OAuth for Spring Security


There's a good getting started guide that illustrates OAuth by describing two different (but related) services. One is a photo-sharing application. The other is a photo-printing application. In OAuth terms, the photo sharing application is the OAuth provider and the photo printing application is the OAuth consumer.

For this tutorial, we will see OAuth for Spring Security in action by deploying a photo-sharing application and a photo-printing application on our local machine. We'll name the photo-sharing application "Sparklr" and the photo-printing application "Tonr". A user named "Marissa" (who has an account at both Sparkr and Tonr) will use Tonr to access her photos on Sparklr without ever giving Tonr her credentials to Sparklr.

Each application is a standard Maven project, so you will need Maven installed. You will also need Subversion installed in order to download these applications for local install. (Hopefully, these are tools that you're already familiar with.)

Each application is a standard Spring MVC application with Spring Security integrated. Presumably, you're familiar with Spring and Spring Security so the configuration files will look familiar to you.


Checkout Sparklr

svn co http://svn.codehaus.org/spring-security-oauth/trunk/sparklr/

Checkout Tonr

svn co http://svn.codehaus.org/spring-security-oauth/trunk/tonr/

Get familiar with the applications.

Note especially the Spring configuration files in src/main/webapp/WEB-INF.

For Sparklr, you'll notice the definition of the OAuth provider mechanism and the consumer details along with the standard spring security configuration elements. For Tonr, you'll notice the definition of the OAuth consumer mechanism and the resource details. For more information about the necessary components of an OAuth provider and consumer, see the user guide.

You'll also notice the Spring Security filter chain in applicationContext.xml and how it's configured for OAuth support.

Deploy Sparklr.

cd sparklr
mvn jetty:run

Sparklr should be started on port 8080. Go ahead and browse to http;//localhost:8080/sparklr. Note the basic login page and the page that can be used to browse Marissa's photos. Logout to ensure Marissa's session is no longer valid. (Of course, the logout isn't mandatory; an active Sparklr session will simply bypass the step that prompts for Marissa's credentials before confirming authorization for Marissa's protected resources.)

Start Tonr.

cd tonr
mvn jetty:run

Tonr should be started on port 8888. Browse to http://localhost:8888/tonr. Note Tonr's home page.


Now that you've got both applications deployed, you're ready to observe OAuth in action.

  • Login to Tonr.

    Marissa's credentials are already hardcoded into the login form.

  • Click to view Marissa's Sparklr photos.

    You will be redirected to the Sparklr site where you will be prompted for Marissa's credentials.

  • Login to Sparklr.

    Upon successful login, you will be prompted with a confirmation screen to authorize access to Tonr for Marissa's pictures.

  • Click "authorize".

    Upon authorization, you should be redirected back to Tonr where Marissa's Sparklr photos are displayed (presumably to be printed).