I am implementing the control of concurrent session by Spring Security.
But when I login in the system by a Chrome with a User and after on the FireFox with the same User, does not display the error message. Also I get no exception in my console.
my web.xml :
<!-- ... -->
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
<!-- .... -->
my security.xml :
<-- .... -->
<security:http auto-config="true" use-expressions="true">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:form-login login-page="/login" default-target-url="/home"
authentication-failure-url="/login?logout=true"
authentication-success-handler-ref="authenticationSuccessHandler"
authentication-failure-handler-ref="authenticationFailureHandler"/>
<security:logout logout-url="/j_spring_security_logout" invalidate-session="true" success-handler-ref="logoutHandler"/>
<security:custom-filter ref="concurrencyFilter" position="CONCURRENT_SESSION_FILTER"/>
<security:session-management session-authentication-strategy-ref="concurrentSessionManager" session-authentication-error-url="/login?msg=SessionError"/>
</security:http>
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="sessionAuthenticationStrategy" ref="concurrentSessionManager"/>
</bean>
<!-- Authentication Manager -->
<security:authentication-manager alias="authenticationManager">
<!-- Custom Authentication provider -->
<security:authentication-provider ref="hemisphereAuthenticationProvider"/>
</security:authentication-manager>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<property name="sessionRegistry" ref="sessionRegistry"/>
<property name="expiredUrl" value="/login?msg=SessionError" />
</bean>
<bean id="concurrentSessionManager" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<property name="maximumSessions" value="1"/>
<property name="exceptionIfMaximumExceeded" value="true" />
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<bean id="hemisphereAuthenticationProvider" class="security.HemisphereAuthenticationProvider">
<property name="userDetailsService" ref="userDetailService"/>
</bean>
<bean id="authenticationSuccessHandler" class="security.HemisphereAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/home" />
<property name="alwaysUseDefaultTargetUrl" value="no" />
</bean>
<bean id="authenticationFailureHandler" class="security.HemisphereAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login" />
</bean>
<bean id="logoutHandler" class="security.HemisphereLogoutHandler"/>
what am I doing wrong?
Thanks for your attention!
Related
I am trying to create Oauth server with spring security and I am new to both of them.
The flow is, when I browse the following URL
http://localhost:8080/OAuthServer/oauth/authorize?response_type=code&redirect_uri=http://localhost:8080/client/handler&client_id=test
Problem 1 :I am being redirected to login
http://localhost:8080/OAuthServer/login
but after login authenticates my user is redirected to welcome page http://localhost:8080/OAuthServer/ instead of authorization page
Problem 2(strange): After I logout from welcome page and again do the same process again: broswe on OAuthServer/oauth/authorize?, it shows login page and after login,it is getting redirected to authorization page as expected. But this did not work on first try.
Problem 3 : Now, every time I browse OAuthServer/oauth/authorize? it shows authorization page instead of showing login page. This time I want to authenticate some other user but goes directly to authorization page.
In all the case, there is no error and I am getting authorization code and from code, I am getting access code and refresh code and able to access my resource \employee\list using access code
I am sure some config is wrong here. Please help me out.
