Merge branch 'march9'

server/src/main/java/org/mitre/openid/connect/token/ConnectAuthCodeTokenGranter.java

@@ -9,7 +9,6 @@ import java.util.Set;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.impl.DefaultOAuth2ProviderTokenService;
 import org.mitre.openid.connect.model.IdToken;
-import org.mitre.util.Utility;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
@@ -22,8 +21,8 @@ import org.springframework.security.oauth2.provider.ClientCredentialsChecker;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.TokenGranter;
+import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
 import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
-import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
 import org.springframework.stereotype.Component;
 
 /**
@@ -42,7 +41,7 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
 	private static final String GRANT_TYPE = "authorization_code";
 	
 	@Autowired
-	private JdbcAuthorizationCodeServices authorizationCodeServices;
+	private AuthorizationCodeServices authorizationCodeServices;
 
 	@Autowired
 	private ClientCredentialsChecker clientCredentialsChecker;
@@ -70,7 +69,7 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
 	 */
 	public ConnectAuthCodeTokenGranter(
 			DefaultOAuth2ProviderTokenService tokenServices,
-			JdbcAuthorizationCodeServices authorizationCodeServices,
+			AuthorizationCodeServices authorizationCodeServices,
 			ClientDetailsService clientDetailsService) {
 		
 		setTokenServices(tokenServices);
@@ -156,14 +155,14 @@ public class ConnectAuthCodeTokenGranter implements TokenGranter {
 	/**
 	 * @return the authorizationCodeServices
 	 */
-	public JdbcAuthorizationCodeServices getAuthorizationCodeServices() {
+	public AuthorizationCodeServices getAuthorizationCodeServices() {
 		return authorizationCodeServices;
 	}
 
 	/**
 	 * @param authorizationCodeServices the authorizationCodeServices to set
 	 */
-	public void setAuthorizationCodeServices(JdbcAuthorizationCodeServices authorizationCodeServices) {
+	public void setAuthorizationCodeServices(AuthorizationCodeServices authorizationCodeServices) {
 		this.authorizationCodeServices = authorizationCodeServices;
 	}
 

server/src/main/webapp/WEB-INF/spring/appServlet/servlet-context.xml

@@ -4,18 +4,18 @@
 	xmlns:beans="http://www.springframework.org/schema/beans"
 	xmlns:context="http://www.springframework.org/schema/context"
 	xmlns:security="http://www.springframework.org/schema/security"
+	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
 	xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.0.xsd
 		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
 		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
-		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">
+		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
+		http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
 
 	<!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
 	
 	<!-- Enables the Spring MVC @Controller programming model -->
 	<annotation-driven />
 
-	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>
-
 	<!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
 	<resources mapping="/resources/**" location="/resources/" />
 
@@ -41,5 +41,12 @@
 <!-- 	<beans:bean id="jsonIdTokenView" class="org.mitre.openid.connect.view.JSONIdTokenView"/> -->
 	
 	<beans:import resource="controllers.xml" />
+
+	<!-- SECOAUTH Authorization Server, with our custom token granter plugged in -->
+	<oauth:authorization-server client-details-service-ref="defaultOAuth2ClientDetailsEntityService" 
+		token-services-ref="defaultOAuth2ProviderTokenService" token-granter-ref="connectAuthCodeTokenGranter"
+		authorization-endpoint-url="/openidconnect/auth">
+		<oauth:authorization-code authorization-code-services-ref="authCodeServices"/>
+	</oauth:authorization-server>
 	
 </beans:beans>

server/src/main/webapp/WEB-INF/spring/application-context.xml

@@ -14,21 +14,51 @@
 		http://www.mitre.org/schema/openid-connect/jwt-signer http://www.mitre.org/schema/openid-connect/jwt-signer/jwt-signer-1.0.xsd
 		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
 		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
+	
+	<!-- Root Context: defines shared resources visible to all other web components -->
 		
 	<import resource="data-context.xml" />	
 
-	<import resource="security-context.xml" />
+	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="springSecurityAuthenticationManager"/>
+	<security:http use-expressions="true" auto-config="true" authentication-manager-ref="springSecurityAuthenticationManager">
+<!-- 		<security:intercept-url pattern="/oauth/user/**" access="hasRole('ROLE_USER')"/> -->
+		<security:intercept-url pattern="/*" access="permitAll"/>
+		
+	</security:http>
+		
+	<bean id="clientCredentialsChecker" class="org.springframework.security.oauth2.provider.ClientCredentialsChecker">
+		<constructor-arg>
+			<bean class="org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService"/>
+		</constructor-arg>
+	</bean>	
+		
+	<!-- Authorization Code Service, used by TokenGranter -->
+<!-- 	<bean id="jdbcAuthCodeServices" class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices"> -->
+<!-- 		<constructor-arg> -->
+<!-- 			<ref bean="dataSource"/> -->
+<!-- 		</constructor-arg> -->
+<!-- 	</bean> -->
+
+	
+
+	<bean id="authCodeServices" class="org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices"/>
+
+	<security:authentication-manager id="springSecurityAuthenticationManager">
+		<security:authentication-provider>
+			<security:user-service id="userDetailsService">
+		    	<security:user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
+		    	<security:user name="bob" password="bobspassword" authorities="ROLE_USER" />
+		  	</security:user-service>
+		</security:authentication-provider>
+	</security:authentication-manager>	
 		
