I am using an OAuth2 token in a REST-based API. I wanted to override `OAuth2AuthenticationProcessingFilter` so that I can extract the token if it is not provided in the header attribute as `Authorization` (it could be provided as an `accessToken` attribute in the header; long story, don't ask why). Or, if not, can anyone tell me how to add another filter after the `OAuth2AuthenticationProcessingFilter`?
- Did you try `.addFilterAfter(yourFilter, OAuth2AuthenticationProcessingFilter.class)` in `configure(HttpSecurity)`? – Roman Puchkovskiy Apr 14 '17 at 18:25
- I am using XML namespace configuration; how do I do this in that config style? – Asad Khan Apr 16 '17 at 02:40
- Could you please show your spring security configuration? – Roman Puchkovskiy Apr 16 '17 at 09:39
2 Answers
Basically, in XML, to use the defaults, you add `resource-server`

```xml
<oauth:resource-server id="resourceServerFilter"
    token-services-ref="tokenServices"
    resource-id="myId" />
```

which adds `OAuth2AuthenticationManager` and `OAuth2AuthenticationProcessingFilter` (see https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java for details).

Then you add that filter into your `<sec:http>` element:

```xml
<sec:custom-filter ref="resourceServerFilter" position="PRE_AUTH_FILTER" />
```

But if you need to use an `OAuth2AuthenticationProcessingFilter` specialization instead of `OAuth2AuthenticationProcessingFilter` itself, you could do the following:
I. Add `OAuth2AuthenticationManager` manually:

```xml
<bean id="authenticationManager" class="org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager">
    <property name="tokenServices" ref="tokenServices"/>
    <property name="resourceId" value="myId"/>
</bean>
```

II. Add your filter replacement manually:

```xml
<bean id="resourceServerFilter" class="YourFilterImplementationClass">
    <property name="authenticationManager" ref="authenticationManager"/>
</bean>
```

III. Insert the filter into the filter chain, as usual:

```xml
<sec:custom-filter ref="resourceServerFilter" position="PRE_AUTH_FILTER" />
```

- Why is the value myId here? Tell me what should be the correct value for resourceId. – Asad Khan May 08 '17 at 06:00
- Any value you choose, but it has to be the same in `
` and `authenticationManager` definition at server, and in the client definition (it's `resourceIds`): http://stackoverflow.com/questions/8598960/what-does-resourceid-mean-in-oauth-2-0-with-spring-security – Roman Puchkovskiy May 14 '17 at 19:14
A better approach could have been to extend `org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor`, create a bean for the same, and reference it in

```xml
<oauth:resource-server id="resourceServerFilter"
    token-services-ref="tokenServices" token-extractor-ref="idofyourtokenextractionbeanhere"
    resource-id="myId" />
```

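A token extractor of the kind the second answer describes, as an added example that is not part of the original answers or of Spring Security OAuth. It assumes spring-security-oauth2 2.x (servlet API under `javax.servlet`); the class name `HeaderFallbackTokenExtractor`, its package and the length cap are hypothetical, and the `accessToken` header name comes from the question.

```java
package com.example.security; // hypothetical package

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Added example: tries the standard Bearer extraction first, then falls back
 * to the custom "accessToken" request header described in the question.
 */
public class HeaderFallbackTokenExtractor extends BearerTokenExtractor {

    // Header name taken from the question; the length cap is an assumed sanity limit.
    private static final String FALLBACK_HEADER = "accessToken";
    private static final int MAX_TOKEN_LENGTH = 4096;

    @Override
    public Authentication extract(HttpServletRequest request) {
        // Standard path: "Authorization: Bearer ..." header or access_token parameter.
        Authentication standard = super.extract(request);
        if (standard != null) {
            return standard;
        }

        String token = request.getHeader(FALLBACK_HEADER);
        if (token == null) {
            return null; // no token at all: the filter treats this as a non-OAuth2 request
        }
        token = token.trim();
        if (token.isEmpty() || token.length() > MAX_TOKEN_LENGTH) {
            return null; // drop empty or oversized values before they reach token services
        }

        // Record the token type the same way the Bearer header path does.
        request.setAttribute(OAuth2AuthenticationDetails.ACCESS_TOKEN_TYPE,
                OAuth2AccessToken.BEARER_TYPE);
        // The principal is only the raw token value; OAuth2AuthenticationManager
        // still has to validate it against tokenServices before access is granted.
        return new PreAuthenticatedAuthenticationToken(token, "");
    }
}
```

Declare the class as a bean and put that bean's id in `token-extractor-ref` on `<oauth:resource-server>`, as in the answer above; the stock `OAuth2AuthenticationProcessingFilter` then stays in place and no filter subclass is needed.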