Security.xml
<!-- Entry Url -->
<sec:http pattern="/oauth/token**" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint"
authentication-manager-ref="authenticationManager">
<sec:intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
<sec:anonymous enabled="false" />
<sec:custom-filter ref="clientCredentialsTokenEndpointFilter"
before="BASIC_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/oauth/authorize**" create-session="never"
entry-point-ref="LoginEntry">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/oauth/authorize"
access="IS_AUTHENTICATED_FULLY" />
</sec:http>
<bean id="LoginEntry"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg value="/login" />
</bean>
<sec:http pattern="/employee/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint" >
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/employee/**" access="ROLE_USER" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http pattern="/oauth/me**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint">
<sec:anonymous enabled="false" />
<sec:intercept-url pattern="/oauth/me" method="GET"
access="IS_AUTHENTICATED_FULLY" />
<sec:custom-filter ref="resourceServerFilter"
before="PRE_AUTH_FILTER" />
<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
</sec:http>
<sec:http authentication-manager-ref="loginAuthentication"
disable-url-rewriting="true">
<sec:intercept-url pattern="/admin**" access="ROLE_USER" />
<sec:form-login login-page="/login"
authentication-failure-url="/login?error" username-parameter="username"
password-parameter="password" />
<sec:logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<sec:csrf />
</sec:http>
<sec:authentication-manager id="loginAuthentication">
<sec:authentication-provider>
<sec:user-service>
<sec:user name="mkyong" password="123456" authorities="ROLE_USER" />
<sec:user name="test" password="1234" authorities="ROLE_USER" />
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- Server -->
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
authorization-request-manager-ref="SECAuthorizationRequestManager"
user-approval-handler-ref="SECTokenServicesUserApprovalHandler">
<oauth:authorization-code
authorization-code-services-ref="JdbcAuthorizationCodeServices" />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
</oauth:authorization-server>
<!-- Resource -->
<oauth:resource-server id="resourceServerFilter"
resource-id="springsec" token-services-ref="tokenServices" />
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="springsec" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>
<bean id="clientCredentialsTokenEndpointFilter" class="com.server.security.SECClientCredentialToken">
<property name="authenticationManager" ref="authenticationManager" />
<property name="clientDetails" ref="clientDetails" />
</bean>
<bean id="userCredentialsTokenEndpointFilter" class="com.server.security.SECUserCredential">
<property name="authenticationManager" ref="loginAuthentication" />
</bean>
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider
user-service-ref="clientDetailsUserService" />
</sec:authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="clientDetails" class="com.server.security.SECClientDetailsService">
<property name="id" value="test" />
<property name="secretKey" value="mycompanykey" />
</bean>
<bean id="SECTokenServicesUserApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
<property name="tokenServices" ref="tokenServices" />
</bean>
<bean id="SECAuthorizationRequestManager"
class="org.springframework.security.oauth2.provider.DefaultAuthorizationRequestManager">
<constructor-arg ref="clientDetails" />
</bean>
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="JdbcAuthorizationCodeServices"
class="org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices">
<constructor-arg ref="jdbcTemplate" />
</bean>
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
<constructor-arg ref="jdbcTemplate" />
</bean>
<bean id="jdbcTemplate"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url"
value="jdbc:mysql://serverhost:7306/Oauth?useSSL=false" />
<property name="username" value="username" />
<property name="password" value="password" />
</bean>
<!-- End Persistence Layer -->
<!-- ModelViewController -->
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<context:annotation-config />
<context:component-scan
base-package="com.server.security,com.server.resource,com.server.controller" />
<bean
class="org.springframework.web.servlet.view.ContentNegotiatingViewResolver">
<property name="viewResolvers">
<list>
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver" />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/" />
<property name="suffix" value=".jsp" />
</bean>
</list>
</property>
<property name="defaultViews">
<list>
<bean
class="org.springframework.web.servlet.view.json.MappingJackson2JsonView" />
</list>
</property>
</bean>
Problem 1:
I think it is because of create-session="never" on "/oauth/authorize**", please check if the jsession create for first time or not and re-check for 2nd time.
Problem 2:
because you already redirected to home page so session created so it can store redirect in it
problem 3:
you have to use another session by using incognito window, or logout and login again with different user
I am trying to implement Oauth2 spring security with Spring 4.1
I am sending password, username , client_id and client_secret but still i get bad credentials.
the request i send is as follows:
http://localhost:8080/asset-manager/oauth/token?grant_type=password&client_id=restapp&client_secret=restapp&username=ankita&password=ankita
I have the following files
spring-security.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd ">
<!-- This is default url to get a token from OAuth -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true" />
</http>
<!-- This is where we tells spring security what URL should be protected
and what roles have access to them -->
<http pattern="/api/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/api/**" access="hasRole('ROLE_USER')" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test" />
</bean>
<bean id="requestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<bean
class="org.springframework.security.web.access.expression.WebExpressionVoter"></bean>
</list>
</constructor-arg>
</bean>
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<bean id="authenticationProcessingFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- This is simple authentication manager, with a hardcoded user/password
combination. We can replace this with a user defined service to get few users
credentials from DB -->
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="ankita" password="ankita" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
<authentication-provider user-service-ref="clientDetailsUserService" />
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
</bean>
<!-- This defined token store, we have used inmemory tokenstore for now
but this can be changed to a user defined one -->
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
<!-- This is where we defined token based configurations, token validity
and other things -->
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="120" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore" />
<property name="clientDetailsService" ref="clientDetails" />
<property name="requestFactory" ref="requestFactory" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="test" token-services-ref="tokenServices" />
<oauth:client-details-service id="clientDetails">
<!-- client -->
<oauth:client client-id="restapp"
authorized-grant-types="authorization_code,client_credentials"
authorities="ROLE_USER" scope="read,write,trust" secret="secret" />
<oauth:client client-id="restapp"
authorized-grant-types="password,authorization_code,refresh_token,implicit"
secret="restapp" scope="read,write,trust" authorities="ROLE_USER" />
</oauth:client-details-service>
<bean id="httpSessionSecurityContextRepository"
class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='false' />
</bean>
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<constructor-arg ref="httpSessionSecurityContextRepository" />
</bean>
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/**"
filters="securityContextPersistenceFilter" />
</list>
</constructor-arg>
</bean>
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true"
authentication-manager-ref="authenticationManager"
secured-annotations="enabled">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
And this is my pom.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml,
/WEB-INF/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Spring Security -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
Unfortunately whenever i send a request it throws this:
{
"error": "invalid_grant",
"error_description": "Bad credentials"
}
Need Help !
