Overriding OAuth2AuthorizationFilter

[Jeremy_Mason]

Hi,

I'm trying to override the behaviour of OAuth2AuthorizationFilter. There are a couple of posts on this subject. One post implies it's not trivial to override. The other I've tried by declaring a bean in applicationContext:

<beans:bean id="oauth2AuthorizationFilter" class="org.springframework.security.oauth2.provide r.CustomOAuth2AuthorizationFilter">
</beans:bean>

but couldn't get this to pick up.

I'm trying to model different grant types using separate paths:

/oauth/authorize - for resource owner password grant type
/oauth/refresh - for exchanging a refresh token for an access token.

and I still want OAuth2AuthorizationFilter to do the work and want to avoid running two instances of the filter in the chain. If that makes sense.

Any help would be much appreciated.

J

[Dave Syer]

I haven't tried it, but the bean override should work if you define that bean *after* the <oauth:provider/>. To me this seems rather brittle anyway, so I have issues with the way <oauth:provider/> is implemented. Maybe it would be better to make all the filter configuration more explicit, so you can easily see where the individual filters are and inject your customizations directly?

[stoicflame]

I haven't tried it, but the bean override should work if you define that bean *after* the <oauth:provider/>.

Jeremy, did that work?

To me this seems rather brittle anyway,

Probably true. We could make it less brittle by making that bean name explicit in the config file, but that doesn't address your other concerns...

so I have issues with the way <oauth:provider/> is implemented. Maybe it would be better to make all the filter configuration more explicit, so you can easily see where the individual filters are and inject your customizations directly?

Seems reasonable to consider. Is there an issue open on this?

[Dave Syer]

Is there an issue open on this?

There is now: https://jira.springsource.org/browse/SECOAUTH-97