1
votes

I am trying to set up a spring 3 webapp to act as a proxy for another app that serves protected resource with oauth2.

We're using the UsernamePassword grant type. My app should not know about the user database; actually it will query the other app to get the details about the users (which permissions they have, among other things).

My app is responsible for displaying the login page.

I want to use a custom spring-security AuthenticationProvider that would:

  • connect to the oauth server to obtain an access token
  • then use an OAuth2RestTemplate to query the user that tries to login, in order to get its GrantedAuthorities, and other details
  • build a UserDetails out of this. (My AuthenticationProvider would extend AbstractUserDetailsAuthenticationProvider)

The problem is:

  • since I'm using to configure my spring app, spring adds an OAuth2ClientSecurityContextFilter to the filter chain
  • when the 'retrieveUser' method of my AuthenticationProvider class is called, this filter has not been passed through yet
  • so if I try using the OAuth2RestTemplate inside my overridden 'retrieveUser' method, I get an exception:

    java.lang.IllegalStateException: No OAuth 2 security context has been established. Unable to access resource 'avop-services'.
        at org.springframework.security.oauth2.consumer.OAuth2ClientHttpRequestFactory.createRequest(OAuth2ClientHttpRequestFactory.java:38)
        at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:76)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:434)
        at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:401)
        .. etc ..

(I'm linking this to the OAuth2ClientSecurityContextFilter because of this topic: http://forum.springsource.org/showthread.php?98141-error-No-OAuth-2-security-context-has-been-established )

So my question is:

  • does it make sense to have the AuthenticationProvider fire up after some other filters have played?
  • if so, is it possible to control the order of filters?
  • or is there a way to delay the computing of the UserDetails to later in the filter chain?

I know this is probably a very specific case, but I'm wondering if I am attacking it the right way or if I am missing something.

Thanks in advance.

1
I have a similar application which I was able to do a pseudo SSO solution using OAuth2 and an AbstractAuthenticationProcessingFilter. Here's the thread: forum.springsource.org/…headz68
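Added example, not code from the question or from the Spring projects: a provider of the kind described above, where the password grant and the user lookup are done with a plain RestTemplate instead of OAuth2RestTemplate, so nothing depends on the OAuth2ClientSecurityContextFilter having run first. The class name, the token and user-info URLs, the client credentials and the "roles" field in the user-info response are assumptions, and java.util.Base64 needs Java 8.

```java
import java.util.*;
import org.springframework.http.*;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

// Hypothetical provider: password grant and user lookup via plain RestTemplate, no OAuth2 context needed first.
public class RemoteOAuth2AuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private final RestTemplate rest = new RestTemplate();
    private final String tokenUrl, userInfoUrl, clientId, clientSecret; // assumed endpoint and client values
    public RemoteOAuth2AuthenticationProvider(String tokenUrl, String userInfoUrl, String clientId, String clientSecret) {
        this.tokenUrl = tokenUrl; this.userInfoUrl = userInfoUrl; this.clientId = clientId; this.clientSecret = clientSecret;
    }

    @Override protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken auth) {
        // Resource Owner Password grant: exchange the submitted credentials for an access token.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.add("grant_type", "password");
        form.add("username", username);
        form.add("password", String.valueOf(auth.getCredentials()));
        HttpHeaders h = new HttpHeaders();
        h.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        h.set("Authorization", "Basic " + Base64.getEncoder().encodeToString((clientId + ":" + clientSecret).getBytes()));
        Map<?, ?> token;
        try {
            token = rest.postForObject(tokenUrl, new HttpEntity<MultiValueMap<String, String>>(form, h), Map.class);
        } catch (RestClientException e) {
            throw new BadCredentialsException("Token endpoint rejected the credentials", e); // never echo the password
        }
        // Use the token once to fetch the user's roles; it is deliberately not kept on the Authentication.
        HttpHeaders bearer = new HttpHeaders();
        bearer.set("Authorization", "Bearer " + token.get("access_token"));
        Map<?, ?> info = rest.exchange(userInfoUrl, HttpMethod.GET, new HttpEntity<Void>(bearer), Map.class).getBody();
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Object role : (List<?>) info.get("roles")) authorities.add(new SimpleGrantedAuthority(String.valueOf(role)));
        return new User(username, "", authorities); // empty local password: the token endpoint already verified it
    }

    @Override protected void additionalAuthenticationChecks(UserDetails user, UsernamePasswordAuthenticationToken auth) {
        // Nothing to re-check locally; the credentials were verified by the token endpoint in retrieveUser().
    }
}
```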

1 Answers

-3
votes

The solution was to add a filter at the right position.