14

I am trying to use spring security oauth (library not grails plugin, there is only an extremely outdated grails plugin).

I want my app to be an OAuth 1.0a provider (not OAuth 2). The OAuth2 part of spring-security-oauth does not seem to have this problem, because it does not require a reference to the filterchain in the provider config.

What i want is to configure it as shown here: https://github.com/spring-projects/spring-security-oauth/blob/master/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml

I translated this to the groovy syntax of grails:

consumerDetails(InMemoryConsumerDetailsService)
tokenServices(InMemoryProviderTokenServices)

xmlns oauth: "http://www.springframework.org/schema/security/oauth"
oauth.'consumer-details-service'(id:'consumerDetails') {
    oauth.consumer(name: 'AndroidRegisterApp', key:'testkey', secret:"testkey123", resourceName:'mobileApi', resourceDescription:'Register devices via mobile app')
}

oauth.provider(
        'consumer-details-service-ref': "consumerDetails",
        'token-services-ref':'tokenServices',
        'request-token-url':'/oauth/request_token',
        'authenticate-token-url':'/oauth/authorize',
        'access-granted-url':'/requestTokenAuthorized',
        'access-token-url':'/oauth/access_token',
        'filter-chain-ref':'springSecurityFilterChainProxy',
        'require10a':'true'
)

The problem is that when OAuthProviderBeanDefinitionParser parses this config during grails app start, the springSecurityFilterChainProxy does not yet exist so it fails here: https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java#L179 while calling ConfigUtils.findFilterChain the important line in there is:

parserContext.getRegistry().getBeanDefinition(filterChainRef)

which fails because "springSecurityFilterChainProxy" just doesn't exist in the parserContext (I guess because it only gets created later on). I also tried to postpone this initialization, by putting it in the bootstrap code like this:

def initOauthProvider() {
    def bb = new BeanBuilder(grailsApplication.getMainContext())
    bb.beans {
                   // same bean initialization code as above
            }
     }

this also fails because here i only have the beans in the parserContext that are part of my definition (it doesn't see any other grails beans)

is there any way i can fix this? I've seen that the BeanBuilder can also be initialized with a RuntimeSpringConfiguration object but i haven't found any way how to get this from my grails app.

I am using:

  • Grails 2.2.4
  • spring-security-oauth:1.0.5 with these excludes: 'spring-security-web', 'spring-security-core', 'spring-asm'
  • spring-security-core:2.0-RC2 grails plugin
NoUsername
  • 693
  • 6
  • 20
  • Have you checked [this](https://github.com/danveloper/grails-oauth2) repo? –  Oct 29 '13 at 15:12
  • I have looked at similar examples which (including your link) all use oauth2 provider which isn't what i need. The OAuth2 config looks different (edited & explained in my question) they don't seem to need a reference to the spring security filterchain, they just define their own filterchain. I cannot simply omit the "filter-chain-ref" argument since it just falls back on some default. – NoUsername Oct 29 '13 at 15:18
  • But the repository show's you that you can have a file called resources.xml instead of declaring the beans in the Groovy way, so you can use the xml sample. –  Oct 29 '13 at 15:27
  • but that is not my problem. the groovy syntax is just an alternative. i have debugged into the beandefinitionparser mentioned above which is a normal spring xml config parser and everything works fine it reads all the values exactly as if they came from an xml. The problem is that this config parser wants to access a bean that simply doesn't exist at that time (if its name comes form xml or from groovy dsl won't matter). – NoUsername Oct 29 '13 at 15:30
  • i also can't use the ["depends-on" attribute](http://stackoverflow.com/questions/9378962/) because it isn't a normal bean definition, but a spring config definition. Or is there a way to "wrap" spring config definition in some kind of depends-on block? – NoUsername Oct 29 '13 at 15:33
  • Now I see. Are you using Spring Security Core plugin? It configures the springSecurityFilterChain to you. –  Oct 29 '13 at 16:31
  • yes, as stated in the question i use spring-security-core:2.0-RC2. Yes it does configure the springSecurityFilterChain but this seems to happen later than the evaluation of resources.groovy that's why i tried the other workaround via Bootstrap.groovy – NoUsername Oct 29 '13 at 16:49
  • Are you using the correct bean name? The bean you want is 'springSecurityFilterChain', not 'springSecurityFilterChainProxy' I think (even though it's of type FilterChainProxy). – TomW Feb 04 '14 at 17:47
  • Have you removed it and checked if the beans `springSecurityFilterChainProxy` was created at all after the application started? – JohnTheBeloved May 15 '15 at 18:32

2 Answers2

1

You may try to explicitly define all the spring bean dependencies (references) in grails-app/conf/spring/resources.groovy file.

Here is a sample syntax: 

// resources.groovy
beans = { 

    yourBean(com.company.YourBean) {
        springSecurityService = ref('springSecurityService')
        otherService = ref('otherService')
        anotherService = ref('anotherService')
    }

}

So, in this case, you should get all three springSecurityService, otherService and anotherService initialized and accessible from within the yourBean bean.

Oleh Vasyliv
  • 64
  • 3
0

add your existing xml file in resource folder and use the below 

beans = {
   importBeans('classpath:/applicationContext-services.xml')
}
Ramkumar Pillai
  • 154
  • 2
  • 8