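<?xml version="1.0" encoding="UTF-8" ?>
<!--
    Spring Security 3.1 / Spring Security OAuth2 1.0 application context for the
    "optimal-security" authorization + resource server and its Spring MVC front end.

    Layout, top to bottom:
      1. Three <http> filter chains: /oauth/token (client authentication), the
         OAuth2-protected /user/** resources, and the default browser chain with
         form login.
      2. OAuth2 error handlers, the client-credentials filter and the access
         decision manager used by the resource chain.
      3. Hibernate transaction management and the user-security service layer.
      4. Authentication managers, password encoding, token services, the
         authorization/resource servers and the registered OAuth2 clients.
      5. Spring MVC wiring (handler mappings, view resolution, controllers).

    Comments tagged NOTE(review) flag settings a production deployment should
    confirm or harden; they describe the configuration as written and do not
    change it. The only code change in this revision is the bean id
    "beanMapping", which previously carried a trailing space.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:mvc="http://www.springframework.org/schema/mvc"
   
    xmlns:context="http://www.springframework.org/schema/context"    
    
    xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
    http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <!-- The xmlns:context prefix is declared but never used in this file and has no
         schemaLocation entry; harmless, but it can be dropped. The schemaLocation
         URLs are normally resolved from META-INF/spring.schemas on the classpath
         rather than fetched over the network.
         NOTE(review): none of the three <http> chains below sets requires-channel="https".
         Client secrets, user passwords and bearer tokens all travel through these
         chains, so TLS is presumably terminated in front of the container; confirm. -->

    <!-- Filter chain 1: the token endpoint. Clients authenticate with HTTP Basic
         against clientAuthenticationManager. No session is created and anonymous
         access is disabled, so IS_AUTHENTICATED_FULLY means real client credentials
         are required on every request. -->
    <http pattern="/oauth/token" create-session="never" authentication-manager-ref="clientAuthenticationManager"
        xmlns="http://www.springframework.org/schema/security">
        <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
        <anonymous enabled="false" />
        <http-basic />
        <!-- include this only if you need to authenticate clients via request parameters
             (client_id / client_secret in the request body instead of the Authorization
             header). NOTE(review): parameter-borne secrets are more likely to end up in
             access logs than a Basic header; keep this filter only for clients that
             genuinely cannot send an Authorization header. -->
        <custom-filter ref="clientCredentialsTokenEndpointFilter"
            before="BASIC_AUTH_FILTER" />
        <access-denied-handler ref="oauthAccessDeniedHandler" />
    </http>

    <!-- Filter chain 2: the OAuth2 protected resources are separated out into their own
         block so we can deal with authorization and error handling separately. This isn't
         mandatory, but it makes it easier to control the behaviour.
         The chain is stateless: resourceServerFilter validates the bearer token on every
         request, and accessDecisionManager (UnanimousBased, defined below) grants access
         only when both the ROLE_* and the SCOPE_* attribute are satisfied. -->
  <http pattern="/user/**" create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint"
     access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security" >
    <!-- NOTE(review): the first pattern suggests an access token is carried as a path
         segment. Path segments end up in server/proxy logs and Referer headers, whereas
         the token resourceServerFilter consumes comes from the Authorization header;
         confirm whether this path variable is really a token. Whether {access_token}
         is treated as a template or matched literally depends on the request matcher
         in use; either way the catch-all /user/** rule below still applies. -->
    <intercept-url pattern="/user/{access_token}" access="ROLE_USER,SCOPE_READ" />
    <intercept-url pattern="/user/trusted/message" access="ROLE_CLIENT,SCOPE_READ" />
    <intercept-url pattern="/user/message" access="ROLE_USER,SCOPE_READ" />
    <intercept-url pattern="/user/**" access="ROLE_USER,SCOPE_READ" />
    <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
    <access-denied-handler ref="oauthAccessDeniedHandler" />
  </http>
    
    
    <!-- Filter chain 3: everything else (browser traffic, the authorization endpoint and
         form login). Rules are evaluated top to bottom, so the specific /oauth/authorize
         rule must stay above /oauth/**. Denied users are sent to the sign-in page.
         NOTE(review): the 3.1 security namespace has no CSRF element, and nothing in this
         file protects the form posts to /login.do, /logout.do or the access-confirmation
         page; confirm CSRF protection is handled elsewhere before exposing them. -->
    <http access-denied-page="/signin" xmlns="http://www.springframework.org/schema/security">
        <!-- This needs to be anonymous so that the auth endpoint can handle oauth errors itself -->
        <intercept-url pattern="/oauth/authorize" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/oauth/**" access="ROLE_USER" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

        <form-login authentication-failure-url="/signin"
            default-target-url="/" login-page="/signin"
            login-processing-url="/login.do" />
        <logout logout-success-url="/" logout-url="/logout.do" />
        <anonymous />
    </http>

    <!-- Entry point for chain 2: answers unauthenticated resource requests with an OAuth2
         challenge. realmName is the same string as the resource-id further down; that is
         by convention only, nothing in this file enforces it. -->
    <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAuthenticationEntryPoint">
        <property name="realmName" value="optimal-security" />
    </bean>

    <!-- Shared access-denied handler for chains 1 and 2 (OAuth2-style error bodies). -->
    <bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.MediaTypeAwareAccessDeniedHandler" />

    <!-- Authenticates clients from client_id/client_secret request parameters on the token
         endpoint; wired into chain 1 ahead of the Basic filter. -->
    <bean id="clientCredentialsTokenEndpointFilter"
        class="org.springframework.security.oauth2.provider.filter.ClientCredentialsTokenEndpointFilter">
        <property name="authenticationManager" ref="clientAuthenticationManager" />
    </bean>

    <!-- Access decision for chain 2. UnanimousBased denies as soon as any voter denies:
         ScopeVoter handles SCOPE_* attributes, RoleVoter ROLE_* attributes and
         AuthenticatedVoter the IS_AUTHENTICATED_* attributes. With "ROLE_USER,SCOPE_READ"
         a token therefore needs both the user role and the read scope. -->
    <bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.UnanimousBased"
        xmlns="http://www.springframework.org/schema/beans">
        <constructor-arg>
            <list>
                <bean
                    class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
                <bean
                    class="org.springframework.security.access.vote.RoleVoter" />
                <bean
                    class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>


    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->

    <!-- Transaction manager for a single Hibernate SessionFactory (alternative 
        to JTA). optimalSessionFactory is defined in another context file. -->
    <bean id="userSecurityTransactionManager"
        class="org.springframework.orm.hibernate3.HibernateTransactionManager">
        <property name="sessionFactory" ref="optimalSessionFactory" />
    </bean>


    <!-- Abstract transactional proxy template: mutating method-name prefixes run in a
         read/write transaction, every other method (including loadUserByUsername on the
         user-security manager below) runs read-only. -->
    <bean id="userSecurityBaseProxyTemplate" abstract="true"
        class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="transactionManager" ref="userSecurityTransactionManager" />
        <property name="transactionAttributes">
            <props>
                <!-- see http://static.springframework.org/spring/docs/2.5.x/api/org/springframework/transaction/TransactionDefinition.html -->
                <prop key="create*">PROPAGATION_REQUIRED</prop>
                <prop key="add*">PROPAGATION_REQUIRED</prop>
                <prop key="save*">PROPAGATION_REQUIRED</prop>
                <prop key="delete*">PROPAGATION_REQUIRED</prop>
                <prop key="remove*">PROPAGATION_REQUIRED</prop>
                <prop key="update*">PROPAGATION_REQUIRED</prop>
                <prop key="*">PROPAGATION_REQUIRED,readOnly</prop>
            </props>
        </property>
    </bean>

    <!-- ********************************************************************************** 
        This is for transaction template holder where more application detailed transaction 
        and interception mechanism can be added to the template, such as a pre-interceptor 
        to check for user authorization. Currently identical to its parent.
         ************************************************************************************ -->
    <bean id="userSecurityTxProxyTemplate" abstract="true"
        parent="userSecurityBaseProxyTemplate" />

    <!-- ********************************************************************************** 
        Service binding. The "service" parent and the two DAOs (userSecurityDAO,
        roleSecurityDAO) are defined in another context file.
        ************************************************************************************ -->
    <bean id="baseUserSecurityService"
        class="net.usersecurity.service.impl.BaseUserSecurityServiceImpl"
        parent="service" abstract="true">
        <property name="userAccountDAO" ref="userSecurityDAO" />
        <property name="roleDAO" ref="roleSecurityDAO" />
    </bean>

    <!-- Transactional proxy around the account service. -->
    <bean id="userAccountService" parent="userSecurityTxProxyTemplate">
        <property name="target">
            <bean
                class="net.usersecurity.service.impl.UserAccountServiceImpl"
                parent="baseUserSecurityService">
            </bean>
        </property>
    </bean>

    <!-- Transactional proxy around the user-security manager. This bean is the
         user-service-ref of the main authenticationManager below, so the target class
         is expected to act as the UserDetailsService for form login. -->
    <bean id="userSecurityManager" parent="userSecurityTxProxyTemplate">
        <property name="target">
            <bean
                class="net.usersecurity.service.impl.UserSecurityManagerImpl">
                <property name="userAccountDAO" ref="userSecurityDAO" />
            </bean>
        </property>
    </bean>


    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->
    <!-- ************************************************************************************************************ -->

    <!-- Authenticates OAuth2 clients (chain 1) against the registered client details.
         NOTE(review): no <password-encoder> is configured on this provider, so client
         secrets are compared as the plain strings stored in the client list below. -->
    <authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
        <authentication-provider
            user-service-ref="clientDetailsUserService" />
    </authentication-manager>

    <!-- NOTE(review): the commented-out data source below still carries a database
         username/password into source control. Externalise the credentials (property
         placeholder or container JNDI) and delete this block once it is no longer needed. -->
    <!-- <bean id="myDataSource" class="org.apache.commons.dbcp.BasicDataSource" 
        destroy-method="close"> <property name="driverClassName" value="com.mysql.jdbc.Driver" 
        /> <property name="url" value="jdbc:mysql://localhost:3306/optimal" /> <property 
        name="username" value="optimal" /> <property name="password" value="optimal" 
        /> <property name="validationQuery" value="select * from user_account limit 
        1;" /> </bean> -->

    <!-- Password hashing for user accounts. ShaPasswordEncoder with no strength argument is
         SHA-1, and because the provider below declares no <salt-source> the hashes are
         unsalted.
         NOTE(review): unsalted SHA-1 is not an acceptable password hash today; the 3.1
         crypto module's org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
         is the usual replacement. Switching changes the stored hash format, so plan a
         re-hash-on-login migration rather than a drop-in swap. -->
    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" />

    <!-- Main authentication manager for form login (chain 3) and for the OAuth2 password
         grant; users are loaded through the transactional userSecurityManager proxy. -->
    <authentication-manager alias="authenticationManager"
        xmlns="http://www.springframework.org/schema/security">

        <authentication-provider
            user-service-ref="userSecurityManager">
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>

        <!-- optimalDataSource -->
        <!-- <autentication-provider user-service-ref="UserSecurityManagerImpl"> -->
        <!-- NOTE(review): if the JDBC provider below is ever revived, note that its
             authorities-by-username-query selects password columns rather than authority
             names, and the element name in the line above is misspelled. -->
        <!-- <authentication-provider> <password-encoder hash="sha" /> <jdbc-user-service 
            data-source-ref="myDataSource" users-by-username-query="select username, 
            password, account_enabled from user_account where username=?" authorities-by-username-query="select 
            username, password, account_enabled from user_account where username=?" /> 
            </authentication-provider> -->

    </authentication-manager>

    <!-- Adapts the client registry into a UserDetailsService so clients can authenticate
         with client-id / secret on the token endpoint. -->
    <bean id="clientDetailsUserService"
        class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails" />
    </bean>

    <!-- Token issuance and lookup. Tokens live in an InMemoryTokenStore, so they are lost
         on restart and not shared between nodes; no explicit validity periods are set,
         so RandomValueTokenServices applies its own defaults.
         NOTE(review): for anything beyond a single dev instance use a persistent store
         (JdbcTokenStore) and set accessTokenValiditySeconds / refreshTokenValiditySeconds
         deliberately, since refresh tokens are enabled here. -->
    <bean id="tokenServices"
        class="org.springframework.security.oauth2.provider.token.RandomValueTokenServices">
        <property name="tokenStore">
            <bean
                class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
        </property>
        <property name="supportRefreshToken" value="true" />
    </bean>

    <!-- Authorization server with every grant type enabled globally; the effective
         restriction per client is its authorized-grant-types attribute below. -->
    <oauth:authorization-server
        client-details-service-ref="clientDetails" token-services-ref="tokenServices">
        <oauth:authorization-code />
        <oauth:implicit />
        <oauth:refresh-token />
        <oauth:client-credentials />
        <oauth:password />
    </oauth:authorization-server>

    <!-- Bearer-token filter for chain 2. Requests are tagged with resource-id
         "optimal-security"; clients that declare resource-ids are checked against it. -->
    <oauth:resource-server id="resourceServerFilter"
        resource-id="optimal-security" token-services-ref="tokenServices" />

    <!-- Static client registry.
         NOTE(review): most entries look like the sample clients shipped with the Spring
         OAuth2 examples rather than real applications, and several need attention before
         this file reaches a production environment:
           - test-client and my-trusted-client have no secret yet are allowed the password,
             refresh_token and implicit grants with ROLE_TRUSTED_CLIENT and the "trust"
             scope, so anyone who knows the client-id can exchange user credentials for
             long-lived tokens. Remove them or give them a secret and a minimal grant set.
           - secrets "somesecret" and "secret" are placeholder values stored in plain text
             in source control.
           - redirect-uri="http://anywhere" is a plaintext placeholder; register exact
             https:// URIs.
           - several clients are granted authorization_code without any registered
             redirect-uri; with the 1.0 default redirect resolver such a client accepts the
             redirect_uri supplied in the request (confirm against the resolver in use),
             which lets an authorization code be sent to an attacker-chosen location.
           - clients without resource-ids are, as far as this file shows, not bound to a
             particular resource server. -->
    <oauth:client-details-service id="clientDetails">
        <oauth:client client-id="test-client"
            authorized-grant-types="password,authorization_code,refresh_token,implicit"
            authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" />
        <oauth:client client-id="my-trusted-client"
            authorized-grant-types="password,authorization_code,refresh_token,implicit"
            authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" />
        <oauth:client client-id="my-trusted-client-with-secret"
            authorized-grant-types="password,authorization_code,refresh_token,implicit"
            secret="somesecret" authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" />
        <oauth:client client-id="my-less-trusted-client"
            authorized-grant-types="authorization_code,implicit"
            authorities="ROLE_CLIENT" />
        <oauth:client client-id="my-client-with-registered-redirect"
            authorized-grant-types="authorization_code,client_credentials"
            authorities="ROLE_CLIENT" redirect-uri="http://anywhere"
            scope="read,trust" />
        <oauth:client client-id="my-untrusted-client-with-registered-redirect"
            authorized-grant-types="authorization_code" authorities="ROLE_CLIENT"
            redirect-uri="http://anywhere" scope="read" />
        <oauth:client client-id="tonr" resource-ids="optimal-security"
            authorized-grant-types="authorization_code" authorities="ROLE_CLIENT"
            scope="read,write" secret="secret" />
            
    <!-- <oauth:client client-id="optimal-application" resource-ids="sparklr" authorized-grant-types="authorization_code"
      authorities="ROLE_CLIENT" scope="read,write" secret="secret" />-->            
            
        <!-- The application's own client. It has no secret and no redirect-uri but every
             grant type and the "trust" scope (secret; redirect_uri etc. still to be added). -->
    <oauth:client client-id="optimal-application" resource-ids="optimal-security"
            authorized-grant-types="password,authorization_code,refresh_token,implicit"
            authorities="ROLE_CLIENT, ROLE_TRUSTED_CLIENT" scope="read,write,trust" />            
            
                        
    </oauth:client-details-service>

    <!-- Spring MVC: annotation-driven registers the handler mapping and adapter for
         @Controller classes; default-servlet-handler forwards unmatched URLs to the
         container's default servlet. -->
    <mvc:annotation-driven />

    <mvc:default-servlet-handler />

    <!-- Method-level security (@PreAuthorize / @PostAuthorize) with OAuth2 expressions such
         as scope checks; proxy-target-class="true" uses CGLIB proxies so it also applies
         to controllers without interfaces. -->
    <sec:global-method-security
        pre-post-annotations="enabled" proxy-target-class="true">
        <!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
        <sec:expression-handler ref="oauthExpressionHandler" />
    </sec:global-method-security>

    <oauth:expression-handler id="oauthExpressionHandler" />

    <!-- Login page used by chain 3 (login-page="/signin"). -->
    <mvc:view-controller path="/signin" view-name="security/signin" />

    <!-- LOCALE SUPPORT: switches the locale from a request parameter (default name "locale"). -->
    <mvc:interceptors>
        <bean
            class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor" />
    </mvc:interceptors>

    <!-- STATIC RESOURCES: /resources/** is served publicly from the webapp's /resources/ directory. -->
    <mvc:resources mapping="/resources/**" location="/resources/" />

    <!-- MESSAGE BUNDLES
         NOTE(review): the basename points inside the public /resources/ tree above, so the
         messages*.properties files are downloadable as static content. Usually harmless,
         but if anything beyond UI labels lands in them, move the bundle under /WEB-INF/
         or the classpath. cacheSeconds="0" rechecks the files on every lookup. -->
    <bean id="messageSource"
        class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <property name="basename" value="/resources/properties/messages" />
        <property name="cacheSeconds" value="0" />
    </bean>
    <bean id="localeResolver"
        class="org.springframework.web.servlet.i18n.CookieLocaleResolver" />

    <!-- CONTROLLER MAPPINGS
         NOTE(review): the explicit AnnotationMethodHandlerAdapter and
         DefaultAnnotationHandlerMapping below duplicate what <mvc:annotation-driven/>
         already registers in 3.1; presumably left over from an earlier version. Keeping
         both means annotated controllers are matched by two mappings with different
         orders, which makes the effective handler harder to reason about. -->
    <bean id="filenameController"
        class="org.springframework.web.servlet.mvc.UrlFilenameViewController" />

    <bean
        class="org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter" />
    <bean
        class="org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter" />

    <bean id="defaultMapping"
        class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
        <property name="order" value="1" />
        <property name="alwaysUseFullPath" value="false" />
    </bean>

    <!-- id fixed: it previously carried a trailing space ("beanMapping "), which is not a
         valid bean name and makes the bean impossible to reference reliably. -->
    <bean id="beanMapping"
        class="org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping">
        <property name="order" value="2" />
        <property name="alwaysUseFullPath" value="false" />
    </bean>

    <!-- Lowest-priority mapping: /test renders a view named after the URL filename. -->
    <bean
        class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
        <property name="order" value="3" />
        <property name="mappings">
            <value>
                <!-- see controller annotations -->
                /test=filenameController
            </value>
        </property>
    </bean>

    <!-- VIEW RESOLUTION -->
    <bean id="nameViewResolver"
        class="org.springframework.web.servlet.view.BeanNameViewResolver" />
    <!-- NOTE(review): no maxUploadSize is set, so multipart bodies are accepted at any size;
         set a limit to bound memory/disk use from unauthenticated uploads. -->
    <bean id="multipartResolver"
        class="org.springframework.web.multipart.commons.CommonsMultipartResolver">
    </bean>

    <!-- JSP views under /WEB-INF/pages/, which the container does not serve directly. -->
    <bean id="viewResolver"
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="requestContextAttribute" value="rc" />
        <property name="viewClass"
            value="org.springframework.web.servlet.view.JstlView" />
        <property name="prefix" value="/WEB-INF/pages/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <!-- Renders the user-approval (access confirmation) page for the authorization code
         and implicit flows; needs the client registry to show client details. -->
    <bean id="accessConfirmationController"
        class="net.sec.apps.security.web.controllers.AccessConfirmationController">
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>

    <bean id="userController"
        class="net.sec.apps.security.web.controllers.UserController">
    </bean>
    
    
    <bean id="accountController" class="net.sec.apps.security.web.controllers.AccountController">
  </bean>  

</beans>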