combining OAuth1 and OAuth2

[geertp]

Hi,

It looks like recent changes in OAuth2AuthenticationProcessingFilter make it fail on Authorization:-headers that are not OAuth2 ones:

Code:

Caused by: org.springframework.security.authentication.BadCredentialsException: Missing token
	at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:87)

In previous versions (before this commit, when this filter was still called OAuth2ProtectedResourceFilter) it silently continued (according to the source, not tested myself), which would let me combine OAuth1 and OAuth2 filters in one chain.

Could this be a regression of SECOAUTH-42?

[Dave Syer]

I guess you could loosely associate it with SECOAUTH-42 but that is really old, so I don't want to re-open it or call this a regression really. And do you really want OAuth2 and OAuth1 for the same resources? The filter is so much nicer than it was in so many other ways, and SECOAUTH-236 has shown lots of ways that this is difficult in general, so I don't want to go back to the old one. Can you suggest what would work better (e.g. via a pull request)?