These are chat archives for spring-cloud/spring-cloud

14th
Jan 2015
Dave Syer
@dsyer
Jan 14 2015 10:27
@wgorder I have a new solution to the /user endpoint problem we discussed yesterday
It's one I think we will bake into Spring OAuth2 as an option in the resource server (spring-projects/spring-security-oauth#360)
William Gorder
@wgorder
Jan 14 2015 12:46
Ok, I'll have a look
William Gorder
@wgorder
Jan 14 2015 12:59
I like it. Currently I don't have @ResourceServer on my auth server. But I suppose the /user is a resource so I probably should
I'll try it out. I think a lot of my weird issues are coming from my use of spring-session. Some things are being shared that make things inconvenient. For example when I log out I would expect to be able to log back in (without providing credentials) since I am still logged into the auth server (and I can). However if I try to access a protected resource while logged out of the application, I am redirected to the login screen to provide credentials rather than just being logged in automatically. Seems kind of strange that the auth server remembers in one scenario and not in the other.
William Gorder
@wgorder
Jan 14 2015 13:05
I will implement your solution though, I think it's a reasonable solution
William Gorder
@wgorder
Jan 14 2015 13:10
actually being redirected to the login screen makes sense since I am logged out, it's just not making sense why I need to provide credentials in one case and not the other. If I log out of stack overflow I get this message

Log Out
Clicking Log Out will clear our cookies and log you out of Stack Overflow on all devices.

If you're on a shared computer, remember to log out of your Open ID provider (Facebook, Google, Stack Exchange, etc.) as well.

I guess once logged out on stack overflow login sends you to a screen that you can enter your stack overflow credentials or re-authenticate with facebook or google. It does not do it automatically.
William Gorder
@wgorder
Jan 14 2015 13:17
oddly accessing the account edit screen while logged out results in a 404 rather than a redirect or a 403/401
on SO that is.
I am trying to figure out what the norm is with sso on the internet of things and I am not sure there really is one :)
William Gorder
@wgorder
Jan 14 2015 14:53
@dsyer your solution is not quite working for me. When the api-gateway server is starting up it tries things go haywire in the JWT stuff. It makes a call to the auth-server on /oauth/token_key and gets denied and redirected to the authentication entry point.
Dave Syer
@dsyer
Jan 14 2015 14:53
Your /token_key endpoint is probably secure and it shouldn't be?
Assuming you are using JWT and RSA
William Gorder
@wgorder
Jan 14 2015 14:54
I thought token_key had to be secure
I am using the jwt out of the box that spring-cloud-security provides
Dave Syer
@dsyer
Jan 14 2015 14:54
With RSA it makes more sense to be open (it's a public key)
Out of the box it is denyAll() so you can't use it without explicitly setting the access rule
William Gorder
@wgorder
Jan 14 2015 14:55
Ok I basically have the same configuration as the examples. Does it use RSA out of the box?
Dave Syer
@dsyer
Jan 14 2015 14:55
Spring Cloud Security has nothing to say about this
Which example?
Dave Syer
@dsyer
Jan 14 2015 14:56
That's the client app
It expects the server to provide JWT tokens
William Gorder
@wgorder
Jan 14 2015 14:57
yes mine looks the same.
Dave Syer
@dsyer
Jan 14 2015 14:57
And for the public key to be available
William Gorder
@wgorder
Jan 14 2015 14:57
then it makes a call to the auth server
which in my case is being denied and my auth server follows the example here
Dave Syer
@dsyer
Jan 14 2015 14:58
Right
On the server demo it has
        @Override
        public void configure(AuthorizationServerSecurityConfigurer oauthServer)
                throws Exception {
            oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
                    "isAuthenticated()");
        }
William Gorder
@wgorder
Jan 14 2015 14:58
hmm well then mine should have that too, let me check
Dave Syer
@dsyer
Jan 14 2015 14:59
You can hand code the key in your YAML as well
William Gorder
@wgorder
Jan 14 2015 14:59
Yeah actually mine has that
so I don't know what is going on
Does it have all the correct URLs?
William Gorder
@wgorder
Jan 14 2015 15:00
The configuration part is basically taken from the example.
Dave Syer
@dsyer
Jan 14 2015 15:00
I just pushed a change to the properties (spring.oauth2.* prefixes) as well so watch out for snapshots
only diff is that I added the code snippet for your /user endpoint changes
the onceperrequest filter
which does not show in my link
Oh I am using a snapshot
what was the change.
just as in just now?
