configuration cleanup, closes #568

openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -51,7 +51,7 @@
 
 	<!-- SPEL processors -->
 	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
-	<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
+		<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
 		<security:expression-handler ref="oauthExpressionHandler" />
 	</security:global-method-security>
 
@@ -109,7 +109,7 @@
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>
 
- 	<security:http pattern="/api/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint">
+ 	<security:http pattern="/api/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>
@@ -143,27 +143,8 @@
 	<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
 
 	<!-- SECOAUTH Authorization Server -->
-	<oauth:authorization-server 
-		client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
-		authorization-request-manager-ref="connectOAuth2RequestFactory" 
-		token-services-ref="defaultOAuth2ProviderTokenService" 
-		user-approval-handler-ref="tofuUserApprovalHandler" 
-		request-validator-ref="oauthRequestValidator"
-		authorization-endpoint-url="/authorize" 
-		token-endpoint-url="/token">
-		
-		<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
-		<oauth:implicit />
-		<oauth:refresh-token/>
-		<oauth:client-credentials/>
-		<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
-		<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
 
-	</oauth:authorization-server>
-
-	<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
-
-	<bean id="oauthRequestValidator" class="org.mitre.oauth2.token.StructuredScopeAwareOAuth2RequestValidator" />
+	<import resource="authz-config.xml" />
 
 	<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
 		<property name="authenticationManager" ref="clientAuthenticationManager" />

openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Copyright 2014 The MITRE Corporation 
+    and the MIT Kerberos and Internet Trust Consortium
+  
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+  
+    http://www.apache.org/licenses/LICENSE-2.0
+  
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd">
+
+
+	<oauth:authorization-server 
+		client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
+		authorization-request-manager-ref="connectOAuth2RequestFactory" 
+		token-services-ref="defaultOAuth2ProviderTokenService" 
+		user-approval-handler-ref="tofuUserApprovalHandler" 
+		request-validator-ref="oauthRequestValidator"
+		authorization-endpoint-url="/authorize" 
+		token-endpoint-url="/token">
+		
+		<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
+		<oauth:implicit />
+		<oauth:refresh-token/>
+		<oauth:client-credentials/>
+		<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
+		<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
+
+	</oauth:authorization-server>
+
+	<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
+
+	<bean id="oauthRequestValidator" class="org.mitre.oauth2.token.StructuredScopeAwareOAuth2RequestValidator" />
+
+
+
+</beans>

openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml

@@ -42,22 +42,10 @@
 		<security:intercept-url pattern="/login**" access="permitAll"/>	
 	</security:http>
 	
-	<security:http disable-url-rewriting="true" use-expressions="true" pattern="/authorize"> 
-<!-- 		<security:intercept-url pattern="/authorize" access="IS_AUTHENTICATED_FULLY" /> -->
-		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
-		<security:custom-filter ref="promptFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:logout logout-url="/logout" />
-		<security:anonymous />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-	</security:http>	
-
-
-
 	<security:http disable-url-rewriting="true" use-expressions="true"> 
 		<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
 		<security:intercept-url pattern="/**" access="permitAll" />
 		<security:custom-filter ref="promptFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:logout logout-url="/logout" />
 		<security:anonymous />
 		<security:expression-handler ref="oauthWebExpressionHandler" />

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -392,6 +392,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		return tokenRepository.getRefreshTokensForClient(client);
 	}
 
+	/**
+	 * Clears out expired tokens and any abandoned authentication objects
+	 */
 	@Override
 	public void clearExpiredTokens() {
 		logger.info("Cleaning out all expired tokens");

openid-connect-server/src/main/java/org/mitre/openid/connect/web/AuthenticationTimeStamper.java

@@ -67,7 +67,7 @@ public class AuthenticationTimeStamper extends SavedRequestAwareAuthenticationSu
 			session.removeAttribute(PromptFilter.PROMPT_REQUESTED);
 		}
 
-		logger.info("Successful Authentication at " + authTimestamp.toString());
+		logger.info("Successful Authentication of " + authentication.getName() + " at " + authTimestamp.toString());
 
 		super.onAuthenticationSuccess(request, response, authentication);