mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Limit UserInfoInterceptor firing #1099

Open jricher opened 8 years ago

jricher commented 8 years ago

The UserInfoInterceptor class shouldn't be firing on calls to the token endpoint or other parts of the API that are client-facing.

ondrejvelisek commented 8 years ago

Hi,

When the JavaScript manager client app calls api/* it responds with 401. Can UserInfoInterceptor be the cause of this problem?

Request:

GET /fed/oidc/api/scopes?_=1469472629805 HTTP/1.1

Response:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="openidconnect", error="unauthorized", error_description="Full authentication is required to access this resource"

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

Cheers,

Ondrej

jricher commented 8 years ago

This error has nothing to do with the UserInfoInterceptor.

strangeweaver commented 8 years ago

This can be achieved by splitting out the different front-end concerns into different DispatcherServlets. Web page rendering/view-resolving/exception-resolution concerns are different to those of a REST web service.

Common concerns, e.g. the dao/service layer, are then placed in the parent web application context and are visible to the child context, whilst the child context is not visible to the parent context. Therefore an interceptor declared in one DispatcherServlet won't interfere with an application call to which it is irrelevant.

This would be a more robust approach than, say, adding an exclude mapping to the mvc:interceptor configuration.
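The two-DispatcherServlet layout described above, written out as an added example (not code from the MITREid project or from any commenter): a shared root context holds the service beans, the "pages" servlet registers UserInfoInterceptor, and the "api" servlet, which owns the client-facing API and token paths, has no interceptor at all, so no exclude mapping is needed. The interceptor's package name and the /api/* and /token mappings are assumed from the project layout; RootConfig, PagesConfig and ApiConfig are hypothetical placeholder configurations.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.WebApplicationInitializer;
import org.springframework.web.context.ContextLoaderListener;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
import org.springframework.web.servlet.DispatcherServlet;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.mitre.openid.connect.web.UserInfoInterceptor; // package assumed

public class SplitDispatcherInitializer implements WebApplicationInitializer {

    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        // Parent (root) context: dao/service/security beans shared by both servlets.
        AnnotationConfigWebApplicationContext root = new AnnotationConfigWebApplicationContext();
        root.register(RootConfig.class);
        servletContext.addListener(new ContextLoaderListener(root));

        // Child context 1: human-facing pages; this is the only place the interceptor lives.
        registerDispatcher(servletContext, "pages", PagesConfig.class, "/");
        // Child context 2: client-facing REST API and token endpoint (mappings assumed).
        registerDispatcher(servletContext, "api", ApiConfig.class, "/api/*", "/token");
    }

    private static void registerDispatcher(ServletContext sc, String name, Class<?> cfg, String... mappings) {
        AnnotationConfigWebApplicationContext child = new AnnotationConfigWebApplicationContext();
        child.register(cfg);
        // FrameworkServlet wires the root context in as the parent if none is set,
        // so beans in RootConfig are visible here but not the other way round.
        ServletRegistration.Dynamic reg = sc.addServlet(name, new DispatcherServlet(child));
        reg.setLoadOnStartup(1);
        reg.addMapping(mappings);
    }

    @Configuration
    static class RootConfig { /* hypothetical: shared dao/service beans go here */ }

    @Configuration @EnableWebMvc
    static class PagesConfig extends WebMvcConfigurerAdapter {
        @Bean public UserInfoInterceptor userInfoInterceptor() { return new UserInfoInterceptor(); }
        @Override public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(userInfoInterceptor()); // fires only for the "pages" servlet
        }
    }

    @Configuration @EnableWebMvc
    static class ApiConfig { /* hypothetical: REST controllers only, no UserInfoInterceptor */ }
}
```

Because the API servlet's context never declares the interceptor, a request such as the GET /api/scopes above is dispatched without it, whereas an mvc:interceptor exclude mapping would still have to be kept in step with every client-facing path added later.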