Spring OAuth2 and an existing security infrastructure

[denis_k]

My application acts, among other things, as OAuth2 resource server and OAuth2 authorization server. I have AuthenticationManager configured with a chain of AuthenticationProviders (that is, a ProviderManager):

Code:

	<security:authentication-manager alias="authenticationManager">
		<!-- Register an authentication provider which can validate SFSESSION cookies -->
		<security:authentication-provider ref="sfAuthProvider" />
		<!--Basic authentication provider-->
		<security:authentication-provider ref="sfBasicAuthProvider"/>
	</security:authentication-manager>

Providers are tried one after other, until a suitable one is found.
I have created and added a custom OAuth2 AuthenticationProvider (a wrapper around OAuth2AuthenticationManager):

Code:

	<security:authentication-manager alias="authenticationManager">
		<!-- Register an authentication provider which can validate SFSESSION cookies -->
		<security:authentication-provider ref="sfAuthProvider" />
		<!--Basic authentication provider-->
		<security:authentication-provider ref="sfBasicAuthProvider"/>
                <!--OAuth2 provider-->
		<security:authentication-provider ref="sfOAuth2Provider"/>
	</security:authentication-manager>

This contradicts with the approach described in Spring OAuth2 docs, which suggest to create an instance of OAuth2AuthenticationProcessingFilter with <oauth:resource-server element. OAuth2AuthenticationProcessingFilter is tied directly to OAuth2AuthenticationManager, that is, it does not allow any oauth-specific AuthenticationProviders.
Am I doing something wrong? Is there a better practice to incorporate Spring OAuth2 into existing Security infrastructure?

[Dave Syer]

OAuth2AuthenticationProcessingFilter is actually not tied to any specific implementation of AuthenticationManager, but it does need one that understands a PreAuthenticatedAuthenticationToken. You need the OAuth2AuthenticationProcessingFilter to extract an access token from an incoming request, so I doubt if you can make do without one. You could use a ProviderManager with that filter, but it isn't especially useful.

It looks like your existing resources need a cookie to authenticate, so they won't be accessed using an OAuth2 token (probably) as well. Normally if you are adding OAuth2 resources to an existing app, you have some resources that are OAuth2 and some that are accessed by existing browser clients. You would be able to authenticate them differently by declaring separate <http/> filter chains for them.

[denis_k]

Thanks Dave, this makes total sense. I have actually sublassed OAuth2AuthenticationProcessingFilter to not use any AuthenticationManager at all, but to rather put PreAuthenticatedAuthenticationToken into spring security context. Doing like this I'm able to use protected parseToken method from OAuth2AuthenticationProcessingFilter. This (unauthenticated) PreAuthenticatedAuthenticationToken is then passed to all authentication providers inside ProviderManager, until it hits OAuth2Provider, which does the job of authenticating. I believe this will allow to expose services which require cookie authentication as OAuth2-capable services as well.