[SECOAUTH-207] oauth providers are overwriting with many <http> filter chain #116
Description
Priority: Major
Original Assignee: Ryan Heaton
Reporter: Marcelo Vega
Created At: Wed, 22 Feb 2012 20:04:44 +0000
Last Updated on Jira: Thu, 23 Feb 2012 20:52:12 +0000
If I have many configs and many oauth:provider with filter-chain-ref, only the last oauth:provider works.
I think the problem is in the parser, OAuthProviderBeanDefinitionParser, which always registers the same beanName for two different filter-chain-ref values:
List filterChain = ConfigUtils.findFilterChain(parserContext, element.getAttribute("filter-chain-ref"));
int index = insertIndex(filterChain);
parserContext.getRegistry().registerBeanDefinition("oauthRequestTokenFilter", requestTokenFilterBean.getBeanDefinition());
filterChain.add(index++, new RuntimeBeanReference("oauthRequestTokenFilter"));
parserContext.getRegistry().registerBeanDefinition("oauthAuthenticateTokenFilter", authenticateTokenFilterBean.getBeanDefinition());
filterChain.add(index++, new RuntimeBeanReference("oauthAuthenticateTokenFilter"));
parserContext.getRegistry().registerBeanDefinition("oauthAccessTokenFilter", accessTokenFilterBean.getBeanDefinition());
filterChain.add(index++, new RuntimeBeanReference("oauthAccessTokenFilter"));
parserContext.getRegistry().registerBeanDefinition("oauthProtectedResourceFilter", protectedResourceFilterBean.getBeanDefinition());
filterChain.add(index++, new RuntimeBeanReference("oauthProtectedResourceFilter"));
Spring 3.1.0 with OAuth 1.0.0
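The name collision described above, reproduced against a bare Spring bean registry as an added example (not code from the reporter or from the project). `StubFilter`, its `owner` property and the `myapp1`/`myapp2` labels are hypothetical stand-ins for the real filter beans, and `spring-beans` is assumed to be on the classpath. It shows the silent replacement under a fixed name, the fail-fast check when overriding is disabled, and generated names keeping the two definitions distinct.

```java
import org.springframework.beans.factory.BeanDefinitionStoreException;
import org.springframework.beans.factory.support.AbstractBeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.support.BeanDefinitionReaderUtils;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;

public class FilterBeanNameCollision {

    // Hypothetical stand-in for a provider filter; "owner" records which config declared it.
    public static class StubFilter {
        private String owner;
        public void setOwner(String owner) { this.owner = owner; }
        public String getOwner() { return owner; }
    }

    static AbstractBeanDefinition filterFor(String owner) {
        return BeanDefinitionBuilder.rootBeanDefinition(StubFilter.class)
                .addPropertyValue("owner", owner).getBeanDefinition();
    }

    public static void main(String[] args) {
        // 1. Fixed bean name, as in the parser excerpt: the second registration
        //    replaces the first, so every reference by that name resolves to it.
        DefaultListableBeanFactory registry = new DefaultListableBeanFactory();
        registry.registerBeanDefinition("oauthRequestTokenFilter", filterFor("myapp1"));
        registry.registerBeanDefinition("oauthRequestTokenFilter", filterFor("myapp2"));
        StubFilter resolved = (StubFilter) registry.getBean("oauthRequestTokenFilter");
        System.out.println("fixed name resolves to the filter declared by: " + resolved.getOwner());

        // 2. With overriding disabled, the same collision is rejected at registration time.
        DefaultListableBeanFactory strict = new DefaultListableBeanFactory();
        strict.setAllowBeanDefinitionOverriding(false);
        strict.registerBeanDefinition("oauthRequestTokenFilter", filterFor("myapp1"));
        try {
            strict.registerBeanDefinition("oauthRequestTokenFilter", filterFor("myapp2"));
        } catch (BeanDefinitionStoreException e) {
            System.out.println("collision rejected: " + e.getMessage());
        }

        // 3. Generated names: each definition gets its own name, so both survive.
        DefaultListableBeanFactory unique = new DefaultListableBeanFactory();
        String first = BeanDefinitionReaderUtils.registerWithGeneratedName(filterFor("myapp1"), unique);
        String second = BeanDefinitionReaderUtils.registerWithGeneratedName(filterFor("myapp2"), unique);
        System.out.println(first + " declared by " + ((StubFilter) unique.getBean(first)).getOwner());
        System.out.println(second + " declared by " + ((StubFilter) unique.getBean(second)).getOwner());
    }
}
```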
Comments:
david_syer on Thu, 23 Feb 2012 09:20:28 +0000
Yes, only one oauth:provider is supported. The OAuth 1.0 support predates Spring Security 3.1, so it makes sense in that context. Can you explain your use case a bit more?
mvega on Thu, 23 Feb 2012 20:52:12 +0000
I want to have different login entry points based on the URL accessed.
For example, if I go to /myapp1/users/mvega/ and I'm not authenticated, I want to be redirected to /myapp1/login (a controller which loads modelAndView login_myapp1.jsp), but if I go to /myapp2/accounts/mvega/, I want to be redirected to /myapp2/login (which loads modelAndView login_myapp2).
Before, the only way to do this (without OAuth1) was to use a CustomEntryPoint (which extends LoginUrlAuthenticationEntryPoint) and override determineUrlToUseForThisRequest, returning a different login URL depending on the request URL.
Now it is possible to do this using multiple configs, setting the corresponding information in each <form-login>.
I think the same logic could be applied in OAuth. When I go to confirm access, I want a particular oauth_confirm_access or access-granted-url according to the original entry point.
Then, if I go to /myapp1/users/mvega/ and I'm not authenticated, I will be redirected to /myapp1/login. After that, once I'm logged in, I will be redirected to /myapp/oauth_confirm_access, and then when I confirm, I will be redirected to /myapp1/request_token_authorized (when no callback URL was supplied).