java - Using Spring Security OAuth2, what's the right way to refresh the stored authentication in the TokenStore? -


we're using resource-owner credentials grant type (with oauth2:password in security-config.xml. let's play out scenario explain predicament:

  1. bob created authorities role_user
  2. bob tries access oauth2 protected resource
  3. bob uses official mobile app access it, client credentials correct
  4. bob's access token created , stored in tokenstore, keyed on username, client_id, , scope. (see defaultauthenticationkeygenerator.java)
  5. bob's phone tries call protected services access token, services require users have authority of role_mobile_user.
  6. bob contacts db owner , has role_moble_user added user in database.
  7. bob tries access token, defaulttokenservices returns him same, non-working access token.
  8. the way take advantage of new authority wait until old access token expires can new access token correct authority.

there number of ways address this.

for one, administration app adds role_mobile_user bob's authorities clear access tokens , authorizations in database. way defaulttokenservices create new 1 correct authorities serialized new oauth2authentication. may not want administration webapp concerned oauth @ point (at least not yet). if possible we'd keep administration app concerns concise possible, , right there no dependencies on oauth.

we expose delete method /oauth/access_token endpoint , tell mobile app try deleting access token , re-requesting one, in case stored authorities stale. feels more work-around though.

finally can serialize authorities in own defined authenticationkeygenerator. use username, client_id, scope, , authorities of authorization , perform same digest algorithm on them. way when bob tries log in he'll same access token, underlying token store recognize has different authentication (from authentication manager in token granter bean) , refresh database. problem have solution relies on implementation behavior of underlying token store (though both inmemorytokenstore , jdbctokenstore behave way).

can think of better/cleaner solutions? over-thinking this?

thanks in advance.

i resolved issue in app deleting tokens given user when authentication information sent.

use custom authenticationprovider bean.

@component("authenticationprovider") public class authenticationproviderimpl implements authenticationprovider

autowire in token store bean.

@autowired @qualifier("tokenstore") private tokenstore tokenstore;

then in authenticate method, remove tokens given user if credentials passed second time.

@override public authentication authenticate(authentication authentication) throws authenticationexception {     usernamepasswordauthenticationtoken token = (usernamepasswordauthenticationtoken) authentication;      try {          //do authentication          //delete previous tokens         collection<oauth2accesstoken> tokencollection = tokenstore.findtokensbyusername(token.getname());         (oauth2accesstoken otoken : tokencollection){             tokenstore.removeaccesstoken(otoken);         }          //return authentication;     } }

most of requests using token , bypass entirely, when credentials passed, new token generated. token associated new authentication object include new roles, , changes made user.


Comments

Post a Comment

Popular posts from this blog

javascript - addthis share facebook and google+ url -

i attempting use addthis create simple url shares whichever current page user on when click share button. of right now, have twitter working. when user clicks, able see url populated in tweet box. when user clicks facebook or google+, url doesn't seem show in share box. <ul class="addthis_toolbox addthis_default_style "> <li><a class="addthis_button_facebook"><img src="/img/facebook-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_twitter"><img src="/img/twitter-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_google_plusone_share"><img src="/img/google-social.png" width="20" height="20" border="0" alt="s...
Read more

ios - Show keyboard with UITextField in the input accessory view -

i have buttona , when buttona clicked, want keyboard show uitextfield in inputaccessoryview. there way have keyboard show manually , set inputaccessoryview without having uitextfield initially? thanks. you cannot summon keyboard without object can become first responder. there 2 ways work around: subclass uiview , implement uikeyinput protocol in it. example: in .h file: @interface inputobject : uiview<uikeyinput> @property (nonatomic, copy) nsstring *text; @property (nonatomic, strong) uiview *inputaccessoryview; // must override inputaccessoryview , since it's readonly default @end in .m file, implement protocol: - (bool)canbecomefirstresponder { return yes; } - (bool)hastext { return [self.text length]; } - (void)inserttext:(nsstring *)text { nsstring *selftext = self.text ? self.text : @""; self.text = [selftext stringbyappendingstring:text]; [[nsnotificationcenter defaultcenter] postnotificationname:kinputobjec...
Read more

c++ - importing crypto++ in QT application and occurring linker errors? -

i trying use crypto++ sankore-3.1 qt program, i've installed qt sdk 4.8.1 using vc++ 2010 compiler. i've compiled , built crypto++ using microsoft visual studio 2010, , have needed lib files, include .h files , dll file in hand. i testes these library simple qt application in empty project using qt creator, added libraries .pro file , run successfully. .pro file blow: win32:config(release, debug|release): libs += -l$$pwd/../../dokuman/sankore- 3.1/plugins/cryptopp/win32/dll_output/release/ -lcryptopp else:win32:config(debug, debug|release): libs += -l$$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/win32/dll_output/debug/ -lcrypto includepath += $$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/include dependpath += $$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/include sources += \ main.cpp win32:config(release, debug|release): libs += -l$$pwd/../../dokuman/sankore-3.1/plugins/cryptopp/win32/output/release/ -lcryptlib else:win32:config(debug, de...
Read more