You only need to pass the username, password (both of these are for the user, not the client), grant_type and client_id request params.
You must send an Authorization header, containing BASIC auth using the client ID as the username and the client secret as the password.
This is how you would do it in cURL for example:
$ curl -u restapp:restapp http://localhost:8080/asset-manager/oauth/token -d grant_type=password -d client_id=restapp
I had a similar issue when upgrading from Spring Security 4.0.4 to 4.1.1.
Try changing "alias" in your authentication-manager bean definition to "id":
<authentication-manager id="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<authentication-provider>
<user-service>
<user name="ankita" password="ankita" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
<authentication-provider user-service-ref="clientDetailsUserService" />
I found that for some reason the "alias" definition in the custom "authenticationManager" does not get recognized. When I changed "alias" to "id", my custom AuthenticationManager worked again.
I saw this issue when testing Spring Security 4.1.0, so I'm not sure what changed between Spring Security 4.0.4 and 4.1.0 that caused this to break.
I tried to search the release notes and issues in the Spring Security github, but couldn't find anything related to this. All I know is that this small fix worked for me.
Hope this helps.
I had to change some of the properties in spring-security.xml file with updated functionalities and also i override some of classes such as AuthenticationProvider and ClientDetailsService according to my use case, also i have used redis as my token store , you can replace it in memory token store
My updated spring-security.xml is:
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd ">
<!-- This is default url to get a token from OAuth -->
<http pattern="/oauth/token" create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/oauth/token" access="isFullyAuthenticated()" method="POST"/>
<intercept-url pattern="/v1/access_token" access="isFullyAuthenticated()" method="POST"/>
<anonymous enabled="false" />
<http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
userService parameters -->
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true" />
</http>
<!-- This is where we tells spring security what URL should be protected
and what roles have access to them -->
<http pattern="/v1/**" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<anonymous enabled="false" />
<intercept-url pattern="/v1/application/register" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/v1/application/{clientId}" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test" />
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="test/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
<bean
class="org.springframework.security.web.access.expression.WebExpressionVoter" />
</list>
</constructor-arg>
</bean>
<authentication-manager id="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- <authentication-provider user-service-ref="clientDetailsUserService"
/> -->
<authentication-provider ref="AuthenticationProvider" />
</authentication-manager>
<bean id="clientDetailsUserService"
class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="clientDetailsService" />
</bean>
<authentication-manager
xmlns="http://www.springframework.org/schema/security" alias="authenticationManager">
<authentication-provider ref="AuthenticationProvider" />
</authentication-manager>
<bean id="AuthenticationProvider"
class="com.timeinc.security.biz.client.security.impl.AuthenticationProviderImpl">
<property name="userService" ref="userService"></property>
</bean>
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStore">
<constructor-arg name="connectionFactory" ref="redisConnectionFactory" />
</bean>
<!--create redis connection factory and set db 1 -->
<bean id="redisConnectionFactory"
class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory">
<property name="hostName" value="${redisHost}" />
<property name="port" value="${redisPort}" />
<property name="password" value="${redisPassword}" />
<property name="database" value="${redisDatabase}" />
</bean>
<bean id="tokenServices" class="com.timeinc.security.biz.client.security.impl.DefaultTokenServicesImpl">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="${accessTokenValiditySeconds}" />
<property name="refreshTokenValiditySeconds" value="${refreshTokenValiditySeconds}"></property>
<property name="clientDetailsService" ref="clientDetailsService" />
</bean>
<bean id="requestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg name="clientDetailsService" ref="clientDetailsService" />
</bean>
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore" />
<property name="clientDetailsService" ref="clientDetailsService" />
<property name="requestFactory" ref="requestFactory" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetailsService" token-services-ref="tokenServices"
user-approval-handler-ref="userApprovalHandler">
<oauth:authorization-code />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
resource-id="test" token-services-ref="tokenServices" />
<bean id="clientDetailsService" class="com.timeinc.security.biz.client.security.impl.ClientDetailsServiceImpl">
<property name="appClient" ref="appClient"></property>
</bean>
<bean id="httpSessionSecurityContextRepository"
class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='false' />
</bean>
<bean id="userService" class="com.timeinc.security.biz.client.security.impl.UserDetailsServiceImpl">
<property name="appClient" ref="appClient"></property>
</bean>
