diff --git a/server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java b/server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java
index c9f41014e..d6cecaad9 100644
--- a/server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java
+++ b/server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java
@@ -46,6 +46,7 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
 @Autowired private ClientCredentialsChecker clientCredentialsChecker;
+ //TODO: Do we need to modify/update this?
 @Autowired private DefaultOAuth2ProviderTokenService tokenServices;
@@ -114,12 +115,11 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
 throw new InvalidClientException("Client ID mismatch");
 }
- // Secret is not required in the authorization request, so it won't be available
+ // From SECOAUTH: Secret is not required in the authorization request, so it won't be available
 // in the unconfirmedAuthorizationCodeAuth. We do want to check that a secret is provided
 // in the new request, but that happens elsewhere.
- // Similarly scopes are not required in the authorization request, so we don't make a comparison here, just
- // enforce validity through the ClientCredentialsChecker
+ //Validate credentials
 AuthorizationRequest authorizationRequest = clientCredentialsChecker.validateCredentials(grantType, clientId, unconfirmedAuthorizationRequest.getScope());
 if (authorizationRequest == null) {
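Review bot: The replacement comment `//Validate credentials` in the second hunk drops the explanation that scopes are deliberately not compared against the token request here and are instead taken from `unconfirmedAuthorizationRequest.getScope()` and enforced by `clientCredentialsChecker.validateCredentials(...)`. That rationale is what tells the next reader the absence of a scope comparison is intentional rather than an omission in a credential check. Keep it in the new comment, e.g. `// Validate credentials. Scopes are not compared with the token request here; the scopes` / `// of the original authorization request are enforced by the ClientCredentialsChecker.`. The enclosing method starts before this hunk and continues after it.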
@@ -130,11 +130,20 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
 OAuth2AccessTokenEntity token = tokenServices.createAccessToken(new OAuth2Authentication(authorizationRequest, userAuth));
- IdToken idToken = new IdToken();
-
- //TODO: build IdToken
-
- //TODO: insert IdToken into OAuth2AccessTokenEntity
+ /**
+ * Authorization request scope MUST include "openid", but access token request
+ * may or may not include the scope parameter. As long as the AuthorizationRequest
+ * has the proper scope, we can consider this a valid OpenID Connect request.
+ */
+ if (authorizationRequest.getScope().contains("openid")) {
+ IdToken idToken = new IdToken();
+
+ //TODO: build IdToken
+
+ //Where does the data for the IdToken come from?
+
+ //TODO: insert IdToken into OAuth2AccessTokenEntity
+ }
 return token;
 }
diff --git a/server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml b/server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
index 5124cf084..edd1ff712 100644
--- a/server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
+++ b/server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml
@@ -3,7 +3,9 @@
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:security="http://www.springframework.org/schema/security"
 xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
@@ -12,6 +14,8 @@
+
+
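Review bot: The new `if (authorizationRequest.getScope().contains("openid"))` branch allocates `idToken` and then discards it, so `token` is returned unchanged whether or not the openid scope was granted; until the ID token is built and attached, the branch has no effect and nothing in the returned access token distinguishes an OpenID Connect request from a plain OAuth one. When the TODOs are filled in, the subject and client should come from values this method already holds after validation — `userAuth` for the authenticated user and the `clientId` that the earlier hunk checks for a mismatch — rather than from the unconfirmed request. The check also assumes `getScope()` is non-null; if the request object can return null here, guard it, `if (authorizationRequest.getScope() != null && authorizationRequest.getScope().contains("openid")) {`. The comment above the branch is written as Javadoc (`/** ... */`) on a statement inside the method, where it is not processed; a plain `/* ... */` or `//` comment is the conventional form. The enclosing method begins before this hunk.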
diff --git a/server/src/main/webapp/WEB-INF/spring/application-context.xml b/server/src/main/webapp/WEB-INF/spring/application-context.xml
index ca35f16c2..d89f810c2 100644
--- a/server/src/main/webapp/WEB-INF/spring/application-context.xml
+++ b/server/src/main/webapp/WEB-INF/spring/application-context.xml
@@ -5,13 +5,16 @@
 xmlns:context="http://www.springframework.org/schema/context" xmlns:security="http://www.springframework.org/schema/security" xmlns:task="http://www.springframework.org/schema/task"
- xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.0.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
-
-
+ xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+ xsi:schemaLocation=
+ "http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
+ http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.0.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
+
+
@@ -35,6 +38,13 @@
+
+
+
+
+
diff --git a/server/src/main/webapp/WEB-INF/web.xml b/server/src/main/webapp/WEB-INF/web.xml
index 110172899..f2c37cb74 100644
--- a/server/src/main/webapp/WEB-INF/web.xml
+++ b/server/src/main/webapp/WEB-INF/web.xml
@@ -14,6 +14,17 @@
 org.springframework.web.context.ContextLoaderListener
+
+
+ springSecurityFilterChain
+ org.springframework.web.filter.DelegatingFilterProxy
+
+
+
+ springSecurityFilterChain
+ /*
+
+
 appServlet
@@ -30,4 +41,11 @@
 /
+
+
+ *.jsp
+ true
+
+
+
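Review bot: The `springSecurityFilterChain` mapping to `/*` in the first hunk shows no dispatcher types; with no `<dispatcher>` element a filter-mapping applies to REQUEST dispatches only, so container-internal forwards and error-page dispatches are not passed through the security filter chain. Unless the lines whose element names were stripped in this rendering already carry them, add `<dispatcher>REQUEST</dispatcher>`, `<dispatcher>FORWARD</dispatcher>` and `<dispatcher>ERROR</dispatcher>` inside the filter-mapping so error pages and forwarded views are secured the same way as direct requests. In the second hunk the `*.jsp` / `true` pair has lost its element names, so which JSP property is being enabled cannot be confirmed from this page.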