
Thread: Multiple <http> (Spring 3.1.0) with OAuth (1.0.0)


  1. #1

    Hi!

    I have a REST API with OAuth that works OK. But I'm trying to use multiple <http> elements (added in Spring 3.1.0) and I can't make OAuth work (it doesn't find the request and secret token).

    I have this (working)

    web.xml
    Code:
    (...)
            <!-- Registers Spring's DelegatingFilterProxy under the name
                 springSecurityFilterChain; by default the proxy looks up a bean of that
                 same name in the application context and hands each request to it. -->
            <filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<!-- Mapped to /*, so every request passes through the security filter;
    	     which <http> chain handles it is decided inside Spring Security. -->
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    (..)
    applicationContext.xml
    Code:
    	<!-- Filter chain for requests under /myapp1/**. auto-config is off, so only the
    	     form-login and logout declared below are set up.
    	     intercept-url rules are checked top to bottom and the first match wins. -->
    	<http auto-config='false'  pattern="/myapp1/**" access-denied-page="/myapp1/login"  >
    		<!-- NOTE(review): the API path is open to anonymous callers at the URL level.
    		     Presumably the OAuth protected-resource filter is what guards it; confirm that
    		     a request carrying no OAuth credentials is rejected rather than passed through. -->
    		<intercept-url pattern="/myapp1/v1/users/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<!-- Paths under /myapp1/oauth/ require an authenticated user with ROLE_USER. -->
    		<intercept-url pattern="/myapp1/oauth/**" access="ROLE_USER" />
    		<intercept-url pattern="/myapp1/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<!-- NOTE(review): this catch-all grants anonymous access to everything under
    		     /myapp1/ that no earlier rule matched, so a newly added path is public by
    		     default. A deny-by-default final rule is the safer pattern. -->
    		<intercept-url pattern="/myapp1/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />	
    
    		<!-- Login page, failure page and post-login target all point at /myapp1/login. -->
    		<form-login authentication-failure-url="/myapp1/login" 
    			default-target-url="/myapp1/login" login-page="/myapp1/login"
    			login-processing-url="/myapp1/login.do" />
    		<logout logout-success-url="/myapp1/login" logout-url="/myapp1/logout.do" />
    	</http>
    
    (...)
    
    	<!-- OAuth provider endpoints for myapp1. Consumers are looked up through the
    	     consumerDetails service below; tokenServices is referenced but not shown here.
    	     NOTE(review): require10a="false" means consumers are not required to use
    	     OAuth 1.0a, the revision that added the callback/verifier binding to close the
    	     session-fixation weakness of the original 1.0 flow. Prefer true unless a
    	     legacy consumer genuinely needs the old flow. -->
    	<oauth:provider 
    		consumer-details-service-ref="consumerDetails" 
    		token-services-ref="tokenServices" 
    		request-token-url="/myapp1/oauth/request_token"
    		authenticate-token-url="/myapp1/oauth/authorize" 
    		authentication-failed-url="/myapp1/oauth/confirm_access"
    		access-granted-url="/request_token_authorized.jsp" 
    		access-token-url="/myapp1/oauth/access_token"
    		require10a="false" />
    
    	<!-- NOTE(review): the consumer secret is written in clear text in the context file
    	     and is public once posted. If it is a real value it should be rotated and loaded
    	     from configuration kept outside the application archive and version control.
    	     The closing tag of consumer-details-service is not part of the posted snippet. -->
    	<oauth:consumer-details-service id="consumerDetails">
    		<oauth:consumer name="myapp1.com" key="oauth-myapp1-consumer-key"
    			secret="ASFmkJHuiLpnJfWqFfBKoNfasdaASDDS" resourceName="MyApp1 Account"
    			resourceDescription="Access for your App 1 account" 
    			/>

    But if I change it to this, nothing works (invoking either myapp1 or myapp2):

    Code:
    	<!-- First of two filter chains: handles requests under /myapp1/**.
    	     Neither <http> element in this snippet carries a name attribute, so nothing
    	     here lets an oauth:provider refer to one chain specifically.
    	     intercept-url rules are checked top to bottom and the first match wins. -->
    	<http auto-config='false'  pattern="/myapp1/**" access-denied-page="/myapp1/login"  >
    		<!-- NOTE(review): anonymous at the URL level; confirm the OAuth protected-resource
    		     filter rejects requests that carry no OAuth credentials. -->
    		<intercept-url pattern="/myapp1/v1/users/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/myapp1/oauth/**" access="ROLE_USER" />
    		<intercept-url pattern="/myapp1/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<!-- NOTE(review): catch-all leaves every unmatched /myapp1/ path public. -->
    		<intercept-url pattern="/myapp1/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		
    