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<constructor-arg ref="httpSessionSecurityContextRepository" />
</bean>
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/**"
filters="securityContextPersistenceFilter" />
</list>
</constructor-arg>
</bean>
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
</beans>
I am adding spring security oauth2 to my spring boot application. I have followed a few of the examples on the web and in github from the spring team (had to make some mods for my use case), but I am still not able to return an oauth2 access token from the /oauth/token endpoint. I have been working on this for several days and started off trying to do it in JavaConfig, but then switched to xml config and was able to make some progress. I should note the only config I am doing in xml is the security config and related security beans, all other config is done via JavaConfig.
I am able to successfully authenticate my user (using username & password) using Basic auth, but when it comes to the next step to generate and return the bearer token, this is not happening. Note, I am using a database for storing my user credentials and to store my access tokens (once they get created).
I am making a POST request using grant_type=password with a client id and client secret.
I am under the impression spring oauth2 would handle creating the access token for me and returning it, but maybe this isn't correct or my xml config maybe wrong? Many thanks for any assistance!
Here is my security config xml below:
<http pattern="/oauth/token"
create-session="stateless"
authentication-manager-ref="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" method="GET" access="ROLE_DENY" />
<intercept-url pattern="/**" method="PUT" access="ROLE_DENY" />
<intercept-url pattern="/**" method="DELETE" access="ROLE_DENY" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request
parameters>
<custom-filter ref="clientCredentialsTokenEndpointFilter"
after="BASIC_AUTH_FILTER" /-->
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<http pattern="/**" create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<!-- authentication-manager-ref="authenticationManager"
access-decision-manager-ref="accessDecisionManager" xmlns="http://www.springframework.org/schema/security"-->
<anonymous enabled="false" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
</http>
<bean id="oauthAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<!-- property name="realmName" value="f2rRealm" /-->
</bean>
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="f2r/client" />
<property name="typeName" value="Basic" />
</bean>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security" >
<!-- authentication-provider user-service-ref="clientDetailsUserService" /-->
<authentication-provider ref="authenticationProvider" />
</authentication-manager>
<bean id="clientDetails" class="com.f2r.security.oauth2.F2RJdbcClientDetailsService" >
<constructor-arg ref="dataSource" />
<property name="clientId" value="f2r" />
<property name="clientSecret" value="f2rsecret" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
<!-- bean id="clientDetailsService"
class="com.f2r.security.oauth2.F2RJdbcClientDetailsService">
<constructor-arg ref="dataSource" />
<property name="clientDetails" ref="clientDetails" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean-->
<bean id="clientDetailsUserService"
class="com.f2r.security.oauth2.F2RClientDetailsUserDetailsService">
<constructor-arg ref="clientDetails" />
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
<authentication-manager id="userAuthenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- authentication-provider ref="customUserAuthenticationProvider" /-->
<authentication-provider ref="authenticationProvider" />
</authentication-manager>
<!-- bean id="customUserAuthenticationProvider" class="com.f2r.security.F2RAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean-->
<bean id="authenticationProvider" class="com.f2r.security.F2RAuthenticationProvider">
<!-- property name="userDetailsService" ref="userDetailsService" /-->
<property name="userDetailsService" ref="clientDetailsUserService" />
</bean>
<bean id="userDetailsService" class="com.f2r.security.F2RUserDetailsService" />
<bean id="userApprovalHandler"
class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler">
<property name="tokenStore" ref="tokenStore" />
<property name="clientDetailsService" ref="clientDetails" />
<property name="requestFactory" ref="requestFactory" />
</bean>
<bean id="requestFactory"
class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory">
<constructor-arg ref="clientDetails" />
</bean>
<oauth:authorization-server
client-details-service-ref="clientDetails"
token-services-ref="tokenServices"
token-endpoint-url="/oauth/token"
authorization-endpoint-url="/oauth/authorize" >
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<!-- oauth:password authentication-manager-ref="userAuthenticationManager" /-->
<oauth:password />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
token-services-ref="tokenServices" />
<bean id="tokenStore"
class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" >
<constructor-arg ref="dataSource"/>
</bean>
<bean id="tokenServices"
class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="clientDetailsService" ref="clientDetails" />
</bean>
<mvc:annotation-driven />
<mvc:default-servlet-handler />
<sec:global-method-security
pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the
http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
I have just upgrade spring security from 2 to 4. Some custom filters used for login,remember me and single sign on process.
