Jun 4th, 2012, 03:04 AM
Oauth2: setting up oauth2 provider for non-springed restful api
I'm trying to set up an OAuth 2.0 provider that should "secure" our RESTful API using spring-security-oauth.
The main point is this RESTful thingie is not Spring based.
It would look like the OAuth provider can be a separate application, but I'm starting to doubt that (got this impression by reading spring-security-oauth).
Going through the specs it would appear that Resource Owner and Authentication Server might be separate entities, but I can't seem to work that out with the sparklr example.
(I'm also new here so I haven't really got my hands into this other (Jersey-powered) RESTful API, so I can't really say if adding that to it can be a viable solution.)
Any help/hint will be much appreciated.
Jun 4th, 2012, 03:47 AM
I'm trying to do the same and I guess that I can manually configure the OAuth2ExceptionHandlerFilter and OAuth2ProtectedResourceFilter with a customized ResourceServerTokenService for the resource server to achieve that. The problem for me now is that these classes seem to be gone from the source code repository. I'm looking at the source code in the M6 release now.
Jun 4th, 2012, 08:15 AM
Let's define the issue better:
I can't seem to understand how it is possible to separate the Authorization Server and the Resource Server.
(In my case the latter is also a non-Spring webapp.)
Jun 5th, 2012, 06:49 AM
The XML DSL has <authorization-server/> and <resource-server/> which should make it pretty clear. The sparklr2 sample has both, but they are quite separately configured, I think, so it should be possible to extract the <resource-server/> and everything that references it quite easily.
Jun 9th, 2012, 02:49 AM
I'll try to simplify my situation:
We've been serving a RESTful API from our http://mycompany.com/api/
so people call us by making HTTP requests to that URL (e.g. there might be a GET request to http://mycompany.com/api/myresource/123).
This (Jersey-powered) webapp is for now secured with basic authentication.
I was asked to add OAuth 2.0 authentication and get rid of the basic auth.
So the first question is: will this require changes to the API webapp?
Or can I just start working on a separate (sparklr-like) webapp and that'd be it?
As far as I can see, the API webapp will be our resource server whilst our sparklr will be the auth server.
Will they need to be deployed together somehow?
Jun 9th, 2012, 07:31 AM
Shouldn't be a problem. Your resource server has to have a Spring context for the Spring Security filters, and as long as it gets the OAuth2 filter from the <resource-server/> you should be fine. In order to decode the tokens it will need a reference to a ResourceServerTokenServices, and if you are using sparklr out of the box for the auth server that won't work because the tokens are opaque and are stored in memory. You can either store the tokens in a shared back end (there is a JdbcTokenServices) or make the token decodable natively by the resource server, e.g. by providing a TokenEnhancer to the auth server and a ResourceServerTokenServices to the resource server, or by providing a ResourceServerTokenServices that can contact the auth server over HTTP (example https://github.com/cloudfoundry/uaa/...nServices.java).
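To make the split between the two servers concrete, here is an added example (not code from this thread and not part of spring-security-oauth) of what the resource-server side amounts to when the API is a plain Jersey webapp: a standard javax.servlet Filter that pulls the bearer token out of the Authorization header and hands it to a validation hook. The hook is where the choice described in the reply above is made: the `SharedStoreTokenValidator` below models the "shared back end" option with a map standing in for a JDBC-backed token store, and the same interface could be implemented by a validator that asks the auth server over HTTP. The names `TokenValidator`, `SharedStoreTokenValidator`, `BearerTokenFilter` and the request attribute `oauth2.principal` are assumptions of this example, not names from the project.

```java
// Added example: a framework-neutral bearer-token filter for a non-Spring
// resource server. Nothing here comes from spring-security-oauth; the
// <resource-server/> DSL wires the equivalent Spring Security filter for you.
import java.io.IOException;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical validation hook (name is an assumption of this example). */
interface TokenValidator {
    /** Returns the principal the token was issued to, or null if invalid. */
    String principalFor(String accessToken);
}

/**
 * "Shared back end" option: the authorization server writes every issued
 * token into a store the resource server can also read. A map stands in
 * for the JDBC-backed store mentioned in the reply above.
 */
class SharedStoreTokenValidator implements TokenValidator {
    private final Map<String, String> tokenToPrincipal;

    SharedStoreTokenValidator(Map<String, String> tokenToPrincipal) {
        this.tokenToPrincipal = tokenToPrincipal;
    }

    public String principalFor(String accessToken) {
        return tokenToPrincipal.get(accessToken);
    }
}

/** Rejects any request that does not carry a valid "Authorization: Bearer" token. */
public class BearerTokenFilter implements Filter {
    private final TokenValidator validator;

    public BearerTokenFilter(TokenValidator validator) {
        this.validator = validator;
    }

    /** Extracts the token from "Bearer <token>"; returns null for anything else. */
    static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null) return null;
        String[] parts = authorizationHeader.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) return null;
        return parts[1].isEmpty() ? null : parts[1];
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String token = extractBearerToken(request.getHeader("Authorization"));
        String principal = (token == null) ? null : validator.principalFor(token);
        if (principal == null) {
            // Issue a bearer challenge; do not reveal why the token was rejected.
            response.setHeader("WWW-Authenticate", "Bearer realm=\"api\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Expose the resolved principal to the Jersey resources behind the filter.
        request.setAttribute("oauth2.principal", principal);
        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) {}

    public void destroy() {}
}
```

Because the filter takes its validator through the constructor, register it programmatically (for instance from a ServletContextListener via `ServletContext.addFilter(name, filterInstance)` on a Servlet 3.0 container) rather than by class name in web.xml. The point of the example is the boundary: the resource server never needs to know how tokens are minted, only how to check one, and whichever of the three options from the reply above is chosen (shared store, natively decodable token, or an HTTP call to the auth server) lives entirely behind `TokenValidator`.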