
oauth2-provider's People

Contributors

iainporter


oauth2-provider's Issues

incorrect URL in .VM files

In these files:
oauth2-provider/src/main/resources/META-INF/velocity/*.vm

These lines need to be changed from:

<a href="${model.getHostNameUrl()}/******

To:

<a href="${model.getHostNameUrl()}/oauth2-provider/******

Authentification Required

This is a minor issue related to the example login page (index.html).

When entering invalid credentials, a popup appears: Authentification Required: The server http://localhost:8080 requires a username and password. The server says: oauth.

This popup should not appear.

VerificationTokenServiceImpl

In VerificationTokenServiceImpl, don't think this is required since it's in the constructor. Unless I'm missing something....

@Autowired
public void setUserRepository(UserRepository userRepository) {
this.userRepository = userRepository;
}

Update to latest jersey version

It would be nice to use one of the more recent versions of jersey. Currently you are using version 1.9.1 while the latest version is 2.11 - it is causing conflicts with other components that we want to integrate with your framework but that use jersey 2.11 - just a thought

Sign up and login issues

  1. When signing up, the fields "Password" and "Confirm Password" are set to two different values.

Result: Form is accepted and redirection to Dashboard, console message:
GET http://localhost:8080/oauth2-provider/v1.0/me 401 (Unauthorized) jquery-1.8.2.min.js:2

Expected: a message saying that the two passwords don't match

  2. Idem when signing up with "Password" and "Confirm Password" set to the SAME value (e.g. "password")

Result: Form is accepted and redirection to Dashboard, console message:
GET http://localhost:8080/oauth2-provider/v1.0/me 401 (Unauthorized) jquery-1.8.2.min.js:2

  3. Logout after signing up, then login is impossible with correct credentials

Result: Message "Email and/or password did not match a user account."
POST http://localhost:8080/oauth2-provider/oauth/token 400 (Bad Request) jquery-1.8.2.min.js:2

UPDATE: I numbered the points from 1. to 3. but they all appear as 1.

How to add CORS filter to /v1.0/**

Hi, this is not an issue, just a question; can you help me? Thanks in advance.
You added a CORS filter to /oauth/token, which works, but do you know how to add a CORS filter to the resources (/v1.0/**)? I always get this:
Remote Address:[::1]:8080
Request URL:http://localhost:8080/v1.0/xxx
Request Method:OPTIONS
Status Code:401 Unauthorized

Password reset url leads to Error 404

After having submitted a password reset request, I received an email containing the following url:

http://localhost:8080/reset_password.html?ZGNkNTE0OTAtNTg0OC00MDUyLWJhZGQtMmRlOTQzYTUyNWQ3

When I enter this url in a browser, the page is blank and the following error is shown in the JavaScript console:

Failed to load resource: the server responded with a status of 404 (Not Found)

The MongoDB database is correctly configured as I can add a user, login and logout.

/v1.0/me returns error code 401

Using curl to get user information returns an error code 401.

  1. Login
curl -v -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Basic MzUzYjMwMmM0NDU3NGY1NjUwNDU2ODdlNTM0ZTdkNmE6Mjg2OTI0Njk3ZTYxNWE2NzJhNjQ2YTQ5MzU0NTY0NmM=" \
'http://localhost:8080/oauth2-provider/oauth/token?grant_type=password&username=xxx&password=password'

returns OK

  1. /v1.0/me using access token returned previously
curl -v -X GET \
 -H "Content-Type: application/json" \
 -H "Authorization: Bearer 9ea7d2dc-eb01-40b2-a29f-bb33ef11c6c9" \
 'http://localhost:8080/oauth2-provider/v1.0/me'

returns

*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /oauth2-provider/v1.0/me HTTP/1.1
> User-Agent: curl/7.35.0
> Host: localhost:8080
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer 9ea7d2dc-eb01-40b2-a29f-bb33ef11c6c9
> 
< HTTP/1.1 401 Unauthorized
< Date: Wed, 12 Nov 2014 15:20:23 GMT
< Content-Type: application/json
< Content-Length: 168
* Server Jetty(9.2.3.v20140905) is not blacklisted
< Server: Jetty(9.2.3.v20140905)
< 
* Connection #0 to host localhost left intact
{"errorCode":"401","consumerMessage":"You do not have the appropriate privileges to access this resource","applicationMessage":"Access is denied","validationErrors":[]}

ROLE_ADMIN issue

  1. In addition to the roles presented in your last post, there is a reference to ROLE_PROVIDER in security-configuration.xml. A grep didn't show any other reference to it. What is it used for?
  2. security-configuration.xml has references to four roles (ROLE_ADMIN, ROLE_PROVIDER, ROLE_USER, ROLE_GUEST) but Role.java only defines ROLE_ADMIN and ROLE_USER. May that not lead to issues?
  3. I've modified your User::getUser(targetUser, securityContext) method so that not only the logged in user can access its data but also any logged in users who have the role ROLE_ADMIN.
    @RolesAllowed({"ROLE_USER"})
    @Path("/{id}")
    @GET
    public ApiUser getUser(final @PathParam("id") String userId, final @Context SecurityContext securityContext) {
        User requestingUser = loadUserFromSecurityContext(securityContext);
        for (Role role : requestingUser.getRoles()) {
            LOG.info(role.toString());
        }
        ApiUser targetUser = userService.getUser(userId);
        if (targetUser == null) {
            throw new UserNotFoundException();
        }
        if (requestingUser.getRoles().contains(Role.ROLE_ADMIN) || requestingUser.getId().equals(userId)) {
            return targetUser;
        }
        throw new AuthorizationException("User not permitted to access this resource");
    } 

I manually changed the role of UserA in MongoDB from ROLE_USER to ROLE_ADMIN. But when I execute the above method, requestingUser = UserA prints that it has only the role ROLE_USER.

If I replace @RolesAllowed({"ROLE_USER"}) by @RolesAllowed({"ROLE_USER", "ROLE_ADMIN"}) (which contradicts the purpose of the hierarchical roles you presented), an error 401 ("Access is denied") is systematically returned and the content of the method getUser() is never evaluated.

UPDATE: I also get an error 401 when I use @RolesAllowed({"ROLE_ADMIN"}) and I'm logged in with an account which has the role ROLE_ADMIN.
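The post above combines two checks: an endpoint-level role requirement (@RolesAllowed) and an object-level rule that a user may read only their own record unless they are an admin. The stand-alone class below is an added example, not code from the oauth2-provider project; it models the role hierarchy the security configuration refers to (ROLE_ADMIN above ROLE_USER above ROLE_GUEST) so that a user whose stored role is only ROLE_ADMIN still satisfies a ROLE_USER requirement, and then applies the self-or-admin rule. The class, enum and method names are illustrative and do not correspond to the project's own types.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical model of the access check discussed in the issue above.
public class UserAccessCheck {

    // Declaration order encodes the hierarchy: each role implies every role before it.
    public enum Role { ROLE_GUEST, ROLE_USER, ROLE_ADMIN }

    // Minimal stand-in for the project's User entity: an id plus the roles stored for it.
    public static final class Principal {
        final String id;
        final Set<Role> storedRoles;

        Principal(String id, Set<Role> storedRoles) {
            this.id = id;
            this.storedRoles = EnumSet.copyOf(storedRoles);
        }
    }

    /**
     * Expands stored roles through the hierarchy. With this in place an account that
     * carries only ROLE_ADMIN does not need ROLE_ADMIN listed in every @RolesAllowed.
     */
    static Set<Role> effectiveRoles(Set<Role> stored) {
        Set<Role> effective = EnumSet.noneOf(Role.class);
        for (Role held : stored) {
            for (Role candidate : Role.values()) {
                if (candidate.ordinal() <= held.ordinal()) {
                    effective.add(candidate);
                }
            }
        }
        return effective;
    }

    /** Endpoint-level rule: the caller must hold at least ROLE_USER. */
    static boolean mayCallEndpoint(Principal caller) {
        return effectiveRoles(caller.storedRoles).contains(Role.ROLE_USER);
    }

    /** Object-level rule: own record, or any record when the caller is an admin. */
    static boolean mayReadUser(Principal caller, String targetUserId) {
        if (!mayCallEndpoint(caller)) {
            return false;
        }
        Set<Role> roles = effectiveRoles(caller.storedRoles);
        return roles.contains(Role.ROLE_ADMIN) || caller.id.equals(targetUserId);
    }

    public static void main(String[] args) {
        // Constructed sample principals.
        Principal alice = new Principal("alice", EnumSet.of(Role.ROLE_USER));
        Principal admin = new Principal("admin", EnumSet.of(Role.ROLE_ADMIN));
        Principal guest = new Principal("guest", EnumSet.of(Role.ROLE_GUEST));

        System.out.println("alice reads own record:   " + mayReadUser(alice, "alice"));
        System.out.println("alice reads bob's record: " + mayReadUser(alice, "bob"));
        System.out.println("admin reads bob's record: " + mayReadUser(admin, "bob"));
        System.out.println("guest reads own record:   " + mayReadUser(guest, "guest"));
    }
}
```

The check reads the roles from the principal passed in, which is the point worth verifying in the scenario described: if the roles attached to the security context were captured when the access token was issued, a role changed directly in the database afterwards will not be reflected until a new token is obtained.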

Issue #5 Authentification Required - should be reopened

Issue #5 Authentification Required - should be reopened (or revisited)

The behaviour and response is different in these 2 scenarios:

  1. login with INVALID username and INVALID password

  2. login with CORRECT username and INVALID password

The fix only works for scenario 1), but why is an HTML response considered RESTful?

MongoDB indexes break tests

If you add this to User.java for example:

@CompoundIndexes(value=@CompoundIndex(name="email_idx", def="{'emailAddress':1}", unique=true))
public class User extends BaseEntity implements UserDetails {

This breaks the MongoDbConfigurationTest tests with this error; it looks like Mongo is not running?

Caused by: com.mongodb.MongoServerSelectionException: Unable to connect to any server that matches AnyServerSelector{}
at com.mongodb.BaseCluster.getServer(BaseCluster.java:80)
at com.mongodb.DBTCPConnector.getServer(DBTCPConnector.java:666)
at com.mongodb.DBTCPConnector.access$300(DBTCPConnector.java:42)
at com.mongodb.DBTCPConnector$MyPort.getConnection(DBTCPConnector.java:511)
at com.mongodb.DBTCPConnector$MyPort.get(DBTCPConnector.java:459)
at com.mongodb.DBTCPConnector.getPrimaryPort(DBTCPConnector.java:417)
at com.mongodb.DBCollectionImpl.createIndex(DBCollectionImpl.java:337)
at com.mongodb.DBCollection.createIndex(DBCollection.java:564)
at org.springframework.data.mongodb.core.index.MongoPersistentEntityIndexCreator.createIndex(MongoPersistentEntityIndexCreator.java:135)
....
.....

User can no longer log in after a certain period of time.

The following error is thrown when user tries to login with valid credentials:
[http-nio-8080-exec-3] INFO org.springframework.security.oauth2.provider.endpoint.TokenEndpoint - Handling error: IllegalArgumentException, The given entity must not be null!

I suspect it has something to do with access tokens because if I delete the entries in oAuth2AuthenticationAccessToken, it seems to work again.
