From efff49afbeadd48b1b9bd188c38a2f7f50302d2e Mon Sep 17 00:00:00 2001
From: Li Shengzhao <shengzhan@uwantsoft.com>
Date: Mon, 9 Nov 2015 15:08:37 +0800
Subject: [PATCH] =?UTF-8?q?109=20=09=E5=8D=87=E7=BA=A7=20spring-security-o?=
 =?UTF-8?q?auth2=20=E7=9A=84=E7=89=88=E6=9C=AC=E5=88=B0=202.0.6=E4=BB=A5?=
 =?UTF-8?q?=E4=B8=8A,=20=E7=9B=AE=E5=89=8D=E6=98=AF1.0.5=20113=20=09Upgrad?=
 =?UTF-8?q?e=20spring,=20spring=20security=20version=20to=20>=204.0=20vers?=
 =?UTF-8?q?ion:=200.4-beta?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 others/database/oauth.ddl                     |  3 +-
 pom.xml                                       | 59 ++++++++++---------
 .../oauth/CustomJdbcClientDetailsService.java |  4 +-
 src/main/java/cc/wdcy/web/WebUtils.java       | 34 +++++++----
 .../controller/mobile/MobileController.java   | 12 ++--
 .../web/controller/unity/UnityController.java | 12 ++--
 .../web/oauth/OauthUserApprovalHandler.java   |  4 +-
 src/main/resources/spring/context.xml         |  4 +-
 src/main/resources/spring/security.xml        | 29 ++++++---
 src/main/resources/spring/transaction.xml     |  2 +-
 src/main/webapp/WEB-INF/wdcy-servlet.xml      |  7 +--
 src/main/webapp/login.jsp                     |  4 +-
 12 files changed, 95 insertions(+), 79 deletions(-)

diff --git a/others/database/oauth.ddl b/others/database/oauth.ddl
index 5b83f63..fcc9fd0 100644
--- a/others/database/oauth.ddl
+++ b/others/database/oauth.ddl
@@ -16,7 +16,8 @@ create table oauth_client_details (
   additional_information VARCHAR(4096),
   create_time timestamp default now(),
   archived tinyint(1) default '0',
-  trusted tinyint(1) default '0'
+  trusted tinyint(1) default '0',
+  autoapprove VARCHAR (255) default 'false'
 );
 
 Drop table  if exists oauth_client_token;
diff --git a/pom.xml b/pom.xml
index 3dce283..901fcfd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,18 +6,20 @@
 
     <groupId>wdcy.cc</groupId>
     <artifactId>spring-oauth-server</artifactId>
-    <version>0.3</version>
+    <version>0.4-beta</version>
     <name>spring-oauth-server</name>
     <packaging>war</packaging>
     <description>Spring Oauth Server</description>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <spring.version>3.1.1.RELEASE</spring.version>
-        <spring.security.version>3.1.0.RELEASE</spring.security.version>
-        <!--Next branch version:  2.0.7.RELEASE-->
-        <spring.security.oauth.version>1.0.5.RELEASE</spring.security.oauth.version>
-        <aspectj.version>1.6.10</aspectj.version>
+
+        <spring.version>4.1.6.RELEASE</spring.version>
+        <spring.security.version>4.0.1.RELEASE</spring.security.version>
+        <spring.security.oauth.version>2.0.7.RELEASE</spring.security.oauth.version>
+        <fasterxml.jackson.version>2.5.4</fasterxml.jackson.version>
+
+        <aspectj.version>1.8.6</aspectj.version>
         <mybatis.version>3.2.1</mybatis.version>
 
         <!--jdbc execute sql config-->
@@ -196,11 +198,17 @@
             <version>${aspectj.version}</version>
             <scope>compile</scope>
         </dependency>
+        
         <dependency>
             <groupId>commons-dbcp</groupId>
             <artifactId>commons-dbcp</artifactId>
             <version>1.4</version>
         </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
+        </dependency>
 
         <dependency>
             <groupId>commons-io</groupId>
@@ -269,16 +277,16 @@
             <artifactId>spring-security-taglibs</artifactId>
             <version>${spring.security.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-acl</artifactId>
-            <version>${spring.security.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-crypto</artifactId>
-            <version>${spring.security.version}</version>
-        </dependency>
+        <!--<dependency>-->
+        <!--<groupId>org.springframework.security</groupId>-->
+        <!--<artifactId>spring-security-acl</artifactId>-->
+        <!--<version>${spring.security.version}</version>-->
+        <!--</dependency>-->
+        <!--<dependency>-->
+        <!--<groupId>org.springframework.security</groupId>-->
+        <!--<artifactId>spring-security-crypto</artifactId>-->
+        <!--<version>${spring.security.version}</version>-->
+        <!--</dependency>-->
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-config</artifactId>
@@ -291,6 +299,13 @@
             <version>${spring.security.oauth.version}</version>
         </dependency>
 