Here is what I am seeing...
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token_key'; against '/css/'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token_key'; against '/js/'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token_key'; against '/images/'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token_key'; against '//favicon.ico'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth/token_key'; against '/error'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@198f4152
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth/token_key' doesn't match 'POST /logout
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 6 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth/token_key' doesn't match 'POST /login
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 7 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 8 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.security.web.FilterChainProxy : /oauth/token_key at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2015-01-14 09:49:37.675 DEBUG 15261 --- [nio-8083-exec-2] o.s.s.w.a.AnonymousAuthenticationFilter : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055e4a6: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authori
William Gorder
@wgorder
Jan 14 2015 15:06

Yet that endpoint is set to permitAll just like in the example. I am going to remove the filter and see if the problem goes away
Dave Syer
@dsyer
Jan 14 2015 15:08
There's no session so that filter I added won't do anything
Anyway it shouldn't be in the chain for /oauth/token_key
William Gorder
@wgorder
Jan 14 2015 15:09
ok so removing this block
Dave Syer
@dsyer
Jan 14 2015 15:09
anonymous is fine though
William Gorder
@wgorder
Jan 14 2015 15:09
@Configuration
// @EnableResourceServer
// protected static class Oauth2ResourceConfiguration extends ResourceServerConfigurerAdapter {
//     TokenExtractor tokenExtractor = new BearerTokenExtractor();
//
//     @Override
//     void configure(HttpSecurity http) throws Exception {
//         http.addFilterAfter(new OncePerRequestFilter() {
//             @Override
//             protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, java.io.IOException {
//                 // We don't want to allow access to a resource with no token so clear the security context in case
//                 // it is actually an OAuth2Authentication
//                 if(tokenExtractor.extract(request) == null ) {
//                     SecurityContextHolder.clearContext()
//                 }
//                 filterChain.doFilter(request, response)
//             }
//         }, AbstractPreAuthenticatedProcessingFilter.class)
//         http.authorizeRequests().anyRequest().authenticated()
//     }
// }
and changing @Order(-10) back to @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
fixed everything
Dave Syer
@dsyer
Jan 14 2015 15:11
That's the order of the LoginConfig?
William Gorder
@wgorder
Jan 14 2015 15:12
Well I had it split into 2 files so the Oauth2ResourceConfiguration I put in this class
and the @Order was changed on this class
Dave Syer
@dsyer
Jan 14 2015 15:13
The sample app works for me:
$ curl localhost:8080/uaa/oauth/token_key
{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnGp/Q5lh0P8nPL21oMMrt2RrkT9AW5jgYwLfSUnJVc9G6uR3cXRRDCjHqWU5WYwivcF180A6CWp/ireQFFBNowgc5XaA0kPpzEtgsA5YsNX7iSnUibB004iBTfU9hZ2Rbsc8cWqynT0RyN4TP1RYVSeVKvMQk4GT1r7JCEC+TNu1ELmbNwMQyzKjsfBXyIOCFU/E94ktvsTZUHF4Oq44DBylCDsS1k7/sfZC2G5EU7Oz0mhG8+Uz6MSEQHtoIi6mc8u64Rwi3Z3tscuWG2ShtsUFuNSAFNkY7LkLn+/hxLCu2bNISMaESa8dG22CIMuIeRLVcAmEWEWH5EEforTg+QIDAQAB\n-----END PUBLIC KEY-----"}
William Gorder
@wgorder
Jan 14 2015 15:14
odd yeah I can't even get the app running on 8080 to start with that change. The token_key actually gets hit while it's starting since I don't hardcode the key
Dave Syer
@dsyer
Jan 14 2015 15:14
It doesn't have @EnableResourceServer though
William Gorder
@wgorder
Jan 14 2015 15:15
the app you're testing with or mine?
