
I am using an OAuth2 token in a REST-based API. I wanted to override OAuth2AuthenticationProcessingFilter so that I can extract the token if it is not provided in the header attribute as Authorization (this could be provided as an accessToken attribute in the header; long story, don't ask why). Or if not, then can anyone tell me how to add another filter after the OAuth2AuthenticationProcessingFilter?

  • Did you try .addFilterAfter(yourFilter, OAuth2AuthenticationProcessingFilter.class) in configure(HttpSecurity)? Commented Apr 14, 2017 at 18:25
  • I am using XML namespace configuration; how do I do this in that config style? Commented Apr 16, 2017 at 2:40
  • Could you please show your spring security configuration? Commented Apr 16, 2017 at 9:39

2 Answers

Basically, in XML, to use the defaults, you add resource-server

<oauth:resource-server id="resourceServerFilter"
        token-services-ref="tokenServices"
        resource-id="myId" />

which adds OAuth2AuthenticationManager and OAuth2AuthenticationProcessingFilter (see https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java for details)

Then you add that filter into your <sec:http> element:

<sec:custom-filter ref="resourceServerFilter" position="PRE_AUTH_FILTER" />

But if you need to use OAuth2AuthenticationProcessingFilter specialization instead of OAuth2AuthenticationProcessingFilter itself, you could do the following:

I. Add OAuth2AuthenticationManager manually:

<bean id="authenticationManager" class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager">
    <property name="tokenServices" ref="tokenServices"/>
    <property name="resourceId" value="myId"/>
</bean>

II. Add your filter replacement manually:

<bean id="resourceServerFilter" class="YourFilterImplementationClass">
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>

III. Insert the filter into the filter chain, as usual:

<sec:custom-filter ref="resourceServerFilter" position="PRE_AUTH_FILTER" />

2 Comments

<property name="resourceId" value="myId"/> Why is the value myId here? Tell me what should be the correct value for resourceId.
Any value you choose, but it has to be the same in <resource-server> and the authenticationManager definition at the server, and in the client definition (its resourceIds): stackoverflow.com/questions/8598960/…

A better approach could have been to extend org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor, create a bean for it, and reference it in

<oauth:resource-server id="resourceServerFilter"
        token-services-ref="tokenServices" token-extractor-ref="idofyourtokenextractionbeanhere" 
        resource-id="myId" />

1 Comment

I was able to extract the token in Spring MVC doing this. Thanks.
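A sketch of the token extractor the second answer describes, as an added example that is not code from either answer or from the Spring Security OAuth project. The class name HeaderFallbackTokenExtractor and the package are hypothetical, the accessToken header name comes from the question, and tolerating a "Bearer " prefix in that header is an assumption about the clients.

```java
package com.example.security; // hypothetical package

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.util.StringUtils;

/**
 * Added example (hypothetical class): reads the token from the standard
 * Authorization header first, then from the "accessToken" header.
 */
public class HeaderFallbackTokenExtractor extends BearerTokenExtractor {

    // Header name taken from the question.
    static final String FALLBACK_HEADER = "accessToken";
    private static final String BEARER_PREFIX = OAuth2AccessToken.BEARER_TYPE + " ";

    @Override
    protected String extractHeaderToken(HttpServletRequest request) {
        // A well-formed "Authorization: Bearer <token>" header always takes precedence.
        String token = super.extractHeaderToken(request);
        if (token != null) {
            return token;
        }

        String raw = request.getHeader(FALLBACK_HEADER);
        if (!StringUtils.hasText(raw)) {
            return null; // header absent or blank: the parent continues with its own fallback
        }

        String candidate = raw.trim();
        // Assumption: some clients copy the "Bearer " prefix into the custom header.
        if (candidate.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            candidate = candidate.substring(BEARER_PREFIX.length()).trim();
        }
        // Reject empty values and values with whitespace or commas (for example
        // several header values folded into one) instead of passing them on.
        if (!candidate.matches("[^\\s,]+")) {
            return null;
        }

        // Record the token type on the request, as the parent does for the Authorization header.
        request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE, OAuth2AccessToken.BEARER_TYPE);
        return candidate;
    }
}
```

Declare the class as a bean and put its id in token-extractor-ref on <oauth:resource-server>, as shown in the answer above. Because only extractHeaderToken is overridden, BearerTokenExtractor still falls back to the access_token request parameter when neither header yields a token.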