Two login mechanism used in my application.
First simple form login and second SSO login.
This is my securityContext.xml
<!-- enable method-level security via annotation -->
<sec:global-method-security secured-annotations="enabled" jsr250-annotations="disabled"/>
<!-- secure the web layer -->
<sec:http pattern="/js/**" security="none" />
<sec:http pattern="/scripts/**" security="none" />
<sec:http pattern="/favicon.ico" security="none" />
<sec:http pattern="/styles/**" security="none" />
<sec:http pattern="/images/**" security="none" />
<sec:http pattern="/qlogin.jsp" security="none" />
<sec:http pattern="/qloginWait/**" security="none" />
<sec:http pattern="/contract/ServiceContractPDFView.jsp" security="none" />
<sec:http pattern="/admin/unsubscribe_sbpqm_newsletter.jsp" security="none" />
<sec:http pattern="/admin/subscription_form.jsp" security="none" />
<sec:http pattern="/admin/subscription_thankyou.jsp" security="none" />
<sec:http pattern="/admin/related_analysts.jsp" security="none" />
<sec:http pattern="/login.jsp" security="none" />
<sec:http entry-point-ref="myAuthenticationEntryPoint" use-expressions="true">
<sec:session-management session-fixation-protection="newSession">
</sec:session-management>
<sec:headers>
<sec:frame-options policy="SAMEORIGIN"/>
<sec:content-type-options disabled="true"/>
</sec:headers>
<sec:csrf disabled="true"/>
<sec:custom-filter position="REMEMBER_ME_FILTER" ref="rememberMeProcessingFilter"/>
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="customizedFormLoginFilter"/>
<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnFilter"/>
<sec:custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
<sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<sec:anonymous username="anonymousUser" granted-authority="ROLE_ANONYMOUS"/>
</sec:http>
<!--name of my authenticationManager is authenticationManager-->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider user-service-ref="myUserDetailsService" />
</sec:authentication-manager>
<bean id="customizedFormLoginFilter" class="com.myPro.test.security.CustomAuthenticationProcessingFilter" >
<!--Here it is the custom authenticationManager, login magic goes here -->
<property name="authenticationManager" ref="myAuthenticationManager"/>
<property name="usernameParameter" value="username"/>
<property name="passwordParameter" value="password"/>
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
<property name="rememberMeServices" ref="rememberMeServices" />
<property name="allowSessionCreation" value="true" />
<property name="authenticationFailureHandler" ref="failureHandler"/>
<property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>
<bean id="myAuthenticationManager" class="com.myPro.test.security.CustomAuthenticationManager" />
<bean id="loggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<!--My authentication entry point, can be replaced easily if we are doing custom commence of invalid auths.-->
<bean id="myAuthenticationEntryPoint"
class="com.myPro.test.security.CustomAuthenticationEntryPoint" >
<constructor-arg value="/login.jsp"/>
</bean>
<bean id="successHandler" class="com.myPro.test.security.CustomSavedRequestAwareAuthenticationSuccessHandler">
<property name="alwaysUseDefaultTargetUrl" value="true"/>
<property name="defaultTargetUrl" value="/indexCustomer.jsp"/>
</bean>
<bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>
<!-- Override RememberMeProcessingFilter to allow application of other business logic (update login count when user returns to the site -->
<bean id="rememberMeProcessingFilter" class="com.myPro.test.security.CustomRememberMeProcessingFilter">
<constructor-arg ref="authenticationManager"/>
<constructor-arg ref="rememberMeServices"/>
</bean>
<bean id="signleSignOnService" class="com.myPro.sage.sso.dynamo.SsoDbStorage">
</bean>
<bean id="singleSignOnFilter"
class="com.myPro.test.spring.SingleSignOnFilter">
<property name="signleSignOnService" ref="signleSignOnService"/>
<!--<property name="authenticationProviderFacade" ref="authenticationProviderFacade"/>-->
<property name="userService" ref="myProUserServiceImpl"/>
<property name="ssoUserUrl">
<value>/sso</value>
</property>
<!-- Code Review Starts -->
<property name="ssoTargetUrl">
<value>/search/ServiceContractSearch.do</value>
</property>
<!-- Code Review Ends -->
<property name="ssoFailureUrl">
<value>/login.jsp</value>
</property>
<property name="order" value="123456"/>
</bean>
<!-- Remember me Authentication Defines which remember me implementation to use - in this case using a database table to log 'remembered' tokens -->
