ProviderNotFoundException when implementing Resource Server's RemoteTokenServices

[tomasmano]

Hi,
Recently I have been trying implement a simple Resource Provider, which is separeted from Authorizatoin Server, inspired by RemoteTokenServices.
My Resource Provider is able to succesfully obtain the access token from the Authorization Server Check Token Endpoint. However the strange things follows.

To sum it up:

1. Resource Provider succesfully obtains access token from Authorization Server so it can access Authorizatoin Server's check token endpoint.
2. #loadAuthentication in ResourceServerTokenServices is called
3. Resource Provider succesfully processes all the necessary info required to populate DefaultAuthorizationRequest and Authentication (required for the instantiation of the OAuth2Authentication)
4. Instance of the OAuth2Authentication is created and returned.
5. #authenticate method in ProviderManager is invoked.
6. ProviderNotFoundException is thrown when no Authentication Provider capable of authenticating the passed Authentication object is found (No AuthenticationProvider found for org.springframework.security.oauth2.provider.OAuth 2Authentication).

Stacktrace is following:

Code:

00:03:34,024 DEBUG [simple-api::org.springframework.security.web.access.ExceptionTranslationFilter]: Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.oauth2.provider.OAuth2Authentication
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:196)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:316)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:202)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationProcessingFilter.doFilter(OAuth2AuthenticationProcessingFilter.java:131)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:304)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:722)

When debugging, it states that the internal list of AuthenticationProvider-s in ProviderManager instance contains only the AnonymousAuthenticationProvider what is obviosly the reason why the mentioned exception is thrown. But I have no idea why.

Here is my oauth config: https://gist.github.com/anonymous/5094420
It is similar to the cloud-foundry resource server config, where the explicit definition of ProviderManager is missing as well (link).
Looking at the ResourceServerBeanDefinitionParser code, the refrence to OAuth2AuthenticationManager should be included automatically, when I declare resource-server element in the xml configuration, isn't it? Could anyone point me in the right direction with how to solve this issue?

I would be very gratefull for any help, thanks
Tomas

[Dave Syer]

I'm not really sure why the ProviderManager is being called at all, and I don't think it's possible to say from the configuration alone since it contains your custom code in the crucial spot. Maybe if you could show a stack trace we would see the call hierarchy from the filter chain to the ProviderManager?

[tomasmano]

I've added the stack trace to my original post.

[Dave Syer]

I see, so I think the problem is in your TokenServices implementation. It looks like your OAuth2Authentication has isAuthenticated()==false, so the FilterSecurityinterceptor is trying to mop it up and finish the authentication that it thinks is incomplete. Pay close attention to the implementation of OAuth2Authentication.isAuthenticated() and you should be able to figure it out.

[tomasmano]

bang you nailed it! it's fixed now.
Thank you very much, I would have never figured it out withou you.