+        <!--json-->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>${fasterxml.jackson.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>mysql</groupId>
             <artifactId>mysql-connector-java</artifactId>
@@ -312,18 +327,6 @@
             <scope>compile</scope>
         </dependency>
 
-        <dependency>
-            <groupId>net.sf.json-lib</groupId>
-            <artifactId>json-lib</artifactId>
-            <version>2.4</version>
-            <classifier>jdk15</classifier>
-            <exclusions>
-                <exclusion>
-                    <groupId>commons-logging</groupId>
-                    <artifactId>commons-logging</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
 
         <!--mybatis-->
         <dependency>
diff --git a/src/main/java/cc/wdcy/domain/oauth/CustomJdbcClientDetailsService.java b/src/main/java/cc/wdcy/domain/oauth/CustomJdbcClientDetailsService.java
index 337cfa3..739d10b 100644
--- a/src/main/java/cc/wdcy/domain/oauth/CustomJdbcClientDetailsService.java
+++ b/src/main/java/cc/wdcy/domain/oauth/CustomJdbcClientDetailsService.java
@@ -1,6 +1,6 @@
 package cc.wdcy.domain.oauth;
 
-import org.springframework.security.oauth2.provider.JdbcClientDetailsService;
+import org.springframework.security.oauth2.provider.client.JdbcClientDetailsService;
 
 import javax.sql.DataSource;
 
@@ -12,7 +12,7 @@ import javax.sql.DataSource;
 public class CustomJdbcClientDetailsService extends JdbcClientDetailsService {
 
     private static final String SELECT_CLIENT_DETAILS_SQL = "select client_id, client_secret, resource_ids, scope, authorized_grant_types, " +
-            "web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information " +
+            "web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove " +
             "from oauth_client_details where client_id = ? and archived = 0 ";
 
 
diff --git a/src/main/java/cc/wdcy/web/WebUtils.java b/src/main/java/cc/wdcy/web/WebUtils.java
index 122bd3e..fc1150d 100644
--- a/src/main/java/cc/wdcy/web/WebUtils.java
+++ b/src/main/java/cc/wdcy/web/WebUtils.java
@@ -1,10 +1,8 @@
 package cc.wdcy.web;
 
-import net.sf.json.JSON;
+import org.apache.commons.lang.StringUtils;
 
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.io.PrintWriter;
+import javax.servlet.http.HttpServletRequest;
 
 /**
  * @author Shengzhao Li
@@ -17,16 +15,28 @@ public abstract class WebUtils {
     }
 
 
-    public static void writeJson(HttpServletResponse response, JSON json) {
-        response.setContentType("application/json;charset=UTF-8");
-        try {
-            PrintWriter writer = response.getWriter();
-            json.write(writer);
-            writer.flush();
-        } catch (IOException e) {
-            throw new IllegalStateException("Write json to response error", e);
+    /**
+     * Retrieve client ip address
+     *
+     * @param request HttpServletRequest
+     * @return IP
+     */
+    public static String retrieveClientIp(HttpServletRequest request) {
+        String ip = request.getHeader("x-forwarded-for");
+        if (isUnAvailableIp(ip)) {
+            ip = request.getHeader("Proxy-Client-IP");
         }
+        if (isUnAvailableIp(ip)) {
+            ip = request.getHeader("WL-Proxy-Client-IP");
+        }
+        if (isUnAvailableIp(ip)) {
+            ip = request.getRemoteAddr();
+        }
+        return ip;
+    }
 
+    private static boolean isUnAvailableIp(String ip) {
+        return (StringUtils.isEmpty(ip) || "unknown".equalsIgnoreCase(ip));
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/cc/wdcy/web/controller/mobile/MobileController.java b/src/main/java/cc/wdcy/web/controller/mobile/MobileController.java
index ebc7e65..4098a0d 100644
--- a/src/main/java/cc/wdcy/web/controller/mobile/MobileController.java
+++ b/src/main/java/cc/wdcy/web/controller/mobile/MobileController.java
@@ -2,14 +2,10 @@ package cc.wdcy.web.controller.mobile;
 
 import cc.wdcy.domain.dto.UserJsonDto;
 import cc.wdcy.service.UserService;
-import net.sf.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
-
-import javax.servlet.http.HttpServletResponse;
-
-import static cc.wdcy.web.WebUtils.writeJson;
+import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
  * @author Shengzhao Li
@@ -28,9 +24,9 @@ public class MobileController {
     }
 
