spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
	http://www.springframework.org/schema/beans/spring-beans.xsd
	http://www.springframework.org/schema/security/oauth2 
	http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.1.xsd
	http://www.springframework.org/schema/context 
	http://www.springframework.org/schema/context/spring-context.xsd">

	<oauth:resource-server id="resourceServerFilter"
		resource-id="custom_app" token-services-ref="tokenServices" />
	<!-- ==================================== OAuth provider configurations 
		==================================== -->
	<oauth:authorization-server
		client-details-service-ref="clientDetails" token-services-ref="tokenServices"
		user-approval-handler-ref="userApprovalHandler">
		<oauth:authorization-code />
		<oauth:implicit />
		<oauth:refresh-token />
		<oauth:client-credentials />
		<oauth:password />
	</oauth:authorization-server>

	<!-- clients service -->
	<oauth:client-details-service id="clientDetails">
		<oauth:client client-id="mobile_iphone"
			authorized-grant-types="password,refresh_token,implicit" secret="custom_app_iphone"
			authorities="ROLE_CLIENT" />

		<oauth:client client-id="mobile_android"
			authorized-grant-types="password,refresh_token,implicit" secret="custom_android"
			authorities="ROLE_CLIENT" />

		<oauth:client client-id="web_liferay"
			authorized-grant-types="password,refresh_token,implicit" secret="custom_liferay"
			authorities="ROLE_CLIENT" />
	</oauth:client-details-service>

	<oauth:expression-handler id="oauthExpressionHandler" />
	<oauth:web-expression-handler id="oauthWebExpressionHandler" />

	<!-- 
	Token configurations 
	<bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" /> 
	-->
	
	<bean id="jdbcTokenStore"
		class="org.springframework.security.oauth2.provider.token.JdbcTokenStore">
		<constructor-arg ref="secDataSource" />
	</bean>

	<bean id="tokenServices"
		class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
		<property name="tokenStore" ref="jdbcTokenStore" />
		<property name="supportRefreshToken" value="true" />
		<property name="clientDetailsService" ref="clientDetails" />
	</bean>
	<!-- token obtaining URL configurations -->
	<http pattern="/oauth/token/**" create-session="stateless"
		authentication-manager-ref="clientAuthenticationManager"
		xmlns="http://www.springframework.org/schema/security">

		<intercept-url pattern="/oauth/token/**" access="IS_AUTHENTICATED_FULLY" />
		<anonymous enabled="false" />
		<http-basic entry-point-ref="clientAuthenticationEntryPoint" />
		<!-- include this only if you need to authenticate clients via request 
			parameters -->
		<custom-filter ref="clientCredentialsTokenEndpointFilter"
			after="BASIC_AUTH_FILTER" />
		<access-denied-handler ref="oauthAccessDeniedHandler" />
	</http>

	<!-- OAuth 2 related beans -->
	<bean id="oauthAccessDeniedHandler"
		class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

	<bean id="clientCredentialsTokenEndpointFilter"
		class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
		<property name="authenticationManager" ref="clientAuthenticationManager" />
	</bean>

	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
		xmlns="http://www.springframework.org/schema/beans">
		<constructor-arg>
			<list>
				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
				<bean class="org.springframework.security.access.vote.RoleVoter" />
				<!-- required to use ACL expressions like : hasRole('..') -->
				<bean
					class="org.springframework.security.web.access.expression.WebExpressionVoter" />

				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
			</list>
		</constructor-arg>
	</bean>

	<!-- Entry points -->
	<bean id="oauthAuthenticationEntryPoint"
		class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
		<property name="realmName" value="custom" />
	</bean>

	<bean id="clientAuthenticationEntryPoint"
		class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
		<property name="realmName" value="custom_app/client" />
		<property name="typeName" value="Basic" />
	</bean>

	<!-- User approval handler -->
	<bean id="userApprovalHandler"
		class="org.springframework.security.oauth2.provider.approval.TokenServicesUserApprovalHandler">
		<property name="tokenServices" ref="tokenServices" />
	</bean>


	<!-- ========================= OAuth protected urls config ============================== -->


	<http pattern="/ws/(.*)" request-matcher="regex"
		authentication-manager-ref="clientAuthenticationManager"
		create-session="never" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint"
		access-decision-manager-ref="accessDecisionManager"
		xmlns="http://www.springframework.org/schema/security">

		<sec:anonymous enabled="true" />
		<intercept-url pattern="/ws/(.*)\?(wsdl|xsd)(.*)"
			access="permitAll" />
		<!--<intercept-url pattern="/ws/(.*)" access="hasRole('ROLE_USER')" /> -->

		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<access-denied-handler ref="oauthAccessDeniedHandler" />
	</http>

	<http pattern="/rest/eidentity/**" security="none"
		xmlns="http://www.springframework.org/schema/security" />

	<http pattern="/rest/**" authentication-manager-ref="clientAuthenticationManager"
		create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"
		access-decision-manager-ref="accessDecisionManager"
		xmlns="http://www.springframework.org/schema/security">

		<anonymous enabled="false" />
		<intercept-url pattern="/rest/register" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/rest/**" access="ROLE_USER" />
		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<access-denied-handler ref="oauthAccessDeniedHandler" />
	</http>
	<!--==================================== Authentication managers ==================================== -->

	<bean id="clientDetailsUserService"
		class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
		<constructor-arg ref="clientDetails" />
	</bean>

	<authentication-manager id="clientAuthenticationManager"
		xmlns="http://www.springframework.org/schema/security">
		<authentication-provider user-service-ref="clientDetailsUserService" />
	</authentication-manager>

	<authentication-manager alias="authenticationManager"
		xmlns="http://www.springframework.org/schema/security">
		<authentication-provider ref="customAuthenticationProvider"></authentication-provider>
		<!-- TODO: FOR TEST ONLY !! REMOVE IN PRODUCTION ENVIRONMENT -->
		<authentication-provider>
			<user-service id="userDetailsService">
				<user name="user" password="password" authorities="ROLE_USER" />
			</user-service>
		</authentication-provider>
	</authentication-manager>

	<bean id="customAuthenticationProvider"
		class="com.blabadi.sec.oauth.provider.CustomAuthenticationProvider" />

	<!--==================================== Enable Standard Pre/Post annotations 
		====================================== -->

	<sec:global-method-security
		pre-post-annotations="enabled" proxy-target-class="true">
		<!--you could also wire in the expression handler up at the layer of the 
			http filters. See https://jira.springsource.org/browse/SEC-1452 -->
		<sec:expression-handler ref="oauthExpressionHandler" />
	</sec:global-method-security>

</beans>