0

I am quite new to developing APIs with Oauth, so it would be great if I could get some help.

I have a Java/Spring web application with an AngularJS frontend that uses Oauth2 to authenticate its users using an authorization endpoint (the uaa application provided by cloudfoundry).

The application is an angularjs single-page application and the browser thus loads its data from the backend providing the token it received from the uaa. So far everything works fine. Yet I would also like to be able to call the backend endpoints via curl, so I would like to have two different clients for the API exposed by the backend.

  • The AngularJS frontend (works fine)
  • Curl, or some other non-browser application for scripting the API.

When I access the API with curl as follows:

curl -X DELETE $URL \
   -H "Authorization: bearer $TOKEN" \
   -H "Content-Type:application/json" \
   --insecure

I am getting Access denied:

Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7d93e109, returned: -1
Access is denied (user is anonymous); redirecting to authentication entry point

Anyone has experience with this?

Thanks

user152468
  • 3,202
  • 6
  • 27
  • 57
  • 1
    Are you trying to access a secured resource, then you have to add JSESSIONID in the curl parameter as a cookie. This will tell Spring-security that you have a session. The accepted answer here should help you in making secure requests http://stackoverflow.com/questions/29276806/spring-security-testing-understanding-rest-authentication. – We are Borg Feb 18 '16 at 14:52
  • Thanks. In fact adding the JSESSIONID is the solution. Yet where do I get it from? I debugged with the Chrome Inspector Network tab, and it has a functionality "Copy as curl" for each request. This shows that Chrome is transmitting the session ID. – user152468 Feb 18 '16 at 17:04

0 Answers0