<bean id="myUserDetailsService" class="com.myPro.test.security.CustomUserDetailsService" > </bean>
<bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="springRocks"/>
<constructor-arg ref="myUserDetailsService"/>
<constructor-arg ref="jdbcTokenRepository"/>
</bean>
<!-- Uses a database table to maintain a set of persistent login data -->
<bean id="jdbcTokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false" />
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<constructor-arg value="springRocks"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" >
<property name="invalidateHttpSession" value="true" />
</bean>
<bean id="mySecurityContextHandler" class="com.myPro.test.security.CustomSecurityContextLogoutHandler"/>
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="/login.jsp" />
<constructor-arg>
<list>
<ref bean="mySecurityContextHandler" />
<ref bean="rememberMeServices" />
<ref bean="securityContextLogoutHandler" />
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/j_spring_security_logout" />
</bean>
<bean id="authenticationLoggerListener" class="org.springframework.security.access.event.LoggerListener"/>
<bean id="_sessionFixationProtectionFilter" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<property name="migrateSessionAttributes" value="true" />
</bean>
changed securityContext.xml according spring Security 4.
if I removed this filter
sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="singleSignOnF
ilter"
from http, application worked fine. All Urls accessible after login.
If I add this line then pattern (/**) not working for me. Blank page will come.
Please help to solve this problem
I use oauth2 in spring. However, the form login is not available any more. The urls ,"/j_spring_login" and "/j_spring_login_check" are not available.
springMVC.xml:
<!-- 自动扫描的包名 -->
<context:component-scan
base-package="com.sdp.hibernate.model.,com.sdp.hibernate.dao.,com.sdp.controller.,com.sdp.jsoncontroller."></context:component-scan>
<!-- 默认的注解映射的支持 -->
<mvc:annotation-driven />
<!-- 视图解释类 <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/jsp/"/> <property name="suffix" value=".jsp"/>
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView"
/> </bean> -->
<!-- 拦截器 <mvc:interceptors> <bean class="com.sdp.inteceptor.MyInteceptor"
/> </mvc:interceptors> -->
<!-- 对静态资源文件的访问 方案一 (二选一) <mvc:default-servlet-handler/> -->
<!-- 对静态资源文件的访问 方案二 (二选一) -->
<mvc:resources mapping="/img/**" location="/img/"
cache-period="31556926" />
<mvc:resources mapping="/js/**" location="/js/"
cache-period="31556926" />
<mvc:resources mapping="/css/**" location="/css/"
cache-period="31556926" />
<bean id="dataSource" class="org.apache.commons.dbcp2.BasicDataSource"
destroy-method="close">
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url"
value="jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8" />
<property name="username" value="root" />
<property name="password" value="dangerous" />
<property name="maxIdle" value="30" />
<property name="defaultAutoCommit" value="true" />
<property name="removeAbandonedTimeout" value="60" />
</bean>
<!-- Hibernate配置 -->
<bean id="sessionFactory"
class="org.springframework.orm.hibernate4.LocalSessionFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="configLocation" value="classpath:hibernate.cfg.xml" />
<property name="packagesToScan">
<list>
<value>com.sdp.hibernate.model</value>
</list>
</property>
</bean>
<bean id="transactionManager"
class="org.springframework.orm.hibernate4.HibernateTransactionManager">
<property name="sessionFactory" ref="sessionFactory" />
</bean>
<tx:annotation-driven transaction-manager="transactionManager" />
<bean id="viewResolver"
class="org.springframework.web.servlet.view.velocity.VelocityViewResolver">
<property name="cache" value="true"></property>
<property name="suffix" value=".html" />
<property name="contentType" value="text/html; charset=UTF-8" />
</bean>
<bean id="velocityConfig"
class="org.springframework.web.servlet.view.velocity.VelocityConfigurer">
<property name="resourceLoaderPath" value="/templates/" />
<!-- <property name="configLocation" value="classpath:velocity.properties"/> -->
<property name="velocityProperties">
<props>
<prop key="output.encoding">UTF-8</prop>
<prop key="input.encoding">UTF-8</prop>
</props>
</property>
</bean>
<!-- oauth -->
<import resource="spring-servlet.xml" />
here is the spring-servlet.xml:
