4

I have successfully enabled the '/oauth/check_token' endpoint using spring-security 3.2.* and javaconfig but currently I'm restricted to spring-security 3.1.4 and then i'm stucked to XML config. '/oauth/token' endpoint is working as i wish but I can't get the check_token endpoint to be enabled and I can't find any (non javaconfig) documentation explaining what to do.

Vanila Authorization server config:

<oauth:authorization-server 
        client-details-service-ref="client-service" 
        token-services-ref="tokenServices" >
    <oauth:refresh-token disabled="false" />
    <oauth:client-credentials disabled="false" />
    <oauth:password authentication-manager-ref="userAuthenticationManager"  />       
</oauth:authorization-server>

http security config:

<sec:http 
        auto-config="true"
        pattern="/oauth/token" 
        create-session="stateless"
        authentication-manager-ref="clientAuthenticationManager">
    <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
    <sec:anonymous enabled="false"/>
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
</sec:http>

I've tried to add following http config without success.

<sec:http 
        auto-config="true"
        pattern="/oauth/check_token" 
        create-session="stateless"
        authentication-manager-ref="clientAuthenticationManager">
    <sec:intercept-url pattern="/oauth/check_token" access="IS_AUTHENTICATED_FULLY" />
    <sec:anonymous enabled="false"/>
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint" />
</sec:http>

please, any suggestions. A working example would be great.

best ./Kristofer

Kristofer S
  • 43
  • 1
  • 4
  • That last snippet is good for securing the endpoint. To expose it to HTTP clients you also need to create a bean of type `CheckTokenEndpoint`. – Dave Syer Feb 23 '15 at 10:23

2 Answers2

6

You need to create a bean of type CheckTokenEndpoint (org.springframework.security.oauth2.provider.endpoint.CheckTokenEndpoint).

Krishna
  • 1,871
  • 14
  • 26
Dave Syer
  • 56,583
  • 10
  • 155
  • 143
4

Use the last version of spring oauth2:

<dependency>
  <groupId>org.springframework.security.oauth</groupId>
  <artifactId>spring-security-oauth2</artifactId>
  <version>2.0.10.RELEASE</version>
</dependency>

Ensure what the correct version of xsd is in use in spring security oauth file configuration:

http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd

Insert the option check-token-enabled="true" in the element authorization-server:

<oauth:authorization-server ... check-token-enabled="true">
... 
</oauth:authorization-server>
Scott Weldon
  • 9,673
  • 6
  • 48
  • 67
thiagoms83
  • 81
  • 3