From 3acb71763ab54a68931ae318efd3270a006c5ab3 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Thu, 16 Feb 2017 18:23:32 -0500
Subject: [PATCH] cleaned up UMA server overlay

---
 .../webapp/WEB-INF/application-context.xml    |   8 +-
 .../main/webapp/WEB-INF/endpoint-config.xml   |  35 +++
 .../src/main/resources/db/hsql/scopes.sql     |  22 +-
 .../webapp/WEB-INF/application-context.xml    | 282 ------------------
 .../main/webapp/WEB-INF/endpoint-config.xml   |  54 ++++
 .../src/main/webapp/WEB-INF/server-config.xml |  10 +-
 .../src/main/webapp/resources/js/admin.js     | 117 +++++---
 7 files changed, 183 insertions(+), 345 deletions(-)
 create mode 100644 openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
 delete mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml
 create mode 100644 uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml

diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
index b75074958..0727daf12 100644
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
@@ -144,7 +144,7 @@
 			create-session="stateless"
 			authentication-manager-ref="clientAuthenticationManager">
 		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-<!-- 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
+		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
@@ -157,7 +157,7 @@
 			create-session="stateless"
 			authentication-manager-ref="clientAuthenticationManager">
 		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-<!-- 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
+		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
@@ -170,6 +170,10 @@
 
 	<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
 
+	<!-- Additional endpoints for extensions (such as UMA) -->
+	
+	<import resource="endpoint-config.xml" />
+
 	<!-- SECOAUTH Authorization Server -->
 
 	<import resource="authz-config.xml" />
diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
new file mode 100644
index 000000000..6f3e96f07
--- /dev/null
+++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2017 The MITRE Corporation
+      and the MIT Internet Trust Consortium
+   
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+   
+      http://www.apache.org/licenses/LICENSE-2.0
+   
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+
+
+<!-- This file allows you to define additional endpoints, it's normally empty in the OIDC server and has entries in the UMA server -->
+
+</beans>
diff --git a/uma-server-webapp/src/main/resources/db/hsql/scopes.sql b/uma-server-webapp/src/main/resources/db/hsql/scopes.sql
index 9b0446af5..c3ea0b113 100755
--- a/uma-server-webapp/src/main/resources/db/hsql/scopes.sql
+++ b/uma-server-webapp/src/main/resources/db/hsql/scopes.sql
@@ -10,25 +10,25 @@ START TRANSACTION;
 -- Insert scope information into the temporary tables.
 -- 
 
-INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
-  ('openid', 'log in using your identity', 'user', false, true, false, null),
-  ('profile', 'basic profile information', 'list-alt', false, true, false, null),
-  ('email', 'email address', 'envelope', false, true, false, null),
-  ('address', 'physical address', 'home', false, true, false, null),
-  ('phone', 'telephone number', 'bell', false, true, false, null),
-  ('offline_access', 'offline access', 'time', false, false, false, null),
-  ('uma_protection', 'manage protected resources', 'briefcase', false, false, false, null),
-  ('uma_authorization', 'request access to protected resources', 'share', false, false, false, null);
+INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
+  ('openid', 'log in using your identity', 'user', false, true),
+  ('profile', 'basic profile information', 'list-alt', false, true),
+  ('email', 'email address', 'envelope', false, true),
+  ('address', 'physical address', 'home', false, true),
+  ('phone', 'telephone number', 'bell', false, true),
+  ('offline_access', 'offline access', 'time', false, false),
+  ('uma_protection', 'manage protected resources', 'briefcase', false, false),
+  ('uma_authorization', 'request access to protected resources', 'share', false, false);
   
 --
 -- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
 --
 
 MERGE INTO system_scope
-	USING (SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope, structured, structured_param_description)
+	USING (SELECT scope, description, icon, restricted, default_scope  FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope)
 	ON vals.scope = system_scope.scope
 	WHEN NOT MATCHED THEN
-	  INSERT (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope, vals.structured, vals.structured_param_description);
+	  INSERT (scope, description, icon, restricted, default_scope) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope);
 
 COMMIT;
 
diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml
deleted file mode 100644
index fe2f28a3d..000000000
--- a/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml
+++ /dev/null
@@ -1,282 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-    Copyright 2017 The MITRE Corporation
-      and the MIT Internet Trust Consortium
-   
-    Licensed under the Apache License, Version 2.0 (the "License");
-    you may not use this file except in compliance with the License.
-    You may obtain a copy of the License at
-   
-      http://www.apache.org/licenses/LICENSE-2.0
-   
-    Unless required by applicable law or agreed to in writing, software
-    distributed under the License is distributed on an "AS IS" BASIS,
-    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-    See the License for the specific language governing permissions and
-    limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
-	xmlns:mvc="http://www.springframework.org/schema/mvc"
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:tx="http://www.springframework.org/schema/tx"
-	xmlns:context="http://www.springframework.org/schema/context"
-	xmlns:security="http://www.springframework.org/schema/security"
-	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
-	xmlns:util="http://www.springframework.org/schema/util"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
-		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
-		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd
-		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
-
-	<!-- Scan for components -->
-	<context:component-scan annotation-config="true" base-package="org.mitre" />
-
-	<!-- Enables the Spring MVC @Controller programming model -->
-	<tx:annotation-driven transaction-manager="transactionManager" />
-	<mvc:annotation-driven ignore-default-model-on-redirect="true">
-		<mvc:message-converters>
-			<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
-			<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
-		</mvc:message-converters>
-	</mvc:annotation-driven>
-
-	<mvc:interceptors>
-		<!-- Inject the UserInfo into the response -->
-		<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
-		<!-- Inject the server configuration into the response -->
-		<bean id="serverConfigInterceptor" class="org.mitre.openid.connect.web.ServerConfigInterceptor" />
-	</mvc:interceptors>
-
-	<mvc:default-servlet-handler />
-
-	<!-- Bean to hold configuration properties -->
-	<import resource="server-config.xml" />
-
-	<!-- Import the data context -->
-	<import resource="data-context.xml" />
-
-	<!-- SPEL processors -->
-	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
-		<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
-		<security:expression-handler ref="oauthExpressionHandler" />
-	</security:global-method-security>
-
-	<oauth:expression-handler id="oauthExpressionHandler" />
-
-	<oauth:web-expression-handler id="oauthWebExpressionHandler" />
-
-	<!-- Spring Security configuration -->
-
-	<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" />
-
-	<security:http pattern="/token" 
-		create-session="stateless"
-		authentication-manager-ref="clientAuthenticationManager"
-		entry-point-ref="oauthAuthenticationEntryPoint"
-		use-expressions="true">
-		
-		<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
-		<security:intercept-url pattern="/token" access="isAuthenticated()" />
-		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-		<!-- include this only if you need to authenticate clients via request parameters -->
-		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
-		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<!-- Allow open access to discovery endpoints -->
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:csrf disabled="true"/>
-	</security:http>
-	<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<!-- Allow open access to all static resources -->	
-	<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/resources/**" access="permitAll"/>
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:csrf disabled="true"/>
-	</security:http>
-	
-	<!-- OAuth-protect API and other endpoints -->
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:intercept-url pattern="/register/**" access="permitAll"/>
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:intercept-url pattern="/resource/**" access="permitAll"/>
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<security:http pattern="/#{T(org.mitre.uma.web.ResourceSetRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<security:http pattern="/#{T(org.mitre.uma.web.PermissionRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:csrf disabled="true"/>
-	</security:http>
-	
-	<security:http pattern="/#{T(org.mitre.uma.web.AuthorizationRequestEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
- 	<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
-		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
-		<security:expression-handler ref="oauthWebExpressionHandler" />
-		<security:csrf disabled="true"/>
-	</security:http>
-	
-	<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" 
-			use-expressions="true" 
-			entry-point-ref="oauthAuthenticationEntryPoint" 
-			create-session="stateless"
-			authentication-manager-ref="clientAuthenticationManager">
-		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-<!-- 		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" /> -->
-		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
-			use-expressions="true" 
-			entry-point-ref="oauthAuthenticationEntryPoint" 
-			create-session="stateless"
-			authentication-manager-ref="clientAuthenticationManager">
-		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
-<!-- 		<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" /> -->
-		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
-		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
-		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
-		<security:csrf disabled="true"/>
-	</security:http>
-
-	<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
-		<property name="realmName" value="openidconnect" />
-	</bean>
-
-	<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
-
-	<!-- SECOAUTH Authorization Server -->
-
-	<import resource="authz-config.xml" />
-
-	<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
-
-	<bean id="clientAuthMatcher" class="org.mitre.openid.connect.filter.MultiUrlRequestMatcher">
-		<constructor-arg name="filterProcessesUrls">
-			<set>
-				<value>/introspect</value>
-				<value>/revoke</value>
-				<value>/token</value>
-			</set>
-		</constructor-arg>
-	</bean>
-
-	<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
-		<property name="authenticationManager" ref="clientAuthenticationManager" />
-		<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
-	</bean>
-	
-	<bean id="clientAssertionEndpointFilter" class="org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
-		<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
-		<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
-	</bean>
-
-	<security:authentication-manager id="clientAuthenticationManager">
-		<security:authentication-provider user-service-ref="clientUserDetailsService" />
-		<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
-	</security:authentication-manager>
-
-	<security:authentication-manager id="clientAssertionAuthenticationManager">
-		<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
-	</security:authentication-manager>
-	
-	<bean id="clientAssertionAuthenticationProvider" class="org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider" />
-
-	<!-- Configure locale information -->
-	<import resource="locale-config.xml" />
-
-	<!-- user services -->
-	<import resource="user-context.xml" />
-
-	<!-- assertion processing -->
-	<import resource="assertion-config.xml" />
-
-	<!-- End Spring Security configuration -->
-
-	<!-- JPA -->
-
-	<import resource="jpa-config.xml" />
-
-	<!-- End JPA -->
-
-	<!-- Crypto -->
-
-	<import resource="crypto-config.xml" />
-
-	<!-- End Crypto -->
-
-	<!-- View configuration -->
-
-	<!-- Handles HTTP GET requests for /resources/** by efficiently serving 
-		up static resources in the ${webappRoot}/resources directory -->
-	<mvc:resources mapping="/resources/**" location="/resources/" />
-
-	<!-- Resolves views selected for rendering by @Controllers to .jsp resources 
-		in the /WEB-INF/views directory -->
-	<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
-		<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
-		<property name="prefix" value="/WEB-INF/views/" />
-		<property name="suffix" value=".jsp" />
-		<property name="order" value="2" />
-	</bean>
-
-	<!-- Resolve views based on string names -->
-	<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
-		<property name="order" value="1" />
-	</bean>
-
-	<!-- End view configuration -->
-
-	<!--Import scheduled task configuration -->
-	<import resource="task-config.xml" />
-
-	<!-- import application-local configuration information (such as bean definitions) -->
-	<import resource="local-config.xml" />
-
-</beans>
diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml b/uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
new file mode 100644
index 000000000..dc4cb15cf
--- /dev/null
+++ b/uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright 2017 The MITRE Corporation
+      and the MIT Internet Trust Consortium
+   
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+   
+      http://www.apache.org/licenses/LICENSE-2.0
+   
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:mvc="http://www.springframework.org/schema/mvc"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xmlns:tx="http://www.springframework.org/schema/tx"
+	xmlns:context="http://www.springframework.org/schema/context"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
+		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
+
+
+	<security:http pattern="/#{T(org.mitre.uma.web.ResourceSetRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:expression-handler ref="oauthWebExpressionHandler" />
+		<security:csrf disabled="true"/>
+	</security:http>
+
+	<security:http pattern="/#{T(org.mitre.uma.web.PermissionRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:expression-handler ref="oauthWebExpressionHandler" />
+		<security:csrf disabled="true"/>
+	</security:http>
+	
+	<security:http pattern="/#{T(org.mitre.uma.web.AuthorizationRequestEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+		<security:expression-handler ref="oauthWebExpressionHandler" />
+		<security:csrf disabled="true"/>
+	</security:http>
+
+</beans>
diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml b/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml
index afaadc309..f4ea0603b 100644
--- a/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml
+++ b/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml
@@ -43,7 +43,7 @@
 		<!-- This property sets the lifetime of registration access tokens, in seconds. Leave it unset (null) for no rotation. -->
 		<!-- <property name="regTokenLifeTime" value="172800" /> -->
 		