     @RequestMapping("user_info")
-    public void userInfo(HttpServletResponse response) throws Exception {
-        final UserJsonDto jsonDto = userService.loadCurrentUserJsonDto();
-        writeJson(response, JSONObject.fromObject(jsonDto));
+    @ResponseBody
+    public UserJsonDto userInfo() throws Exception {
+        return userService.loadCurrentUserJsonDto();
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/cc/wdcy/web/controller/unity/UnityController.java b/src/main/java/cc/wdcy/web/controller/unity/UnityController.java
index 28fa385..8a28393 100644
--- a/src/main/java/cc/wdcy/web/controller/unity/UnityController.java
+++ b/src/main/java/cc/wdcy/web/controller/unity/UnityController.java
@@ -2,14 +2,10 @@ package cc.wdcy.web.controller.unity;
 
 import cc.wdcy.domain.dto.UserJsonDto;
 import cc.wdcy.service.UserService;
-import net.sf.json.JSONObject;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
-
-import javax.servlet.http.HttpServletResponse;
-
-import static cc.wdcy.web.WebUtils.writeJson;
+import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
  * @author Shengzhao Li
@@ -29,9 +25,9 @@ public class UnityController {
     }
 
     @RequestMapping("user_info")
-    public void userInfo(HttpServletResponse response) throws Exception {
-        final UserJsonDto jsonDto = userService.loadCurrentUserJsonDto();
-        writeJson(response, JSONObject.fromObject(jsonDto));
+    @ResponseBody
+    public UserJsonDto userInfo() throws Exception {
+        return userService.loadCurrentUserJsonDto();
     }
 
 }
\ No newline at end of file
diff --git a/src/main/java/cc/wdcy/web/oauth/OauthUserApprovalHandler.java b/src/main/java/cc/wdcy/web/oauth/OauthUserApprovalHandler.java
index 236d657..5946870 100644
--- a/src/main/java/cc/wdcy/web/oauth/OauthUserApprovalHandler.java
+++ b/src/main/java/cc/wdcy/web/oauth/OauthUserApprovalHandler.java
@@ -4,12 +4,12 @@ import cc.wdcy.domain.oauth.OauthClientDetails;
 import cc.wdcy.service.OauthService;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
-import org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler;
+import org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;
 
 /**
  * @author Shengzhao Li
  */
-public class OauthUserApprovalHandler extends TokenServicesUserApprovalHandler {
+public class OauthUserApprovalHandler extends TokenStoreUserApprovalHandler {
 
     private OauthService oauthService;
 
diff --git a/src/main/resources/spring/context.xml b/src/main/resources/spring/context.xml
index 57781ce..f18a430 100644
--- a/src/main/resources/spring/context.xml
+++ b/src/main/resources/spring/context.xml
@@ -3,9 +3,9 @@
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:tx="http://www.springframework.org/schema/tx" xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
-			http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+			http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
 		  http://www.springframework.org/schema/tx
-		  http://www.springframework.org/schema/tx/spring-tx-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
+		  http://www.springframework.org/schema/tx/spring-tx-4.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
 
 
     <!--annotation configuration -->
diff --git a/src/main/resources/spring/security.xml b/src/main/resources/spring/security.xml
index ef38d36..16744ba 100644
--- a/src/main/resources/spring/security.xml
+++ b/src/main/resources/spring/security.xml
@@ -4,9 +4,9 @@
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
              xmlns:mvc="http://www.springframework.org/schema/mvc"
-             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
                         http://www.springframework.org/schema/security
-                        http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
+                        http://www.springframework.org/schema/security/spring-security-4.0.xsd http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">
 
     <!--<debug/>-->
 
@@ -23,35 +23,38 @@
     <mvc:default-servlet-handler/>
 
     <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="oauth2AuthenticationManager"
-          entry-point-ref="oauth2AuthenticationEntryPoint">
+          entry-point-ref="oauth2AuthenticationEntryPoint" use-expressions="false">
         <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>
         <anonymous enabled="false"/>
         <http-basic entry-point-ref="oauth2AuthenticationEntryPoint"/>
 
         <custom-filter ref="clientCredentialsTokenEndpointFilter" before="BASIC_AUTH_FILTER"/>
         <access-denied-handler ref="oauth2AccessDeniedHandler"/>
+        <csrf disabled="true"/>
     </http>
 
     <!--unity http configuration-->
     <http pattern="/unity/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
-          access-decision-manager-ref="oauth2AccessDecisionManager">
+          access-decision-manager-ref="oauth2AccessDecisionManager" use-expressions="false">
         <anonymous enabled="false"/>
 
         <intercept-url pattern="/unity/**" access="ROLE_UNITY,SCOPE_READ"/>
 
         <custom-filter ref="unityResourceServer" before="PRE_AUTH_FILTER"/>
         <access-denied-handler ref="oauth2AccessDeniedHandler"/>
+        <csrf disabled="true"/>
     </http>
 
     <!--mobile http configuration-->
     <http pattern="/m/**" create-session="never" entry-point-ref="oauth2AuthenticationEntryPoint"
-          access-decision-manager-ref="oauth2AccessDecisionManager">
+          access-decision-manager-ref="oauth2AccessDecisionManager" use-expressions="false">
         <anonymous enabled="false"/>
 