Dave Syer
@dsyer
Jan 14 2015 15:15
The one from spring-cloud-samples
William Gorder
@wgorder
Jan 14 2015 15:15
ahh ok
yeah mine basically has the same stuff just split into different files
OK, I'm looking at yours
@SessionAttributes("authorizationRequest") should be on a @Controller I think
Dave Syer
@dsyer
Jan 14 2015 15:17
That's why I mentioned it
William Gorder
@wgorder
Jan 14 2015 15:17
the other thing I noticed is you have @EnableResourceServer twice in the link above
Dave Syer
@dsyer
Jan 14 2015 15:17
Probably harmless, but you might have wanted it to do something and it's not
William Gorder
@wgorder
Jan 14 2015 15:18
oh I was looking at the wrong link :) I'll add an @Controller
Dave Syer
@dsyer
Jan 14 2015 15:18
That's a typo (duplicate @EnableResourceServer)
William Gorder
@wgorder
Jan 14 2015 15:18
ok
Well those are the only 2 differences I really see
apart from separate files
Dave Syer
@dsyer
Jan 14 2015 15:20
The order is important
Your log says that it is creating an anonymous token but I didn't see the access decision
William Gorder
@wgorder
Jan 14 2015 15:21
Yeah
let me check in exactly what I have.
Dave Syer
@dsyer
Jan 14 2015 15:22
And the antMatchers are different in the security config
You basically have anyRequest() whereas I specifically secure only "/login", "/oauth/authorize", "/oauth/confirm_access"
That's also important
William Gorder
@wgorder
Jan 14 2015 15:24
Hmm ok well your /user endpoint is not secured then? Actually I guess it doesn't need to be, it will be null if not authenticated
Dave Syer
@dsyer
Jan 14 2015 15:24
/user is secured by the @EnableResourceServer
William Gorder
@wgorder
Jan 14 2015 15:25
oh ok.
Yeah the problem is my security config was based off of
and I didn't go back and check those
that is probably it
let me fix that
Dave Syer
@dsyer
Jan 14 2015 15:26
The latter is a better example for this use case
William Gorder
@wgorder
Jan 14 2015 15:26
agreed
William Gorder
@wgorder
Jan 14 2015 15:35
on your example in the LoginConfig you don't explicitly mention /oauth/token_key endpoint
Dave Syer
@dsyer
Jan 14 2015 15:36
That's because it's handled by the @EnableAuthorizationServer
William Gorder
@wgorder
Jan 14 2015 15:36
I also notice you don't put a permitAll() at the end of your antmatcher list, is that intentional?
Dave Syer
@dsyer
Jan 14 2015 15:36
In which class?
Dave Syer
@dsyer
Jan 14 2015 15:37
permitAll() is only used on the loginPage() config
William Gorder
@wgorder
Jan 14 2015 15:38
ok.
well mine already has
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess(
"isAuthenticated()");
Dave Syer
@dsyer
Jan 14 2015 15:38
Oh I get it, you asked why I don't use it
William Gorder
@wgorder
Jan 14 2015 15:38
so I am not sure if this will help me at all
yea it's not used
Dave Syer
@dsyer
Jan 14 2015 15:38
Because I'm doing requestMatchers() not authorizeRequests()
i.e. the API does not allow me to permitAll() there
William Gorder
@wgorder
Jan 14 2015 15:38
that builder confuses the hell out of me :)
Dave Syer
@dsyer
Jan 14 2015 15:39
Me too, I must admit
I like looking at it when it's done
But getting there can be painful
William Gorder
@wgorder
Jan 14 2015 15:39
alright that authorizeRequests is probably what's getting me then
William Gorder
@wgorder
Jan 14 2015 15:53
Ok so I can start up the gateway no errors there now. But if I click the login link I am correctly redirected to localhost:8083/uaa/login however the page rendered has this
<oauth>
<error_description>
An Authentication object was not found in the SecurityContext
</error_description>
<error>unauthorized</error>
</oauth>
I see this in the auth server logs
Dave Syer
@dsyer
Jan 14 2015 15:53
8083 is the right port I guess?
That's the resource server error handling telling you that you screwed up the "/login" page configuration
William Gorder
@wgorder
Jan 14 2015 15:54
2015-01-14 10:52:40.238 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : Trying to match using org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration$NotOAuthRequestMatcher@6d32d2aa
2015-01-14 10:52:40.238 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.web.util.matcher.OrRequestMatcher : matched
2015-01-14 10:52:40.238 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 1 of 11 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-01-14 10:52:40.238 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-01-14 10:52:40.246 DEBUG 16775 --- [nio-8083-exec-8] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2015-01-14 10:52:40.246 DEBUG 16775 --- [nio-8083-exec-8] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.springframework.session.web.http.SessionRepositoryFilter$SessionRepositoryRequestWrapper$HttpSessionWrapper@43efb3bf. A new one will be created.