-		<!-- This property forces the issuer value to start with "https" -->
+		<!-- This property forces the issuer value to start with "https", recommended on production servers -->
 		<!-- <property name="forceHttps" value="true" /> -->
 		
 		<!-- This property sets the locale for server text -->
@@ -56,6 +56,14 @@
 				<value>messages</value>
 			</list>
 		</property>
+
+		<!-- This property indicates if a dynamically registered client supports dual flows, such as client_credentials
+		at the same time with authorization_code or implicit -->
+		<!-- <property name="dualClient" value="true" /> -->
+		
+		<!-- This property turns on HEART compliance mode -->
+		<!-- <property name="heartMode" value="true" /> -->
+
 	</bean>
 	
 </beans>
diff --git a/uma-server-webapp/src/main/webapp/resources/js/admin.js b/uma-server-webapp/src/main/webapp/resources/js/admin.js
index 0020d3dc6..c21e3a143 100644
--- a/uma-server-webapp/src/main/webapp/resources/js/admin.js
+++ b/uma-server-webapp/src/main/webapp/resources/js/admin.js
@@ -94,22 +94,7 @@ var ListWidgetChildView = Backbone.View.extend({
         
         this.model.destroy({
         	dataType: false, processData: false,
-        	error:function (error, response) {
-        		console.log("An error occurred when deleting from a list widget");
-
-				//Pull out the response text.
-				var responseJson = JSON.parse(response.responseText);
-        		
-        		//Display an alert with an error message
-				$('#modalAlert div.modal-header').html(responseJson.error);
-        		$('#modalAlert div.modal-body').html(responseJson.error_description);
-        		
-    			 $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog
-    				 "backdrop" : "static",
-    				 "keyboard" : true,
-    				 "show" : true // ensure the modal is shown immediately
-    			 });
-        	}
+        	error:app.errorHandlerView.handleError()
         });
         
