Mar 3rd, 2012, 02:02 PM
OAuth2 - sample app
I've got my OAuth2 server and client running.
My client is able to get a valid access token from the server as well.
The issue arises when I send a REST request to get the response from the server.
If I use Firefox, I get the expected response, whereas using Chrome/curl/Java to make the web request, the "principal" ends up being null in my handler.
Taking a look at the http calls using wireshark, for the request:
I got the following:
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6;en-US; rv:184.108.40.206) Gecko/20101026 Firefox/3.6.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=1e9qxdzom44fr1tbrdcjlts9yw; JSESSIONID=238244B4C0DAB2311794E4BCA2833E5C

User-Agent: Mozilla/5.0 (Macintosh;Intel Mac OS X 10_6_8) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=9cguv6hkgeknzlxelqm1pyux
I've been trying to step through the code, but the layers upon layers of calls being made makes the task quite difficult. Any ideas/thoughts on what might be going on?
Mar 3rd, 2012, 09:28 PM
Ok...figured out part of the problem. It was due to the fact that when a request was being made to the OAuth server for the token, the server would set a cookie with the JSESSIONID in Firefox, which was being used to authenticate any subsequent requests. But the problem still remains, how to use Spring OAuth2 to respond to a request that has a valid access token? The request fails at the anonymousAuthenticationFilter check. How do I set up a request to get past that?
Mar 4th, 2012, 04:11 AM
If I were you I'd disable the anonymous filter on the OAuth endpoints. The spec says that a token request must be authenticated.
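
Added example, not code from any poster in this thread: a small Python check that reports which credential a captured request actually carries, to tell apart "authenticated by access token" from "authenticated by a leftover JSESSIONID cookie" as found in the second post. The request path, host, cookie values and token below are constructed placeholders; `access_token` as a query parameter is the form defined in RFC 6750.

```python
from urllib.parse import urlsplit, parse_qs

def credentials_in(raw_request: str) -> dict:
    """Report which credentials a raw HTTP request (request line + headers) carries."""
    lines = raw_request.strip().splitlines()
    target = lines[0].split()[1]              # request-target from "GET <target> HTTP/1.1"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    # An OAuth2 bearer token travels in the Authorization header or access_token parameter
    scheme = headers.get("authorization", [""])[0].partition(" ")[0]
    bearer_header = scheme.lower() == "bearer"
    query_token = "access_token" in parse_qs(urlsplit(target).query)

    # Collect every JSESSIONID by hand: the same name can appear twice,
    # e.g. when two apps on one host each set it (cookies are not isolated by port)
    session_ids = []
    for cookie_header in headers.get("cookie", []):
        for pair in cookie_header.split(";"):
            name, _, value = pair.partition("=")
            if name.strip() == "JSESSIONID":
                session_ids.append(value.strip())

    if bearer_header or query_token:
        verdict = "token"
    elif session_ids:
        verdict = "session-only"              # any "principal" comes from the session, not OAuth2
    else:
        verdict = "none"
    return {"bearer_header": bearer_header, "query_token": query_token,
            "session_ids": session_ids,
            "duplicate_session_cookie": len(session_ids) > 1, "verdict": verdict}

# Constructed samples shaped like the captures in the first post (no Authorization header)
FIREFOX_LIKE = ("GET /api/resource HTTP/1.1\nHost: localhost:8080\n"
                "Cookie: JSESSIONID=aaa111; JSESSIONID=BBB222\n")
CHROME_LIKE = "GET /api/resource HTTP/1.1\nHost: localhost:8080\nCookie: JSESSIONID=ccc333\n"
# Constructed sample of a request that does present the access token
WITH_TOKEN = ("GET /api/resource HTTP/1.1\nHost: localhost:8080\n"
              "Authorization: Bearer constructed-token-value\n")

if __name__ == "__main__":
    for label, req in [("firefox-like", FIREFOX_LIKE), ("chrome-like", CHROME_LIKE),
                       ("with-token", WITH_TOKEN)]:
        print(label, credentials_in(req))
```

Both browser-style samples come back as `session-only`, which means a working response there says nothing about whether token authentication is configured correctly.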