    		<form-login authentication-failure-url="/myapp1/login" 
    			default-target-url="/myapp1/login" login-page="/myapp1/login"
    			login-processing-url="/myapp1/login.do" />
    		<logout logout-success-url="/myapp1/login" logout-url="/myapp1/logout.do" />
    	</http>
    
    	<!-- Second filter chain: same layout as above, for requests under /myapp2/**. -->
    	<http auto-config='false'  pattern="/myapp2/**" access-denied-page="/myapp2/login"  >
    		<!-- NOTE(review): anonymous at the URL level; same check as for /myapp1/v1/users. -->
    		<intercept-url pattern="/myapp2/v1/queues/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<intercept-url pattern="/myapp2/oauth/**" access="ROLE_USER" />
    		<intercept-url pattern="/myapp2/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		<!-- NOTE(review): catch-all leaves every unmatched /myapp2/ path public. -->
    		<intercept-url pattern="/myapp2/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    		
    
    		<form-login authentication-failure-url="/myapp2/login" 
    			default-target-url="/myapp2/login" login-page="/myapp2/login"
    			login-processing-url="/myapp2/login.do" />
    		<logout logout-success-url="/myapp2/login" logout-url="/myapp2/logout.do" />
    	</http>
    
    (...)
    
    	<!-- Provider for myapp1. No filter-chain-ref attribute is set, so this element does
    	     not say which <http> chain its filters belong to. Both providers in this snippet
    	     share the same tokenServices bean.
    	     NOTE(review): require10a="false" accepts the original OAuth 1.0 flow, which lacks
    	     the verifier binding that 1.0a added against session fixation; prefer true. -->
    	<oauth:provider 
    		consumer-details-service-ref="consumerDetailsApp1" 
    		token-services-ref="tokenServices" 
    		request-token-url="/myapp1/oauth/request_token"
    		authenticate-token-url="/myapp1/oauth/authorize" 
    		authentication-failed-url="/myapp1/oauth/confirm_access"
    		access-token-url="/myapp1/oauth/access_token"
    		require10a="false" />
    
    	<!-- NOTE(review): clear-text consumer secret in the context file, public once posted;
    	     rotate it if real and load it from external configuration.
    	     The closing tag of consumer-details-service is not part of the posted snippet. -->
    	<oauth:consumer-details-service id="consumerDetailsApp1">
    		<oauth:consumer name="myapp1.com" key="oauth-myapp1-consumer-key"
    			secret="ASFmkJHuiLpnJfWqFfBKoNfasdaASDDS" resourceName="MyApp1 Account"
    			resourceDescription="Access for your App 1 account" 
    			/>
    
    	<!-- Provider for myapp2; same shape as the one above, with /myapp2/ endpoints and
    	     again no filter-chain-ref. require10a="false" carries the same caveat. -->
    	<oauth:provider 
    		consumer-details-service-ref="consumerDetailsApp2" 
    		token-services-ref="tokenServices" 
    		request-token-url="/myapp2/oauth/request_token"
    		authenticate-token-url="/myapp2/oauth/authorize" 
    		authentication-failed-url="/myapp2/oauth/confirm_access"
    		access-token-url="/myapp2/oauth/access_token"
    		require10a="false" />
    
    	<!-- NOTE(review): this consumer reuses the key oauth-myapp1-consumer-key and the same
    	     secret as consumerDetailsApp1. If that is not a copy-paste slip, one leaked
    	     credential is valid for both applications; give each consumer its own key and
    	     secret so the two applications stay isolated. -->
    	<oauth:consumer-details-service id="consumerDetailsApp2">
    		<oauth:consumer name="myapp2.com" key="oauth-myapp1-consumer-key"
    			secret="ASFmkJHuiLpnJfWqFfBKoNfasdaASDDS" resourceName="MyApp2 Queues"
    			resourceDescription="Access for your App 2 queues" 
    			/>
    Any ideas? How can I make the relation between <http> and the <oauth:consumer> explicit?

    A lot of thanks

  2. #2

    I'm sorry. I found my omission

    In the filter chain, <http> can specify a name, and the <oauth:provider> can specify a filter-chain-ref. With that, the <http> and the <oauth:provider> are connected.

