Commits on Feb 6, 2015
  1. @dsyer

    Fix tonr2 sample

    dsyer authored
    Broken in 2 ways:
    1) not using the session scoped OAuth2ClientContext provided by Spring
    OAuth (non fatal, but dumb).
    2) trying to use Jackson2 when Jackson1 is already on the classpath
    (error in facebook template).
Commits on Jan 29, 2015
  1. @dsyer

    Update to 2.0.7.BUILD-SNAPSHOT

    dsyer authored
  2. @dsyer

    Fix test for anonymous token

    dsyer authored
  3. @dsyer
Commits on Jan 28, 2015
  1. @dsyer
  2. @dsyer

    Allow anonymous access to oauth2 resources by default

    dsyer authored
    Sometimes it's actually useful to be able to accept an anonymous
    authentication. The default access rule still denies access, but
    at least if anonymous tokens are created all you have to change
    is the rule.
Commits on Jan 27, 2015
  1. @Trundle @dsyer

    Convert client authorities to a set of strings.

    Trundle authored dsyer committed
    Makes it the same format as user authorities.
    Fixes gh-356
  2. @ccampo133 @dsyer

    Added ability to restrict token endpoint HTTP request methods

    ccampo133 authored dsyer committed
    ... using the AuthorizationServerEndpointsConfigurer class.
    Fixes gh-334, fixes gh-327
  3. @ccampo133 @dsyer

    Restricted token endpoint to HTTP POST by default.

    ccampo133 authored dsyer committed
  4. @dsyer
  5. @JohnKim @dsyer

    Modify minor misspellings and link

    JohnKim authored dsyer committed
    Fixes gh-374
  6. @dsyer
  7. @dsyer
  8. @dsyer

    Rationalize redirect rendering in AuthorizationEndpoint

    dsyer authored
    There are 3 methods in AuthorizationEndpoint that need to build a
    redirect URI, and up to now there were 3 different methods of
    doing it. This change unifies them into a single convenience method.
    It also allows the incoming redirect URI to be either encoded or
    unencoded (fixes gh-349). An unencoded URI can easily be provided
    as part of a ClientDetails registration, and an encoded one would
    come in as a request parameter. (Actually request parameters can
    be unencoded too, but most clients will encode to avoid
  9. @dsyer

    Ensure JWT refresh tokens cannot be used as access tokens

    dsyer authored
    ... and vice-versa (not such a problem). This change adds a new claim
    to JWT refresh tokens referring back to the original access token (ati).
    Fixes gh-363
  10. @dsyer

    Optionally create refresh tokens with infinite lifetime

    dsyer authored
    If a DefaultTokenServices or a ClientDetails has a refreshTokenValidity
    less than or equal to zero, it will result in a non-expiring
    refresh token.
    Fixes gh-166
  11. @dsyer
  12. @dsyer

    Clarify CSRF and session creation policy for resource server

    dsyer authored
    It *is* possible to disable CSRF on a per-HttpSecurity basis, and
    also the same for session creation policy (I believe). So rather
    than making CSRF mandatory by default it is better to switch
    it off and also set to SessionCreationPolicy.STATELESS.
    N.B. if CSRF is *on*, even SessionCreationPolicy.STATELESS does
    not prevent the creation of a session (since the CsrfFilter itself
    has to look in the session for a token).
    Fixes gh-339
Commits on Jan 26, 2015
  1. @dsyer

    Add optional UserDetailsService to DefaultUserAuthenticationConverter

    dsyer authored
    Now authorities (and other interesting details) can be stored externally
    to the token, at least optionally. Often the token provider might have a
    different idea of user authorities than the local service decoding the
    token, so it helps to be able to extend the potential source of that
    The Principal in the resulting Authentication is the UserDetails, so
    there might also be other interesting data in there for access
    Fixes gh-358
  2. @dsyer

