
Thread: Code review request for oauth pseudo-authentication

  1. #1 (Join Date: Oct 2010, Posts: 3)

    Code review request for oauth pseudo-authentication

    I have written examples for using oauth1 and oauth2 with spring-security for pseudo-authentication and placed them here: https://github.com/isopov/spring-sec...authentication

    The example for OAuth2 is based on the sample taken from the git history of cloudfoundry, and the sample for OAuth1 is written using OAuth2 as a reference. (I'm going to use OAuth1 in my app.) Can anyone review this code, since it is security related and therefore the price of a mistake is very high?

    To start, what bothers me with https://github.com/isopov/spring-sec...ionContext.xml is that if I look at the security filter chain in the debugger I see oauthConsumerContextFilter and oauthConsumerFilter not only wrapped in my wrapper (I wrapped them because it seems that both should be placed after EXCEPTION_TRANSLATION_FILTER) but also again at the end of the normal security filter chain.

    Any thoughts on how this can be fixed or any other problems with this code?

  2. #2 (Join Date: Jun 2005, Posts: 4,241)

    Quote, originally posted by moradan:
    if I look at the security filter chain in the debugger I see oauthConsumerContextFilter and oauthConsumerFilter not only wrapped in my wrapper (I wrapped them because it seems that both should be placed after EXCEPTION_TRANSLATION_FILTER) but also again at the end of the normal security filter chain.
    That's because the OAuth1 support has this rather weird implementation that magically modifies your security filter chain. So <oauth:consumer/> is supposed to be all you need to get the filter in the right place (hence you have a duplicate because you explicitly inserted it as well).

    I'm guessing your MultipleFilterWrapper is probably the same as the org.springframework.web.filter.CompositeFilter in Spring web, so you might not need that class either.

  3. #3 (Join Date: Oct 2010, Posts: 3)

    Thanks for CompositeFilter - replaced that custom hack with a more "standard" hack.

    I've replaced <oauth:consumer/> with manual creation of OAuthConsumerProcessingFilter and OAuthConsumerContextFilter.

    Any further tips are greatly appreciated.
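    The configuration the thread arrives at, as an added example that is neither the thread's nor the project's own code: no <oauth:consumer/> element (so the namespace handler cannot insert a second copy of the filters), the two OAuth1 consumer filters wrapped in Spring's CompositeFilter, and that composite referenced exactly once via custom-filter after EXCEPTION_TRANSLATION_FILTER. Bean ids, the http block, and the filter classes' package (org.springframework.security.oauth.consumer.filter, as in spring-security-oauth 1.x) are assumptions; the filters' collaborator properties (consumer details, token services, protected resource details) are left out and must be set as in the project's own context.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example, not the thread's applicationContext.xml. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Deliberately no <oauth:consumer/> here: that element adds its own copies
       of the consumer filters at the end of the chain, which is where the
       duplicates seen in the debugger came from. -->

  <security:http>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <!-- One reference to the composite means each wrapped filter appears once,
         at the position chosen here (after EXCEPTION_TRANSLATION_FILTER). -->
    <security:custom-filter after="EXCEPTION_TRANSLATION_FILTER" ref="oauthConsumerFilters"/>
  </security:http>

  <!-- Standard Spring class that runs the listed filters in order; replaces the
       thread's custom MultipleFilterWrapper. -->
  <bean id="oauthConsumerFilters" class="org.springframework.web.filter.CompositeFilter">
    <property name="filters">
      <list>
        <ref bean="oauthConsumerContextFilter"/>
        <ref bean="oauthConsumerProcessingFilter"/>
      </list>
    </property>
  </bean>

  <!-- Context filter first (it establishes the OAuth consumer context the
       processing filter relies on), then the processing filter. Package name is
       an assumption for spring-security-oauth 1.x; collaborator properties are
       omitted and must be configured as in the project's own context. -->
  <bean id="oauthConsumerContextFilter"
        class="org.springframework.security.oauth.consumer.filter.OAuthConsumerContextFilter"/>
  <bean id="oauthConsumerProcessingFilter"
        class="org.springframework.security.oauth.consumer.filter.OAuthConsumerProcessingFilter"/>
</beans>
```

    After loading the context, repeat the check from the first post and inspect the filter chain in the debugger: each of the two consumer filters should now appear exactly once, inside the composite.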