 	<tx:annotation-driven transaction-manager="transactionManager" />
-
-	<!-- Root Context: defines shared resources visible to all other web components -->
+	
 	<bean id="jpaAdapter" class="org.springframework.orm.jpa.vendor.EclipseLinkJpaVendorAdapter">
 		<property name="databasePlatform" value="org.eclipse.persistence.platform.database.MySQLPlatform" />
 		<property name="showSql" value="true" />
 	</bean>
-	
-	
-	
+
 	<!-- Map our custom exception classes to named views -->
 	<bean class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
 	   <property name="exceptionMappings">
@@ -65,9 +95,9 @@
 	</jwt-signer:service>
 	 
 	<!-- scheduled tasks -->
-	<task:scheduler id="taskScheduler" pool-size="10" />
-	<task:executor id="taskExecutor" pool-size="5" />
-	<task:annotation-driven scheduler="taskScheduler" executor="taskExecutor" />
+<!-- 	<task:scheduler id="taskScheduler" pool-size="10" /> -->
+<!-- 	<task:executor id="taskExecutor" pool-size="5" /> -->
+<!-- 	<task:annotation-driven scheduler="taskScheduler" executor="taskExecutor" /> -->
 	
 	<!-- load everything except controllers (those get handled elsewhere) -->
     <context:component-scan annotation-config="true" base-package="org.mitre">

server/src/main/webapp/WEB-INF/spring/security-context.xml

@@ -1,48 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns:p="http://www.springframework.org/schema/p"
-	xmlns:oauth2="http://www.springframework.org/schema/security/oauth2"
-	xmlns="http://www.springframework.org/schema/beans"
-	xmlns:security="http://www.springframework.org/schema/security"
-	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
-		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
-		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
-
-	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"/>
-
-	<security:http use-expressions="true" auto-config="true">
-<!-- 		<security:intercept-url pattern="/oauth/user/**" access="hasRole('ROLE_USER')"/> -->
-		<security:intercept-url pattern="/*" access="permitAll"/>
-		
-	</security:http>
-	
-	<!-- Authorization Code Service, used by TokenGranter -->
-	<bean id="jdbcAuthCodeServices" class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">
-		<constructor-arg>
-			<bean class="org.apache.commons.dbcp.BasicDataSource"/>
-		</constructor-arg>
-	</bean>
-	
-	<bean id="clientCredentialsChecker" class="org.springframework.security.oauth2.provider.ClientCredentialsChecker">
-		<constructor-arg>
-			<bean class="org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService"/>
-		</constructor-arg>
-	</bean>
-	
-	<!-- SECOAUTH Authorization Server, with our custom token granter plugged in -->
-	<oauth2:authorization-server client-details-service-ref="defaultOAuth2ClientDetailsEntityService" 
-		token-services-ref="defaultOAuth2ProviderTokenService" token-granter-ref="connectAuthCodeTokenGranter"
-		authorization-endpoint-url="/openidconnect/auth">
-		<oauth2:authorization-code />
-	</oauth2:authorization-server>
-	
-	<security:authentication-manager>
-		<security:authentication-provider>
-			<security:user-service id="userDetailsService">
-		    	<security:user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
-		    	<security:user name="bob" password="bobspassword" authorities="ROLE_USER" />
-		  	</security:user-service>
-		</security:authentication-provider>
-	</security:authentication-manager>
-
-</beans>

server/src/main/webapp/WEB-INF/web.xml

@@ -15,13 +15,15 @@
 	<listener>
 		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 	</listener>
-	
-	
 
 	<!-- Since we defined a custom authorization-endpoint-url, we need an additional filter: -->
 	<filter>
 	    <filter-name>oauth2EndpointUrlFilter</filter-name>
 	    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+	    <init-param>
+	        <param-name>contextAttribute</param-name>
+	        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.appServlet</param-value>
+	    </init-param>
 	</filter>
 	
 	<filter-mapping>
@@ -33,6 +35,10 @@
 	<filter>
 	    <filter-name>springSecurityFilterChain</filter-name>
 	    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+	     <init-param>
+	        <param-name>contextAttribute</param-name>
+	        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.appServlet</param-value>
+	    </init-param>
 	</filter>
 
 	<filter-mapping>