Hi-

While developing my own server using the OAuth2 module seen here, I was struggling with something. If I called my resource directly, I was sent to the login page, and when I logged in, I could call the resource directly without any tokens. I was doing this from curl:
Code:
curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"
(this would direct me to login.jsp)

curl -v --cookie cookies.txt --cookie-jar cookies.txt --data "j_username=cory&j_password=password&login=Login" "http://localhost:8080/j_spring_security_check"

(this would forward me back to my test)

curl -v --cookie cookies.txt --cookie-jar cookies.txt -H "Accept: application/json" "http://localhost:8080/test/get"

(this would access my resource)

I thought I was doing something wrong and I pounded and pounded my head against the wall, until I did this:

Code:
curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"

curl -v --data "j_username=marissa&j_password=koala&login=Login" --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/login.do"

curl -v --cookie cookies.txt --cookie-jar cookies.txt "http://localhost:8080/sparklr2/rest/photos"

And the last thing gave me:

Code:
<photos><photo id="1" name="photo1.jpg"/><photo id="3" name="photo3.jpg"/><photo id="5" name="photo5.jpg"/></photos>

Huh? Is this right? Or does the OAuth2 dance only matter when you call Authorize? And in that case, doesn't this break my security? Shouldn't I be able to force a resource to ONLY go through OAuth?

If this is not a smart question, please be gentle. =)
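
The three curl steps above can be turned into a repeatable check that a resource refuses a request carrying only a session cookie. This is an added example, not part of the original post and not Spring Security OAuth code; the stub server is a constructed stand-in for the resource server, and the names `make_stub`, `session_only_status` and `token_only` are assumptions.

```python
import http.cookiejar, http.server, threading
import urllib.error, urllib.parse, urllib.request

def make_stub(accept_session):
    """Constructed stand-in server (not sparklr2): form login sets a session
    cookie; the resource honours it only when accept_session is True."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def log_message(self, *args):      # keep output quiet
            pass
        def do_POST(self):                 # stand-in for the login form post
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(200)
            self.send_header("Set-Cookie", "JSESSIONID=constructed; Path=/")
            self.end_headers()
        def do_GET(self):                  # stand-in for the protected resource
            bearer = self.headers.get("Authorization", "").startswith("Bearer ")
            session = "JSESSIONID=" in self.headers.get("Cookie", "")
            allowed = bearer or (accept_session and session)
            self.send_response(200 if allowed else 401)
            self.end_headers()
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def session_only_status(base, login_path, resource_path, form):
    """Replay the three curl steps: log in through the form, then request the
    resource with the session cookie and no Authorization header."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),               # never go via a proxy
        urllib.request.HTTPCookieProcessor(jar))
    try:
        opener.open(base + login_path, urllib.parse.urlencode(form).encode(), timeout=5)
    except urllib.error.HTTPError:
        pass                                           # login errors leave the jar as it is
    try:
        return opener.open(base + resource_path, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code

def token_only(status):
    """A token-only resource must refuse a cookie-only request."""
    return status in (401, 403)

if __name__ == "__main__":
    form = {"j_username": "user", "j_password": "constructed", "login": "Login"}
    for accept in (True, False):
        srv = make_stub(accept)
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        status = session_only_status(base, "/login.do", "/rest/photos", form)
        print(accept, status, "token-only" if token_only(status) else "session accepted")
        srv.shutdown()
```

Pointed at a real deployment instead of the stub, a 200 from `session_only_status` reproduces the behaviour described in the post, and a 401 or 403 means the resource is not reachable through the login session alone.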