  3. #3

    I'm stuck again.

    Using name and filter-chain-ref works, but only for the last <oauth:provider> defined (the earlier ones seem to be overwritten).

    Is it possible to have several <oauth:provider> elements?

  4. #4

    It's rather brittle, I agree. I think you can set a filter-chain-ref="..." attribute on the provider element and fix the provider to a particular filter chain.

  5. #5

    Thanks for your reply

    Using name on the <http> filter chain together with filter-chain-ref doesn't work when there are several <http> elements. Only the last <oauth:provider> configuration survives.

    I think that is a bug.

    Each <http> filter chain calls an OAuthProviderBeanDefinitionParser, and I found:

    Code:
    /**
     * Parses an oauth:provider element (excerpt: the part that builds the four
     * filter bean definitions was elided by the poster).
     *
     * The visible tail looks up the filter chain named by the element's
     * filter-chain-ref attribute, registers the four OAuth filter definitions
     * under fixed bean names, and inserts a by-name reference to each into that
     * chain, starting at the position returned by insertIndex.
     *
     * NOTE(review): the bean names are constants, so a second oauth:provider
     * registers the same four names again. The thread reports that the last
     * definition wins; since each chain holds only a by-name reference, every
     * chain would then run the last provider's filters, with that provider's
     * consumer details and endpoint URLs. For two applications that are meant
     * to be isolated this is a security-relevant misconfiguration, not just a
     * functional bug.
     *
     * @return always null in the visible code
     */
    public BeanDefinition parse(Element element, ParserContext parserContext) {
    (...)
        // Chain selected by filter-chain-ref; the filters are inserted in order from index.
        List<BeanMetadataElement> filterChain = ConfigUtils.findFilterChain(parserContext, element.getAttribute("filter-chain-ref"));
        int index = insertIndex(filterChain);
        // Each pair below: register the definition under a fixed name, then add a
        // reference to that name to the chain.
        parserContext.getRegistry().registerBeanDefinition("oauthRequestTokenFilter", requestTokenFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthRequestTokenFilter"));
        parserContext.getRegistry().registerBeanDefinition("oauthAuthenticateTokenFilter", authenticateTokenFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthAuthenticateTokenFilter"));
        parserContext.getRegistry().registerBeanDefinition("oauthAccessTokenFilter", accessTokenFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthAccessTokenFilter"));
        parserContext.getRegistry().registerBeanDefinition("oauthProtectedResourceFilter", protectedResourceFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthProtectedResourceFilter"));
    
        return null;
      }
    It seems to me that it's always the same beanName.

    I changed the last part for this code

    Code:
        
       // Poster's patched tail of parse(): the filter-chain-ref value is appended to
       // each bean name so that providers bound to different chains no longer share names.
       // NOTE(review): DOM getAttribute returns "" when the attribute is absent, so
       // providers declared without filter-chain-ref would still all register
       // "oauthRequestTokenFilter_" and so on; two providers that point at the same
       // chain collide as well. A generated bean name, or an explicit failure when the
       // name is already registered, would not depend on the attribute being set.
       String attribute = element.getAttribute("filter-chain-ref");
       // NOTE(review): the attribute is read a second time here; `attribute` could be reused.
       List<BeanMetadataElement> filterChain = ConfigUtils.findFilterChain(parserContext, element.getAttribute("filter-chain-ref"));
        int index = insertIndex(filterChain);
        // Each pair below: register under the suffixed name, then reference that name in the chain.
        parserContext.getRegistry().registerBeanDefinition("oauthRequestTokenFilter_" + attribute, requestTokenFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthRequestTokenFilter_" + attribute));
        parserContext.getRegistry().registerBeanDefinition("oauthAuthenticateTokenFilter_" + attribute, authenticateTokenFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthAuthenticateTokenFilter_" + attribute));
        parserContext.getRegistry().registerBeanDefinition("oauthAccessTokenFilter_" + attribute, accessTokenFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthAccessTokenFilter_" + attribute));
        parserContext.getRegistry().registerBeanDefinition("oauthProtectedResourceFilter_" + attribute, protectedResourceFilterBean.getBeanDefinition());
        filterChain.add(index++, new RuntimeBeanReference("oauthProtectedResourceFilter_" + attribute));
    
        return null;
      }
    And seems to work

    I'm going to open a Jira ticket
    Last edited by mvega; Feb 22nd, 2012 at 02:01 PM.
