Oauth1: User authentication is skipped for Token Authorization

**geertp** · Apr 4th, 2012, 04:20 AM

Hi all,

I've got a OAuth1 provider configuration, based on Spring Security 3.1.0 and Spring security Oauth 1.0.0.M6, that works partly:
The requestToken endpoint does function.
Then however, if the client calls the authorize endpoint directly with the request token, the provider just authorizes the request (returning a verifier code), without challenging the user to prove its mandatory role ("ROLE_USER")
Only if I hit the confirm_access endpoint manually, user authentication kicks in.

This is the core configuration:

Code:

  <http entry-point-ref="shibbolethEntryPoint">
    <intercept-url pattern="/oauth/**" access="ROLE_USER" />
    <custom-filter ref="requestHeaderAuthenticationFilter" position="PRE_AUTH_FILTER" />
  </http>

  <oauth:provider consumer-details-service-ref="clientDetailsService"
                  token-services-ref="tokenServices"
                  request-token-url="/oauth/requestToken"
                  authenticate-token-url="/oauth/authorize"
                  token-id-param="oauth_token"
                  authentication-failed-url="/oauth/confirm_access"
                  access-token-url="/oauth/accessToken"
                  require10a="false"/>

As you can see, I rely on a 'pre authenticated' request: an external Shibboleth apache module that puts a REMOTE_USER header on the request. This is triggered by the "shibbolethEntryPoint" which basically redirects the user to an external URL. Only after successful login the request will come back with the REMOTE_USER header set.

What it looks like to me at this point is:
the <intercept-url pattern="/oauth/**" access="ROLE_USER" /> seems only to be active for requests to /oauth/confirm_access and not for /oauth/authorize, because a request for the latter is handled by UserAuthorizationProcessingFilter (filter 9 of 12) (therefore not hitting FilterSecurityInterceptor, filter 12 of 12).

Although there is some authentication check, at UserAuthorizationProcessingFilter:92

Code:

    if (authentication == null || !authentication.isAuthenticated()) {
      throw new InsufficientAuthenticationException("User must be authenticated before authorizing a request token.");
    }

this is not hit because the authentication object is an anonymous authentication here, which seems to be enough, as you can see in the log below.

Code:

11:17:30,184 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 1 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
11:17:30,184 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] No HttpSession currently exists
11:17:30,184 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] No SecurityContext was available from the HttpSession: null. A new one will be created.
11:17:30,185 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 2 of 12 in additional filter chain; firing Filter: 'RequestHeaderAuthenticationFilter'
11:17:30,185 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] Checking secure context token: null
11:17:30,185 DEBUG [org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter] No pre-authenticated principal found in request
11:17:30,186 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 3 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
11:17:30,186 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 4 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
11:17:30,186 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 5 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
11:17:30,187 DEBUG [org.springframework.security.web.authentication.AnonymousAuthenticationFilter] Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
11:17:30,187 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 6 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
11:17:30,188 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 7 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
11:17:30,188 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 8 of 12 in additional filter chain; firing Filter: 'UnauthenticatedRequestTokenProcessingFilter'
11:17:30,188 DEBUG [org.springframework.security.oauth.provider.filter.UnauthenticatedRequestTokenProcessingFilter] Request does not require authentication.  OAuth processing skipped.
11:17:30,189 DEBUG [org.springframework.security.web.FilterChainProxy] /oauth/authorize?oauth_token=7d34636e-764e-4a0e-bfde-6bcc26bb7cbf at position 9 of 12 in additional filter chain; firing Filter: 'UserAuthorizationProcessingFilter'
11:17:30,189 DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Request is to process authentication
11:18:00,240 DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationProcessingFilter] Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
11:18:00,240 DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationSuccessfulAuthenticationHandler] Processing successful authentication successful
11:18:00,242 DEBUG [org.springframework.security.oauth.provider.filter.UserAuthorizationSuccessfulAuthenticationHandler] Using default Url: /
11:18:00,242 DEBUG [org.springframework.security.web.DefaultRedirectStrategy] Redirecting to '/?oauth_token=null&oauth_verifier=SqC2Lz'

Is this behaviour correct? What am I missing?

Thanks for reading and replying in advance.

Geert

Thread: Oauth1: User authentication is skipped for Token Authorization

Thread Tools

Display

Threaded View

Oauth1: User authentication is skipped for Token Authorization

Posting Permissions