Fix #3 Provide URL mappings in plugin itself as well as install confirm view.

Added a dependency on spring security crypto as well.  This plugin
should now be self contained and install everything needed to get it
going without further configuration (besides client config).
commit a5bcaa9f07b90fa7df01d91cb15d2aea19cc8daf 1 parent 876f976
Brian Saville authored February 07, 2012
README.md
@@ -1,154 +1,151 @@
1  
-This plugin is an OAuth2 Provider based on the spring security libraries.  It is based off of Burt Beckwith's OAuth Provider plugin (never officially released).
2  
-
3  
-NOTE: This plugin is incomplete still and does not provide full functionality.  Teh following works and has been at least partially tested:
4  
-* The full flow of logging in with both users and clients using tokens and authorization codes
5  
-However, the following items have not been tested and may or may not work:
6  
-* Grant types besides `authorization_code` and `client_credentials`
7  
-* Protected resources via spring OAuth2 protection - this is simply done with the Spring Security core methods as of now
8  
-
9  
-## Setup
10  
-
11  
-A few steps are required before the plugin is ready for use.  First, add the necessary URL mappings to URLMappings.groovy:
12  
-
13  
-```groovy
14  
-"/oauth/authorize"(uri:"/oauth/authorize.dispatch")
15  
-"/oauth/token"(uri:"/oauth/token.dispatch")
16  
-```
17  
-
18  
-Note that these URLs should match the `tokenEndpointUrl` and `authorizationEndpointUrl` settings discussed below.
19  
-Additionally, the confirm.gsp view should exist in `views/oauth/confirm.gsp`.
20  
-
21  
-## How to Use
22  
-
23  
-### OAuth Controller/View
24  
-
25  
-The `userApprovalEndpointUrl` setting controls where the user will be redirected to confirm access to a certain client
26  
-
27  
-### Register Clients
28  
-
29  
-This is an example of registering a client (to be run in the BootStrap of your application):
30  
-def clientDetailsService
31  
-
32  
-```groovy
33  
-import org.springframework.security.oauth2.provider.BaseClientDetails;
34  
-
35  
-class BootStrap {
36  
-	def clientDetailsService
37  
-	
38  
-	def init = { servletContext ->
39  
-		def client = new BaseClientDetails()
40  
-		client.clientId = "clientId"
41  
-		client.clientSecret = "clientSecret"
42  
-		client.authorizedGrantTypes = ["authorization_code", "refresh_token", "client_credentials", "password", "implicit"]
43  
-		clientDetailsService.clientDetailsStore = [
44  
-			"clientId":client
45  
-		]
46  
-	}
47  
-```
48  
-
49  
-## Login Flows
50  
-
51  
-### Client Login
52  
-
53  
-The client may login with the URL given in the `tokenEndpointUrl` setting (`/oauth/token` by default) by using the following syntax.
54  
-Notice the `grant_type` of `client_credentials` and that the client credentials from the example above are used.
55  
-
56  
-```
57  
-http://localhost:8080/app/oauth/token?grant_type=client_credentials&client_id=clientId&client_secret=clientSecret
58  
-```
59  
-
60  
-The response from a login such as this is the following JSON.  The `access_token` is the important piece here.
61  
-
62  
-```javascript
63  
-{
64  
-  "access_token": "449acfe6-663f-4fde-b1f8-414c867a4cb5",
65  
-  "expires_in": 43200,
66  
-  "refresh_token": "ab12ce7a-de9d-48db-a674-0044897074b0"
67  
-}
68  
-```
69  
-
70  
-### User Approval of Clients
71  
-
72  
-The following URLs or configuration options show a typical flow authorizing a client for a certain user.
73  
-
74  
-* The client must first be logged in using the URL above.
75  
-* Separately, the client must be logged into the application protected by this plugin.  Alternatively, they will be logged in
76  
-on the next step since the `authorizationEndpointUrl` must be protected with Spring Security Core.  One way to accomplish this
77  
-is to use the static rules in Config.groovy:
78  
-```groovy
79  
-grails.plugins.springsecurity.controllerAnnotations.staticRules = [
80  
-	'/oauth/authorize.dispatch':['ROLE_ADMIN'],
81  
-]
82  
-```
83  
-** Note that the URL is mapped with `.dispatch` at the end.  This is essential in order to correctly protect the resource.  For
84  
-example, a `authorizationEndpointUrl` of `/custom/authorize-oauth2` would need to be protected with `/custom/authorize-oauth2.dispatch`.
85  
-* A client attempting to use a service provided by the OAuth protected application is reached by a user.  The
86  
-client then redirects the user to the `authorizationEndpointUrl` setting (`/oauth/authorize` by default).  This will actually
87  
-redirect the user to the `userApprovalEndpointUrl` setting which will present the user with an option to authorize or deny access
88  
-to the application for the client.
89  
-
90  
-```
91  
-http://localhost:8080/app/oauth/authorize?response_type=code&client_id=clientId&redirect_uri=http://localhost:8080/app/
92  
-```
93  
-
94  
-The user will then be redirected to the `redirect_uri` with the code appended as a URL parameter such as:
95  
-
96  
-```
97  
-http://localhost:8080/app/?code=YjZOa8
98  
-```
99  
-
100  
-* The client captures this code and sends it to the application at the `authorizationEndpointUrl` setting.  
101  
-This will allow the client to access the application as the user.  Notice the `grant_type` of `authorization_code` this time.
102  
-
103  
-```
104  
-http://localhost:8080/app/oauth/authorize?grant_type=authorization_code&client_id=clientId&code=OVD8SZ&redirect_uri=http://localhost:8080/app/
105  
-```
106  
-
107  
-This will then give a token to the client that can be used to access the application as the user (an example needs to go here).
108  
-
109  
-NOTE: The redirect_uri in the `code` response and the `authorization_code` grant must match!  Otherwise, the authorization will fail.
110  
-
111  
-### Protecting Resources
112  
-
113  
-If the instructions above are followed, this plugin will provide access to resources protected with the `Secured` annotation or with
114  
-static rules defined in Config.groovy.  Resources protected with request maps or other spring security configurations *should* be protected,
115  
-but is untested.  If you have tested this plugin in these configurations, please let me know and I'll update this section.
116  
-
117  
-## Configuration
118  
-
119  
-### Endpoint URLs
120  
-
121  
-By default, three endpoint URLs have been defined.  Their default values and how they would be set in Config.groovy are shown below:
122  
-
123  
-```groovy
124  
-grails.plugins.springsecurity.oauthProvider.authorizationEndpointUrl = "/oauth/authorize"
125  
-grails.plugins.springsecurity.oauthProvider.tokenEndpointUrl = "/oauth/token"	// Where the client is authorized
126  
-grails.plugins.springsecurity.oauthProvider.userApprovalEndpointUrl = "/oauth/confirm"	// Where the user confirms that they approve the client
127  
-```
128  
-
129  
-### Grant Types
130  
-
131  
-The grant types for OAuth authentication may be enabled or disabled with simple configuration options.  By default all grant types are enabled.
132  
-Set the option to false to disable it completely, regardless of client configuration.
133  
-
134  
-```groovy
135  
-grails.plugins.springsecurity.oauthProvider.grantTypes.authorizationCode = true
136  
-grails.plugins.springsecurity.oauthProvider.grantTypes.implicit = true
137  
-grails.plugins.springsecurity.oauthProvider.grantTypes.refreshToken = true
138  
-grails.plugins.springsecurity.oauthProvider.grantTypes.clientCredentials = true
139  
-grails.plugins.springsecurity.oauthProvider.grantTypes.password = true
140  
-```
141  
-
142  
-### Configuration
143  
-
144  
-Here are some other configuration options that can be set and their default values.  Again, these would be placed in Config.groovy:
145  
-
146  
-```groovy
147  
-grails.plugins.springsecurity.oauthProvider.active = true // Set to false to disable the provider, true in all environments but test where false is the default
148  
-grails.plugins.springsecurity.oauthProvider.filterStartPosition = SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order // The starting location of the filters registered
149  
-grails.plugins.springsecurity.oauthProvider.authorizationCode.approvalParameterName = "user_oauth_approval" // Used on the user confirmation page (see userApprovalEndpointUrl)
150  
-grails.plugins.springsecurity.oauthProvider.tokenServices.refreshTokenValiditySeconds = 60 * 10 //default 10 minutes
151  
-grails.plugins.springsecurity.oauthProvider.tokenServices.accessTokenValiditySeconds = 60 * 60 * 12 //default 12 hours
152  
-grails.plugins.springsecurity.oauthProvider.tokenServices.reuseRefreshToken = true
153  
-grails.plugins.springsecurity.oauthProvider.tokenServices.supportRefreshToken = true
  1
+This plugin is an OAuth2 Provider based on the spring security libraries.  It is based off of Burt Beckwith's OAuth Provider plugin (never officially released).
  2
+
  3
+NOTE: This plugin is incomplete still and does not provide full functionality.  Teh following works and has been at least partially tested:
  4
+* The full flow of logging in with both users and clients using tokens and authorization codes
  5
+However, the following items have not been tested and may or may not work:
  6
+* Grant types besides `authorization_code` and `client_credentials`
  7
+* Protected resources via spring OAuth2 protection - this is simply done with the Spring Security core methods as of now
  8
+
  9
+## Setup
  10
+
  11
+On install, a view is created at `grails-app/views/oauth/confirm.gsp`.  This view may be modified as desired, but the
  12
+location should match the `userApprovalEndpointUrl` setting discussed below.
  13
+
  14
+## How to Use
  15
+
  16
+### OAuth Controller/View
  17
+
  18
+The `userApprovalEndpointUrl` setting controls where the user will be redirected to confirm access to a certain client
  19
+
  20
+### Register Clients
  21
+
  22
+This is an example of registering a client (to be run in the BootStrap of your application):
  23
+def clientDetailsService
  24
+
  25
+```groovy
  26
+import org.springframework.security.oauth2.provider.BaseClientDetails;
  27
+
  28
+class BootStrap {
  29
+	def clientDetailsService
  30
+	
  31
+	def init = { servletContext ->
  32
+		def client = new BaseClientDetails()
  33
+		client.clientId = "clientId"
  34
+		client.clientSecret = "clientSecret"
  35
+		client.authorizedGrantTypes = ["authorization_code", "refresh_token", "client_credentials", "password", "implicit"]
  36
+		clientDetailsService.clientDetailsStore = [
  37
+			"clientId":client
  38
+		]
  39
+	}
  40
+```
  41
+
  42
+## Login Flows
  43
+
  44
+### Client Login
  45
+
  46
+The client may login with the URL given in the `tokenEndpointUrl` setting (`/oauth/token` by default) by using the following syntax.
  47
+Notice the `grant_type` of `client_credentials` and that the client credentials from the example above are used.
  48
+
  49
+```
  50
+http://localhost:8080/app/oauth/token?grant_type=client_credentials&client_id=clientId&client_secret=clientSecret
  51
+```
  52
+
  53
+The response from a login such as this is the following JSON.  The `access_token` is the important piece here.
  54
+
  55
+```javascript
  56
+{
  57
+  "access_token": "449acfe6-663f-4fde-b1f8-414c867a4cb5",
  58
+  "expires_in": 43200,
  59
+  "refresh_token": "ab12ce7a-de9d-48db-a674-0044897074b0"
  60
+}
  61
+```
  62
+
  63
+### User Approval of Clients
  64
+
  65
+The following URLs or configuration options show a typical flow authorizing a client for a certain user.
  66
+
  67
+* The client must first be logged in using the URL above.
  68
+* Separately, the client must be logged into the application protected by this plugin.  Alternatively, they will be logged in
  69
+on the next step since the `authorizationEndpointUrl` must be protected with Spring Security Core.  One way to accomplish this
  70
+is to use the static rules in Config.groovy:
  71
+```groovy
  72
+grails.plugins.springsecurity.controllerAnnotations.staticRules = [
  73
+	'/oauth/authorize.dispatch':['ROLE_ADMIN'],
  74
+]
  75
+```
  76
+** Note that the URL is mapped with `.dispatch` at the end.  This is essential in order to correctly protect the resource.  For
  77
+example, a `authorizationEndpointUrl` of `/custom/authorize-oauth2` would need to be protected with `/custom/authorize-oauth2.dispatch`.
  78
+* A client attempting to use a service provided by the OAuth protected application is reached by a user.  The
  79
+client then redirects the user to the `authorizationEndpointUrl` setting (`/oauth/authorize` by default).  This will actually
  80
+redirect the user to the `userApprovalEndpointUrl` setting which will present the user with an option to authorize or deny access
  81
+to the application for the client.
  82
+
  83
+```
  84
+http://localhost:8080/app/oauth/authorize?response_type=code&client_id=clientId&redirect_uri=http://localhost:8080/app/
  85
+```
  86
+
  87
+The user will then be redirected to the `redirect_uri` with the code appended as a URL parameter such as:
  88
+
  89
+```
  90
+http://localhost:8080/app/?code=YjZOa8
  91
+```
  92
+
  93
+* The client captures this code and sends it to the application at the `authorizationEndpointUrl` setting.  
  94
+This will allow the client to access the application as the user.  Notice the `grant_type` of `authorization_code` this time.
  95
+
  96
+```
  97
+http://localhost:8080/app/oauth/authorize?grant_type=authorization_code&client_id=clientId&code=OVD8SZ&redirect_uri=http://localhost:8080/app/
  98
+```
  99
+
  100
+This will then give a token to the client that can be used to access the application as the user (an example needs to go here).
  101
+
  102
+NOTE: The redirect_uri in the `code` response and the `authorization_code` grant must match!  Otherwise, the authorization will fail.
  103
+
  104
+### Protecting Resources
  105
+
  106
+If the instructions above are followed, this plugin will provide access to resources protected with the `Secured` annotation or with
  107
+static rules defined in Config.groovy.  Resources protected with request maps or other spring security configurations *should* be protected,
  108
+but is untested.  If you have tested this plugin in these configurations, please let me know and I'll update this section.
  109
+
  110
+## Configuration
  111
+
  112
+### Endpoint URLs
  113
+
  114
+By default, three endpoint URLs have been defined.  Note that default URLMappings are provided for the 
  115
+`authorizationEndpointUrl` and the `tokenEndpointUrl`.  If these are modified, additional URLMappings will have to
  116
+be set.  Their default values and how they would be set in Config.groovy are shown below:
  117
+
  118
+```groovy
  119
+grails.plugins.springsecurity.oauthProvider.authorizationEndpointUrl = "/oauth/authorize"
  120
+grails.plugins.springsecurity.oauthProvider.tokenEndpointUrl = "/oauth/token"	// Where the client is authorized
  121
+grails.plugins.springsecurity.oauthProvider.userApprovalEndpointUrl = "/oauth/confirm"	// Where the user confirms that they approve the client
  122
+```
  123
+
  124
+NOTE: The `userApprovalEndpointUrl` never is actually redirected to, but is simply used to load the `confirm.gsp` view.
  125
+
  126
+### Grant Types
  127
+
  128
+The grant types for OAuth authentication may be enabled or disabled with simple configuration options.  By default all grant types are enabled.
  129
+Set the option to false to disable it completely, regardless of client configuration.
  130
+
  131
+```groovy
  132
+grails.plugins.springsecurity.oauthProvider.grantTypes.authorizationCode = true
  133
+grails.plugins.springsecurity.oauthProvider.grantTypes.implicit = true
  134
+grails.plugins.springsecurity.oauthProvider.grantTypes.refreshToken = true
  135
+grails.plugins.springsecurity.oauthProvider.grantTypes.clientCredentials = true
  136
+grails.plugins.springsecurity.oauthProvider.grantTypes.password = true
  137
+```
  138
+
  139
+### Configuration
  140
+
  141
+Here are some other configuration options that can be set and their default values.  Again, these would be placed in Config.groovy:
  142
+
  143
+```groovy
  144
+grails.plugins.springsecurity.oauthProvider.active = true // Set to false to disable the provider, true in all environments but test where false is the default
  145
+grails.plugins.springsecurity.oauthProvider.filterStartPosition = SecurityFilterPosition.EXCEPTION_TRANSLATION_FILTER.order // The starting location of the filters registered
  146
+grails.plugins.springsecurity.oauthProvider.authorizationCode.approvalParameterName = "user_oauth_approval" // Used on the user confirmation page (see userApprovalEndpointUrl)
  147
+grails.plugins.springsecurity.oauthProvider.tokenServices.refreshTokenValiditySeconds = 60 * 10 //default 10 minutes
  148
+grails.plugins.springsecurity.oauthProvider.tokenServices.accessTokenValiditySeconds = 60 * 60 * 12 //default 12 hours
  149
+grails.plugins.springsecurity.oauthProvider.tokenServices.reuseRefreshToken = true
  150
+grails.plugins.springsecurity.oauthProvider.tokenServices.supportRefreshToken = true
154 151
 ```
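Review bot: the authorization-code exchange at new lines 93 and 97 sends `grant_type=authorization_code` to the `authorizationEndpointUrl` (`/oauth/authorize`) with no `client_secret`, while the client-credentials example at line 50 goes to the `tokenEndpointUrl`; in Spring Security OAuth2 a `grant_type` request is a token-endpoint request, so please confirm which endpoint actually issues the token here and, if it is the token endpoint, correct the URL to `/oauth/token` and show the client authenticating with its secret as at line 50. Related, the example client at lines 32-35 registers no redirect URI, so the only `redirect_uri` check the text describes (line 102) is that the two client-supplied values match each other; if `BaseClientDetails` in this version supports a registered redirect URI, document setting it so codes cannot be sent to an arbitrary `redirect_uri`. The new Setup text (lines 11-12) and the new NOTE at line 124 ("never is actually redirected to") also contradict the unchanged line 18, which still says the user "will be redirected" to `userApprovalEndpointUrl`; pick one description and use it in both places. Two smaller things in the same hunk: the stray `def clientDetailsService` at line 23 sits outside the code fence and duplicates line 29, and the BootStrap example closes `init` but never closes the class, so a final `}` is missing before the fence at line 40. Finally, the Endpoint URLs note at lines 114-116 should show what the extra mappings must look like when the defaults are changed, i.e. a `tokenEndpointUrl` of `/custom/token` needs `"/custom/token"(uri:"/custom/token.dispatch")`, matching the `.dispatch` rule already described at lines 76-77.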
grails-app/conf/BuildConfig.groovy
@@ -1,60 +1,62 @@
1  
-grails.project.class.dir = 'target/classes'
2  
-grails.project.test.class.dir = 'target/test-classes'
3  
-grails.project.test.reports.dir	= 'target/test-reports'
4  
-grails.project.docs.output.dir = 'docs' // for backwards-compatibility, the docs are checked into gh-pages branch
5  
-
6  
-grails.release.scm.enabled = false
7  
-
8  
-// Code Narc
9  
-codenarc.reports = {
10  
-	XmlReport('xml') {
11  
-		outputFile = 'target/test-reports/CodeNarcReport.xml'
12  
-		title = 'OAuth2 Provider Plugin Report'
13  
-	}
14  
-	HtmlReport('html') {
15  
-		outputFile = 'target/test-reports/CodeNarcReport.html'
16  
-		title = 'OAuth2 Provider Plugin Report'
17  
-	}
18  
-}
19  
-
20  
-grails.project.dependency.resolution = {
21  
-	inherits 'global'
22  
-	log 'warn'
23  
-	repositories {
24  
-		grailsPlugins()
25  
-		grailsHome()
26  
-		grailsCentral()
27  
-
28  
-		mavenLocal()
29  
-		mavenRepo "http://maven.springframework.org/milestone"	// For spring-security-oauth provider
30  
-		mavenCentral()
31  
-	}
32  
-
33  
-	dependencies {
34  
-		// Exclude dependencies pulled in by spring-security-core plugin
35  
-		runtime 'org.springframework.security.oauth:spring-security-oauth2:1.0.0.M5', {
36  
-			excludes "spring-security-core", "spring-security-web", "commons-codec"
37  
-		}
38  
-		compile 'net.sf.ezmorph:ezmorph:1.0.6', {
39  
-			excludes "commons-lang"
40  
-			export = false
41  
-		}
42  
-	}
43  
-	
44  
-	plugins {
45  
-		// Testing
46  
-		test ':code-coverage:1.2.4', {
47  
-			export = false
48  
-		}
49  
-		test ':codenarc:0.15', {
50  
-			export = false
51  
-		}
52  
-		provided ':release:1.0.1', {
53  
-			export = false
54  
-		}
55  
-		provided ':svn:1.0.2', {
56  
-			export = false
57  
-		}
58  
-		compile ':spring-security-core:1.2.6'
59  
-	}
60  
-}
  1
+grails.project.class.dir = 'target/classes'
  2
+grails.project.test.class.dir = 'target/test-classes'
  3
+grails.project.test.reports.dir	= 'target/test-reports'
  4
+grails.project.docs.output.dir = 'target/docs' // for backwards-compatibility, the docs are checked into gh-pages branch
  5
+
  6
+grails.release.scm.enabled = false
  7
+
  8
+// Code Narc
  9
+codenarc.reports = {
  10
+	XmlReport('xml') {
  11
+		outputFile = 'target/test-reports/CodeNarcReport.xml'
  12
+		title = 'OAuth2 Provider Plugin Report'
  13
+	}
  14
+	HtmlReport('html') {
  15
+		outputFile = 'target/test-reports/CodeNarcReport.html'
  16
+		title = 'OAuth2 Provider Plugin Report'
  17
+	}
  18
+}
  19
+
  20
+grails.project.dependency.resolution = {
  21
+	inherits 'global'
  22
+	log 'warn'
  23
+	repositories {
  24
+		grailsPlugins()
  25
+		grailsHome()
  26
+		grailsCentral()
  27
+
  28
+		mavenLocal()
  29
+		mavenRepo "http://maven.springframework.org/milestone"	// For spring-security-oauth provider
  30
+		mavenCentral()
  31
+	}
  32
+
  33
+	dependencies {
  34
+		compile('org.springframework.security:spring-security-crypto:3.1.0.RELEASE') {
  35
+			excludes 'spring-core', 'commons-logging'
  36
+		}
  37
+		compile 'org.springframework.security.oauth:spring-security-oauth2:1.0.0.M5', {
  38
+			excludes "spring-security-core", "spring-security-web"
  39
+		}
  40
+		compile 'net.sf.ezmorph:ezmorph:1.0.6', {
  41
+			excludes "commons-lang"
  42
+			export = false
  43
+		}
  44
+	}
  45
+	
  46
+	plugins {
  47
+		// Testing
  48
+		test ':code-coverage:1.2.4', {
  49
+			export = false
  50
+		}
  51
+		test ':codenarc:0.15', {
  52
+			export = false
  53
+		}
  54
+		provided ':release:1.0.1', {
  55
+			export = false
  56
+		}
  57
+		provided ':svn:1.0.2', {
  58
+			export = false
  59
+		}
  60
+		compile ':spring-security-core:1.2.6'
  61
+	}
  62
+}
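Review bot: lines 37-39 drop the `"commons-codec"` exclusion and the comment explaining it ("Exclude dependencies pulled in by spring-security-core plugin", old line 34), and promote spring-security-oauth2 from `runtime` to `compile`; neither change is mentioned in the commit message. If commons-codec is still supplied by the spring-security-core plugin, this plugin will now export a second copy into every application that installs it, so either keep `excludes "spring-security-core", "spring-security-web", "commons-codec"` or add a comment saying why the exclusion had to go. Same hunk, unchanged context: `mavenRepo "http://maven.springframework.org/milestone"` at line 29 resolves the oauth2 milestone jar over plain HTTP, so it is not integrity-protected in transit; use the https URL if the repository serves one. And line 4 moves doc output to `target/docs` while keeping the comment that the docs are checked into gh-pages "for backwards-compatibility"; update or drop the comment so it describes the new location.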
grails-app/conf/SpringSecurityOauth2ProviderUrlMappings.groovy
@@ -0,0 +1,6 @@
  1
+class SpringSecurityOauth2ProviderUrlMappings {
  2
+	static mappings = {
  3
+		"/oauth/authorize"(uri:"/oauth/authorize.dispatch")
  4
+		"/oauth/token"(uri:"/oauth/token.dispatch")
  5
+	}
  6
+}
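Review bot: the two mappings at lines 3-4 hard-code `/oauth/authorize` and `/oauth/token`, the same values the README documents as the defaults of `authorizationEndpointUrl` and `tokenEndpointUrl`, so a change to either config setting silently leaves this file pointing at the old paths. Add a one-line comment here stating that the mappings must match those settings and that the `.dispatch` URI is the one Spring Security static rules have to protect, or better, derive the paths from the config instead of duplicating the literals.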
scripts/_Install.groovy
@@ -1,12 +1,3 @@
1  
-println '''
2  
-***************************************************************
3  
-* You've installed the Spring Security OAuth2 Provider plugin.
4  
-* Please make sure to add the correct URLMappings:			  
5  
-*   														  
6  
-*	"/oauth/authorize"(uri:"/oauth/authorize.dispatch")		  
7  
-*	"/oauth/token"(uri:"/oauth/token.dispatch")				  
8  
-*															  
9  
-* Note that these should match the authorizationEndpointUrl   
10  
-*	and tokenEndpointUrl settings.							  
11  
-***************************************************************
12  
-'''
  1
+ant.mkdir dir: "$basedir/grails-app/views/oauth"
  2
+ant.copy(file:"$pluginBasedir/grails-app/views/oauth/confirm.gsp", 
  3
+	todir:"$basedir/grails-app/views/oauth", failonerror:false, overwrite:false)
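Review bot: `failonerror:false` on the `ant.copy` at lines 2-3 hides a failed copy, which leaves the application without `grails-app/views/oauth/confirm.gsp` and breaks the user-approval step at runtime with no hint at install time. `overwrite:false` is right, since it protects a customised view, but either drop `failonerror:false` or follow the copy with a check such as `if (!new File("$basedir/grails-app/views/oauth/confirm.gsp").exists()) println 'confirm.gsp was not installed'`. Also consider restoring a short install message saying where the view was placed; the old banner was removed and nothing now tells the user the file exists or that it should match `userApprovalEndpointUrl`.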
