Home/ Questions/Q 6871381
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T03:47:56+00:00

I am trying to set up a spring 3 webapp to act as a

  • 0

I am trying to set up a spring 3 webapp to act as a proxy for another app that serves protected resource with oauth2.

We’re using the UsernamePassword grant type.
My app should not know about the user database ; actually it will query the other app to get the details about the users (which permissions they have, amoung other things).

My app is responsible for displaying the login page.

I want to use a custom spring-security AuthenticationProvider that would :

  • connect to the oauth server to obtain an access token
  • then use an OAuth2RestTemplate to query the user that tries to login, in order to get its GrantedAuthorities, and other details
  • build a UserDetails out of this. (My AuthenticationProvider would extends AbstractUserDetailsAuthenticationProvider)

The problem is :

  • since I’m using to configure my spring app, spring adds an OAuth2ClientSecurityContextFilter to the filter chain
  • when the ‘retrieveUser’ method of my AuthenticationProvider class is called, this filter has not been passed through yet

  • so if I try using the OAuth2RestTemplate inside my overriden ‘retrieveUser’ method, I get an exception :

    java.lang.IllegalStateException: No OAuth 2 security context has been established. Unable to access resource ‘avop-services’.
    at org.springframework.security.oauth2.consumer.OAuth2ClientHttpRequestFactory.createRequest(OAuth2ClientHttpRequestFactory.java:38)
    at org.springframework.http.client.support.HttpAccessor.createRequest(HttpAccessor.java:76)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:434)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:401)
    .. etc ..

(I’m linking this to the OAuth2ClientSecurityContextFilter because of this topic : http://forum.springsource.org/showthread.php?98141-error-No-OAuth-2-security-context-has-been-established )

So my question is :

  • does it make sense to have the AuthenticationProvider fire up after some other filters have played ?
  • if so, it is possible to control the order of filters ?
  • or is there a way to delay the computing of the UserDetails to later in the filter chain ?

I know this is probably a very specific case, but I’m wondering if I am attacking it the right way or if I am missing something.

Thanks in advance.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The solution was to use add a filter at the right-position.

    • 0