauth2VerificationCodeFilter" class="org.springframework.security.oauth2.provider.verification.VerificationCodeFilter">
            <property name="clientDetailsService" ref="clientDetailsService"/>
            <property name="verificationServices" ref="verificationCodeServices"/>
            <property name="userApprovalHandler" ref="oauth2UserApprovalFilter"/>
    
            <property name="unapprovedAuthenticationHandler">
                <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                    <!-- This is where you define your confirmation page -->
                    <property name="defaultFailureUrl" value="/oauth/confirm.action"/>
                </bean>
            </property>
        </bean>
    
        <!-- Authorization filter: authenticates through the shared authenticationManager and, on success, hands
             off to OAuth2AuthorizationSuccessHandler, which is given tokenServices.
             NOTE(review): presumably this is the point where tokens are issued; confirm against the class. -->
        <bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provider.OAuth2AuthorizationFilter">
            <property name="authenticationManager" ref="authenticationManager"/>
            <property name="authenticationSuccessHandler">
                <bean class="org.springframework.security.oauth2.provider.OAuth2AuthorizationSuccessHandler">
                    <property name="tokenServices" ref="tokenServices"/>
                </bean>
            </property>
        </bean>
    
        <!-- Protected resource filter. It references the same tokenServices bean as the authorization success
             handler, so both work against one token store. It is the last OAuth filter before
             FilterSecurityInterceptor in the chain order from the post. -->
        <bean id="oauth2ProtectedResourceFilter" class="org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter">
            <property name="tokenServices" ref="tokenServices"/>
        </bean>
    
        <!-- Token services: the supplied in-memory implementation, with refresh tokens enabled.
             NOTE(review): judging by the class name, tokens are held only in this JVM's memory, so they would
             not survive a restart or be shared between nodes; replace with a persistent implementation for
             anything beyond a demo. No token lifetime is configured in this snippet, so review the defaults,
             in particular for refresh tokens, which are long-lived credentials. -->
        <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices">
            <property name="supportRefreshToken" value="true"/>
        </bean>
    
        <!-- Client registry: the supplied in-memory implementation holding a single client, "tonr", which may
             use the authorization_code and refresh_token grant types.
             NOTE(review): this snippet sets only the client id and grant types. No client secret, scope or
             redirect target is configured for the client; check what the library version in use supports and
             set them before exposing this to real clients, otherwise knowing the client id may be all that
             is needed to act as that client. -->
        <bean id="clientDetailsService" class="org.springframework.security.oauth2.provider.InMemoryClientDetailsService">
            <property name="clientDetailsStore">
                <map>
                    <entry key="tonr">
                        <bean class="org.springframework.security.oauth2.provider.BaseClientDetails">
                            <property name="clientId" value="tonr"/>
                            <property name="authorizedGrantTypes">
                                <list>
                                    <value>authorization_code</value>
                                    <value>refresh_token</value>
                                </list>
                            </property>
                        </bean>
                    </entry>
                </map>
            </property>
        </bean>
    
        <!-- Verification code store: the supplied in-memory implementation, shared by the verification code
             filter and the verification code authentication provider.
             NOTE(review): as with the token store, codes presumably live only in this JVM; a clustered
             deployment needs a shared, persistent implementation. -->
        <bean id="verificationCodeServices" class="org.springframework.security.oauth2.provider.verification.InMemoryVerificationCodeServices"/>
    
        <!-- Authentication provider for verification codes; it uses the same verificationCodeServices bean as
             the filter. It must be listed in the authenticationManager's providers (shown in the post's
             final snippet) to take effect. -->
        <bean id="oauth2VerificationAuthenticationProvider" class="org.springframework.security.oauth2.provider.verification.VerificationCodeAuthenticationProvider">
            <property name="verificationServices" ref="verificationCodeServices"/>
        </bean>
    
        <!-- Authentication provider for access grants; it looks clients up in clientDetailsService, so what it
             can check about a client is limited to what that registry stores. It must be listed in the
             authenticationManager's providers to take effect. -->
        <bean id="oauth2AccessGrantAuthenticationProvider" class="org.springframework.security.oauth2.provider.AccessGrantAuthenticationProvider">
            <property name="clientDetailsService" ref="clientDetailsService"/>
        </bean>
    
        <!-- Authentication provider for the refresh flow; no collaborators are injected here. It must be listed
             in the authenticationManager's providers to take effect. -->
        <bean id="oauth2RefreshAuthenticationProvider" class="org.springframework.security.oauth2.provider.refresh.RefreshAuthenticationProvider"/>
    Note that the services (client, token, verification code) are just the supplied in-memory versions. You'll need to create your own implementations if you want them to be persistent.

    Finally, you need to tie the providers into your authentication manager:

    Code:
    <!-- Authentication manager: the application's own DAO provider, the three OAuth providers and an
         anonymous provider, in that order.
         The <ref local="..."/> form only resolves beans defined in this same XML file, so
         daoAuthenticationProvider (not shown in the post) and the OAuth providers must live here too.
         NOTE(review): "mykey" is a placeholder literal. The anonymous provider's key has to match the key
         of the AnonymousAuthenticationFilter configured elsewhere; use a deployment-specific value in both
         places rather than a value copied from an example. -->
    <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
            <property name="providers">
                <list>
                    <ref local="daoAuthenticationProvider"/>
                    <ref local="oauth2AccessGrantAuthenticationProvider"/>
                    <ref local="oauth2VerificationAuthenticationProvider"/>
                    <ref local="oauth2RefreshAuthenticationProvider"/>
                    <bean class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
                        <property name="key" value="mykey"/>
                    </bean>
                </list>
            </property>
        </bean>