2015-01-14 10:52:40.246 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 3 of 11 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@3bb5f681
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 4 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/logout'
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 5 of 11 in additional filter chain; firing Filter: 'OAuth2AuthenticationProcessingFilter'
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] p.a.OAuth2AuthenticationProcessingFilter : No token in request, will continue chain.
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 6 of 11 in additional filter chain; firing Filter: ''
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.o.p.a.BearerTokenExtractor : Token not found in headers. Trying request parameters.
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.o.p.a.BearerTokenExtractor : Token not found in request parameters. Not an OAuth2 request.
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 7 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.w.s.DefaultSavedRequest : pathInfo: both null (property equals)
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.w.s.DefaultSavedRequest : queryString: arg1=client_id=acme&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Flogin&response_type=code&state=SlJCmA; arg2=null (property not equals)
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.s.w.s.HttpSessionRequestCache : saved request doesn't match
2015-01-14 10:52:40.247 DEBUG 16775 --- [nio-8083-exec-8] o.s.security.web.FilterChainProxy : /login at position 8 of 11 in additional filter chain; firing Filter: '

Ok here is exactly what I am running now with your changes
Dave Syer
@dsyer
Jan 14 2015 15:57
Some errors here:
@Override
    protected void configure(HttpSecurity http) {
        http
                .formLogin().loginPage("/login").permitAll()
        .and()
                .requestMatchers().antMatchers("/oauth/authorize", "/oauth_confirm_access")
        .and()
                .authorizeRequests().antMatchers("/register", "/activate/**").permitAll()
        .and()
                .authorizeRequests().anyRequest().authenticated();
    }
You say you only want to match "/oauth/authorize", "/oauth_confirm_access" (and omit "/login")
and then you say that you want to secure "/register", "/activate/**" (which are not matched by the request matchers)
(I think Spring Security could possibly detect that error and tell us we're an idiot and why)
William Gorder
@wgorder
Jan 14 2015 16:00
I love java config but I still don't think I understand this builder properly. So in other words if I want /login and /register and /activate/** with permit all
so the request matchers need to have every url I want to match including register, activate and login
Dave Syer
@dsyer
Jan 14 2015 16:00
Yes.
It's just like the XML in fact
You have some matchers to determine if any of the rules apply
Then you have some rules (with optional matching of a subset of requests)
William Gorder
@wgorder
Jan 14 2015 16:01
yup. For some reason I had an easier time with the xml maybe I was just used to it.
Dave Syer
@dsyer
Jan 14 2015 16:01
I think that's it
William Gorder
@wgorder
Jan 14 2015 16:02
ok does the order matter on the request matchers or the authorize requests
I assume they are stored separately and the matchers are consulted first
Dave Syer
@dsyer
Jan 14 2015 16:03
Yes
As far as the API goes, I don't think the order matters
William Gorder
@wgorder
Jan 14 2015 16:45
well @dsyer that worked. I am not really seeing much difference in behavior other than I now get a 401 accessing the /user when I am not logged in. I still need to autowire UserDetails to get the fields I need, and when I logout and press login it still seems to have access to the /user endpoint. I have even removed spring session from the auth server project completely and set spring.sessions = stateless
I'll play with it a bit more after lunch
It does appear now that principal is always an instance of Oauth2Authentication now though
I am not seeing the other variation
Dave Syer
@dsyer
Jan 14 2015 17:10
That's progress
The 401 on /user is fine if it is "WWW-Authenticate: Bearer". I think there's a bug in the default filter orders in Spring Cloud right now that makes it "WWW-Authenticate: Basic".
Working on that now....
William Gorder
@wgorder
Jan 14 2015 19:32
so say i wanted to add social sign on to my auth server. Login with credentials or sign in with google for example.
currently if I hit login I am redirected to auth server for credentials only if I was not logged in already, otherwise I am automatically just logged back in. And there does not seem to be any way short of closing the browser to logout of the auth server so that I am asked for credentials again. Or am I missing something
Dave Syer
@dsyer
Jan 14 2015 19:48
I don't really know what you're asking
If you want to give users a choice of authentication options don't you have to provide a home page with the choices?
And then one of the choices might be /login
Then if the user is already authenticated remotely it will not require any input?
William Gorder
@wgorder
Jan 14 2015 23:29
I guess I would work it into the auth server login page. It looks like there are some good spring social SSO integrations too. I guess I'll play with that later.
I guess what my real question is, what is the easiest way to force the user to have to provide credentials again after logging out (short of closing the browser)
I have tried deleting cookies, and revoking the token on logout success, both with no success