I have an existing REST API (Apache CXF), which I am trying to secure using oAuth2. I'm going to have to re-write the API in Spring anyway (I need ACL and new endpoints), but initially I just want to secure one endpoint: /services/rest/version
I've read the wiki, and the oAuth2 spec, and I'm trying to adapt the sparklr2 example to what I want.
I've got a form-based login.jsp page, and a AccountController linked to a /register endpoint, where I can create new users and log them in and out. It's backed by a jdbc store.
This is how I've secured my REST endpoint:
Code:
<http pattern="/services/rest/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
      access-decision-manager-ref="accessDecisionManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false" />
    <intercept-url pattern="/services/rest/version" access="ROLE_USER,SCOPE_READ" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
</http>

I noticed some odd behavior: I expected that /services/rest/version would give me an error if I viewed it in my browser, but if I first log in using the form, it doesn't give me an error, it gives me the version number. If I'm not logged in, it does give me an error:
Code:
<oauth>
    <error_description>An Authentication object was not found in the SecurityContext</error_description>
    <error>unauthorized</error>
</oauth>

I wasn't sure if this was right or not, because of course my browser isn't an oAuth client. So I tried to adapt some of the tests in tonr. I copied ServerRunning wholesale, and for TestAuthorizationCodeGrant I made some modifications. When I tried the tests,
Code:
testAttemptedTokenAcquisitionWithNoRedirect()
and
Code:
testCannotConnectWithoutToken()
both pass. The third test fails. My version is:
Code:
@Test
public void testTokenAcquisitionWithCorrectContext() throws Exception {
    MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
    form.add("j_username", "a@b.com");
    form.add("j_password", "password");
    HttpHeaders response = serverRunning.postForHeaders("/TSSKeyManagementService/login.do", form);
    String cookie = response.getFirst("Set-Cookie");
    HttpHeaders headers = new HttpHeaders();
    headers.set("Cookie", cookie);
    headers.setAccept(Collections.singletonList(MediaType.ALL));
    // headers.setAccept(MediaType.parseMediaTypes("image/png,image/*;q=0.8,*/*;q=0.5"));
    String location = serverRunning.getForRedirect("/TSSKeyManagementService/services/rest/version", headers);
    location = authenticateAndApprove(location);
    assertTrue("Redirect location should be to the original photo URL: " + location, location.contains("version"));
    HttpStatus status = serverRunning.getStatusCode(location, headers);
    assertEquals((double) HttpStatus.OK.value(), (double) status.value(), (double) 0);
}

It fails at the line
Code:
String location = serverRunning.getForRedirect("/TSSKeyManagementService/services/rest/version", headers);
because the headers of the response it's getting are just
Code:
{Server=[Apache-Coyote/1.1], Date=[Thu, 29 Nov 2012 05:22:04 GMT], Content-Type=[application/xml], Content-Length=[20]}

There's no location in that. The body is also null. So the test expects to be redirected to the login page, but it isn't. Just like in the browser? I suppose that the server should redirect un-authenticated requests to /services/rest/version to /oauth/authorize?
My point is: What have I done wrong? Where might I have done something wrong? Please guide me o wise members of the forum.
I've tried to avoid spamming this post with all my source files. If you know of something helpful, please tell me; I'm happy to add it. I'm really new to SpringSecurity, so I'm not quite sure what's relevant.
