How to disable basic authentication in tonr project?

[polina]

Hi,
Assuming that I do not need to protect 'photo' page by tonr authentication except the oAuthentication on sparclr side surely, what should I do with spring context and web.xml configs to remove it? I removed <http> from applicationContext, but now it fails that no such bean exists "springSecurityFilterChain".

Thanks in advance

[Dave Syer]

The OAuth protection relies on having Spring Security installed in your app. Maybe you need to read the Spring Security manual? Probably changing the <intercept-url/> to access="IS_AUTHENTICATED_ANONYMOUSLY" would be a good initial direction for you to try.

[polina]

So, there is no simple way just to turn off the consumer-side authentication if it's not required for application?

Changing all intercept-urls to anonimous access only will helps surely, but there are still a lot of useless unused security filters on consumer side - remember me, authentication filters and so on... I use this configuration currently:

<http auto-config='true' >
</http>

<authentication-manager>
</authentication-manager>

It does nothing, but still forces to have a lot of SS dependencies and useless filters in chain.

I completely understand that SS is needed for OAuth provider application... but it's unclear why all this stuff should be on consumer application too.
In my opinion consumer should only can be able to make all these tokens, signatures, encodings and so on, and send requests / responses, that's all...

Could you please help with liitle config's example to show how to completely switch off useless SS on consumer side (if it is possible)

[Dave Syer]

You can get a bare minimum filter chain by *not* using the auto-config attribute (defaults to false, and many people believe it is a misfeature anyway). You will still need an empty authentication manager, but the filter chain will be the OAuth consumer filters, plus one or two others. It is possible that Spring Security could be more lenient in accepting an explicit null authentication manager, and it is also possible (I believe, but haven't tested) that Spring Security OAuth might be able to provide an implementation that would work in your use case. I don't see how you can get rid of any dependencies, but please correct me if I am wrong.

Note that you probably should protect your resource service with some explicit non-anonymous constraints (e.g. SCOPE_READ_MY_STUFF or something), and this applies even more so if you implement an OAuth client (what you have called a consumer) with no local authentication.

[Dave Syer]

I played around with this a bit and I think you can get an unauthenticated client just by removing all the Spring Security configuration, removing the <oauth:client/> piece, and replacing it with a bean definition for an OAuth2ClientContextFilter. Two conditions: 1) the bean id matches your filter delegate declaration in web.xml, e.g. "springSecurityFilterChain", 2) the OAuth2ProfileChain that you inject into the filter has to have its requireAuthentication flag set to false. This worked for me on a local branch that I am using to implement SECOAUTH-97, but it should work anywhere. SECOAUTH-97 should make it easier by using <oauth:client/> to define the filter instead of a raw bean definition.

[polina]

Hi Dave,
thank you for your help.. currently the circumstances was changed and now I need to leave spring security dep-ncies as well as local authorisation (not authentication, it's still OAuth-provided)
So, the question is... how to implement this authorisation... if I have no any authentication at all (excepting the OAuth)

Maybe I really need to read as much SS docs as possible