
This is a follow-up to the question "Problems redirecting to access token entry point Oauth Token".

I have had help on fixing some of it but I am now having an error with authorization/permission while getting to /oauth/token. I am using Spring 4.0.5.RELEASE, Spring-Security 3.2.5.RELEASE and now Spring-Oauth2 2.0.4-build in place of 2.0.3.RELEASE.

The error is the following and I suspect I have something wrong either with the entry-point security or the oauth2:authorization-server.

HTTP Status 500 - Request processing failed; nested exception is error="access_denied", error_description="Error requesting access token."

org.springframework.web.util.NestedServletException: Request processing failed; nested exception is error="access_denied", error_description="Error requesting access token."
    org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:973)
    org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:618)
    org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter.doFilter(OAuth2ClientContextFilter.java:57)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:85)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    org.apache.logging.log4j.core.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:66)

Here is my authorization-server setup:

<!-- Authorization server endpoints. token-endpoint-url matches the pattern of the
     dedicated <sec:http> chain for /oauth/token, and client-details-service-ref names
     the same webServiceClientService bean that clientDetailsUserService wraps. -->
<oauth2:authorization-server client-details-service-ref="webServiceClientService" 
    token-services-ref="tokenServices" user-approval-page="/oauth/userapproval" 
    error-page="/oauth/error" authorization-endpoint-url="/oauth/authorize" 
    token-endpoint-url="/oauth/token" user-approval-handler-ref="userApprovalHandler" 
    redirect-resolver-ref="resolver">
    <!-- NOTE(review): all five grant types are enabled. The implicit and password
         grants are discouraged by current OAuth 2.0 security guidance (RFC 9700);
         keep only the grants the registered clients actually use. -->
    <oauth2:authorization-code
        authorization-code-services-ref="codes" />
    <oauth2:implicit/>
    <oauth2:refresh-token/>
    <oauth2:client-credentials/>
    <!-- Resource-owner password grant: end users are authenticated by
         userAuthenticationManager, not by the client authentication manager. -->
    <oauth2:password authentication-manager-ref="userAuthenticationManager"/>
</oauth2:authorization-server>

My userAuthenticationManager for password is:

<!-- Authenticates end users for the password grant: accounts come from userService
     and submitted passwords are checked through passwordEncoder. -->
<sec:authentication-manager alias="userAuthenticationManager">
    <sec:authentication-provider user-service-ref="userService">
        <sec:password-encoder ref="passwordEncoder"/>
    </sec:authentication-provider>
</sec:authentication-manager>

where userService is an implementation of UserDetailsService.

For pattern="/oauth/token" I have access="hasAuthority('OAUTH_CLIENT')", an authority which I have defined on the user roles. I also have create-session="stateless" for the session, and my authentication-manager-ref="oauthClientAuthenticationManager". The oauthClientAuthenticationManager has an authentication-provider with user-service-ref="clientDetailsUserService", which is a UserDetailsService implementation. I have entry-point-ref="oauthAuthenticationEntryPoint", which is org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint, and I am not changing the realm or typeName.

I also have <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>. clientAuthenticationEntryPoint is also an OAuth2AuthenticationEntryPoint, but I have typeName set to Basic while the realm remains the default, oauth.

I also set

<!-- Child elements of the <sec:http> chain that guards /oauth/token. -->
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
<sec:expression-handler ref="webSecurityExpressionHandler" />

Where clientCredentialsTokenEndpointFilter is org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter with oauthClientAuthenticationManager as its authentication manager.

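<!-- Authenticates OAuth clients (not end users): client credentials are looked up
     through clientDetailsUserService. The provider attribute is spelled
     user-service-ref; without the second hyphen it does not match the schema. -->
<sec:authentication-manager id="oauthClientAuthenticationManager">
    <sec:authentication-provider user-service-ref="clientDetailsUserService">
    </sec:authentication-provider>
</sec:authentication-manager>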

I also have

<!-- oauthAccessDeniedHandler reports authorization failures on this chain as OAuth2
     error responses; webSecurityExpressionHandler evaluates the access expressions
     declared on the chain's intercept-url entries. -->
<sec:access-denied-handler ref="oauthAccessDeniedHandler" /> 
<sec:expression-handler ref="webSecurityExpressionHandler" />

oauthAccessDeniedHandler = org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler, and webSecurityExpressionHandler = org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler.

Also my entry point is as follows:

<!-- Dedicated, stateless filter chain for the token endpoint. Callers here are OAuth
     clients, authenticated through oauthClientAuthenticationManager.
     NOTE(review): the posted stack trace passes through AnonymousAuthenticationFilter,
     CsrfFilter and OAuth2ClientContextFilter, none of which this chain sets up
     (anonymous is disabled below), so the trace looks like it was produced by a
     different chain; confirm which application logged it. -->
<sec:http use-expressions="true" create-session="stateless"
    authentication-manager-ref="oauthClientAuthenticationManager"
    entry-point-ref="oauthAuthenticationEntryPoint" pattern="/oauth/token">
    <!-- The principal on this chain is the client loaded by clientDetailsUserService, so
         OAUTH_CLIENT presumably has to be an authority of the client registration rather
         than a role of an end user; verify against webServiceClientService. -->
    <sec:intercept-url pattern="/oauth/token" access="hasAuthority('OAUTH_CLIENT')" />
    <!-- <sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" /> -->
    <!-- <sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint"/> -->
    <!-- Client credentials sent with HTTP Basic; failures are answered by
         clientAuthenticationEntryPoint. -->
    <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <!-- <sec:http-basic/> -->
    <!-- No anonymous Authentication is created, so a request without valid client
         credentials reaches the access check unauthenticated. -->
    <sec:anonymous enabled="false" />
    <!-- Also accepts client_id / client_secret supplied as request parameters.
         NOTE(review): those parameters should only travel in a POST body over TLS;
         in a query string the secret can end up in access logs. -->
    <sec:custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
    <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    <sec:expression-handler ref="webSecurityExpressionHandler" />
    <!-- <sec:custom-filter ref="corsFilter" after="LAST"/> -->
</sec:http>

Where the clientCredentialsTokenEndpointFilter is defined as:

<!-- Authenticates the OAuth client from the client_id / client_secret request
     parameters, delegating the credential check to oauthClientAuthenticationManager.
     NOTE(review): secrets passed as parameters can end up in access logs when sent in
     the query string; clients should use HTTP Basic or a POST body over TLS. -->
<beans:bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
    <beans:property name="authenticationManager" ref="oauthClientAuthenticationManager"/>
</beans:bean>

And

<!-- Authentication manager for OAuth clients on the /oauth/token chain; client
     records are resolved through clientDetailsUserService. No password-encoder is
     declared on this provider. NOTE(review): confirm how client secrets are stored
     by webServiceClientService and whether they should be hashed. -->
<sec:authentication-manager id="oauthClientAuthenticationManager">
    <sec:authentication-provider user-service-ref="clientDetailsUserService">
    </sec:authentication-provider>
</sec:authentication-manager>

<!-- Adapter that exposes the client registrations held by webServiceClientService
     as a UserDetailsService, so clients can be authenticated like users. -->
<beans:bean id="clientDetailsUserService"
    class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
    <beans:constructor-arg ref="webServiceClientService" />
</beans:bean>

Are there any suggestions? Thanks.

  • The stack trace is from the client app right? What about the Auth server (the one that hosts the /oauth/token endpoint)? Commented Oct 22, 2014 at 3:50

1 Answer 1


I suspect your Spring versions (Spring 4.0.5.RELEASE, Spring-Security 3.2.5.RELEASE). Check whether Spring 4.0.5 is compatible with Spring-Security 3.2.5. I think you should downgrade Spring from 4.0.5 to 3.xx.xx.


1 Comment

Not the case Thuta. They are compatible and work fine.
