
Thread: spring-social 1.0.0.RELEASE client against spring-security-oauth 1.0.0.M3 provider..?

  1. #1
    Join Date
    Jul 2005
    Posts
    111

    Default spring-social 1.0.0.RELEASE client against spring-security-oauth 1.0.0.M3 provider..?

    I'm testing out this configuration (OAuth2 style) and running into an issue where,
    after the client successfully acquires a token, the client calls back into the provider
    and the provider treats the client as "anonymous" and redirects back to the login page.

    Obviously there are plenty of places to trip doing the OAuth dance, but one thing I noticed
    was that a "tonr2"-based client sends the token via a header reading something like:

    Authorization: OAuth2 <token>

    and the spring-social based client, which actually has three available settings for spec (BEARER, v8 and v10),
    sends other variants of this header like:

    Authorization: BEARER <token>
    Authorization: Token token=<token>
    Authorization: OAuth <token>

    Wondering if that may be part of the issue. Any guidance appreciated.

    Relevant debug output:

    Code:
    acme-widget: 2011-09-10 15:11:53,726 DEBUG [o.s.s.w.FilterChainProxy:getFilters] - Converted URL to lowercase, from: '/users/current'; to: '/users/current'
    acme-widget: 2011-09-10 15:11:53,728 DEBUG [o.s.s.w.FilterChainProxy:getFilters] - Candidate is: '/users/current'; pattern is /resources/**; matched=false
    acme-widget: 2011-09-10 15:11:53,729 DEBUG [o.s.s.w.FilterChainProxy:getFilters] - Converted URL to lowercase, from: '/users/current'; to: '/users/current'
    acme-widget: 2011-09-10 15:11:53,729 DEBUG [o.s.s.w.FilterChainProxy:getFilters] - Candidate is: '/users/current'; pattern is /**; matched=true
    acme-widget: 2011-09-10 15:11:53,729 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 1 of 14 in additional filter chain; firing Filter: 'BasicUserApprovalFilter'
    acme-widget: 2011-09-10 15:11:53,729 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    acme-widget: 2011-09-10 15:11:53,729 DEBUG [o.s.s.w.c.HttpSessionSecurityContextRepository:readSecurityContextFromSession] - No HttpSession currently exists
    acme-widget: 2011-09-10 15:11:53,729 DEBUG [o.s.s.w.c.HttpSessionSecurityContextRepository:loadContext] - No SecurityContext was available from the HttpSession: null. A new one will be created.
    acme-widget: 2011-09-10 15:11:53,730 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 3 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
    acme-widget: 2011-09-10 15:11:53,730 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 4 of 14 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
    acme-widget: 2011-09-10 15:11:53,730 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 5 of 14 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    acme-widget: 2011-09-10 15:11:53,730 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 6 of 14 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    acme-widget: 2011-09-10 15:11:53,730 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 7 of 14 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    acme-widget: 2011-09-10 15:11:53,730 DEBUG [o.s.s.w.a.AnonymousAuthenticationFilter:doFilter] - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    acme-widget: 2011-09-10 15:11:53,731 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 8 of 14 in additional filter chain; firing Filter: 'SessionManagementFilter'
    acme-widget: 2011-09-10 15:11:53,731 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 9 of 14 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    acme-widget: 2011-09-10 15:11:53,731 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 10 of 14 in additional filter chain; firing Filter: 'OAuth2ExceptionHandlerFilter'
    acme-widget: 2011-09-10 15:11:53,731 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 11 of 14 in additional filter chain; firing Filter: 'VerificationCodeFilter'
    acme-widget: 2011-09-10 15:11:53,731 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 12 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationFilter'
    acme-widget: 2011-09-10 15:11:53,731 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 13 of 14 in additional filter chain; firing Filter: 'OAuth2ProtectedResourceFilter'
    acme-widget: 2011-09-10 15:11:53,732 DEBUG [o.s.s.w.FilterChainProxy:doFilter] - /users/current at position 14 of 14 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    acme-widget: 2011-09-10 15:11:53,732 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:lookupAttributes] - Converted URL to lowercase, from: '/users/current'; to: '/users/current'
    acme-widget: 2011-09-10 15:11:53,732 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:extractMatchingAttributes] - Candidate is: '/users/current'; pattern is /oauth/accessconfirmationform; matched=false
    acme-widget: 2011-09-10 15:11:53,732 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:extractMatchingAttributes] - Candidate is: '/users/current'; pattern is /home; matched=false
    acme-widget: 2011-09-10 15:11:53,733 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:extractMatchingAttributes] - Candidate is: '/users/current'; pattern is /login; matched=false
    acme-widget: 2011-09-10 15:11:53,733 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:extractMatchingAttributes] - Candidate is: '/users/current'; pattern is /accounts/registration/**; matched=false
    acme-widget: 2011-09-10 15:11:53,733 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:extractMatchingAttributes] - Candidate is: '/users/current'; pattern is /accounts/*/activation; matched=false
    acme-widget: 2011-09-10 15:11:53,733 DEBUG [o.s.s.w.a.e.ExpressionBasedFilterInvocationSecurityMetadataSource:extractMatchingAttributes] - Candidate is: '/users/current'; pattern is /**; matched=true
    acme-widget: 2011-09-10 15:11:53,733 DEBUG [o.s.s.w.a.i.FilterSecurityInterceptor:beforeInvocation] - Secure object: FilterInvocation: URL: /users/current; Attributes: [hasRole('ROLE_USER')]
    acme-widget: 2011-09-10 15:11:53,734 DEBUG [o.s.s.w.a.i.FilterSecurityInterceptor:authenticateIfRequired] - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    acme-widget: 2011-09-10 15:11:53,734 DEBUG [o.s.s.a.v.AffirmativeBased:decide] - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@289d9155, returned: -1
    acme-widget: 2011-09-10 15:11:53,741 DEBUG [o.s.s.w.a.ExceptionTranslationFilter:handleException] - Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) ~[spring-security-core-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203) ~[spring-security-core-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106) ~[spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) ~[spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380) [spring-security-web-3.0.5.RELEASE.jar:3.0.5.RELEASE]
    	at org.springframework.security.oauth2.provider.OAuth2ProtectedResourceFilter.doFilter(OAuth2ProtectedResourceFilter.java:57) ~[spring-security-oauth-1.0.0.M3.jar:na]

  2. #2
    Join Date
    Jul 2005
    Posts
    111

  3. #3
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    The correct header prefix according to the spec is "Bearer" so that's what we use in Spring Security OAuth, and if you can train Spring Social to send that it should work I guess (in recent snapshots - you will need to upgrade to test it properly, or M4 is due out soon). Does that help?

  4. #4
    Join Date
    Jul 2005
    Posts
    111

    Default

    In "bearer" mode spring-social sends:

    Authorization: BEARER f1bc423a-ea63-4c8a-86e3-e629329b5b9f

    I am witnessing this as being rejected by spring-security-oauth M3...

    Should it be "Bearer" vs "BEARER"...?

  5. #5
    Join Date
    Jun 2005
    Posts
    4,232

    Default

    I think that's a bug in Spring Social then since the spec is very explicit about it. Craig Walls is building a sample app with Spring Social and a Spring Security OAuth, so he will probably hit the same problem. Between you guys, I'm sure you can fix it.
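The disagreement in this thread comes down to how the resource server matches the `Authorization` scheme. The example below is added here and is not code from Spring Security OAuth, Spring Social or the thread's sample apps; it contrasts a case-sensitive prefix match, which would produce exactly the rejection of `BEARER <token>` reported above, with a parser that follows the HTTP authentication framework (RFC 7235, where the auth-scheme is compared case-insensitively) and the bearer token grammar that was later fixed in RFC 6750 section 2.1 (`b64token`). Both RFCs postdate this 2011 thread, when the bearer spec was still a draft. The five sample header values are constructed from the variants quoted in the first post; the dictionary keys (`tonr2`, `BEARER`, `v8`, `v10`, `Bearer`) are labels for those variants, not anything the libraries define, and how Spring Security OAuth M3 actually matched the header is not shown on this page.

```python
"""Resource-server side check of an OAuth 2.0 bearer Authorization header.

Added example, not Spring Security OAuth or Spring Social code. It models a
case-sensitive prefix match (the behaviour that rejects "BEARER <token>")
next to a parser that treats the scheme case-insensitively (RFC 7235) and
validates the token against the b64token grammar (RFC 6750 section 2.1).
"""
import re

# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Token value quoted in the thread; the header variants below are constructed
# from the forms listed in the first post. The keys are labels for this
# example only (assumption: v8/v10 denote the older draft header styles).
TOKEN = "f1bc423a-ea63-4c8a-86e3-e629329b5b9f"
SAMPLE_HEADERS = {
    "tonr2": "OAuth2 " + TOKEN,        # what the tonr2-based client sends
    "BEARER": "BEARER " + TOKEN,       # spring-social "bearer" setting
    "v8": "Token token=" + TOKEN,      # spring-social v8 setting
    "v10": "OAuth " + TOKEN,           # spring-social v10 setting
    "Bearer": "Bearer " + TOKEN,       # scheme as spelled in the spec
}


def extract_bearer_strict(value, prefix="Bearer "):
    """Case-sensitive prefix match on the header value.

    This is the behaviour that makes "BEARER ..." (or "OAuth2 ...") look like
    an unauthenticated request: anything but an exact prefix returns None and
    the filter chain falls through to the anonymous token seen in the log.
    """
    if value is None or not value.startswith(prefix):
        return None
    token = value[len(prefix):]
    return token or None


def extract_bearer(value):
    """Scheme compared case-insensitively, token checked against b64token.

    Returns the token string or None. This only validates the syntax of the
    credential; the caller still has to look the token up in its token store
    and check expiry and scope before treating the request as authenticated.
    """
    if value is None:
        return None
    parts = value.strip().split(None, 1)   # "<scheme> <credentials>"
    if len(parts) != 2:
        return None                        # e.g. bare "Bearer" with no token
    scheme, token = parts
    if scheme.lower() != "bearer":
        return None                        # OAuth2 / OAuth / Token are not bearer
    token = token.strip()
    if not _B64TOKEN.fullmatch(token):
        return None                        # rejects "token=<t>" and stray chars
    return token


def accepted(extractor, samples=SAMPLE_HEADERS):
    """Labels of the sample headers that the given extractor accepts."""
    return sorted(name for name, value in samples.items()
                  if extractor(value) is not None)


if __name__ == "__main__":
    print("strict 'Bearer ':", accepted(extract_bearer_strict))
    print("strict 'OAuth2 ':", accepted(lambda v: extract_bearer_strict(v, "OAuth2 ")))
    print("case-insensitive:", accepted(extract_bearer))
```

Run stand-alone, the strict matcher accepts only the variant whose prefix it was written for, so a client and provider built from different drafts never interoperate; the case-insensitive parser accepts both `Bearer` and `BEARER` and still refuses the `OAuth2`, `OAuth` and `Token token=` forms, which are different schemes rather than different spellings. Whichever side you fix, keep the token-store lookup and expiry check after the syntax check; accepting the header is not the same as accepting the token.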
