
Thread: The access token won't store in the InMemoryTokenStore.

  1. #1

    Default The access token won't store in the InMemoryTokenStore.

    I integrated spring-security-oauth2 1.0.0.M5 into my project, but the access token does not seem to be stored in the InMemoryTokenStore. Please help me! Thanks a lot.

    Regards,
    Stanley

    Code:
    	<!-- URL authorization for the web filter chain. intercept-url entries are evaluated top to bottom and the
    	     first matching pattern decides, so the two specific /oauth/ rules must stay above /oauth/** and the
    	     catch-all /** must stay last. -->
    	<http access-denied-page="/login.jsp" access-decision-manager-ref="accessDecisionManager"
    		xmlns="http://www.springframework.org/schema/security">
    		<!-- The token and authorize endpoints are open to anonymous requests at this layer.
    		     NOTE(review): confirm that client and user authentication are enforced by the OAuth endpoints themselves. -->
    		<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/oauth/**" access="ROLE_USER" />
    		<!-- Protected resources: a role attribute plus an OAuth scope attribute on each rule. -->
    		<intercept-url pattern="/label" access="ROLE_USER,SCOPE_READ" />
    		<intercept-url pattern="/label/**" access="ROLE_USER,SCOPE_READ" />
    		<intercept-url pattern="/trusted/**" access="ROLE_CLIENT,SCOPE_TRUST" />
    		<intercept-url pattern="/user/**" access="ROLE_USER,SCOPE_TRUST" />
    		<!-- Everything else is reachable anonymously; DENY_OAUTH is handled by the ScopeVoter
    		     (presumably it rejects OAuth-token requests here; verify against the voter in use). -->
    		<intercept-url pattern="/**"
    			access="IS_AUTHENTICATED_ANONYMOUSLY,DENY_OAUTH" />
    
    		<form-login authentication-failure-url="/login.jsp"
    			default-target-url="/index.jsp" login-page="/login.jsp"
    			login-processing-url="/login.do" />
    
    		<logout logout-success-url="/index.jsp" logout-url="/logout.do" />
    		<anonymous />
    		<!-- resourceServerFilter (the OAuth token check) is placed before exception translation. -->
    		<custom-filter ref="resourceServerFilter" before="EXCEPTION_TRANSLATION_FILTER" />
    		<!-- securityFilter is added in front of the built-in FILTER_SECURITY_INTERCEPTOR, not in place of it,
    		     so a request is checked by the custom interceptor and then again by the intercept-url rules above. -->
     		<custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR" />
    	</http>
    
    	<!-- Decision manager shared by the http element and the custom securityFilter bean.
    	     UnanimousBased denies access as soon as any of the listed voters votes to deny.
    	     Voters: OAuth scope, role name, authentication level. -->
    	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
    		xmlns="http://www.springframework.org/schema/beans">
    		<constructor-arg>
    			<list>
    				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</constructor-arg>
    	</bean>
    
    
    	<!-- Custom interceptor (project class) registered in the http filter chain as "securityFilter".
    	     It reuses the authentication manager and decision manager defined in this file and takes its
    	     URL-to-attribute mapping from invocationSecurityMetadataSourceService. -->
    	<bean id="securityFilter" class="com.apeer.aclms.interceptor.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="accessDecisionManager" />
    		<property name="securityMetadataSource" ref="invocationSecurityMetadataSourceService" />
    	</bean>
    
    	<!-- Metadata source for securityFilter. init-method runs loadResourceDefine once when the bean is
    	     initialised, so the role/URL mapping is a snapshot taken at startup; later changes to the roles
    	     are not seen unless loadResourceDefine is called again. -->
    	<bean id="invocationSecurityMetadataSourceService" init-method="loadResourceDefine"
    		class="com.apeer.aclms.service.impl.InvocationSecurityMetadataSourceService">
    	</bean>
    
    	<!-- User authentication against the users/authorities tables through dataSource.
    	     Both queries use a bound parameter (?) for the username. -->
    	<authentication-manager alias="authenticationManager"
    		xmlns="http://www.springframework.org/schema/security">
    		<authentication-provider>
    			<!-- NOTE(review): hash="md5" with no salt source configured means stored passwords are plain
    			     unsalted MD5, which is not suitable for password storage. Prefer a salted, adaptive hash
    			     such as bcrypt; switching requires re-hashing the stored passwords (for example at next login). -->
    			<password-encoder hash="md5" />
    			<jdbc-user-service data-source-ref="dataSource"
    				users-by-username-query="select username, password, enabled from users where username=?"
    				authorities-by-username-query="select username,authority from authorities where username=?" />
    		</authentication-provider>
    	</authentication-manager>
    
    	<!-- Token services used by both the authorization-server and the resource-server elements in this file.
    	     The InMemoryTokenStore is an inner bean, so tokens exist only inside this one tokenServices instance:
    	     they are not shared with another application or context and do not survive a restart. -->
    	<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices">
    		<property name="tokenStore">
    			<bean class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
    		</property>
    		<property name="supportRefreshToken" value="true" />
    	</bean>
    
    	<!-- Authorization server endpoints. All five grant types are switched on: authorization code, implicit,
    	     refresh token, client credentials and resource-owner password.
    	     NOTE(review): enable only the grant types the deployment actually needs; which of them a given
    	     client may use is further limited by authorized-grant-types in the client registrations. -->
    	<oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices">
    		<oauth:authorization-code />
    		<oauth:implicit />
    		<oauth:refresh-token />
    		<oauth:client-credentials />
    		<oauth:password />
    	</oauth:authorization-server>
    
    	<!-- Resource server filter, wired into the http chain as "resourceServerFilter". It reads tokens through
    	     the same tokenServices bean as the authorization server and identifies this resource as "sparklr". -->
    	<oauth:resource-server id="resourceServerFilter" resource-id="sparklr" token-services-ref="tokenServices" />
    
    	<!-- In-file client registrations; the ids and values look like sample data (presumably copied from the
    	     sparklr/tonr samples). NOTE(review) before any non-test use:
    	       * the literal secrets "somesecret" and "secret" are placeholders and must be replaced;
    	       * my-trusted-client may use the password grant and my-client-with-registered-redirect may use
    	         client_credentials, yet neither has a secret attribute;
    	       * redirect-uri="http://anywhere" is a placeholder; register the exact https callback URL per client;
    	       * only the tonr client declares resource-ids="sparklr", the resource id of the resource server here. -->
    	<oauth:client-details-service id="clientDetails">
    		<oauth:client client-id="my-trusted-client" authorized-grant-types="password,authorization_code,refresh_token,implicit"
    			authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" />
    		<oauth:client client-id="my-trusted-client-with-secret" authorized-grant-types="password,authorization_code,refresh_token"
    			secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" />
    		<oauth:client client-id="my-less-trusted-client" authorized-grant-types="authorization_code,implicit"
    			authorities="ROLE_CLIENT" />
    		<oauth:client client-id="my-client-with-registered-redirect" authorized-grant-types="authorization_code,client_credentials"
    			authorities="ROLE_CLIENT" redirect-uri="http://anywhere" scope="trust" />
    		<oauth:client client-id="my-untrusted-client-with-registered-redirect" authorized-grant-types="authorization_code"
    			authorities="ROLE_CLIENT" redirect-uri="http://anywhere" scope="read" />
    		<oauth:client client-id="tonr" resource-ids="sparklr" authorized-grant-types="authorization_code"
    			authorities="ROLE_CLIENT" scope="read,write" secret="secret" />
    	</oauth:client-details-service>
    
    	<!-- Method-level security: enables the pre/post annotations, proxies target classes rather than
    	     interfaces, and evaluates expressions with the OAuth-aware handler oauthExpressionHandler. -->
    	<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    		<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
    		<sec:expression-handler ref="oauthExpressionHandler" />
    	</sec:global-method-security>
    
    	<!-- Expression handler bean referenced by sec:expression-handler in the global-method-security element. -->
    	<oauth:expression-handler id="oauthExpressionHandler" />


    Code:
    /**
     * Servlet filter that passes each request through the checks of
     * {@link AbstractSecurityInterceptor}, using the
     * {@link FilterInvocationSecurityMetadataSource} injected through
     * {@link #setSecurityMetadataSource}.
     */
    public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    	private static final Logger logger = Logger.getLogger(FilterSecurityInterceptor.class);

    	/** Supplies the config attributes for a request; null until the setter has been called. */
    	private FilterInvocationSecurityMetadataSource securityMetadataSource;

    	/** Filter lifecycle hook; nothing is initialised here. */
    	public void init(FilterConfig filterconfig) throws ServletException {
    		// TODO Auto-generated method stub
    	}

    	/** Filter lifecycle hook; nothing is released here. */
    	public void destroy() {
    		// TODO Auto-generated method stub
    	}

    	/**
    	 * Wraps the request, response and chain in a {@link FilterInvocation} and hands it to
    	 * {@link #invoke}, logging entry and exit at debug level.
    	 */
    	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    		if (logger.isDebugEnabled()) {
    			logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - start"); //$NON-NLS-1$  
    		}

    		invoke(new FilterInvocation(request, response, chain));

    		if (logger.isDebugEnabled()) {
    			logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - end"); //$NON-NLS-1$  
    		}
    	}

    	/**
    	 * Runs the superclass pre-invocation step, continues the filter chain, and always runs the
    	 * superclass post-invocation step afterwards.
    	 *
    	 * @param fi the invocation holding the request, response and remaining chain
    	 */
    	public void invoke(FilterInvocation fi) throws IOException, ServletException {
    		// If beforeInvocation throws, the chain below is never entered.
    		final InterceptorStatusToken statusToken = super.beforeInvocation(fi);
    		try {
    			fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
    		} finally {
    			// In finally so that it also runs when the rest of the chain throws.
    			super.afterInvocation(statusToken, null);
    		}
    	}

    	/** The secured object type handled by this interceptor is {@link FilterInvocation}. */
    	public Class<? extends Object> getSecureObjectClass() {
    		return FilterInvocation.class;
    	}

    	/** Returns the injected metadata source to the superclass. */
    	@Override
    	public SecurityMetadataSource obtainSecurityMetadataSource() {
    		return this.securityMetadataSource;
    	}

    	public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
    		return this.securityMetadataSource;
    	}

    	public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
    		this.securityMetadataSource = securityMetadataSource;
    	}
    }
    Code:
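    /**
     * Metadata source that maps request URLs to config attributes (role names) using the
     * role/URL data returned by {@link AclService}. The mapping is built by
     * {@link #loadResourceDefine()} and consulted by {@link #getAttributes(Object)}.
     */
    public class InvocationSecurityMetadataSourceService implements
    		FilterInvocationSecurityMetadataSource
    {
    	private static final Logger logger = Logger.getLogger(InvocationSecurityMetadataSourceService.class);
    
    	@Autowired
    	private AclService aclService;
    
    	private PathMatcher urlMatcher = new AntPathMatcher();

    	// Ant pattern -> attributes. Static, so shared by every instance; replaced as a whole on each load.
    	private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
    
    	/**
    	 * Loads every role and its URL patterns from the ACL service and publishes the resulting map.
    	 * Must have run before {@link #getAttributes(Object)} is called.
    	 *
    	 * @throws Exception whatever the ACL service throws while loading
    	 */
    	public void loadResourceDefine() throws Exception
    	{
    		// Insertion-ordered, so the first-match lookup in getAttributes() follows the load order
    		// rather than hash order when patterns overlap. Built locally and assigned once at the end
    		// so readers never iterate over a half-filled map.
    		Map<String, Collection<ConfigAttribute>> loaded = new java.util.LinkedHashMap<String, Collection<ConfigAttribute>>();
    
    		for (Roles roles : this.aclService.getAllRoles())
    		{
    			Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
    			atts.add(new SecurityConfig(roles.getRolename()));
    			for (Urlresources urlresources : roles.getUrlresourceses())
    			{
    				logger.debug(String.format("The url %2$s of role %1$s.", new Object[] { roles.getRolename(), urlresources.getUrl() }));
    				// NOTE(review): a URL listed under several roles keeps only the role loaded last.
    				// Merging the roles instead would change the decision under UnanimousBased, so the
    				// overwrite is kept and made visible in the log.
    				if (loaded.put(urlresources.getUrl(), atts) != null)
    				{
    					logger.warn(String.format("The url %2$s is mapped to more than one role; only role %1$s is kept.", new Object[] { roles.getRolename(), urlresources.getUrl() }));
    				}
    			}
    		}
    
    		resourceMap = loaded;
    	}
    
    	/**
    	 * Returns the attributes of the first loaded pattern that matches the request path.
    	 *
    	 * @param object the secured object; must be a {@link FilterInvocation}, otherwise the cast fails
    	 * @return the attributes of the first matching pattern, or null when no pattern matches
    	 */
    	public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException
    	{
    		if (logger.isDebugEnabled())
    		{
    			logger.debug("getAttributes(Object) - start"); //$NON-NLS-1$  
    		}
    		String url = ((FilterInvocation) object).getRequestUrl();
    		// getRequestUrl() includes the query string, which the client controls. Match on the path
    		// only, so that a stored pattern still applies when the request carries a query string.
    		int queryStart = url.indexOf('?');
    		if (queryStart >= 0)
    		{
    			url = url.substring(0, queryStart);
    		}
    
    		Collection<ConfigAttribute> matched = null;
    		for (Map.Entry<String, Collection<ConfigAttribute>> entry : resourceMap.entrySet())
    		{
    			if (urlMatcher.match(entry.getKey(), url))
    			{
    				matched = entry.getValue();
    				break;
    			}
    		}
    		if (logger.isDebugEnabled())
    		{
    			logger.debug("getAttributes(Object) - end"); //$NON-NLS-1$  
    		}
    		// NOTE(review): null means "no rule for this URL". AbstractSecurityInterceptor presumably
    		// treats that as a public invocation unless rejectPublicInvocations is enabled; confirm
    		// for the Spring Security version in use, since unmapped URLs would then pass unchecked.
    		return matched;
    	}
    
    	/**
    	 * Only {@link FilterInvocation} (or a subclass) is supported, because
    	 * {@link #getAttributes(Object)} casts its argument to that type.
    	 */
    	public boolean supports(Class<?> clazz)
    	{
    		return FilterInvocation.class.isAssignableFrom(clazz);
    	}
    
    	/** Not implemented: returns null, so no attribute list is offered for startup validation. */
    	public Collection<ConfigAttribute> getAllConfigAttributes()
    	{
    		return null;
    	}
    
    }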

  2. #2

    Thanks for the detailed configuration, but you haven't really described the problem. What makes you think that the token isn't stored? Is a token granted?

  3. #3


    The access token was generated by the authorization server and passed to the client. The client used it to access the resource server, but the resource server responded with an InvalidTokenException. So I guess the access token was not stored in the InMemoryTokenStore.

  4. #4

    Is the resource server the same application as the authorization server (like in the sparklr2 sample)? I'm assuming it is because you posted the config of *a* server and it contains both. (Obviously the InMemoryTokenStore is not going to work across different apps.) Do the integration tests for sparklr2 pass with your app?

  5. #5


    Quote (originally posted by Dave Syer):
    Is the resource server the same application as the authorization server (like in the sparklr2 sample)? I'm assuming it is because you posted the config of *a* server and it contains both. (Obviously the InMemoryTokenStore is not going to work across different apps.) Do the integration tests for sparklr2 pass with your app?
    Yes, the resource server is the same application as the authorization server.
    In the configuration above, the app loads the URL resources dynamically. In the previous version, the app used static intercept-url definitions, and the tests passed with my app.

  6. #6

    The samples work today from master, and as far as I know they worked in M5, and they don't look all that different to me. Did you try upgrading to a snapshot?
