
Thread: Resource Server: who calls the ResourceServerTokenServices implementation?

  1. #1
    Join Date
    Aug 2012
    Posts
    104

    Default Resource Server: who calls the ResourceServerTokenServices implementation?

    I work with M6.
    I have a resource server. I implement ResourceServerTokenServices,

    Code:
    public class MyRsrcSrvTokenServices implements ResourceServerTokenServices
    and as I saw in the documentation, my XML looks like this:

    Code:
    ...
    <security:http entry-point-ref="oauthAuthenticationEntryPoint"
                   access-decision-manager-ref="accessDecisionManager">
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:custom-filter ref="resourceServerFilter" after="PRE_AUTH_FILTER" />
        <security:access-denied-handler ref="oauthAccessDeniedHandler" />
        <security:anonymous />
    </security:http>

    ...
    <oauth:resource-server id="resourceServerFilter"
                           resource-id="myResourceServer"
                           token-services-ref="tokenServices" />

    <bean id="oauthAuthenticationEntryPoint" class="org...oauth2.provider.error.MediaTypeAwareAuthenticationEntryPoint">
        <property name="realmName" value="client" />
    </bean>
    My questions:
    1. How is my implementation of ResourceServerTokenServices supposed to be called? Is it called by the filter chain? Do I have to call it explicitly? (Am I missing something? I put a breakpoint there and it does not stop there...)
    2. What exactly is the "resource_id"? The docs say "The id for the resource (optional, but recommended and will be validated by the auth server if present)", but how do I bind it?
    3. Is there a place to read more, other than the current docs? Which version do the docs refer to?

    thanks!

  2. #2
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    Quote Originally Posted by OhadR:
    1. How is my implementation of ResourceServerTokenServices supposed to be called? Is it called by the filter chain? Do I have to call it explicitly? (Am I missing something? I put a breakpoint there and it does not stop there...)
    The custom filter you added to the standard chain (resourceServerFilter) uses the ResourceServerTokenServices. You didn't show how your custom token services was configured. Is it the "tokenServices" bean that you injected into the filter?

    2. What exactly is the "resource_id"? The docs say "The id for the resource (optional, but recommended and will be validated by the auth server if present)", but how do I bind it?
    A resource id is an important check for the resource server that it was the intended audience for the access token it decodes. If you omit that check (by not specifying the resource id in the filter) your resource server might accept a bad token that was intended for another resource - the spec allows it but suggests in the security threat docs that this type of check is done, without saying how exactly.

    3. Is there a place to read more, other than the current docs? Which version do the docs refer to?
    The docs should be up to date, but please help by improving them if you can. There have been changes since M6 so I would upgrade if I were you.
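    The audience check described in the answer above, as an added Java illustration that is not code from this thread or from Spring Security OAuth: a minimal token lookup standing in for ResourceServerTokenServices.loadAuthentication, followed by the resource-id comparison that the resource-server filter performs. The StoredToken record, the TOKEN_STORE contents, the exception classes and the fixed clock are all assumed stand-ins; Spring's real types, and the exact M6/RC1 semantics (for example how a token carrying no resource ids at all is treated), differ.

    ```java
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.HashMap;
    import java.util.HashSet;
    import java.util.Map;
    import java.util.Set;

    public class AudienceCheckExample {

        /** Hypothetical record of what an authorization server stored when it issued a token. */
        static final class StoredToken {
            final String clientId;
            final Set<String> resourceIds;   // audiences the token was issued for
            final long expiresAtMillis;

            StoredToken(String clientId, Set<String> resourceIds, long expiresAtMillis) {
                this.clientId = clientId;
                this.resourceIds = Collections.unmodifiableSet(new HashSet<String>(resourceIds));
                this.expiresAtMillis = expiresAtMillis;
            }
        }

        static class InvalidTokenException extends RuntimeException {
            InvalidTokenException(String msg) { super(msg); }
        }

        static class AccessDeniedException extends RuntimeException {
            AccessDeniedException(String msg) { super(msg); }
        }

        /** Stand-in for a token store shared with the auth server; entries are constructed sample data. */
        static final Map<String, StoredToken> TOKEN_STORE = new HashMap<String, StoredToken>();
        static {
            long demoNow = 1_000_000_000_000L;            // fixed clock so the demo is deterministic
            long inOneHour = demoNow + 3_600_000L;
            TOKEN_STORE.put("tok-for-api",
                    new StoredToken("client-a", new HashSet<String>(Arrays.asList("myResourceServer")), inOneHour));
            TOKEN_STORE.put("tok-for-other",
                    new StoredToken("client-a", new HashSet<String>(Arrays.asList("billingServer")), inOneHour));
            TOKEN_STORE.put("tok-expired",
                    new StoredToken("client-b", new HashSet<String>(Arrays.asList("myResourceServer")), demoNow - 1));
        }

        /**
         * Roughly what the resource-server filter does with the token services: resolve the
         * bearer token, reject it if unknown or expired, then verify that this server
         * (identified by resourceId) is among the token's intended audiences. Passing
         * resourceId == null skips the audience check, which is the situation the answer warns about.
         */
        static StoredToken authenticate(String bearerToken, String resourceId, long nowMillis) {
            StoredToken token = TOKEN_STORE.get(bearerToken);
            if (token == null) {
                throw new InvalidTokenException("unknown access token");
            }
            if (token.expiresAtMillis <= nowMillis) {
                throw new InvalidTokenException("access token expired");
            }
            if (resourceId != null && !token.resourceIds.contains(resourceId)) {
                throw new AccessDeniedException("token not issued for resource " + resourceId
                        + " (audiences: " + token.resourceIds + ")");
            }
            return token;
        }

        public static void main(String[] args) {
            long now = 1_000_000_000_000L;
            String me = "myResourceServer";   // the resource-id from the XML in post #1

            System.out.println("right audience accepted: client=" + authenticate("tok-for-api", me, now).clientId);

            try {
                authenticate("tok-for-other", me, now);
            } catch (AccessDeniedException e) {
                System.out.println("wrong audience rejected: " + e.getMessage());
            }

            try {
                authenticate("tok-expired", me, now);
            } catch (InvalidTokenException e) {
                System.out.println("expired token rejected: " + e.getMessage());
            }

            // With no resource-id configured, the billingServer token is accepted here as well.
            System.out.println("check skipped, wrong-audience token accepted: client="
                    + authenticate("tok-for-other", null, now).clientId);
        }
    }
    ```

    Running main() shows the three outcomes the answer distinguishes: the token issued for myResourceServer is accepted, the one issued for billingServer is rejected with AccessDeniedException, the expired one with InvalidTokenException, and the last call shows that with no resource-id configured the billingServer token is accepted too. The check here is deliberately strict (a token with an empty audience list is rejected); whether an audience-less token should be honoured is a policy decision the authorization server and resource server have to make together.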

  3. #3
    Join Date
    Aug 2012
    Posts
    104

    Default

    Thanks,

    I was missing this declaration:
    Code:
    	<bean id="tokenServices" class="com....token.MyRsrcSrvTokenServices" />
    However, I still do not stop at the breakpoint in MyRsrcSrvTokenServices.
    I searched a little and saw that "OAuth2ProtectedResourceFilter" is calling it... Is this the filter that I need? How do I make this filter active? Isn't it active by default in the resource-server? Or did you mean another filter (you said "resourceServerFilter"...)?

  4. #4
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    Your resourceServerFilter should be one of those (the class name changed in RC1, but the basic function is the same). I can't say why you aren't seeing it being called - are you sure there is a security filter declared in the app (do you see it logging at DEBUG level)?

  5. #5
    Join Date
    Aug 2012
    Posts
    104

    Default

    I see this on my resource server startup:

    Sep 21, 2012 3:38:06 PM org.springframework.security.config.http.HttpSecurityBeanDefinitionParser checkFilterChainOrder
    INFO: Checking sorted filter chain: [
    Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 300,
    <resourceServerFilter>, order = 601,
    Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300,
    Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1400,
    Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700,
    Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1800,
    Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1900,
    <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2000]


    I see there <resourceServerFilter>, but I'm not sure what it means. Other filters are inside '[]'... what does it mean? that I have the filter in my chain or that it expects it but does not find it?

    Oh, and I see this line as well in the log:
    INFO: Pre-instantiating singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@19efd160: defining beans [helloController,org.springframework.context.annotation.internalConfigurationAnnotationProcessor,org.springframework.context.annotation.internalAutowiredAnnotationProcessor,org.springframework.con... bla bla bla ... .DefaultSecurityFilterChain#4,org.springframework.security.authentication.DefaultAuthenticationEventPublisher#0,org.springframework.security.authenticationManager,oauth2ExceptionHandlerFilter,oauth2ProtectedResourceFilter,resourceServerFilter,tokenServices,oauthAuthenticationEntryPoint,oauthAccessDeniedHandler,accessDecisionManager,org.springframework.context.annotation.ConfigurationClassPostProcessor$ImportAwareBeanPostProcessor#0]; root of factory hierarchy

    so indeed I see there "oauth2ProtectedResourceFilter, resourceServerFilter, tokenServices"

    ADD:
    I have put a breakpoint in OAuth2ProtectedResourceFilter. (I see that the "tokenServices" is indeed of type 'MyRsrcSrvTokenServices'.) I see that the afterPropertiesSet() method is being called on application init, but doFilter() is never being called...

    Any ideas?
    thanks for your help, Dave!
    Last edited by OhadR; Sep 21st, 2012 at 08:28 AM. Reason: adding information

  6. #6
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    Switch on debug logging for Spring Security. You will see the filter chain being evaluated, if you have it enabled. All I see so far is the bean definitions in the application context - there's no link to the actual filter or web.xml yet. Are you sure you have enabled the filter?

  7. #7
    Join Date
    Aug 2012
    Posts
    104

    Default

    I'll switch to DEBUG mode and see...

    Are you sure you have enabled the filter?
    I feel ashamed to ask, but how do I enable the filter? the fact that I see its afterPropertiesSet() being called doesn't mean it is enabled?

  8. #8
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    The filter is usually enabled and mapped in web.xml. See the sparklr2 sample for an example. Or any of the Spring Security samples.

  9. #9
    Join Date
    Aug 2012
    Posts
    104

    Default

    oh, sure. in my web.xml I currently do the following:


    Code:
        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
            <init-param>
                <param-name>contextAttribute</param-name>
                <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    I guess this is the mapping that you mean. Yet, for some reason, it seems like the OAuth2ProtectedResourceFilter is not functioning. Is there something that I'm missing?

  10. #10
    Join Date
    Jun 2005
    Posts
    4,230

    Default

    Do you have a dispatcher servlet named "spring" and is the XML you showed before the config file for that servlet? What about the DEBUG logs?
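    What the question above is checking for, as an added web.xml illustration that is not from the thread: the contextAttribute value org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring is the servlet-context attribute under which a DispatcherServlet named "spring" publishes its own WebApplicationContext, so the DelegatingFilterProxy in post #9 can only find the springSecurityFilterChain bean if a servlet with exactly that name exists and the XML with the <security:http> and <oauth:resource-server> elements is loaded by that servlet. The servlet declaration, its mapping and the /WEB-INF/spring-servlet.xml file name are assumptions (that file name is Spring's default for a servlet named "spring"); the filter part is the poster's own.

    ```xml
    <!-- Assumed: the dispatcher servlet whose name matches the ".CONTEXT.spring" suffix
         in the filter's contextAttribute. Its config file must be the one that
         declares <security:http> and <oauth:resource-server>. -->
    <servlet>
        <servlet-name>spring</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <!-- assumed file name; equals the default /WEB-INF/{servlet-name}-servlet.xml -->
            <param-value>/WEB-INF/spring-servlet.xml</param-value>
        </init-param>
        <!-- initialise at startup so the context exists before the first request hits the filter -->
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>spring</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <!-- Poster's filter from post #9, unchanged: it looks the chain up in the
         servlet's context rather than in the root context. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>contextAttribute</param-name>
            <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    ```

    If the servlet has a different name, or the security XML is loaded by a ContextLoaderListener into the root context instead, the contextAttribute either points at a missing attribute or at a context that has no springSecurityFilterChain bean; in the second case the fix is simply to drop the contextAttribute init-param so the proxy falls back to the root WebApplicationContext.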
