Spring security OAuth2 for rest api

Posted: Thu Jun 25, 2015 2:13 am
by ndhonghai
Hi all,

I'm trying to apply OAuth2 security to a REST API using Spring Security OAuth2, but TokenEndpoint is not invoked after BASIC_AUTH_FILTER when getting an access token.

1. With the config below, ProductHandlerMapping captures the request and an NPE happens in its getHandlerInternal() method.

<http pattern="/oauth/token" create-session="stateless"
      authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>

2. And with the config below, /api/v1/oauth/token is NOT FOUND.

<http pattern="/api/v1/oauth/token" create-session="stateless"
      authentication-manager-ref="clientAuthenticationManager"
      xmlns="http://www.springframework.org/schema/security">
    <anonymous enabled="false"/>
    <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
    <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>
    <access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>

<oauth:authorization-server
    client-details-service-ref="client-details-service"
    token-services-ref="tokenServices"
    token-endpoint-url="/api/v1/oauth/token">
    <oauth:refresh-token/>
    <oauth:password/>
</oauth:authorization-server>

Could you please help if you have experienced this?

Thanks much,
Rukawa

Re: Spring security OAuth2 for rest api

Posted: Thu Jun 25, 2015 5:49 am
by ndhonghai
Case (1):
Just for testing, I overrode getHandlerInternal() of the handler mappings (ProductHandlerMapping, PageHandlerMapping, CategoryHandlerMapping) to ignore "/oauth/token" by returning null. Then TokenEndpoint can catch the request and process it as usual.
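The override this reply describes, written out as an added example; it is not code from the post or from Broadleaf. The class name OAuthAwareProductHandlerMapping, the isTokenEndpoint helper and the TOKEN_ENDPOINT_PATH constant are assumed, and the same override applies unchanged to PageHandlerMapping and CategoryHandlerMapping. It assumes the DispatcherServlet is mapped at the context root, so that the request path after the context path is exactly "/oauth/token".

```java
import javax.servlet.http.HttpServletRequest;

import org.broadleafcommerce.core.web.catalog.ProductHandlerMapping;

/**
 * Hypothetical subclass: lets the OAuth2 token request pass through the catalog
 * handler mapping instead of being handed to the product lookup in
 * getHandlerInternal(), where the NPE from the first post occurred.
 */
public class OAuthAwareProductHandlerMapping extends ProductHandlerMapping {

    // Assumed value; must match the token endpoint URL used in the security config.
    static final String TOKEN_ENDPOINT_PATH = "/oauth/token";

    @Override
    protected Object getHandlerInternal(HttpServletRequest request) throws Exception {
        if (isTokenEndpoint(request)) {
            // null means "this mapping has no handler": the DispatcherServlet then asks
            // the next HandlerMapping, which is where Spring Security OAuth2's
            // TokenEndpoint is registered.
            return null;
        }
        return super.getHandlerInternal(request);
    }

    // Path relative to the context root, compared exactly rather than with endsWith(),
    // so a catalog URL that merely ends in "/oauth/token" is still handled here.
    static boolean isTokenEndpoint(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return TOKEN_ENDPOINT_PATH.equals(path);
    }
}
```

The exact comparison is the part worth keeping: a suffix or contains() test would also let catalog URLs that happen to end in the token path bypass the product mapping. The subclass still has to be registered in place of the original mapping bean, with whatever bean id and ordering the project's Spring configuration uses.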

Re: Spring security OAuth2 for rest api

Posted: Mon Jul 06, 2015 5:36 am
by ndhonghai
Another approach:
1. Create a custom controller and forward the request to the Spring OAuth token endpoint:

import java.security.Principal;
import java.util.Map;
import org.broadleafcommerce.core.web.controller.catalog.BroadleafProductController;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

public class OAuthController extends BroadleafProductController implements ApplicationContextAware {

    protected ApplicationContext context;
    // Hands the token request to Spring Security OAuth2's TokenEndpoint bean.
    @RequestMapping(value = "/oauth/token", method = RequestMethod.GET)
    public Object getAccessToken(Principal principal,
            @RequestParam(value = "grant_type", required = false) String grantType,
            @RequestParam Map<String, String> parameters) {
        TokenEndpoint oauthTokenEndpoint = getOAuthTokenEndpoint();
        return oauthTokenEndpoint.getAccessToken(principal, grantType, parameters);
    }

    protected TokenEndpoint getOAuthTokenEndpoint() {
        return (TokenEndpoint) context.getBean("oauth2TokenEndpoint");
    }
    // Required by ApplicationContextAware: Spring injects the context at startup.
    @Override
    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.context = applicationContext;
    }
    // ...
}

2. Update the REST customer state filter (RestApiCustomerStateFilter) to get customerId from the security context instead of the request parameter:

// Get customerId based on the OAuth2 security context.
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
// The instanceof check also guards against a ClassCastException when the principal
// is not a CustomerUserDetails (for example the String "anonymousUser").
if (authentication != null && authentication.getPrincipal() instanceof CustomerUserDetails) {
    CustomerUserDetails userDetails = (CustomerUserDetails) authentication.getPrincipal();
    customerId = String.valueOf(userDetails.getId());
}
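Step 2 of this reply, carried through as an added example (not code from the post and not Broadleaf's RestApiCustomerStateFilter). The filter class, the resolveCustomerId helper and the CUSTOMER_ID_ATTR attribute name are assumptions; CustomerUserDetails is the Broadleaf class the reply uses. The point it demonstrates is the one the reply makes: if customerId comes from a request parameter, any caller with a valid token can name a customer other than the one the token was issued for, so the id must come only from the authenticated token, and requests without a user behind them (anonymous, or a client-credentials token) get no customer at all.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.broadleafcommerce.profile.web.core.security.CustomerUserDetails;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Hypothetical filter showing step 2 of the reply: the customer is taken from the
 * authenticated OAuth2 token and never from a request parameter.
 */
public class TokenBoundCustomerStateFilter extends GenericFilterBean {

    // Constructed attribute name; downstream code reads the customer id from here.
    static final String CUSTOMER_ID_ATTR = "oauthCustomerId";

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String customerId = resolveCustomerId(SecurityContextHolder.getContext().getAuthentication());
        if (customerId != null) {
            request.setAttribute(CUSTOMER_ID_ATTR, customerId);
        }
        // Any "customerId" request parameter is deliberately ignored: a caller must not be
        // able to act as a customer other than the one its token was issued for.
        chain.doFilter(request, response);
    }

    /**
     * Returns the id of the customer the token was issued for, or null when the request is
     * anonymous, carries a client-credentials token with no user behind it, or the principal
     * is not a CustomerUserDetails (for example Spring's "anonymousUser" String).
     */
    static String resolveCustomerId(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return null;
        }
        if (authentication instanceof OAuth2Authentication
                && ((OAuth2Authentication) authentication).isClientOnly()) {
            return null; // client token only: no customer to bind
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof CustomerUserDetails) {
            return String.valueOf(((CustomerUserDetails) principal).getId());
        }
        return null;
    }
}
```

Keeping the resolution in a static helper that takes the Authentication as a parameter makes the three "no customer" cases (null or unauthenticated, client-only token, foreign principal type) easy to unit-test without a servlet container.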

Re: Spring security OAuth2 for rest api

Posted: Sat Aug 22, 2015 7:44 am
by stmubin
Hi

I am new to Broadleaf eCommerce, and I started to enable the REST API and it works fine. Now I want to enable OAuth2 security for the REST API. Could you please tell me the steps and provide the code snippet for the changes you have made to make it work? Thanks in advance
Syed