From dbd563f3f24bf75b8a52fa5ee328c6e5097071a2 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mitre.org>
Date: Thu, 5 Jul 2012 18:21:52 -0400
Subject: [PATCH] attempting to allow make use of SPEL

---
 openid-connect-server/.springBeans               |  3 ++-
 .../openid/connect/web/UserInfoEndpoint.java     |  2 +-
 .../main/webapp/WEB-INF/application-context.xml  |  7 +++++++
 .../src/main/webapp/WEB-INF/tags/topbar.tag      |  2 +-
 .../src/main/webapp/WEB-INF/user-context.xml     | 16 ++++++++++++----
 .../src/main/webapp/WEB-INF/web.xml              | 13 +++++++++++++
 6 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100644 openid-connect-server/src/main/webapp/WEB-INF/application-context.xml

diff --git a/openid-connect-server/.springBeans b/openid-connect-server/.springBeans
index 3a424e222..2d41e0cb6 100644
--- a/openid-connect-server/.springBeans
+++ b/openid-connect-server/.springBeans
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <beansProjectDescription>
 	<version>1</version>
-	<pluginVersion><![CDATA[2.8.1.201111220115-RELEASE]]></pluginVersion>
+	<pluginVersion><![CDATA[2.9.2.201205070117-RELEASE]]></pluginVersion>
 	<configSuffixes>
 		<configSuffix><![CDATA[xml]]></configSuffix>
 	</configSuffixes>
@@ -12,6 +12,7 @@
 		<config>src/main/webapp/WEB-INF/local-config.xml</config>
 		<config>src/main/webapp/WEB-INF/data-context.xml</config>
 		<config>src/main/webapp/WEB-INF/crypto-config.xml</config>
+		<config>src/main/webapp/WEB-INF/application-context.xml</config>
 	</configs>
 	<configSets>
 	</configSets>
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
index 8b3646963..3c5f1ff4c 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java
@@ -63,7 +63,7 @@ public class UserInfoEndpoint {
 	 * @throws UsernameNotFoundException		if the user does not exist or cannot be found
 	 * @throws UnknownUserInfoSchemaException	if an unknown schema is used
 	 */
-	@PreAuthorize("hasRole('ROLE_USER')") // TODO: need to add the check for the "openid" scope, which is REQUIRED
+	@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('openid')") // TODO: need to add the check for the "openid" scope, which is REQUIRED
 	@RequestMapping(value="/userinfo", method= {RequestMethod.GET, RequestMethod.POST})
 	public String getInfo(Principal p, @RequestParam("schema") String schema, Model model) {
 
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
new file mode 100644
index 000000000..daac473bb
--- /dev/null
+++ b/openid-connect-server/src/main/webapp/WEB-INF/application-context.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+
+</beans>
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/tags/topbar.tag b/openid-connect-server/src/main/webapp/WEB-INF/tags/topbar.tag
index 9c98ce37c..9608ddb8d 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/tags/topbar.tag
+++ b/openid-connect-server/src/main/webapp/WEB-INF/tags/topbar.tag
@@ -20,7 +20,7 @@
                 
                 	<security:authentication property="authorities" var="roles"/>
 
-                    <security:authorize ifAnyGranted="ROLE_USER">
+                    <security:authorize access="hasRole('ROLE_USER')">
                         Logged in as <a href="#"><%= request.getUserPrincipal().getName() %></a>
                     </security:authorize>
                 </p>
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml b/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
index 7f5ed2457..26449125d 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/user-context.xml
@@ -13,7 +13,14 @@
 		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
 
 
-	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
+	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
+		<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
+		<security:expression-handler ref="oauthExpressionHandler" />
+	</security:global-method-security>
+
+	<oauth2:expression-handler id="oauthExpressionHandler" />
+
+	<oauth2:web-expression-handler id="oauthWebExpressionHandler" />
 
 	<security:authentication-manager alias="authenticationManager">
 		<security:authentication-provider>
@@ -29,11 +36,12 @@
 		</security:authentication-provider>
 	</security:authentication-manager>
 		
-	<security:http auto-config="true" disable-url-rewriting="true"> <!-- authentication-manager-ref="springSecurityAuthenticationManager" -->
-		<security:intercept-url pattern="/oauth/**" access="ROLE_USER" />
-		<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
+	<security:http auto-config="true" disable-url-rewriting="true" use-expressions="true"> <!-- authentication-manager-ref="springSecurityAuthenticationManager" -->
+		<security:intercept-url pattern="/oauth/**" access="hasRole('ROLE_USER')" />
+		<security:intercept-url pattern="/**" access="permitAll" />
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:anonymous />
+		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>	
 
 </beans>
diff --git a/openid-connect-server/src/main/webapp/WEB-INF/web.xml b/openid-connect-server/src/main/webapp/WEB-INF/web.xml
index 175b96026..a6b494c5c 100644
--- a/openid-connect-server/src/main/webapp/WEB-INF/web.xml
+++ b/openid-connect-server/src/main/webapp/WEB-INF/web.xml
@@ -3,6 +3,19 @@
 	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 
+	<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
+	<context-param>
+		<param-name>contextConfigLocation</param-name>
+		<param-value>
+			/WEB-INF/application-context.xml
+		</param-value>
+	</context-param>
+	
+	<!-- Creates the Spring Container shared by all Servlets and Filters -->
+	<listener>
+		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+	</listener>
+	
 	<!-- filter through Spring Security -->
 
 	<filter>