how the resource-server protects its data? (or: how it validates the token)

**OhadR** · Oct 24th, 2012, 12:31 PM

Maybe I'm a bit confused - but how the resource server technically protects its data?
The fact that i use <resource-server> in my XML causes OAuth2AuthenticationProcessingFilter to be added to the chain; I thought that this filter check for access-token or code, and does what it needs (redirects etc) in order to get them if they are not exist... but i saw it does not do so.

who does?
how the resource server makes sure the calls come with a token?

thanks dave.

**Dave Syer** · Oct 25th, 2012, 03:16 AM

OAuth2AuthenticationProcessingFilter does check for a bearer access token (not code, whatever you mean by that). The <resource-server/> needs to be explicitly added to the security filter chain in a position that doesn't interfere with its operation, but other than that I can't guess what you might have done wrong without more information. The sparklr sample has everything you need to see it working.

**OhadR** · Oct 25th, 2012, 03:28 AM

I've added it to my filter chain, of course, and I see that OAuth2AuthenticationProcessingFilter is called.

I was asking about the resource server - when I have a WAR, that in its beans XML i defined the <resource-server> (and of course added it in the filter chain) - does it mean that this JAR is "protected" (in terms of oAuth)?
If so, what class makes the check that clients who tries to use the resources in this JAR come with a valid token?

When a client tries to reach a protected resource, it suppose to be directed (/authorize) to get a code, and then with this code it asks for a token (/token). who is responsible for these redirections? (who throws the UserRedirectRequiredException?)

**Dave Syer** · Oct 25th, 2012, 05:06 AM

Originally Posted by OhadR

If so, what class makes the check that clients who tries to use the resources in this JAR come with a valid token?

On the resource server it's the OAuth2AuthenticationProcessingFilter. Which resources it checks of course depends on your Spring Securtity configuration - you don't have to protect /**.

When a client tries to reach a protected resource, it suppose to be directed (/authorize) to get a code, and then with this code it asks for a token (/token). who is responsible for these redirections? (who throws the UserRedirectRequiredException?)

That's on the client. Not all clients are built with Spring Security OAuth, but one that is will handle that flow. Other libraries do it in a similar way. The resource server just protects resources - it can't tell you how to get a token.

**OhadR** · Oct 25th, 2012, 05:12 AM

Originally Posted by Dave Syer

That's on the client. Not all clients are built with Spring Security OAuth, but one that is will handle that flow. Other libraries do it in a similar way. The resource server just protects resources - it can't tell you how to get a token.

Yeah, it was clear that it happens in the client. What I was asking is who throws the UserRedirectRequiredException so the client knows to redirect, and I digged-in and found it is the Oauth2RestTemplate. When the client asks for the token (getAccessToken()), and token is not available, it throws the redirect-exception.

(I DO work with client that is built on Spring-Security-OAuth, otherwise all these questions were irrelevant)

thanks!

Thread: how the resource-server protects its data? (or: how it validates the token)

Thread Tools

Display

how the resource-server protects its data? (or: how it validates the token)

Posting Permissions