    Add token type to OAuth2AuthenticationDetails

    dsyer authored
    Clients that rely on the OAuth2AuthenticationDetails to figure out the
    way to send authentication to a server could not, before this change,
    take into account the token type to use in the header. Defaulting to
    "bearer" sometimes fails (e.g. apparently on Facebook). There are no
    such clients in Spring OAuth as it happens, but other projects are using
    this feature so now we make the data available.
    It's a little bit messy in the OAuth2ClientAuthenticationProcessingFilter
    since the TokenExtractor implementation we have has protected methods
    whose signatures do not permit the token type to be determined. Maybe
    in 2.1 we can break those methods and make their function clearer.
    Fixes gh-354
Commits on Jan 25, 2015
  1. @dsyer

    Add catchall @ExceptionHandler to TokenEndpoint

    dsyer authored
    Because it is always a machine client, it's a good idea to
    have a consistent response for errors in the TokenEndpoint,
    instead of falling through to the container's own handler.
    Fixes gh-347
Commits on Jan 23, 2015
  1. @dsyer

    Make exception translator pluggable in @Configuration

    dsyer authored
    Adds exceptionTranslator() convenience methods to configurers (should
    get injected into TokenEndpoint, AuthorizationEndpoint and CheckTokenEndpoint).
    Fixes gh-343
  2. @dsyer
  3. @dsyer
  4. @dsyer

    Add "stateless" flag to resource server configuration

    dsyer authored
    Default to true, so that security context is cleared if no access token
    is presented. Useful default in mixed servers where some resources are
    not stateless, or where they might accept anonymous authentication.
    Using default=true changes the behaviour of existing applications, but
    in a way that makes them more secure (it's better to opt into anything
    with a risk of authenticating accidentally).
    Fixes gh-360
  5. @dsyer

    Register AccessDeniedHandler earlier so that it gets used

    dsyer authored
    This is baffling (might need help from @rwinch to understand), but
    there is an integration test in sparklr2 that fails without this
    change. As far as I can tell it registers the right access denied
    handler even before this change, but it never gets called.
    See gh-315
  6. @dsyer

    Fix customization of expression handler

    dsyer authored
    Re-ordering the calls to HttpSecurity seems to make sense.
    The ResourceServerConfigurers get a chance to provide
    exception handlers and expression handlers now.
    Fixes gh-315
  7. @dsyer

    Remove unused security filter chain

    dsyer authored
    Fixes gh-364
Commits on Jan 8, 2015
  1. @dsyer

    Switch to 2.0.6 snapshots

    dsyer authored
  2. @dsyer
Commits on Dec 17, 2014
  1. @dsyer

    Remove builder convenience method for ClientDetailsService

    dsyer authored
    The AuthorizationServerEndpointsConfigurer had a clientDetails() method
    that was supposed to be for internal use (but unfortunately had to
    be public so it can be called by a class in another package). Without
    changing the packaging, the safest change at this point (even though
    it's a public API) is to change the method signature and document it
    to make it clear that it's not public.
    Fixes gh-336
  2. @dsyer

    Remove the @Bean TokenStore from default configuration

    dsyer authored
    Previously the AuthorizationServerConfiguration had exposed a
    TokenStore as a @Bean, mainly as a convenience for a
    ResourceServerConfiguration that happened to be in the same context.
    The problem is that there's a potential cycle if the user defines
    their own @Bean TokenStore, and uses it to configure a
    Resource Server, when it also happens to be part of an Authorization
    Fixes gh-338
Commits on Dec 16, 2014
  1. @dsyer

    Add convenience method for reuseRefreshToken()

    dsyer authored
    Longer term (2.1.0) we should pull out the token service building into
    a separate builder. It's too big a change for a point release though.
    Fixes gh-318
Commits on Dec 1, 2014
  1. @dsyer

    Remove unnecessary GlobalAuthenticationConfigurer

    dsyer authored
    The client details authentication configuration as it was confuses
    Spring Boot autoconfig. It looks unnecessary anyway, so this change removes
    the GlobalAuthenticationConfigurer and upgrades Spring Boot in the tests.
Commits on Nov 21, 2014
  1. @dsyer

    first commit

    Josh Long authored dsyer committed