<bean id="clientAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<!-- <property name="realmName" value="springsec/client" /> -->
</bean>
<bean id="oauthAccessDeniedHandler"
class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler">
</bean>
<bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.htm"></property>
</bean>
<bean id="oauthUserApprovalHandler" class="org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler">
</bean>
<http pattern="/oauth/**" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"
xmlns="http://www.springframework.org/schema/security" auto-config="true">
<anonymous enabled="false"/>
<http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<!--
<http pattern="/v1/*" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security">
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
-->
<http pattern="/v1/**" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint" access-decision-manager-ref="accessDecisionManager"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern='/v1/**' access="ROLE_USER"/>
<intercept-url pattern='/v1/protected/**' access="IS_AUTHENTICATED_FULLY"/>
<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<access-denied-handler ref="oauthAccessDeniedHandler"/>
</http>
<http pattern="/resources/**" auto-config="true"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern='/resources/**' access="ROLE_USER"/>
</http>
<bean id="clientCredentialsTokenEndpointFilter"
class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager"/>
</bean>
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider user-service-ref="client-details-user-service"/>
</authentication-manager>
<bean id="client-details-user-service" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="client-details-service" />
</bean>
<oauth:client-details-service id="client-details-service">
<!-- Allow access to test clients -->
<oauth:client
client-id="353b302c44574f565045687e534e7d6a"
secret="286924697e615a672a646a493545646c"
authorized-grant-types="password,refresh_token"
authorities="ROLE_USER"
access-token-validity="30000"
autoapprove = "true"
refresh-token-validity="30000"
scope="read, write"
/>
<!-- Web Application clients -->
<oauth:client
client-id="7b5a38705d7b3562655925406a652e32"
secret="655f523128212d6e70634446224c2a48"
authorized-grant-types="password,refresh_token"
authorities="ROLE_WEB"
access-token-validity="30000"
refresh-token-validity="30000"
/>
<!-- iOS clients -->
<oauth:client
client-id="5e572e694e4d61763b567059273a4d3d"
secret="316457735c4055642744596b302e2151"
authorized-grant-types="password,refresh_token"
authorities="ROLE_IOS"
access-token-validity="30000"
refresh-token-validity="30000"
/>
<!-- Android clients -->
<oauth:client
client-id="302a7d556175264c7e5b326827497349"
secret="4770414c283a20347c7b553650425773"
authorized-grant-types="password,refresh_token"
authorities="ROLE_ANDROID"
access-token-validity="30000"
refresh-token-validity="30000"
/>
</oauth:client-details-service>
<bean id="passwordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder"/>
<authentication-manager alias="authenticationManager"
xmlns="http://www.springframework.org/schema/security">
<!-- <authentication-provider user-service-ref="clientDetailsUserService" /> -->
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"/>
<!--
<user-service id="userDetailsService">
<user name="marissa" password="koala" authorities="ROLE_TEST" />
<user name="paul" password="emu" authorities="ROLE_GUEST" />
</user-service>
-->
</authentication-provider>
</authentication-manager>
<!-- Used for the persistenceof tokens (currently an in memory implementation) -->
<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore">
<constructor-arg ref="dataSource"></constructor-arg>
</bean>
<!-- Used to create token and and every thing about them except for their persistence that is reposibility of TokenStore (Given here is a default implementation) -->
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="supportRefreshToken" value="true" />
<property name="accessTokenValiditySeconds" value="300000"></property>
<property name="clientDetailsService" ref="client-details-service" />
</bean>
<oauth:resource-server id="resourceServerFilter" token-services-ref="tokenServices"/>
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<sec:expression-handler ref="oauthExpressionHandler" />
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased" xmlns="http://www.springframework.org/schema/beans">
<constructor-arg>
<list>
<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</constructor-arg>
</bean>
thanks for any help