SECOAUTH-388: apply ClientCredentialsTokenEndpointFilter only if not …

…already authenticated
eonezhang · Jan 31, 2013 · 41be0b6 · 41be0b6
1 parent 6176757
commit 41be0b6
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/samples/oauth2/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml b/samples/oauth2/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -17,7 +17,7 @@
 		<anonymous enabled="false" />
 		<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
 		<!-- include this only if you need to authenticate clients via request parameters -->
-		<custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER" />
+		<custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER" />
 		<access-denied-handler ref="oauthAccessDeniedHandler" />
 	</http>
 

diff --git a/...springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java b/...springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java
@@ -23,6 +23,7 @@
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
 import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
 import org.springframework.security.web.AuthenticationEntryPoint;
@@ -40,17 +41,17 @@
  * 
  */
 public class ClientCredentialsTokenEndpointFilter extends AbstractAuthenticationProcessingFilter {
-	
+
 	private AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint();
 
 	public ClientCredentialsTokenEndpointFilter() {
 		this("/oauth/token");
 	}
-	
+
 	public ClientCredentialsTokenEndpointFilter(String path) {
 		super(path);
 	}
-	
+
 	/**
 	 * @param authenticationEntryPoint the authentication entry point to set
 	 */
@@ -85,8 +86,14 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 		String clientId = request.getParameter("client_id");
 		String clientSecret = request.getParameter("client_secret");
 
+		// If the request is already authenticated we can assume that this filter is not needed
+		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		if (authentication != null && authentication.isAuthenticated()) {
+			return authentication;
+		}
+
 		if (clientId == null) {
-			return null;
+			throw new BadCredentialsException("No client credentials presented");
 		}
 
 		if (clientSecret == null) {