Home/ Questions/Q 8780029
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T19:56:33+00:00

I’ve setup an OAuth2 server with spring security. I want to write client application

  • 0

I’ve setup an OAuth2 server with spring security. I want to write client application to use this oauth server with spring security without protecting any resource. Means I just want to run oauth2 from client side with spring security 3.1. I have written the following configuration but it asks for credentials before redirecting to oauth2 server authorize page. But I want to redirect user to oauth2 server authorization page before asking any credentials from client side. I am using following configuration

<http auto-config='true' xmlns="http://www.springframework.org/schema/security">
    <intercept-url pattern="/product/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER" />
</http>

<authentication-manager xmlns="http://www.springframework.org/schema/security">
    <authentication-provider>
        <user-service>
            <user name="jimi" password="jimi" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<!--apply the oauth client context -->
<oauth:client id="oauth2ClientFilter" />


<oauth:resource id="fooClient" type="authorization_code"
    client-id="foo" client-secret="secret" access-token-uri="${accessTokenUri}"
    user-authorization-uri="${userAuthorizationUri}" scope="read" />


 <bean id="dService" class="com.abc.service.DServiceImpl">
    <property name="dURL" value="${dURL}"></property>
    <property name="dRestTemplate">
        <oauth:rest-template resource="fooClient" />
    </property>

 </bean>

So i just want /product url should access oauth2 server. Rest of the URL mapping should work without this.
And User should be anonymous for client ( No need to show login from on client side).

But When I run my application “http://localhost/client-sample/product/1&#8221; then it shows “http://localhost/client-sample/spring_security_login&#8221;. But I want user should redirect to oaut2 server page.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Spring security prevents anonymous users from acquiring an access token. But if you still want this functionality in your application then you will have to extend org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails class and override isClientOnly() method.

    import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;

public class ExtendedBaseOAuth2ProtectedResourceDetails extends
    AuthorizationCodeResourceDetails {

public boolean isClientOnly() {
    return true;
}
}

    By default this method returns false. So you have to override this method to return true.
    Then in your root-context.xml file you have to define oaut2 resource like this.

    <bean id="fooClient" class="com.abc.service.ExtendedBaseOAuth2ProtectedResourceDetails">
  <property name="clientId" value="foo"></property>
  <property name="clientSecret" value="secret"></property>
  <property name="accessTokenUri" value="${accessTokenUri}"></property>
  <property name="userAuthorizationUri" value="${userAuthorizationUri}"></property>
  <property name="scope" value="#{{'read','write'}}">   </property>
</bean>

<bean id="dService" class="com.abc.service.DServiceImpl">
  <property name="dURL" value="${dURL}"></property>
  <property name="dRestTemplate">
      <oauth:rest-template resource="fooClient" />
  </property>
</bean>

    This will not ask authorization on client side before redirecting the user to the oauth2 provider authorization page.

    • 0