
Thread: oauth 2 legged rest web service security

  1. #11

    what I would do is just inject an authentication manager into the <password/> token granter
    What is the password token granter Dave? Is it this:
    <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"
    user-approval-handler-ref="userApprovalHandler">
    ...
    <oauth:password/>
    ...
    </oauth:authorization-server>
    How do I inject an authentication manager into there to authenticate the access token request?

    Another question for you: The oauth2 spec requires the username and password to be passed in as part of the access token request for the password grant. If these credentials are not verified by the oauth server when providing the token then what is the point of it? I can just pass in any username and password?

  2. #12
    If you use a decent XML editor you can ask it to autocomplete for you, and you will quickly find that <password/> has an authentication-manager-ref attribute (hopefully with obvious meaning, but also with some documentation in the XSD). It defaults to the normal Spring Security value of "authenticationManager".
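
The wiring discussed in this thread, as an added example that is not part of the original posts or the project's own configuration. It assumes the `oauth` and `sec` prefixes are bound to the Spring Security OAuth2 and Spring Security namespaces; the id `userAuthenticationManager` and the `userDetailsService` bean are hypothetical names.

```xml
<!-- Added example (configuration fragment, not from the thread). -->

<!-- Authentication manager that verifies the resource owner's (end user's)
     username and password. The id and the referenced "userDetailsService"
     bean are assumptions; define the user store elsewhere in the context. -->
<sec:authentication-manager id="userAuthenticationManager">
    <sec:authentication-provider user-service-ref="userDetailsService"/>
</sec:authentication-manager>

<!-- clientDetails, tokenServices and userApprovalHandler are the beans
     already referenced in the snippet from post #11. -->
<oauth:authorization-server client-details-service-ref="clientDetails"
        token-services-ref="tokenServices"
        user-approval-handler-ref="userApprovalHandler">
    <!-- Password grant: the username and password sent in the access token
         request are authenticated by the manager referenced here, and no
         token is issued if that authentication fails.
         If the attribute is omitted, the bean named "authenticationManager"
         is used, as stated in post #12. -->
    <oauth:password authentication-manager-ref="userAuthenticationManager"/>
</oauth:authorization-server>
```

Keeping the user authentication manager under its own id makes it explicit which credential store backs the password grant when the context defines more than one authentication manager.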