     },
@@ -390,14 +375,14 @@ var ErrorHandlerView = Backbone.View.extend({
 			message = {};
 		}
 
-		if (message.log) {
-			console.log(message.log);
-		}
-
 		var _self = this;
 
 		return function(model, response, options) {
-
+			
+			if (message.log) {
+				console.log(message.log);
+			}
+			
 			_self.showErrorMessage(
 					_self.headerTemplate({message: message, model: model, response: response, options: options}),
 					_self.template({message: message, model: model, response: response, options: options})
@@ -406,8 +391,8 @@ var ErrorHandlerView = Backbone.View.extend({
 			$('#modalAlert .modal-body .page-reload').on('click', _self.reloadPage);
 
 		}
-	},
-
+	}, 
+	
 	showErrorMessage:function(header, message) {
 		// hide the sheet if it's visible
 		$('#loadingbox').sheet('hide');
@@ -554,21 +539,42 @@ var AppRouter = Backbone.Router.extend({
     			contacts.push(userInfo.email);
     		}
     		
-        	client.set({
-        		tokenEndpointAuthMethod: "SECRET_BASIC",
-        		generateClientSecret:true,
-        		displayClientSecret:false,
-        		requireAuthTime:true,
-        		defaultMaxAge:60000,
-        		scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
-        		accessTokenValiditySeconds:3600,
-        		idTokenValiditySeconds:600,
-        		grantTypes: ["authorization_code"],
-        		responseTypes: ["code"],
-        		subjectType: "PUBLIC",
-        		jwksType: "URI",
-        		contacts: contacts
-        	}, { silent: true });
+    		// use a different set of defaults based on heart mode flag
+    		if (heartMode) {
+            	client.set({
+            		tokenEndpointAuthMethod: "PRIVATE_KEY",
+            		generateClientSecret:false,
+            		displayClientSecret:false,
+            		requireAuthTime:true,
+            		defaultMaxAge:60000,
+            		scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
+            		accessTokenValiditySeconds:3600,
+            		refreshTokenValiditySeconds:24*3600,
+            		idTokenValiditySeconds:300,
+            		grantTypes: ["authorization_code"],
+            		responseTypes: ["code"],
+            		subjectType: "PUBLIC",
+            		jwksType: "URI",
+            		contacts: contacts
+            	}, { silent: true });
+    		} else {
+    			// set up this new client to require a secret and have us autogenerate one
+            	client.set({
+            		tokenEndpointAuthMethod: "SECRET_BASIC",
+            		generateClientSecret:true,
+            		displayClientSecret:false,
+            		requireAuthTime:true,
+            		defaultMaxAge:60000,
+            		scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
+            		accessTokenValiditySeconds:3600,
+            		idTokenValiditySeconds:600,
+            		grantTypes: ["authorization_code"],
+            		responseTypes: ["code"],
+            		subjectType: "PUBLIC",
+            		jwksType: "URI",
+            		contacts: contacts
+            	}, { silent: true });
+    		}
         	
         	
         	$('#content').html(view.render().el);
@@ -921,17 +927,30 @@ var AppRouter = Backbone.Router.extend({
     			contacts.push(userInfo.email);
     		}
     		
-    		client.set({
-        		require_auth_time:true,
-        		default_max_age:60000,
-        		scope: _.uniq(_.flatten(app.systemScopeList.defaultUnrestrictedScopes().pluck("value"))).join(" "),
-        		token_endpoint_auth_method: 'client_secret_basic',
-        		grant_types: ["authorization_code"],
-        		response_types: ["code"],
-        		subject_type: "public",
-        		contacts: contacts
-        	}, { silent: true });
-    	
+    		if (heartMode) {
+    			client.set({
+    				require_auth_time:true,
+    				default_max_age:60000,
+    				scope: _.uniq(_.flatten(app.systemScopeList.defaultUnrestrictedScopes().pluck("value"))).join(" "),
+    				token_endpoint_auth_method: 'private_key_jwt',
+    				grant_types: ["authorization_code"],
+    				response_types: ["code"],
+    				subject_type: "public",
+    				contacts: contacts
+    			}, { silent: true });
+    		} else {
+    			client.set({
+    				require_auth_time:true,
+    				default_max_age:60000,
+    				scope: _.uniq(_.flatten(app.systemScopeList.defaultUnrestrictedScopes().pluck("value"))).join(" "),
+    				token_endpoint_auth_method: 'client_secret_basic',
+    				grant_types: ["authorization_code"],
+    				response_types: ["code"],
+    				subject_type: "public",
+    				contacts: contacts
+    			}, { silent: true });
+    		}
+    		
     		$('#content').html(view.render().el);
     		view.delegateEvents();
     		setPageTitle($.t('dynreg.new-client'));