         <intercept-url pattern="/m/**" access="ROLE_MOBILE,SCOPE_READ"/>
 
         <custom-filter ref="mobileResourceServer" before="PRE_AUTH_FILTER"/>
         <access-denied-handler ref="oauth2AccessDeniedHandler"/>
+        <csrf disabled="true"/>
     </http>
 
     <beans:bean id="clientCredentialsTokenEndpointFilter"
@@ -87,7 +90,7 @@
 
     <!--Config token services-->
     <!--<beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore"/>-->
-    <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
+    <beans:bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
         <beans:constructor-arg index="0" ref="dataSource"/>
     </beans:bean>
 
@@ -104,8 +107,16 @@
     <!--<oauth2:expression-handler id="oauth2ExpressionHandler"/>-->
     <!--<oauth2:web-expression-handler id="oauth2WebExpressionHandler"/>-->
 
+    <beans:bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory"
+                id="oAuth2RequestFactory">
+        <beans:constructor-arg name="clientDetailsService" ref="clientDetailsService"/>
+    </beans:bean>
+
+
     <beans:bean id="oauthUserApprovalHandler" class="cc.wdcy.web.oauth.OauthUserApprovalHandler">
-        <beans:property name="tokenServices" ref="tokenServices"/>
+        <beans:property name="tokenStore" ref="tokenStore"/>
+        <beans:property name="clientDetailsService" ref="clientDetailsService"/>
+        <beans:property name="requestFactory" ref="oAuth2RequestFactory"/>
         <beans:property name="oauthService" ref="oauthService"/>
     </beans:bean>
 
@@ -156,7 +167,7 @@
                 class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
 
 
-    <http access-denied-page="/login.jsp?authorization_error=2" disable-url-rewriting="true"
+    <http disable-url-rewriting="true" use-expressions="false"
           authentication-manager-ref="authenticationManager">
         <intercept-url pattern="/oauth/**" access="ROLE_USER,ROLE_UNITY,ROLE_MOBILE"/>
         <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
@@ -164,7 +175,9 @@
         <form-login authentication-failure-url="/login.jsp?authentication_error=1" default-target-url="/index.jsp"
                     login-page="/login.jsp" login-processing-url="/login.do"/>
         <logout logout-success-url="/index.jsp" logout-url="/logout.do"/>
+        <access-denied-handler error-page="/login.jsp?authorization_error=2"/>
         <anonymous/>
+        <csrf disabled="true"/>
     </http>
 
 
diff --git a/src/main/resources/spring/transaction.xml b/src/main/resources/spring/transaction.xml
index 4db9d35..f5a7100 100644
--- a/src/main/resources/spring/transaction.xml
+++ b/src/main/resources/spring/transaction.xml
@@ -3,7 +3,7 @@
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tx="http://www.springframework.org/schema/tx"
        xmlns:aop="http://www.springframework.org/schema/aop"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
-			http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.5.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
+			http://www.springframework.org/schema/beans/spring-beans-4.0.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd">
 
     <!--aop-->
     <aop:config>
diff --git a/src/main/webapp/WEB-INF/wdcy-servlet.xml b/src/main/webapp/WEB-INF/wdcy-servlet.xml
index 520c1af..e6276b8 100644
--- a/src/main/webapp/WEB-INF/wdcy-servlet.xml
+++ b/src/main/webapp/WEB-INF/wdcy-servlet.xml
@@ -18,11 +18,8 @@
     <mvc:resources mapping="/index.jsp*" location="/index.jsp"/>
     <mvc:resources mapping="/resources/**" location="/resources/"/>
 
-    <bean class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
-        <property name="order" value="2"/>
-    </bean>
-    <bean class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter">
-    </bean>
+    <mvc:annotation-driven/>
+    <mvc:default-servlet-handler/>
 
     <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
         <property name="viewClass" value="org.springframework.web.servlet.view.JstlView"/>
diff --git a/src/main/webapp/login.jsp b/src/main/webapp/login.jsp
index 42e413e..6319d58 100644
--- a/src/main/webapp/login.jsp
+++ b/src/main/webapp/login.jsp
@@ -16,11 +16,11 @@
 <form action="${pageContext.request.contextPath}/login.do" method="post">
 
     <label for="username">Username:</label>
-    <input type="text" id="username" name="j_username" value="" required="required"/>
+    <input type="text" id="username" name="username" value="" required="required"/>
     <br/>
     <br/>
     <label for="password">Password:</label>
-    <input type="password" name="j_password" id="password" value="" required="required"/>
+    <input type="password" name="password" id="password" value="" required="required"/>
     <br/>
     <input type="submit" value="Login" class="btn btn-primary"/>
     <span class="text-danger">