diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 000000000..aaeb72f2a
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1,49 @@
+
+
+
+
+### Summary
+
+
+
+### Actual Behavior
+
+
+
+### Expected Behavior
+
+
+
+### Configuration
+
+
+
+### Version
+
+
+
+### Sample
+
+
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 000000000..570bf5e02
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,16 @@
+
+
+
+
+
diff --git a/.mvn/jvm.config b/.mvn/jvm.config
new file mode 100644
index 000000000..0e7dabeff
--- /dev/null
+++ b/.mvn/jvm.config
@@ -0,0 +1 @@
+-Xmx1024m -XX:CICompilerCount=1 -XX:TieredStopAtLevel=1 -Djava.security.egd=file:/dev/./urandom
\ No newline at end of file
diff --git a/.mvn/maven.config b/.mvn/maven.config
new file mode 100644
index 000000000..3b8cf46e1
--- /dev/null
+++ b/.mvn/maven.config
@@ -0,0 +1 @@
+-DaltSnapshotDeploymentRepository=repo.spring.io::default::https://repo.spring.io/libs-snapshot-local -P spring
diff --git a/.mvn/wrapper/maven-wrapper.jar b/.mvn/wrapper/maven-wrapper.jar
new file mode 100644
index 000000000..5fd4d5023
Binary files /dev/null and b/.mvn/wrapper/maven-wrapper.jar differ
diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties
new file mode 100644
index 000000000..eb9194764
--- /dev/null
+++ b/.mvn/wrapper/maven-wrapper.properties
@@ -0,0 +1 @@
+distributionUrl=https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.3.3/apache-maven-3.3.3-bin.zip
\ No newline at end of file
diff --git a/.travis.yml b/.travis.yml
index 53ebd0ee7..2eeabb479 100644
--- a/.travis.yml
+++ b/.travis.yml
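Review bot: The `-Djava.security.egd=file:/dev/./urandom` flag in the new `.mvn/jvm.config` is unexplained, and since that file is passed verbatim to the JVM it cannot carry a comment, so the reason belongs in the README next to the build instructions. As I read it, `.mvn/jvm.config` only configures the Maven launcher JVM; test code running in forked Surefire JVMs presumably does not inherit it, so if the flag is meant to stop `SecureRandom`-backed tests from blocking on `/dev/random`, it would also need to go into Surefire's `argLine` in the pom, which is not in this diff. A README sentence such as `The flags in .mvn/jvm.config reduce JIT work for faster builds and seed SecureRandom from urandom so build-time code does not block waiting for entropy.` would make the intent checkable.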
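Review bot: `.mvn/wrapper/maven-wrapper.properties` pins `distributionUrl` to Maven 3.3.3 over https, but nothing in this commit pins a checksum for that download or for the committed `maven-wrapper.jar`, which every `./mvnw` call in CI executes before any project code. The jar shows up only as `Binary files ... differ`, so a reviewer cannot verify it from the diff; the commit message should record which wrapper release it was taken from and the checksum that was compared. If the wrapper version this jar implements honours a `distributionSha256Sum` property (I cannot tell the version from the diff), adding that line here would pin the Maven distribution as well.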
@@ -1,6 +1,19 @@
 language: java
-install: mvn -U install --quiet -DskipTests=true -P bootstrap
-script: mvn clean test -P bootstrap
+dist: trusty
+jdk:
+ - openjdk8
+ - openjdk7
+services:
+ - redis-server
+
+install: ./mvnw -U install --quiet -DskipTests=true -P bootstrap
+
+script:
+ - jdk_switcher use openjdk7
+ - ./mvnw clean test -P bootstrap
+ - jdk_switcher use openjdk8
+ - ./mvnw -U clean checkstyle:check -P spring5
+ - ./mvnw -f spring-security-oauth2 -U clean test -P spring5
diff --git a/CODE_OF_CONDUCT.adoc b/CODE_OF_CONDUCT.adoc
index f013d6f36..17783c7c0 100644
--- a/CODE_OF_CONDUCT.adoc
+++ b/CODE_OF_CONDUCT.adoc
@@ -40,5 +40,5 @@ appropriate to the circumstances. Maintainers are obligated to maintain confiden
 with regard to the reporter of an incident.
 This Code of Conduct is adapted from the
-http://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at
-http://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/]
+https://contributor-covenant.org[Contributor Covenant], version 1.3.0, available at
+https://contributor-covenant.org/version/1/3/0/[contributor-covenant.org/version/1/3/0/]
diff --git a/README.md b/README.md
index db1835093..64beaafd3 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,8 @@
-[![Build Status](https://travis-ci.org/spring-projects/spring-security-oauth.svg?branch=master)](https://travis-ci.org/spring-projects/spring-security-oauth)
+# spring-security-oauth is no longer actively maintained by VMware, Inc.
+
+## This project has been replaced by the OAuth2 support provided by [Spring Security](https://spring.io/projects/spring-security) (client and resource server) and [Spring Authorization Server](https://spring.io/projects/spring-authorization-server).
+
+# About
 This project provides support for using Spring Security with OAuth (1a) and OAuth2. It provides features for implementing both consumers
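Review bot: The new `jdk:` matrix lists `openjdk8` and `openjdk7`, yet the `script` steps call `jdk_switcher use openjdk7` and `jdk_switcher use openjdk8` explicitly, so as far as I can tell both matrix jobs run the identical step sequence and differ only in which JDK the `install` step uses; either drop the matrix and keep the explicit switching, or drop the switching and branch each step on the job's JDK. Because `install` builds and installs the artifacts with the matrix JDK while the later `spring5` steps run under a switched JDK, the file should say whether that mix is intended, e.g. `# install with the matrix JDK, then run the bootstrap and spring5 suites under the JDK each targets`. The `-U` flags force snapshot re-resolution on every run, which is fine for CI but worth the same comment so nobody copies it into local instructions.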
@@ -23,6 +27,10 @@ Use the `bootstrap` profile only the first time - it enables some repositories that can't be exposed in the poms by default. You may find it useful to add this profile to your local `settings.xml`. +You need to run Redis to get the build to work. You can install this +using homebrew. Without Redis running the build will lots of Jedis +connection exceptions + SpringSource ToolSuite users (or Eclipse users with the latest m2eclipse plugin) can import the projects as existing Maven projects. 
@@ -54,22 +62,22 @@ Lists of issues addressed per release can be found in [github](https://github.co ## Additional Resources -* [Spring Security OAuth User Guide](http://projects.spring.io/spring-security-oauth/docs/Home.html) -* [Spring Security OAuth Source](http://github.com/spring-projects/spring-security-oauth) -* [Stackoverflow](http://stackoverflow.com/questions/tagged/spring-security+spring+oauth) +* [Spring Security OAuth User Guide](https://projects.spring.io/spring-security-oauth/docs/Home.html) +* [Spring Security OAuth Source](https://github.com/spring-projects/spring-security-oauth) +* [Stackoverflow](https://stackoverflow.com/questions/tagged/spring-security+spring+oauth) # Contributing to Spring Security OAuth Here are some ways for you to get involved in the community: * Get involved with the Spring community on the Spring Community Forums. Please help out on the - [forum](http://forum.springsource.org/forumdisplay.php?f=79) by responding to questions and joining the debate. + [forum](https://forum.spring.io/forumdisplay.php?f=79) by responding to questions and joining the debate. * Create [github issues](https://github.com/spring-projects/spring-security-oauth/issues) for bugs and new features and comment and vote on the ones that you are interested in. * Github is for social coding: if you want to write code, we encourage contributions through pull requests from - [forks of this repository](http://help.github.com/forking/). If you want to contribute code this way, please + [forks of this repository](https://help.github.com/forking/). If you want to contribute code this way, please reference a github issue as well covering the specific issue you are addressing. 
-* Watch for upcoming articles on Spring by [subscribing](http://www.springsource.org/node/feed) to springframework.org
+* Watch for upcoming articles on Spring by [subscribing](https://www.springsource.org/node/feed) to springframework.org
 Before we accept a non-trivial patch or pull request we will need you to sign the [contributor's agreement](https://support.springsource.com/spring_committer_signup).
@@ -91,4 +99,4 @@ request but before a merge.
 * Add yourself as an @author to the .java files that you modify substantially (more than cosmetic changes).
 * Add some Javadocs and, if you change the namespace, some XSD doc elements.
 * A few unit tests would help a lot as well - someone has to do it.
-* If no-one else is using your branch, please rebase it against the current master (or other target branch in the main project).
+* If no-one else is using your branch, please rebase it against the current main (or other target branch in the main project).
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 000000000..e5a62d0ef
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,4 @@
+redis:
+ image: redis
+ ports:
+ - "6379:6379"
diff --git a/docs/Home.md b/docs/Home.md
deleted file mode 100644
index f5402ca0c..000000000
--- a/docs/Home.md
+++ /dev/null
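Review bot: The new `docker-compose.yml` publishes Redis with `- "6379:6379"`, which binds the port on every host interface, so a developer who starts it on a shared or public network exposes an unauthenticated Redis to anyone who can reach the machine. The build presumably only needs it from the local host (the README hunk in this commit says the tests fail with Jedis connection errors without it), so `- "127.0.0.1:6379:6379"` keeps the build working while limiting exposure. The `image: redis` line is also unpinned, so builds will silently pick up whatever Redis version is current; pinning a tag would keep test runs reproducible.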
@@ -1,41 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# Welcome - -OAuth for Spring Security provides an [OAuth](http://oauth.net) -implementation for -[Spring Security](http://projects.spring.io/spring-security/). -Support is provided for the implementation of OAuth providers and -OAuth consumers. There is support for [Oauth 1(a)](oauth1.html) (including -[two-legged OAuth](twolegged.html), a.k.a. "Signed Fetch") and for -[OAuth 2.0](oauth2.md). - -Applying security to an application is not for the faint of heart, and OAuth is no exception. Before you get started, -you're going to want to make sure you understand OAuth and the problem it's designed to address. There is good -documentation at [the OAuth site](http://oauth.net). You will also want to make sure you understand how -[Spring](http://springframework.org/) and [Spring Security](http://projects.spring.io/spring-security/) work. - -You're going to want to be quite familiar with both [OAuth](http://oauth.net) (and/or [OAuth2](http://tools.ietf.org/html/draft-ietf-oauth-v2)) -and [Spring Security](http://projects.spring.io/spring-security/), to maximize the effectiveness of this developers guide. OAuth for -Spring Security is tightly tied to both technologies, so the more familiar you are with them, the more likely you'll be to recognize the terminology -and patterns that are used. - -With that, you're ready to get started. Here are some useful links: - -* For access to the binaries, use Maven ([instructions here](downloads.html)) - -* Source code is in github - [at spring-projects/spring-security-oauth](https://github.com/spring-projects/spring-security-oauth). - -* You'll want to see OAuth for Spring Security in action, so here is a -[tutorial](tutorial.html) - -* Read a more detailed explanation in the [developer's guide](devguide.html). - -* For more help and support, checkout the [support links](support.html). - 
diff --git a/docs/_Sidebar.md b/docs/_Sidebar.md deleted file mode 100644 index 981184225..000000000 --- a/docs/_Sidebar.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -* [Home](Home.html) -* [Tuturial](tutorial.html) -* [OAuth 1.0](oauth1.html) -* [OAuth 2.0](oauth2.html) -* [Downloads](downloads.html) -* [Support](support.html) diff --git a/docs/devguide.md b/docs/devguide.md deleted file mode 100644 index 2c20a4938..000000000 --- a/docs/devguide.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# Developers Guide - -## Preparation - -You're going to want to be quite familiar with -[OAuth2](http://tools.ietf.org/html/draft-ietf-oauth-v2) (and/or -[OAuth](http://oauth.net) ) and -[Spring Security](http://projects.spring.io/spring-security/), -to maximize the effectiveness of this developers guide. OAuth for -Spring Security is tightly tied to both technologies, so the more -familiar you are with them, the more likely you'll be to recognize the -terminology and patterns that are used. - -## Options - -Your first decision is whether you need to leverage support for OAuth 1.0, OAuth 2.0, or both. - -So pick your poison: - -* [OAuth 1.0](oauth1.html) -* [OAuth 2](oauth2.html) diff --git a/docs/downloads.md b/docs/downloads.md deleted file mode 100644 index b9cfb6829..000000000 --- a/docs/downloads.md +++ /dev/null 
@@ -1,35 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# Downloads - -You can download source code bundles from [Github], or clone the repository using git. OAuth for Spring Security is a Maven-based project. - -* groupId: `org.springframework.security.oauth` -* artifactId: `spring-security-oauth` for OAuth 1.0a and `spring-security-oauth2` for OAuth 2.0 - -To download the jars, just look in the [Maven repository][mavenrepo]. - -Full releases go in Maven [central], and in the SpringSource repository but milestones and snapshots go only in the SpringSource respository. For milestones: - - - spring-milestone - Spring Maven MILESTONE Repository - http://maven.springframework.org/milestone - - -and for snapshots: - - - spring-snnapshot - Spring Maven SNAPSHOT Repository - http://maven.springframework.org/snapshot - - -[mavenrepo]: http://shrub.appspot.com/maven.springframework.org/release/org/springframework/security/oauth/spring-security-oauth/ -[central]: http://repo1.maven.org/maven2/org/springframework/security/oauth/spring-security-oauth/ -[Github]: https://github.com/spring-projects/spring-security-oauth diff --git a/docs/oauth1.md b/docs/oauth1.md deleted file mode 100644 index 8d36e833c..000000000 --- a/docs/oauth1.md +++ /dev/null 
@@ -1,299 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# OAuth 1 Developers Guide - -## Introduction - -This is the developers guide for the support for OAuth 1.0. For OAuth 2.0, everything is different, so [see it's developers guide](oauth2.html). - -This user guide is divided into two parts, the first for the OAuth 1.0 provider, the second for the OAuth 1.0 consumer. Here's a -TOC for quick navigation: - -## OAuth 1.0 Provider - -The OAuth 1.0 provider is responsible for managing the OAuth 1.0 consumers that can access its protected resources on behalf of -a user. The provider does this by managing and verifying the OAuth 1.0 tokens that can be used to access the protected -resources. Of course, the provider must also supply an interface for the user to confirm that a consumer can be granted -access to the protected resources (i.e. a confirmation page). - -### Managing Consumers - -The entry point into your database of consumers is defined by the [`ConsumerDetailsService`][ConsumerDetailsService]. -You must define your own [`ConsumerDetailsService`][ConsumerDetailsService] that will load [`ConsumerDetails`][ConsumerDetails] -by the _consumer key_. Note the existence of an [in-memory implementation][InMemoryConsumerDetailsService] of -[`ConsumerDetailsService`][ConsumerDetailsService]. - -When implementing your [`ConsumerDetailsService`][ConsumerDetailsService] consider returning instances of -[BaseConsumerDetails][BaseConsumerDetails] which contains additional information about the consumer that may be useful when -displaying a confirmation screen to the user. - -### Managing Tokens - -The [`OAuthProviderTokenServices`][OAuthProviderTokenServices] interface defines the operations that are necessary to manage -OAuth 1.0 tokens. Note the following: - -* When a request token is created, care must be taken to ensure that it is not an access token. 
-* When a request token is authorized, the authentication must be stored so that the subsequent access token can reference it. -* When an access token is created, it must reference the authentication that was used to authorized the request token that is used - to create the access token. - -When creating your [`OAuthProviderTokenServices`][OAuthProviderTokenServices] implementation, you may want to consider extending -the [`RandomValueProviderTokenServices`][RandomValueProviderTokenServices] which creates tokens via random value and handles -everything except for the persistence of the tokens. There is also an [in-memory implementation][InMemoryProviderTokenServices] -of the [`OAuthProviderTokenServices`][OAuthProviderTokenServices] that may be suitable, but note that when using the in-memory implementation -a separate thread is spawned to take care of the cleanup of expired tokens. - -### OAuth 1.0 Provider Request Filters - -The requests for the tokens and for access to protected resources are handled by standard Spring Security request filters. The following filters -are required in the Spring Security filter chain in order to implement OAuth 1.0: - -* The [`UnauthenticatedRequestTokenProcessingFilter`][UnauthenticatedRequestTokenProcessingFilter] is used to service the request for - an unauthenticated request token. Default URL: `/oauth_request_token`. -* The [`UserAuthorizationProcessingFilter`][UserAuthorizationProcessingFilter] is used authorize a request token. The user must be - authenticated and it is assumed that the user has been presented with the appropriate confirmation page. -* The [`AccessTokenProcessingFilter`][AccessTokenProcessingFilter] is used to service the request for an OAuth 1.0 access token. - Default URL: `/oauth_access_token`. -* The [`ProtectedResourceProcessingFilter`][ProtectedResourceProcessingFilter] is used to load the Authentication for the request given - an authenticated access token. 
- -### Managing Nonces - -The OAuth 1.0 spec also recommends that the nonce that is supplied on every OAuth 1.0 request be checked to ensure it isn't used twice for the -same timestamp. In order to do this, nonces must be stored and verified on every OAuth 1.0 request. The interface that is used -to validate nonces is [`OAuthNonceServices`][OAuthNonceServices]. The default implementation, [`ExpiringTimestampNonceServices`][ExpiringTimestampNonceServices], -does not adhere to this recommendation, but only validates that the timestamp isn't too old. If further assurance is required, you will need -to supply your own implementation of `OAuthNonceServices`. Note the existence of an [in-memory implementation][InMemoryNonceServices]. - -### Managing Callbacks - -With the 1.0a revision of the OAuth 1.0 specification, the callback URL is provided at the time the request is made for a request token and will be used when -redirecting the user back to the OAuth 1.0 consumer. Therefore, a means must be provided to persist the callback between requests. The interface that is used -to persist callbacks is [`OAuthCallbackServices`][OAuthCallbackServices]. The default implementation, [`InMemoryCallbackServices`][InMemoryCallbackServices] -persists the callbacks in-memory. You must supply your own implementation of `OAuthCallbackServices` if this is inadequate. - -### Managing Verifiers - -With the 1.0a revision of the OAuth 1.0 specification, the a verifier is provided to the consumer via the user that must be passed back -to the provider when requesting the access token. Therefore, a means must be provided to create and persist the verifier. The interface -that is used to this end is [`OAuthVerifierServices`][OAuthVerifierServices]. The default implementation, -[`RandomValueInMemoryVerifierServices`][RandomValueInMemoryVerifierServices], creates a small, user-friendly (6 readable ASCII characters -by default) verifier and persists the verifier in memory. 
You must supply your own implementation of `OAuthVerifierServices` if this is inadequate. - -### Authorization By Consumer - -It is sometimes required to limit access to a resource to a specific consumer or to a consumer that has specific roles. The classes in the -[`org.springframework.security.oauth.provider.attributes`][attributes-package] package can be used to do this. Methods can be protected using the -annotations in that package, and the [`ConsumerSecurityConfig`][ConsumerSecurityConfig] can be supplied to the standard Spring Security filter -interceptor in order to enable the annotations. Finally, the [`ConsumerSecurityVoter`][ConsumerSecurityVoter] would need to be supplied to the -Spring Security authentication manager. - -### Provider Configuration - -For the OAuth 1.0 provider, configuration is simplified using the custom spring configuration elements. The schema for these elements rests at -[http://www.springframework.org/schema/security/spring-security-oauth.xsd][oauth1.xsd]. The namespace is `http://www.springframework.org/schema/security/oauth`. - -The following configuration elements are used to supply provider configuration: - -#### The "provider" element - -The `provider` element is used to configure the OAuth 1.0 provider mechanism. The following attributes can be applied to the `provider` element: - -* `consumer-details-service-ref`: The reference to the bean that defines the consumer details service. This is required if not autowired. -* `token-services-ref`: The reference to the bean that defines the token services. -* `request-token-url`: The URL at which a request for an unauthenticated request token will be serviced. Default value: "/oauth_request_token" -* `authenticate-token-url`: The URL at which a request to authenticate a request token will be serviced. Default value: "/oauth_authenticate_token" -* `access-token-url`: The URL at which a request for an access token (using an authenticated request token) will be serviced. 
Default value: "/oauth_access_token" -* `access-granted-url`: The URL to which the user will be redirected upon authenticating a request token, but only if there was no callback URL supplied from the oauth consumer. Default value: "/" -* `user-approval-url`: The URL to which the user will be redirected if for some reason authentication of a request token failed. Default behavior is to just issue a "401: unauthorized" response. -* `nonce-services-ref`: The reference to the bean that defines the nonce services. Default is to supply an instance of `org.springframework.security.oauth.provider.nonce.ExpiringTimestampNonceServices` -* `callback-services-ref`: The reference to the bean that defines the callback services. Default is to supply an instance of `org.springframework.security.oauth.provider.callback.InMemoryCallbackServices` -* `verifier-services-ref`: The reference to the bean that defines the verifier services. Default is to supply an instance of `org.springframework.security.oauth.provider.verifier.RandomValueInMemoryVerifierServices` -* `auth-handler-ref`: The reference to the bean that defines the authentication handler. Default is to supply an instance of `org.springframework.security.oauth.provider.DefaultAuthenticationHandler` -* `support-ref`: The reference to the bean that defines the provider support logic. Default is to supply an instance of `org.springframework.security.oauth.provider.CoreOAuthProviderSupport` -* `token-id-param`: The name of the request parameter that specifies to the 'authenticate-token-url' the id of the token that is to be authenticated. Default value: "requestToken". -* `callback-url-param`: The name of the request parameter that specifies to the 'authenticate-token-url' the callback URL to which the user is to be redirected upon successful authentication. Default value: "callbackURL". 
- -#### The "consumer-details-service" element - -The `consumer-details-service` element is used to define an in-memory implementation of the consumer details service. It takes an `id` attribute and an -arbitrary number of `consumer` child elements that define the following attributes for each consumer: - -* `key`: (required) The consumer key. -* `secret`: (required) The consumer secret. -* `name`: The (display) name of the consumer. -* `authorities`: Comma-separated list of authorities (e.g. roles) that are granted to the consumer. -* `resourceName`: The name of the resource. -* `resourceDescription`: The description of the resource. -* `requiredToObtainAuthenticatedToken`: Whether this consumer is required to obtain an authenticated oauth token. If _true_, it means that the OAuth 1.0 consumer won't be granted access to the protected resource unless the user is directed to the token authorization page. If _false_, it means that the provider has an additional level of trust with the consumer. Not requiring an authenticated access token is also known as "2-legged" OAuth or "signed fetch". For more information, see [two-legged OAuth](./twolegged.html). - -#### The "token-services" element - -The `token-services` element is a simple element that can be used to provide an in-memory implementation of the provider token services. -It supports an _id_ attribute (bean id) and a _cleanupInterval_ attribute that specifies how often the cleanup thread should wake up (in seconds). - -#### The "verifier-services" element - -The `verifier-services` element is a simple element that can be used to provide an in-memory implementation of the provider verifier services. -It supports an `id` attribute (bean id) and a `verifierLengthBytes` attribute that specifies the length of the verifier. 
- -### Configuring An OAuth-Aware Expression Handler - -You may want to take advantage of Spring Security's [expression-based access control](http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html). -You can register a oauth-aware expression handler with the `expression-handler` element. Use the id of the oauth expression handler to add oauth-aware -expressions to the built-in expressions. - -The expressions include _oauthConsumerHasRole_, _oauthConsumerHasAnyRole_, and _denyOAuthConsumer_ which can be used to provide access based on the role of the -oauth consumer. - -## OAuth 1.0 Consumer - -The OAuth 1.0 consumer logic is responsible for (1) obtaining an OAuth 1 access token and (2) signing requests for OAuth 1 -protected resources. OAuth for Spring Security provides a request filter for acquiring the access token, a request filter -for ensuring that access to certain URLs is locked down to a set of acquired access token, and utilities for making a request -for a protected resource. A consumer must be responsible for maintaing a list of protected resources that can be accessed and, -like the provider, a consumer must be responsible for managing the OAuth 1.0 tokens. - -If you were discouraged by the complexity of implementing an OAuth 1.0 provider, take heart. Implementation of an OAuth 1.0 -consumer is easier, partially because OAuth 1.0 for Spring Security provides suitable defaults for most cases. - -### Managing Protected Resources - -A database of protected resources that are accessible by a consumer must be provided through the [`ProtectedResourceDetailsService`][ProtectedResourceDetailsService]. -Each protected resource must provide all information related to obtaining access to it. This includes the URL to obtain a request token, the URL to which to -redirect the user for authorization, the URL at which to obtain an access token, etc. 
It also contains various properties that describe the provider of the -protected resource. Consider the existence of the [`InMemoryProtectedResourceDetailsService`][InMemoryProtectedResourceDetailsService] -and the [`BaseProtectedResourceDetails`][BaseProtectedResourceDetails] for help in creating the database of protected resources. - -### Managing Provider Tokens - -Like the provider, the consumer must be responsible for managing the OAuth tokens. The necessary interface for managing the consumer tokens is -[`OAuthConsumerTokenServices`][OAuthConsumerTokenServices]. Assuming that the consumer can leverage an active HTTP session, the default -[`HttpSessionBasedTokenServices`][HttpSessionBasedTokenServices] might be adequate, but if you'd like to persist access tokens longer than a user -session, you'll have to implement your own persistent implementation of the token services. - -### OAuth 1.0 Consumer Request Filters - -There are two request filters that are applicable to the OAuth consumer logic. The first filter, [`OAuthConsumerContextFilter`][OAuthConsumerContextFilter], -is responsible for establishing an OAuth-specific security context, very similar to Spring Security's `SecurityContext`. The security -context simply contains a set of access tokens that have been obtained for the current user. This security context is leveraged when making requests -for protected resources. - -There is another request filter, [`OAuthConsumerProcessingFilter`][OAuthConsumerProcessingFilter], that can be applied to specific URLs or -URL patterns that require access to a remote protected resource. Putting this filter in Spring Security's filter chain -will ensure that any access tokens needed for the specified URL patters will be obtained before allowing access to the resources. - -### Requesting Protected Resources - -The [`OAuthRestTemplate`][OAuthRestTemplate] can be used to make REST-like requests to resources protected by OAuth. 
It's used just like a standard -RestTemplate (new in Spring 3), but is supplied with a specific `ProtectedResourcDetails` so it can sign its requests. - -### Consumer Configuration - -For the OAuth 1.0 consumer, configuration is simplified using the custom spring configuration elements. The schema for these elements rests at -[http://www.springframework.org/schema/security/spring-security-oauth.xsd][oauth1.xsd]. -The namespace is `http://www.springframework.org/schema/security/oauth`. - -Two custom configuration elements are used to supply provider configuration: - -#### The "consumer" element - -The `consumer` element configures the OAuth 1.0 consumer mechanism. This element is used to set up the security filter(s) that will handle -the OAuth consumer logic. The OAuth context filter establishes a context for the OAuth consumer logic. The OAuth access filter is used to -apply OAuth constraints on specified URLs (request paths) in your application. The access filter is applied by specified one or more `url` -child elements to the `consumer` element. - -The `url` element supports the following attributes: - -* `pattern`: (required) The URL pattern. -* `resources`: (required) Comma-separated list of the ids of the protected resources that the URL requires access to. -* `httpMethod`: The HTTP method that requires access. Default is all methods. - -The `consumer` element also supports the following attributes: - -* `resource-details-service-ref`: The reference to the resource details service. This is required if not autowired. -* `oauth-failure-page`: The page to which to redirect the user if a problem happens during OAuth 1.0 authentication. -* `entry-point-ref`: Reference to the entry point to use if a problem happens during OAuth 1.0 authentication (overrides _oauth-failure-page_). -* `path-type`: URL path type. Default value: "ant". -* `lowercase-comparisons`: Whether to use lowercase comparisons. -* `support-ref`: Reference to the OAuth 1.0 consumer support logic. 
-* `token-services-factory-ref`: Reference to the token services factory. - -#### The "resource-details-service" element - -The `resource-details-service` element configures an in-memory implementation of the resource details. It supports an "id" attribute -and an arbitrary number of `resource` child elements which are used to define the protected resources and support the following attributes: - -* `id`: (required) The resource id. -* `key`: (required) The consumer key. -* `secret`: (required) The shared secret. -* `request-token-url`: (required) The URL to use to get the OAuth 1.0 request token. -* `user-authorization-url`: (required) The URL to which to redirect the user to authorize the request token. -* `access-token-url`: (required) The URL to use to get an OAuth 1.0 access token. -* `signature-method`: The signature method to use (e.g. "HMAC-SHA1", "PLAINTEXT", etc.). Default "HMAC-SHA1". -* `user-authorization-token-param`: Name of the request parameter to use to pass the value of the request token when redirecting the user to the authorization page. Default value: "requestToken" -* `user-authorization-callback-param`: Name of the request parameter to use to pass the value of the callback URL when redirecting the user to the authorization page. Default value: "callbackURL" -* `accepts-authorization-header`: Whether the provider accepts the HTTP authorization header. Default: "true" -* `authorization-header-realm`: The "realm" for the HTTP authorization header. -* `use10a`: Whether the resource is protected using OAuth 1.0a. Default: "true" - -## Customizations Not Explicitly Supported by Namespace - -The XML DSL has extension points for some of the most common use -cases, generally specified through strategies injected through -attributes (e.g. the `token-services-ref` in the ``), but -occasionally you may need to add customizations not supported in this -way. 
Other cases can be handled locally without losing the benefit of -the namespace because the bean definitions created are all designed to -be easy to override. The namespace parsers create bean definitions -with fixed bean definition names (hopefully easy to guess, but it is -not hard to verify them by reading the source code of the parsers), -and all you need to do to override one part of the namespace support -is create a bean definition with the same name. For instance, the -`` element creates an `OAuthProviderProcessingFilter` which -itself has a default `ProtectedResourceProcessingFilter`, but if you -wanted to replace it you could override the bean definition: - - - - - ... - - -In this example, the explicit bean definition overrides the one created by the `` because of the ordering in the application context declaration (this is a standard Spring bean factory feature). Bean definitions created by the namespace parsers follow the convention that they start with "oauth" and generally they are the class name of the default implementation provided by the framework. 
-
-[ConsumerDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetailsService.html
-[ConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetails.html
-[InMemoryConsumerDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.html
-[BaseConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/BaseConsumerDetails.html
-[OAuthProviderTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.html
-[RandomValueProviderTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.html
-[InMemoryProviderTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.html
-[UnauthenticatedRequestTokenProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/UnauthenticatedRequestTokenProcessingFilter.html
-[UserAuthorizationProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/UserAuthorizationProcessingFilter.html
-[AccessTokenProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/AccessTokenProcessingFilter.html
-[ProtectedResourceProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ProtectedResourceProcessingFilter.html
-[OAuthNonceServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.html
-[ExpiringTimestampNonceServices]: 
http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.html
-[InMemoryNonceServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.html
-[OAuthCallbackServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/callback/OAuthCallbackServices.html
-[InMemoryCallbackServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/callback/InMemoryCallbackServices.html
-[OAuthVerifierServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.html
-[RandomValueInMemoryVerifierServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/verifier/RandomValueInMemoryVerifierServices.html
-[attributes-package]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/attributes/package-summary.html
-[ConsumerSecurityConfig]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.html
-[ConsumerSecurityVoter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.html
-[ProtectedResourceDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.html
-[InMemoryProtectedResourceDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.html
-[BaseProtectedResourceDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.html
-[OAuthConsumerTokenServices]: 
http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.html
-[HttpSessionBasedTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.html
-[OAuthConsumerContextFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/OAuthConsumerContextFilter.html
-[OAuthConsumerProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/OAuthConsumerProcessingFilter.html
-[OAuthRestTemplate]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/consumer/OAuthRestTemplate.html
-[oauth1.xsd]: http://www.springframework.org/schema/security/spring-security-oauth.xsd "oauth1.xsd"
diff --git a/docs/oauth2.md b/docs/oauth2.md
deleted file mode 100644
index 3d14228ef..000000000
--- a/docs/oauth2.md
+++ /dev/null
@@ -1,291 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# OAuth 2 Developers Guide - -## Introduction - -This is the user guide for the support for [`OAuth 2.0`](http://tools.ietf.org/html/draft-ietf-oauth-v2). For OAuth 1.0, everything is different, so [see its user guide](oauth1.html). - -This user guide is divided into two parts, the first for the OAuth 2.0 provider, the second for the OAuth 2.0 client. For both the provider and the client, the best source of sample code is the [integration tests](https://github.com/spring-projects/spring-security-oauth/tree/master/tests) and [sample apps](https://github.com/spring-projects/spring-security-oauth/tree/master/samples/oauth2). - -## OAuth 2.0 Provider - -The OAuth 2.0 provider mechanism is responsible for exposing OAuth 2.0 protected resources. The configuration involves establishing the OAuth 2.0 clients that can access its protected resources independently or on behalf of a user. The provider does this by managing and verifying the OAuth 2.0 tokens used to access the protected resources. Where applicable, the provider must also supply an interface for the user to confirm that a client can be granted access to the protected resources (i.e. a confirmation page). - -## OAuth 2.0 Provider Implementation - -The provider role in OAuth 2.0 is actually split between Authorization Service and Resource Service, and while these sometimes reside in the same application, with Spring Security OAuth you have the option to split them across two applications, and also to have multiple Resource Services that share an Authorization Service. The requests for the tokens are handled by Spring MVC controller endpoints, and access to protected resources is handled by standard Spring Security request filters. 
The following endpoints are required in the Spring Security filter chain in order to implement OAuth 2.0 Authorization Server: - -* [`AuthorizationEndpoint`][AuthorizationEndpoint] is used to service requests for authorization. Default URL: `/oauth/authorize`. -* [`TokenEndpoint`][TokenEndpoint] is used to service requests for access tokens. Default URL: `/oauth/token`. - -The following filter is required to implement an OAuth 2.0 Resource Server: - -* The [`OAuth2AuthenticationProcessingFilter`][OAuth2AuthenticationProcessingFilter] is used to load the Authentication for the request given an authenticated access token. - -For all the OAuth 2.0 provider features, configuration is simplified using special Spring OAuth `@Configuration` adapters. There is also an XML namespace for OAuth configuration, and the schema resides at [http://www.springframework.org/schema/security/spring-security-oauth2.xsd][oauth2.xsd]. The namespace is `http://www.springframework.org/schema/security/oauth2`. - -## Authorization Server Configuration - -As you configure the Authorization Server, you have to consider the grant type that the client is to use to obtain an access token from the end-user (e.g. authorization code, user credentials, refresh token). The configuration of the server is used to provide implementations of the client details service and token services and to enable or disable certain aspects of the mechanism globally. Note, however, that each client can be configured specifically with permissions to be able to use certain authorization mechanisms and access grants. I.e. just because your provider is configured to support the "client credentials" grant type, doesn't mean that a specific client is authorized to use that grant type. 
- -The `@EnableAuthorizationServer` annotation is used to configure the OAuth 2.0 Authorization Server mechanism, together with any `@Beans` that implement `AuthorizationServerConfigurer` (there is a handy adapter implementation with empty methods). The following features are delegated to separate configurers that are created by Spring and passed into the `AuthorizationServerConfigurer`: - -* `ClientDetailsServiceConfigurer`: a configurer that defines the client details service. Client details can be initialized, or you can just refer to an existing store. -* `AuthorizationServerSecurityConfigurer`: defines the security constraints on the token endpoint. -* `AuthorizationServerEndpointsConfigurer`: defines the authorization and token endpoints and the token services. - -An important aspect of the provider configuration is the way that an authorization code is supplied to an OAuth client (in the authorization code grant). An authorization code is obtained by the OAuth client by directing the end-user to an authorization page where the user can enter her credentials, resulting in a redirection from the provider authorization server back to the OAuth client with the authorization code. Examples of this are elaborated in the OAuth 2 specification. - -In XML there is an `` element that is used in a similar way to configure the OAuth 2.0 Authorization Server. - -### Configuring Client Details - -The `ClientDetailsServiceConfigurer` (a callback from your `AuthorizationServerConfigurer`) can be used to define an in-memory or JDBC implementation of the client details service. Important attributes of a client are - -* `clientId`: (required) the client id. -* `secret`: (required for trusted clients) the client secret, if any. -* `scope`: The scope to which the client is limited. If scope is undefined or empty (the default) the client is not limited by scope. -* `authorizedGrantTypes`: Grant types that are authorized for the client to use. Default value is empty. 
-* `authorities`: Authorities that are granted to the client (regular Spring Security authorities). - -Client details can be updated in a running application by access the underlying store directly (e.g. database tables in the case of `JdbcClientDetailsService`) or through the `ClientDetailsManager` interface (which both implementations of `ClientDetailsService` also implement). - -> NOTE: the schema for the JDBC service is not packaged with the library (because there are too many variations you might like to use in practice), but there is an example you can start from in the [test code in github](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql). - -### Managing Tokens - -The [`AuthorizationServerTokenServices`][AuthorizationServerTokenServices] interface defines the operations that are necessary to manage OAuth 2.0 tokens. Note the following: - -* When an access token is created, the authentication must be stored so that resources accepting the access token can reference it later. -* The access token is used to load the authentication that was used to authorize its creation. - -When creating your `AuthorizationServerTokenServices` implementation, you may want to consider using the [`DefaultTokenServices`][DefaultTokenServices] which has many strategies that can be plugged in to change the format and storage of access tokens. By default it creates tokens via random value and handles everything except for the persistence of the tokens which it delegates to a `TokenStore`. The default store is an [in-memory implementation][InMemoryTokenStore], but there are some other implementations available. Here's a description with some discussion of each of them - -* The default `InMemoryTokenStore` is perfectly fine for a single server (i.e. low traffic and no hot swap to a backup server in the case of failure). 
Most projects can start here, and maybe operate this way in development mode, to make it easy to start a server with no dependencies. - -* The `JdbcTokenStore` is the [JDBC version](JdbcTokenStore) of the same thing, which stores token data in a relational database. Use the JDBC version if you can share a database between servers, either scaled up instances of the same server if there is only one, or the Authorization and Resources Servers if there are multiple components. To use the `JdbcTokenStore` you need "spring-jdbc" on the classpath. - -* The [JSON Web Token (JWT) version](`JwtTokenStore`) of the store encodes all the data about the grant into the token itself (so no back end store at all which is a significant advantage). One disadvantage is that you can't easily revoke an access token, so they normally are granted with short expiry and the revocation is handled at the refresh token. Another disadvantage is that the tokens can get quite large if you are storing a lot of user credential information in them. The `JwtTokenStore` is not really a "store" in the sense that it doesn't persist any data, but it plays the same role of translating betweeen token values and authentication information in the `DefaultTokenServices`. - -> NOTE: the schema for the JDBC service is not packaged with the library (because there are too many variations you might like to use in practice), but there is an example you can start from in the [test code in github](https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql). Be sure to `@EnableTransactionManagement` to prevent clashes between client apps competing for the same rows when tokens are created. Note also that the sample schema has explicit `PRIMARY KEY` declarations - these are also necessary in a concurrent environment. - -### JWT Tokens - -To use JWT tokens you need a `JwtTokenStore` in your Authorization Server. 
The Resource Server also needs to be able to decode the tokens so the `JwtTokenStore` has a dependency on a `JwtAccessTokenConverter`, and the same implementation is needed by both the Authorization Server and the Resource Server. The tokens are signed by default, and the Resource Server also has to be able to verify the signature, so it either needs the same symmetric (signing) key as the Authorization Server (shared secret, or symmetric key), or it needs the public key (verifier key) that matches the private key (signing key) in the Authorization Server (public-private or asymmetric key). The public key (if available) is exposed by the Authorization Server on the `/oauth/token_key` endpoint, which is secure by default with access rule "denyAll()". You can open it up by injecting a standard SpEL expression into the `AuthorizationServerSecurityConfigurer` (e.g. "permitAll()" is probably adequate since it is a public key). - -To use the `JwtTokenStore` you need "spring-security-jwt" on your classpath (you can find it in the same github repository as Spring OAuth but with a different release cycle). - -### Grant Types - -The grant types supported by the `AuthorizationEndpoint` can be -configured via the `AuthorizationServerEndpointsConfigurer`. By default -all grant types are supported except password (see below for details of how to switch it on). The -following properties affect grant types: - -* `authenticationManager`: password grants are switched on by injecting an `AuthenticationManager`. -* `userDetailsService`: if you inject a `UserDetailsService` or if one is configured globally anyway (e.g. in a `GlobalAuthenticationManagerConfigurer`) then a refresh token grant will contain a check on the user details, to ensure that the account is still active -* `authorizationCodeServices`: defines the authorization code services (instance of `AuthorizationCodeServices`) for the auth code grant. -* `implicitGrantService`: manages state during the imlpicit grant. 
-* `tokenGranter`: the `TokenGranter` (taking full control of the granting and ignoring the other properties above) - -In XML grant types are included as child elements of the `authorization-server`. - -### Configuring the Endpoint URLs - -The `AuthorizationServerEndpointsConfigurer` has a `pathMapping()` method. It takes two arguments: - -* The default (framework implementation) URL path for the endpoint -* The custom path required (starting with a "/") - -The URL paths provided by the framework are `/oauth/authorize` (the authorization endpoint), `/oauth/token` (the token endpoint), `/oauth/confirm_access` (user posts approval for grants here), `/oauth/error` (used to render errors in the authorization server), `/oauth/check_token` (used by Resource Servers to decode access tokens), and `/oauth/token_key` (exposes public key for token verification if using JWT tokens). - -N.B. the Authorization endpoint `/oauth/authorize` (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users. For instance using a standard Spring Security `WebSecurityConfigurer`: - -``` - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests().antMatchers("/login").permitAll().and() - // default protection for all resources (including /oauth/authorize) - .authorizeRequests() - .anyRequest().hasRole("USER") - // ... more configuration, e.g. for form login - } -``` - -> Note: if your Authorization Server is also a Resource Server then there is another security filter chain with lower priority controlling the API resources. Fo those requests to be protected by access tokens you need their paths *not* to be matched by the ones in the main user-facing filter chain, so be sure to include a request matcher that picks out only non-API resources in the `WebSecurityConfigurer` above. 
- -The token endpoint is protected for you by default by Spring OAuth in the `@Configuration` support using HTTP Basic authentication of the client secret. This is not the case in XML (so it should be protected explicitly). - -In XML the `` element has some attributes that can be used to change the default endpoint URLs in a similar way. The `/check_token` endpoint has to be explicitly enabled (with the `check-token-enabled` attribute). - -## Customizing the UI - -Most of the Authorization Server endpoints are used primarily by machines, but there are a couple of resource that need a UI and those are the GET for `/oauth/confirm_access` and the HTML response from `/oauth/error`. They are provided using whitelabel implementations in the framework, so most real-world instances of the Authorization Server will want to provide their own so they can control the styling and content. All you need to do is provide a Spring MVC controller with `@RequestMappings` for those endpoints, and the framework defaults will take a lower priority in the dispatcher. In the `/oauth/confirm_access` endpoint you can expect an `AuthorizationRequest` bound to the session carrying all the data needed to seek approval from the user (the default implementation is `WhitelabelApprovalEndpoint` so look there for a starting point to copy). You can grab all the data from that request and render it however you like, and then all the user needs to do is POST back to `/oauth/authorize` with information about approving or denying the grant. The request parameters are passed directly to a `UserApprovalHandler` in the `AuthorizationEndpoint` so you can interpret the data more or less as you please. The default `UserApprovalHandler` depends on whether or not you have supplied an `ApprovalStore` in your `AuthorizationServerEndpointsConfigurer` (in which case it is an `ApprovalStoreUserApprovalHandler`) or not (in which case it is a `TokenStoreUserApprovalHandler`). 
The standard approval handlers accept the following: - -* `TokenStoreUserApprovalHandler`: a simple yes/no decision via `user_oauth_approval` equals to "true" or "false". - -* `ApprovalStoreUserApprovalHandler`: a set of `scope.*` parameter keys with "*" equal to the scopes being requested. The value of the parameter can be "true" or "approved" (if the user approved the grant) else the user is deemed to have rejected that scope. A grant is successful if at least one scope is approved. - -> NOTE: don't forget to include CSRF protection in your form that you render for the user. Spring Security is expecting a request parameter called "_csrf" by default (and it provides the value in a request attribute). See the Spring Security user guide for more information on that, or look at the whitelabel implementation for guidance. - -### Enforcing SSL - -Plain HTTP is fine for testing but an Authorization Server should only be used over SSL in production. You can run the app in a secure container or behind a proxy and it should work fine if you set the proxy and the container up correctly (which is nothing to do with OAuth2). You might also want to secure the endpoints using Spring Security `requiresChannel()` constraints. For the `/authorize` endpoint is up to you to do that as part of your normal application security. For the `/token` endpoint there is a flag in the `AuthorizationServerEndpointsConfigurer` that you can set using the `sslOnly()` method. In both cases the secure channel setting is optional but will cause Spring Security to redirect to what it thinks is a secure channel if it detects a request on an insecure channel. - -## Customizing the Error Handling - -Error handling in an Authorization Server uses standard Spring MVC features, namely `@ExceptionHandler` methods in the endpoints themselves. 
Users can also provide a `WebResponseExceptionTranslator` to the endpoints themselves which is the best way to change the content of the responses as opposed to the way they are rendered. The rendering of exceptions delegates to `HttpMesssageConverters` (which can be added to the MVC configuration) in the case of token endpoint and to the OAuth error view (`/oauth/error`) in the case of teh authorization endpoint. The whitelabel error endpoint is provided for HTML responses, but users probably need to provide a custom implementation (e.g. just add a `@Controller` with `@RequestMapping("/oauth/error")`). - -## Mapping User Roles to Scopes - -It is sometimes useful to limit the scope of tokens not only by the scopes assigned to the client, but also according to the user's own permissions. If you use a `DefaultOAuth2RequestFactory` in your `AuthorizationEndpoint` you can set a flag `checkUserScopes=true` to restrict permitted scopes to only those that match the user's roles. You can also inject an `OAuth2RequestFactory` into the `TokenEndpoint` but that only works (i.e. with password grants) if you also install a `TokenEndpointAuthenticationFilter` - you just need to add that filter after the HTTP `BasicAuthenticationFilter`. Of course, you can also implement your own rules for mapping scopes to roles and install your own version of the `OAuth2RequestFactory`. The `AuthorizationServerEndpointsConfigurer` allows you to inject a custom `OAuth2RequestFactory` so you can use that feature to set up a factory if you use `@EnableAuthorizationServer`. - -## Resource Server Configuration - -A Resource Server (can be the same as the Authorization Server or a separate application) serves resources that are protected by the OAuth2 token. Spring OAuth provides a Spring Security authentication filter that implements this protection. You can switch it on with `@EnableResourceServer` on an `@Configuration` class, and configure it (as necessary) using a `ResourceServerConfigurer`. 
The following features can be configured: - -* `tokenServices`: the bean that defines the token services (instance of `ResourceServerTokenServices`). -* `resourceId`: the id for the resource (optional, but recommended and will be validated by the auth server if present). -* other extension points for the resourecs server (e.g. `tokenExtractor` for extracting the tokens from incoming requests) -* request matchers for protected resources (defaults to all) -* access rules for protected resources (defaults to plain "authenticated") -* other customizations for the protected resources permitted by the `HttpSecurity` configurer in Spring Security - -The `@EnableResourceServer` annotation adds a filter of type `OAuth2AuthenticationProcessingFilter` automatically to the Spring Security filter chain. - -In XML there is a `` element with an `id` attribute - this is the bean id for a servlet `Filter` that can then be added manually to the standard Spring Security chain. - -Your `ResourceServerTokenServices` is the other half of a contract with the Authorization Server. If the Resource Server and Authorization Server are in the same application and you use `DefaultTokenServices` then you don't have to think too hard about this because it implements all the necessary interfaces so it is automatically consistent. If your Resource Server is a separate application then you have to make sure you match the capabilities of the Authorization Server and provide a `ResourceServerTokenServices` that knows how to decode the tokens correctly. As with the Authorization Server, you can often use the `DefaultTokenServices` and the choices are mostly expressed through the `TokenStore` (backend storage or local encoding). An alternative is the `RemoteTokenServices` which is a Spring OAuth features (not part of the spec) allowing Resource Servers to decode tokens through an HTTP resource on the Authorization Server (`/oauth/check_token`). 
`RemoteTokenServices` are convenient if there is not a huge volume of traffic in the Resource Servers (every request has to be verified with the Authorization Server), or if you can afford to cache the results. To use the `/oauth/check_token` endpoint you need to expose it by changing its access rule (default is "denyAll()") in the `AuthorizationServerSecurityConfigurer`, e.g. - -``` - @Override - public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { - oauthServer.tokenKeyAccess("isAnonymous() || hasAuthority('ROLE_TRUSTED_CLIENT')").checkTokenAccess( - "hasAuthority('ROLE_TRUSTED_CLIENT')"); - } - -``` - -In this example we are configuring both the `/oauth/check_token` endpoint and the `/oauth/token_key` endpoint (so trusted resources can obtain the public key for JWT verification). These two endpoints are protected by HTTP Basic authentication using client credentials. - -### Configuring An OAuth-Aware Expression Handler - -You may want to take advantage of Spring Security's [expression-based access control][expressions]. An expression handler will be registered by default in the `@EnableResourceServer` setup. The expressions include _#oauth2.clientHasRole_, _#oauth2.clientHasAnyRole_, and _#oath2.denyClient_ which can be used to provide access based on the role of the oauth client (see `OAuth2SecurityExpressionMethods` for a comprehensive list). In XML you can register a oauth-aware expression handler with the `expression-handler` element of the regular `` security configuration. - -## OAuth 2.0 Client - -The OAuth 2.0 client mechanism is responsible for access the OAuth 2.0 protected resources of other servers. The configuration involves establishing the relevant protected resources to which users might have access. The client may also need to be supplied with mechanisms for storing authorization codes and access tokens for users. 
- -### Protected Resource Configuration - -Protected resources (or "remote resources") can be defined using bean definitions of type [`OAuth2ProtectedResourceDetails`][OAuth2ProtectedResourceDetails]. A protected resource has the following properties: - -* `id`: The id of the resource. The id is only used by the client to lookup the resource; it's never used in the OAuth protocol. It's also used as the id of the bean. -* `clientId`: The OAuth client id. This is the id by which the OAuth provider identifies your client. -* `clientSecret`: The secret associated with the resource. By default, no secret is empty. -* `accessTokenUri`: The URI of the provider OAuth endpoint that provides the access token. -* `scope`: Comma-separted list of strings specifying the scope of the access to the resource. By default, no scope will be specified. -* `clientAuthenticationScheme`: The scheme used by your client to authenticate to the access token endpoint. Suggested values: "http\_basic" and "form". Default: "http\_basic". See section 2.1 of the OAuth 2 spec. - -Different grant types have different concrete implementations of `OAuth2ProtectedResourceDetails` (e.g. `ClientCredentialsResource` for "client_credentials" grant type). For grant types that require user authorization there is a further property: - -* `userAuthorizationUri`: The uri to which the user will be redirected if the user is ever needed to authorize access to the resource. Note that this is not always required, depending on which OAuth 2 profiles are supported. - -In XML there is a `` element that can be used to create a bean of type `OAuth2ProtectedResourceDetails`. It has attributes matching all the properties above. - - -### Client Configuration - -For the OAuth 2.0 client, configuration is simplified using `@EnableOAuth2Client`. This does 2 things: - -* Creates a filter bean (with ID `oauth2ClientContextFilter`) to store the current -request and context. 
In the case of needing to authenticate during a -request it manages the redirection to and from the OAuth -authentication uri. - -* Creates a bean of type `AccessTokenRequest` in request scope. This -can be used by authorization code (or implicit) grant clients to keep -state related to individual users from colliding. - -The filter has to be wired into the application (e.g. using a Servlet -initializer or `web.xml` configuration for a `DelegatingFilterProxy` -with the same name). - -The `AccessTokenRequest` can be used in an -`OAuth2RestTemplate` like this: - -``` -@Autowired -private OAuth2ClientContext oauth2Context; - -@Bean -public OAuth2RestTemplate sparklrRestTemplate() { - return new OAuth2RestTemplate(sparklr(), oauth2Context); -} -``` - -The OAuth2ClientContext is placed (for you) in session scope to keep -the state for different users separate. Without that you would have to -manage the equivalent data structure yourself on the server, mapping -incoming requests to users, and associating each user with a separate -instance of the `OAuth2ClientContext`. - -In XML there is a `` element with an `id` attribute - this is the bean id for a servlet `Filter` that must be mapped as in the `@Configuration` case to a `DelegatingFilterProxy` (with the same name). - - -### Accessing Protected Resources - -Once you've supplied all the configuration for the resources, you can now access those resources. The suggested method for accessing those resources is by using [the `RestTemplate` introduced in Spring 3][restTemplate]. OAuth for Spring Security has provided [an extension of RestTemplate][OAuth2RestTemplate] that only needs to be supplied an instance of [`OAuth2ProtectedResourceDetails`][OAuth2ProtectedResourceDetails]. 
To use it with user-tokens (authorization code grants) you should consider using the `@EnableOAuth2Client` configuration (or the XML equivalent ``) which creates some request and session scoped context objects so that requests for different users do not collide at runtime. - -As a general rule, a web application should not use password grants, so avoid using `ResourceOwnerPasswordResourceDetails` if you can in favour of `AuthorizationCodeResourceDetails`. If you desparately need password grants to work from a Java client, then use the same mechanism to configure your `OAuth2RestTemplate` and add the credentials to the `AccessTokenRequest` (which is a `Map` and is ephemeral) not the `ResourceOwnerPasswordResourceDetails` (which is shared between all access tokens). - -### Persisting Tokens in a Client - -A client does not *need* to persist tokens, but it can be nice for users to not be required to approve a new token grant every time the client app is restarted. The [`ClientTokenServices`](/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java) interface defines the operations that are necessary to persist OAuth 2.0 tokens for specific users. There is a JDBC implementation provided, but you can if you prefer implement your own service for storing the access tokens and associated authentication instances in a persistent database. -If you want to use this feature you need provide a specially configured `TokenProvider` to the `OAuth2RestTemplate` e.g. 
- -```java -@Bean -@Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES) -public OAuth2RestOperations restTemplate() { - OAuth2RestTemplate template = new OAuth2RestTemplate(resource(), new DefaultOAuth2ClientContext(accessTokenRequest)); - AccessTokenProviderChain provider = new AccessTokenProviderChain(Arrays.asList(new AuthorizationCodeAccessTokenProvider())); - provider.setClientTokenServices(clientTokenServices()); - return template; -} -``` - -## Customizations for Clients of External OAuth2 Providers - -Some external OAuth2 providers (e.g. [Facebook][Facebook]) do not quite implement the specification correctly, or else they are just stuck on an older version of the spec than Spring Security OAuth. To use those providers in your client application you might need to adapt various parts of the client-side infrastructure. - -To use Facebook as an example, there is a Facebook feature in the `tonr2` application (you need to change the configuration to add your own, valid, client id and secret - they are easy to generate on the Facebook website). - -Facebook token responses also contain a non-compliant JSON entry for the expiry time of the token (they use `expires` instead of `expires_in`), so if you want to use the expiry time in your application you will have to decode it manually using a custom `OAuth2SerializationService`. 
- - [AuthorizationEndpoint]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.html "AuthorizationEndpoint" - [TokenEndpoint]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.html "TokenEndpoint" - [DefaultTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/DefaultTokenServices.html "DefaultTokenServices" - [InMemoryTokenStore]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.html "InMemoryTokenStore" - [JdbcTokenStore]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.html "JdbcTokenStore" - [ClientDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/ClientDetailsService.html "ClientDetailsService" - [ClientDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/ClientDetails.html "ClientDetails" - [InMemoryClientDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/InMemoryClientDetailsService.html "InMemoryClientDetailsService" - [BaseClientDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/BaseClientDetails.html "BaseClientDetails" - [AuthorizationServerTokenServices]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.html "AuthorizationServerTokenServices" - [OAuth2AuthenticationProcessingFilter]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.html "OAuth2AuthenticationProcessingFilter" 
- [oauth2.xsd]: http://www.springframework.org/schema/security/spring-security-oauth2.xsd "oauth2.xsd" - [expressions]: http://docs.spring.io/spring-security/site/docs/3.2.5.RELEASE/reference/htmlsingle/#el-access "Expression Access Control" - - [AccessTokenProviderChain]: /spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java - [OAuth2RestTemplate]: /spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java - [OAuth2ProtectedResourceDetails]: /spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java - [restTemplate]: http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html "RestTemplate" - [Facebook]: http://developers.facebook.com/docs/authentication "Facebook" diff --git a/docs/support.md b/docs/support.md deleted file mode 100644 index 36817adbf..000000000 --- a/docs/support.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# Support - -Questions about OAuth for Spring Security can be posed on -[Stackoverflow](http://stackoverflow.com/questions/tagged/spring-security+spring+oauth) -using tags 'spring', 'spring-security' and 'oauth'. (There is also a -[Spring Forum](http://forum.springsource.org/forumdisplay.php?f=79) -that might be useful, but most people prefer the interface at -Stackoverflow). To report bugs, submit enchancement requests or add -something to the wish list, use -[Github](https://github.com/spring-projects/spring-security-oauth/issues). - -Commercial support is available from [Pivotal](http://gopivotal.com) -or through [Web Cohesion](http://www.webcohesion.com). diff --git a/docs/tutorial.md b/docs/tutorial.md deleted file mode 100644 index bad04c0b2..000000000 --- a/docs/tutorial.md +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# Tutorial - -## Introduction - -There's a good [getting started guide](http://www.hueniverse.com/hueniverse/2007/10/beginners-gui-1.html) that illustrates OAuth -1.0 by describing two different (but related) services. One is a photo-sharing application. The other is a photo-printing -application. In OAuth terms, the photo sharing application is the OAuth _provider_ and the photo printing application -is the OAuth _consumer_ or _client_. - -For this tutorial, we will see OAuth for Spring Security in action by deploying a photo-sharing application and a -photo-printing application on our local machine. We'll name the photo-sharing application "Sparklr" and the -photo-printing application "Tonr". A user named "Marissa" (who has an account at both Sparkr and Tonr) will use Tonr -to access her photos on Sparklr without ever giving Tonr her credentials to Sparklr. - -There is a Sparklr application for both OAuth 1.0 and for OAuth 2.0, -likewise Tonr. The best way to run them is to clone or download the -[repo on github](https://github.com/spring-projects/spring-security-oauth) -and run from source code See the -[samples/README.md](https://github.com/spring-projects/spring-security-oauth/tree/master/samples) -for detailed instructions. - -OAuth 1.0|OAuth 2.0 ----------|--------- -Sparklr 1 | Sparklr 2 -Tonr 1 | Tonr 2 - -Each application is a standard [Maven](http://maven.apache.org/) project, so you will need Maven installed. Each -application is also a Spring MVC application with Spring Security integrated. If you are familiar with Spring and Spring -Security, the configuration files will look familiar to you (the OAuth2 samples use a single application context whereas -many MVC applications use a root context and a child for the DispatcherServlet). - -## Setup - -Checkout the Sparklr and Tonr applications, and take a look around. 
Note especially the Spring configuration files in `src/main/webapp/WEB-INF`. - -For Sparklr, you'll notice the definition of the OAuth provider mechanism and the consumer/client details along with the -[standard spring security configuration](http://docs.spring.io/spring-security/site/docs/4.0.x/reference/html/ns-config.html) elements. For Tonr, -you'll notice the definition of the OAuth consumer/client mechanism and the resource details. For more information about the necessary -components of an OAuth provider and consumer, see the [developers guide](devguide.html). - -You'll also notice the Spring Security filter chain in `applicationContext.xml` and how it's configured for OAuth support. - -### Deploy Sparklr - -{% highlight text %} - mvn install - cd samples/oauth(2)/sparklr - mvn tomcat7:run -{% endhighlight %} - -Sparklr should be started on port 8080. Go ahead and browse to [http://localhost:8080/sparklr](http://localhost:8080/sparklr). Note the basic -login page and the page that can be used to browse Marissa's photos. Logout to ensure Marissa's session is no longer valid. (Of course, -the logout isn't mandatory; an active Sparklr session will simply bypass the step that prompts for Marissa's credentials before -confirming authorization for Marissa's protected resources.) - -### Start Tonr. - -Shutdown sparklr (it will be launched in the same container when tonr runs), then - -{% highlight text %} - mvn install - cd samples/oauth(2)/tonr - mvn tomcat7:run -{% endhighlight %} - -Tonr should be started on port 8080. Browse to [http://localhost:8080/tonr(2)](http://localhost:8080/tonr). Note Tonr's home page has a '2' on the end if it is the oauth2 version. - -### Observe... - -Now that you've got both applications deployed, you're ready to observe OAuth in action. - -1. Login to Tonr. - - Marissa's credentials are already hardcoded into the login form. - -2. Click to view Marissa's Sparklr photos. 
- - You will be redirected to the Sparklr site where you will be prompted for Marissa's credentials. - -3. Login to Sparklr. - - Upon successful login, you will be prompted with a confirmation screen to authorize access to Tonr - for Marissa's pictures. - -4. Click "authorize". - - Upon authorization, you should be redirected back to Tonr where Marissa's Sparklr photos are displayed - (presumably to be printed). - diff --git a/docs/twolegged.md b/docs/twolegged.md deleted file mode 100644 index 1ca6356c0..000000000 --- a/docs/twolegged.md +++ /dev/null 
@@ -1,33 +0,0 @@ ---- -title: Docs -layout: default -home: ../ ---- - - -# 2-Legged OAuth - -Two-legged OAuth (also known as "signed fetch") is basically OAuth without the user. It's a way for a consumer (i.e. client) to make a signed request -to a provider (i.e. server) by leveraging the OAuth signature algorithm. This means that the provider has an extra level of trust with the consumer and will -therefore provide data to the consumer without making an end-user authorize a token. - -This has particular applicability to gadget frameworks. For example, [OpenSocial](http://www.opensocial.org/) platforms often use 2-legged OAuth so gadget -developers can have the gadget (the OAuth consumer) make Web service requests to their remote server (the OAuth provider). Since the gadget developer and -the server developer are often the same entity, the server can trust the gadget without the need for the gadget to obtain special permission from the user to -access the user's data. - -To implement 2-legged OAuth using _OAuth for Spring Security_, all that is needed is for the provider to indicate that a specific consumer has an extra -level of trust. To do this, make sure your implementation of [`ConsumerDetailsService`][ConsumerDetailsService] returns instances of -[`ConsumerDetails`][ConsumerDetails] that implement [`ExtraTrustConsumerDetails`][ExtraTrustConsumerDetails]. Then, for each consumer -that doesn't need to obtain a user-authorized token, make sure [`ExtraTrustConsumerDetails.isRequiredToObtainAuthenticatedToken()`][isRequiredToObtainAuthenticatedToken] -returns `false`. - -In many instances, providers may want to manage the authentication that is set up in the security context. By default for 2-legged OAuth, only the consumer's -authentication will be set up in the context. 
However, if a user authentication is needed in the context, provide an alternate implementation of -`org.springframework.security.oauth.provider.OAuthAuthenticationHandler` that loads the user authentication, and provide a reference to the alternate -implementation using the "auth-handler-ref" attribute of the "provider" configuration element. - -[ConsumerDetailsService]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetailsService.html -[ConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ConsumerDetails.html -[ExtraTrustConsumerDetails]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.html -[isRequiredToObtainAuthenticatedToken]: http://docs.spring.io/spring-security/oauth/apidocs/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.html#isRequiredToObtainAuthenticatedToken() diff --git a/etc/nohttp/checkstyle.xml b/etc/nohttp/checkstyle.xml new file mode 100644 index 000000000..4b2ef2e48 --- /dev/null +++ b/etc/nohttp/checkstyle.xml @@ -0,0 +1,26 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/etc/nohttp/whitelist.lines b/etc/nohttp/whitelist.lines new file mode 100644 index 000000000..55860ea4f --- /dev/null +++ b/etc/nohttp/whitelist.lines @@ -0,0 +1 @@ +http://junit.sourceforge.net/javadoc/ \ No newline at end of file diff --git a/license.txt b/license.txt index 261eeb9e9..20e4bd856 100755 --- a/license.txt +++ b/license.txt @@ -1,6 +1,6 @@ Apache License Version 2.0, January 2004 - http://www.apache.org/licenses/ + https://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 
@@ -192,7 +192,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + https://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, diff --git a/mvnw b/mvnw new file mode 100755 index 000000000..02f96acef --- /dev/null +++ b/mvnw 
@@ -0,0 +1,243 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Maven2 Start Up Batch script +# +# Required ENV vars: +# ------------------ +# JAVA_HOME - location of a JDK home dir +# +# Optional ENV vars +# ----------------- +# M2_HOME - location of maven2's installed home dir +# MAVEN_OPTS - parameters passed to the Java VM when running Maven +# e.g. to debug Maven itself, use +# set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +# MAVEN_SKIP_RC - flag to disable loading of mavenrc files +# ---------------------------------------------------------------------------- + +if [ -z "$MAVEN_SKIP_RC" ] ; then + + if [ -f /etc/mavenrc ] ; then + . /etc/mavenrc + fi + + if [ -f "$HOME/.mavenrc" ] ; then + . 
"$HOME/.mavenrc" + fi + +fi + +VERSION=$(awk '/ 0) {$0=$0} 1' `dirname $0`/pom.xml| grep '\(.*\)<.*/\1/') +if echo $VERSION | egrep -q 'M|RC'; then + echo Activating \"milestone\" profile for version=\"$VERSION\" + echo $MAVEN_ARGS | grep -q milestone || MAVEN_ARGS="$MAVEN_ARGS -Pmilestone" +else + echo Deactivating \"milestone\" profile for version=\"$VERSION\" + echo $MAVEN_ARGS | grep -q milestone && MAVEN_ARGS=$(echo $MAVEN_ARGS | sed -e 's/-Pmilestone//') +fi + +# OS specific support. $var _must_ be set to either true or false. +cygwin=false; +darwin=false; +mingw=false +case "`uname`" in + CYGWIN*) cygwin=true ;; + MINGW*) mingw=true;; + Darwin*) darwin=true + # + # Look for the Apple JDKs first to preserve the existing behaviour, and then look + # for the new JDKs provided by Oracle. + # + if [ -z "$JAVA_HOME" ] && [ -L /System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK ] ; then + # + # Apple JDKs + # + export JAVA_HOME=/System/Library/Frameworks/JavaVM.framework/Versions/CurrentJDK/Home + fi + + if [ -z "$JAVA_HOME" ] && [ -L /System/Library/Java/JavaVirtualMachines/CurrentJDK ] ; then + # + # Apple JDKs + # + export JAVA_HOME=/System/Library/Java/JavaVirtualMachines/CurrentJDK/Contents/Home + fi + + if [ -z "$JAVA_HOME" ] && [ -L "/Library/Java/JavaVirtualMachines/CurrentJDK" ] ; then + # + # Oracle JDKs + # + export JAVA_HOME=/Library/Java/JavaVirtualMachines/CurrentJDK/Contents/Home + fi + + if [ -z "$JAVA_HOME" ] && [ -x "/usr/libexec/java_home" ]; then + # + # Apple JDKs + # + export JAVA_HOME=`/usr/libexec/java_home` + fi + ;; +esac + +if [ -z "$JAVA_HOME" ] ; then + if [ -r /etc/gentoo-release ] ; then + JAVA_HOME=`java-config --jre-home` + fi +fi + +if [ -z "$M2_HOME" ] ; then + ## resolve links - $0 may be a link to maven's home + PRG="$0" + + # need this for relative symlinks + while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + 
PRG="`dirname "$PRG"`/$link" + fi + done + + saveddir=`pwd` + + M2_HOME=`dirname "$PRG"`/.. + + # make it fully qualified + M2_HOME=`cd "$M2_HOME" && pwd` + + cd "$saveddir" + # echo Using m2 at $M2_HOME +fi + +# For Cygwin, ensure paths are in UNIX format before anything is touched +if $cygwin ; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --unix "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --unix "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --unix "$CLASSPATH"` +fi + +# For Migwn, ensure paths are in UNIX format before anything is touched +if $mingw ; then + [ -n "$M2_HOME" ] && + M2_HOME="`(cd "$M2_HOME"; pwd)`" + [ -n "$JAVA_HOME" ] && + JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`" + # TODO classpath? +fi + +if [ -z "$JAVA_HOME" ]; then + javaExecutable="`which javac`" + if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then + # readlink(1) is not available as standard on Solaris 10. + readLink=`which readlink` + if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then + if $darwin ; then + javaHome="`dirname \"$javaExecutable\"`" + javaExecutable="`cd \"$javaHome\" && pwd -P`/javac" + else + javaExecutable="`readlink -f \"$javaExecutable\"`" + fi + javaHome="`dirname \"$javaExecutable\"`" + javaHome=`expr "$javaHome" : '\(.*\)/bin'` + JAVA_HOME="$javaHome" + export JAVA_HOME + fi + fi +fi + +if [ -z "$JAVACMD" ] ; then + if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + else + JAVACMD="`which java`" + fi +fi + +if [ ! -x "$JAVACMD" ] ; then + echo "Error: JAVA_HOME is not defined correctly." >&2 + echo " We cannot execute $JAVACMD" >&2 + exit 1 +fi + +if [ -z "$JAVA_HOME" ] ; then + echo "Warning: JAVA_HOME environment variable is not set." 
+fi + +CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher + +# For Cygwin, switch paths to Windows format before running java +if $cygwin; then + [ -n "$M2_HOME" ] && + M2_HOME=`cygpath --path --windows "$M2_HOME"` + [ -n "$JAVA_HOME" ] && + JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"` + [ -n "$CLASSPATH" ] && + CLASSPATH=`cygpath --path --windows "$CLASSPATH"` +fi + +# traverses directory structure from process work directory to filesystem root +# first directory with .mvn subdirectory is considered project base directory +find_maven_basedir() { + local basedir=$(pwd) + local wdir=$(pwd) + while [ "$wdir" != '/' ] ; do + if [ -d "$wdir"/.mvn ] ; then + basedir=$wdir + break + fi + wdir=$(cd "$wdir/.."; pwd) + done + echo "${basedir}" +} + +# concatenates all lines of a file +concat_lines() { + if [ -f "$1" ]; then + echo "$(tr -s '\n' ' ' < "$1")" + fi +} + +export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-$(find_maven_basedir)} +MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS" + +# Provide a "standardized" way to retrieve the CLI args that will +# work with both Windows and non-Windows executions. +MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@" +export MAVEN_CMD_LINE_ARGS + +WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +exec "$JAVACMD" \ + $MAVEN_OPTS \ + -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \ + "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \ + ${WRAPPER_LAUNCHER} ${MAVEN_ARGS} "$@" + diff --git a/mvnw.cmd b/mvnw.cmd new file mode 100644 index 000000000..eb9a292a7 --- /dev/null +++ b/mvnw.cmd 
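Review bot: The version-detection line near the top of this hunk expands `` `dirname $0` `` unquoted, so a checkout path containing spaces is split into several awk arguments, while the rest of the script consistently quotes `"$PRG"` and `"$JAVA_HOME"`; replace `` `dirname $0`/pom.xml `` with `"$(dirname "$0")/pom.xml"`. That line and the milestone-profile toggle below it look like project-specific additions to what otherwise reads as the standard wrapper script, so a comment such as `# Project-specific: add -Pmilestone when the pom version contains M or RC` above them would stop a later wrapper regeneration from silently dropping them. The final `exec` runs `$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar` straight from the working tree and nothing in this script verifies that jar, so where the checked-in jar comes from and how to reproduce it belongs in the same header comment.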
@@ -0,0 +1,145 @@ +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM https://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Maven2 Start Up Batch script +@REM +@REM Required ENV vars: +@REM JAVA_HOME - location of a JDK home dir +@REM +@REM Optional ENV vars +@REM M2_HOME - location of maven2's installed home dir +@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands +@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a key stroke before ending +@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven +@REM e.g. 
to debug Maven itself, use +@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000 +@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files +@REM ---------------------------------------------------------------------------- + +@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on' +@echo off +@REM enable echoing my setting MAVEN_BATCH_ECHO to 'on' +@if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO% + +@REM set %HOME% to equivalent of $HOME +if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%") + +@REM Execute a user defined script before this one +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre +@REM check for pre script, once with legacy .bat ending and once with .cmd ending +if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat" +if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd" +:skipRcPre + +@setlocal + +set ERROR_CODE=0 + +@REM To isolate internal variables from possible post scripts, we use another setlocal +@setlocal + +@REM ==== START VALIDATION ==== +if not "%JAVA_HOME%" == "" goto OkJHome + +echo. +echo Error: JAVA_HOME not found in your environment. >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +:OkJHome +if exist "%JAVA_HOME%\bin\java.exe" goto init + +echo. +echo Error: JAVA_HOME is set to an invalid directory. >&2 +echo JAVA_HOME = "%JAVA_HOME%" >&2 +echo Please set the JAVA_HOME variable in your environment to match the >&2 +echo location of your Java installation. >&2 +echo. +goto error + +@REM ==== END VALIDATION ==== + +:init + +set MAVEN_CMD_LINE_ARGS=%* + +@REM Find the project base dir, i.e. the directory that contains the folder ".mvn". +@REM Fallback to current working directory if not found. 
+ +set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR% +IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir + +set EXEC_DIR=%CD% +set WDIR=%EXEC_DIR% +:findBaseDir +IF EXIST "%WDIR%"\.mvn goto baseDirFound +cd .. +IF "%WDIR%"=="%CD%" goto baseDirNotFound +set WDIR=%CD% +goto findBaseDir + +:baseDirFound +set MAVEN_PROJECTBASEDIR=%WDIR% +cd "%EXEC_DIR%" +goto endDetectBaseDir + +:baseDirNotFound +set MAVEN_PROJECTBASEDIR=%EXEC_DIR% +cd "%EXEC_DIR%" + +:endDetectBaseDir + +IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig + +@setlocal EnableExtensions EnableDelayedExpansion +for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a +@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS% + +:endReadAdditionalConfig + +SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe" + +set WRAPPER_JAR="".\.mvn\wrapper\maven-wrapper.jar"" +set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain + +%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CMD_LINE_ARGS% +if ERRORLEVEL 1 goto error +goto end + +:error +set ERROR_CODE=1 + +:end +@endlocal & set ERROR_CODE=%ERROR_CODE% + +if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost +@REM check for post script, once with legacy .bat ending and once with .cmd ending +if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat" +if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd" +:skipRcPost + +@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on' +if "%MAVEN_BATCH_PAUSE%" == "on" pause + +if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE% + +exit /B %ERROR_CODE% diff --git a/notice.txt b/notice.txt index 77391586a..9007f5823 100755 --- a/notice.txt +++ b/notice.txt 
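Review bot: `set WRAPPER_JAR="".\.mvn\wrapper\maven-wrapper.jar""` near the end of the hunk resolves the jar relative to the invocation directory, because the base-dir detection above it finishes with `cd "%EXEC_DIR%"`, so running `mvnw.cmd` from a module directory below the project root will not find the jar even though `MAVEN_PROJECTBASEDIR` was just computed for exactly this purpose; the shell counterpart uses `$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar`. The doubled quotes on that line also look accidental. Suggest `set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"`.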
@@ -5,16 +5,16 @@ ====================================================================== This product includes software developed by -the Apache Software Foundation (http://www.apache.org). +the Apache Software Foundation (https://www.apache.org). This product includes software developed by the Spring Framework -Project (http://www.springframework.org). +Project (https://www.springframework.org). The end-user documentation included with a redistribution, if any, must include the following acknowledgement: "This product includes software developed by Web Cohesion - (http://www.webcohesion.com)." + (https://www.webcohesion.com)." Alternately, this acknowledgement may appear in the software itself, if and wherever such third-party acknowledgements normally appear. diff --git a/pom.xml b/pom.xml index a5689e37b..c1837e581 100644 --- a/pom.xml +++ b/pom.xml @@ -1,12 +1,12 @@ - + 4.0.0 org.springframework.security.oauth spring-security-oauth-parent OAuth for Spring Security Parent Project for OAuth Support for Spring Security pom - 2.0.10.BUILD-SNAPSHOT - http://static.springframework.org/spring-security/oauth + 2.5.3.BUILD-SNAPSHOT + https://docs.spring.io/spring-security/oauth spring-security-oauth 
@@ -18,27 +18,31 @@ UTF-8 - 1.9 - 4.0.9.RELEASE - 3.2.8.RELEASE + 1.14 + 4.3.30.RELEASE + 4.2.20.RELEASE + 1.5.2.RELEASE + 2.6.3 + 4.12 + 1.10.19 1.6 - http://github.com/SpringSource/spring-security-oauth + https://github.com/SpringSource/spring-security-oauth scm:git:git://github.com/SpringSource/spring-security-oauth.git scm:git:ssh://git@github.com/SpringSource/spring-security-oauth.git HEAD JIRA - http://opensource.atlassian.com/projects/spring/browse/SECOAUTH + https://opensource.atlassian.com/projects/spring/browse/SECOAUTH Spring Security OAuth Forum - http://forum.springframework.org/forumdisplay.php?f=79 - http://forum.springframework.org/forumdisplay.php?f=79 + https://forum.springframework.org/forumdisplay.php?f=79 + https://forum.springframework.org/forumdisplay.php?f=79 @@ -48,10 +52,10 @@ Apache 2.0 - http://www.apache.org/licenses/LICENSE-2.0.txt + https://www.apache.org/licenses/LICENSE-2.0.txt - + stoicflame @@ -66,12 +70,6 @@ - - springNext - - 4.3.0.BUILD-SNAPSHOT - - staging @@ -98,22 +96,22 @@ repo.spring.io-milestone Spring Framework Milestone Repository - http://repo.spring.io/libs-milestone-local + https://repo.spring.io/libs-milestone-local repo.spring.io-release Spring Framework Release Repository - http://repo.spring.io/libs-release-local + https://repo.spring.io/libs-release-local repo.spring.io-snapshot Spring Framework Maven Snapshot Repository - http://repo.spring.io/libs-snapshot-local + https://repo.spring.io/libs-snapshot-local true oauth.googlecode.net - http://oauth.googlecode.com/svn/code/maven/ + https://oauth.googlecode.com/svn/code/maven/ @@ -123,7 +121,7 @@ repo.spring.io Spring Milestone Repository - http://repo.spring.io/libs-milestone-local + https://repo.spring.io/libs-milestone-local 
@@ -168,6 +166,122 @@ + + spring5 + + 5.0.16.RELEASE + 5.0.3.RELEASE + 2.0.5.RELEASE + 2.9.0 + + + + repo.spring.io-milestone + Spring Framework Milestone Repository + https://repo.spring.io/libs-milestone-local + + + repo.spring.io-snapshot + Spring Framework Maven Snapshot Repository + https://repo.spring.io/libs-snapshot-local + true + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + 3.1.1 + + + com.puppycrawl.tools + checkstyle + 8.31 + + + io.spring.nohttp + nohttp-checkstyle + 0.0.3.RELEASE + + + + ${maven.multiModuleProjectDirectory}/etc/nohttp/checkstyle.xml + src/**/*,* + + ./ + + + + + + check + + + + + + + + + default + + true + + + + + org.codehaus.mojo + animal-sniffer-maven-plugin + 1.6 + + + org.codehaus.mojo.signature + java16 + 1.0 + + + + + enforce-java-6 + test + + check + + + + + sun.net.www.protocol.http.* + sun.net.www.protocol.https.* + + + + + + + + + + tests-exclude-redis + + + + org.apache.maven.plugins + maven-surefire-plugin + + ${skipTests} + + **/*Tests.java + + + **/RedisTokenStorePrefixTests.java + **/RedisTokenStoreTests.java + + + + + + @@ -308,6 +422,9 @@ maven-javadoc-plugin 2.9.1 + + true + javadoc @@ -317,38 +434,10 @@ - - - org.codehaus.mojo - animal-sniffer-maven-plugin - 1.6 - - - org.codehaus.mojo.signature - java16 - 1.0 - - - - - enforce-java-6 - test - - check - - - - - sun.net.www.protocol.http.* - sun.net.www.protocol.https.* - - - - - org.apache.maven.plugins maven-eclipse-plugin @@ -378,7 +467,7 @@ org.apache.maven.plugins maven-site-plugin - 3.1 + 3.3 org.apache.maven.wagon @@ -390,12 +479,16 @@ org.apache.maven.plugins maven-surefire-plugin + 2.20 ${skipTests} **/*Tests.java - + 3 + true + -Xmx1024m -XX:MaxPermSize=256m + 
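Review bot: The animal-sniffer `enforce-java-6` check is moved out of the main build section (the `@@ -317,38 +434,10 @@` hunk in this file removes it) into a profile named `default` that appears to be `activeByDefault` (the markup is stripped in this view, but `true` directly follows the profile id). Maven deactivates an activeByDefault profile whenever another profile of the same POM is selected explicitly, so any build that passes `-P` for another profile, e.g. `-P spring5` for the profile added in this same hunk, silently skips the Java 6 API check. If that is intended, a comment in the profile saying so would stop the next reader from assuming the check still runs, e.g. `<!-- not run when any other profile is selected on the command line -->`. The `sun.net.www.protocol.http.*` / `sun.net.www.protocol.https.*` ignores in that profile also deserve a one-line comment naming which code depends on those internal packages.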
@@ -439,19 +532,19 @@ true true - http://java.sun.com/j2ee/1.4/docs/api - http://java.sun.com/j2se/1.5.0/docs/api - http://jakarta.apache.org/commons/collections/apidocs-COLLECTIONS_3_0/ - http://jakarta.apache.org/commons/dbcp/apidocs/ - http://jakarta.apache.org/commons/fileupload/apidocs/ - http://jakarta.apache.org/commons/httpclient/apidocs/ - http://jakarta.apache.org/commons/pool/apidocs/ - http://jakarta.apache.org/commons/logging/apidocs/ + https://java.sun.com/j2ee/1.4/docs/api + https://java.sun.com/j2se/1.5.0/docs/api + https://jakarta.apache.org/commons/collections/apidocs-COLLECTIONS_3_0/ + https://jakarta.apache.org/commons/dbcp/apidocs/ + https://jakarta.apache.org/commons/fileupload/apidocs/ + https://jakarta.apache.org/commons/httpclient/apidocs/ + https://jakarta.apache.org/commons/pool/apidocs/ + https://jakarta.apache.org/commons/logging/apidocs/ http://junit.sourceforge.net/javadoc/ - http://logging.apache.org/log4j/docs/api/ - http://jakarta.apache.org/regexp/apidocs/ - http://jakarta.apache.org/velocity/api/ - http://static.springframework.org/spring/docs/2.5.x/api/ + https://logging.apache.org/log4j/docs/api/ + https://jakarta.apache.org/regexp/apidocs/ + https://jakarta.apache.org/velocity/api/ + https://docs.spring.io/spring/docs/2.5.x/api/ example @@ -459,6 +552,7 @@ org.apache.maven.plugins maven-jxr-plugin + 2.4 @@ -466,20 +560,20 @@ - static.springframework.org - scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth + static.spring.io + scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version} repo.spring.io Spring Release Repository - http://repo.spring.io/libs-release-local + https://repo.spring.io/libs-release-local repo.spring.io Spring Snapshot Repository - http://repo.spring.io/libs-snapshot-local + https://repo.spring.io/libs-snapshot-local diff --git a/samples/README.md b/samples/README.md index 2ba26c4b4..9140c388e 100644 
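Review bot: `http://junit.sourceforge.net/javadoc/` in the javadoc `links` list is the one entry of the `-439,19 +532,19` hunk left on plain http while every neighbouring link is switched to https. If it was skipped deliberately because no https endpoint exists, a comment such as `<!-- no https endpoint; allowlisted for nohttp -->` next to it would stop the next sweep from re-touching it, and it will presumably also need an allowlist entry for the nohttp check added elsewhere in this commit. Worth confirming that the rewritten `https://java.sun.com/...` and `https://jakarta.apache.org/...` links still serve a package-list, since javadoc silently degrades to unlinked names when that fetch fails.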
--- a/samples/README.md +++ b/samples/README.md @@ -1,3 +1,9 @@ +### Deprecation Notice + +The Spring Security OAuth project is deprecated. The latest OAuth 2.0 support is provided by Spring Security. See the [OAuth 2.0 Migration Guide](https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide) for further details. + +--- + These are the Spring Security OAuth sample apps and integration tests. They are split into OAuth (1a) and OAuth2 samples. Look in the subdirectory `oauth` and `oauth2` respectively for components of the @@ -59,7 +65,7 @@ To deploy the apps in Eclipse you will need the Maven plugin (`m2e`) and the Web Tools Project (WTP) plugins. If you have SpringSource Toolsuite (STS) you should already have those, aso you can deploy the apps very simply. (Update the WTP plugin to at least version 0.12 at -http://download.eclipse.org/technology/m2e/releases if you have an older +https://download.eclipse.org/technology/m2e/releases if you have an older one, or the context roots for the apps will be wrong.) * Ensure the Spring Security OAuth dependencies are available locally diff --git a/samples/oauth/sparklr/pom.xml b/samples/oauth/sparklr/pom.xml index bd22d6f45..7d4bca68c 100644 --- a/samples/oauth/sparklr/pom.xml +++ b/samples/oauth/sparklr/pom.xml @@ -1,11 +1,11 @@ - + 4.0.0 org.springframework.security.oauth spring-security-oauth-parent - 2.0.10.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT ../../.. @@ -45,14 +45,9 @@ - spring-milestone - Spring Framework Milestone Repository - http://maven.springframework.org/milestone - - - spring-release - Spring Framework Release Repository - http://maven.springframework.org/release + spring + Spring Framework Repository + https://repo.spring.io/libs-snapshot 
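Review bot: The single `spring` repository that replaces the milestone and release entries in the sparklr pom hunk points only at `https://repo.spring.io/libs-snapshot`, whereas the root pom in this same commit uses the `repo.spring.io-snapshot` id with `libs-snapshot-local`; the differing id means a `settings.xml` mirror or credential entry written for the root build does not apply to the sample, and snapshot artifacts are mutable, so the sample build is not reproducible. Consider reusing the parent's repository ids, or adding explicit `releases`/`snapshots` policy elements so a released parent version resolves from the release repository. Any policy children of the repository element are not visible here because markup was stripped from this view.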
diff --git a/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java b/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java
index f803497ed..6b96f61e3 100644
--- a/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java
+++ b/samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/impl/PhotoServiceImpl.java
@@ -5,7 +5,7 @@
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
- * http://www.apache.org/licenses/LICENSE-2.0
+ * https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/samples/oauth/sparklr/src/main/resources/simplelog.properties b/samples/oauth/sparklr/src/main/resources/simplelog.properties
index dfba30062..cba65bf4c 100644
--- a/samples/oauth/sparklr/src/main/resources/simplelog.properties
+++ b/samples/oauth/sparklr/src/main/resources/simplelog.properties
@@ -1,2 +1,2 @@
-org.apache.commons.logging.simplelog.defaultlog=info
-org.apache.commons.logging.simplelog.log.org.springframework.security=debug
+org.apache.commons.logging.simplelog.defaultlog=warn
+#org.apache.commons.logging.simplelog.log.org.springframework.security=debug
diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml b/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml
index c23317603..f33670c75 100644
--- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml
+++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml
@@ -4,9 +4,9 @@ xmlns:beans="http://www.springframework.org/schema/beans" xmlns:oauth="http://www.springframework.org/schema/security/oauth" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://www.springframework.org/schema/beans%20http://www.springframework.org/schema/beans/spring-beans.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20http://www.springframework.org/schema/security/spring-security.xsd-%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20http://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd"> + xsi:schemaLocation="http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security%20https://www.springframework.org/schema/security/spring-security.xsd+%20%20%20%20%20%20%20%20%20%20%20%20%20%20http://www.springframework.org/schema/security/oauth%20https://www.springframework.org/schema/security/spring-security-oauth-1.0.xsd"> diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp b/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp index f88681b83..0937858eb 100644 --- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp +++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/jsp/access_confirmation.jsp @@ -1,8 +1,8 @@ <%@ page import="org.springframework.security.core.AuthenticationException" %> -<%@ page import="org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter" %> +<%@ page import="org.springframework.security.web.WebAttributes" %> <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %> <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %> - + @@ -20,12 +20,12 @@

Woops!

-

Access could not be granted. (<%= ((AuthenticationException) session.getAttribute(AbstractAuthenticationProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY)).getMessage() %>)

+

Access could not be granted. (<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>)

- +

Please Confirm

You hereby authorize "" to access the following resource:

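Review bot: The replacement scriptlet on the `Access could not be granted.` line still emits `getMessage()` through a raw `<%= %>` expression, so the exception text reaches the page without HTML escaping; the `c` taglib is already declared at the top of this file, and `<c:out value="<%= ((AuthenticationException) session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION)).getMessage() %>"/>` writes the same text escaped. The unconditional cast also throws if the session attribute is absent; presumably a surrounding condition guards this branch, but that markup is not visible in this view. Switching from the deprecated filter constant to `WebAttributes.AUTHENTICATION_EXCEPTION` is the right rename; only the output path needs the extra care.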
@@ -44,7 +44,7 @@
- + diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml b/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml index 65bcd5a97..b364e2142 100644 --- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml +++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml @@ -2,8 +2,8 @@ + xsi:schemaLocation="http://www.springframework.org/schema/mvc%20https://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd+http://www.springframework.org/schema/beans%20https://www.springframework.org/schema/beans/spring-beans-3.0.xsd"> diff --git a/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml b/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml index 8492917b3..31390bf58 100644 --- a/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml +++ b/samples/oauth/sparklr/src/main/webapp/WEB-INF/web.xml @@ -2,7 +2,7 @@ + "https://java.sun.com/dtd/web-app_2_3.dtd"> diff --git a/samples/oauth/sparklr/src/main/webapp/index.jsp b/samples/oauth/sparklr/src/main/webapp/index.jsp index 62ee6dff6..1e945d215 100644 --- a/samples/oauth/sparklr/src/main/webapp/index.jsp +++ b/samples/oauth/sparklr/src/main/webapp/index.jsp @@ -1,13 +1,13 @@ <%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %> <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %> - + Sparklr "/> - + +