/*
* Copyright 2008-2009 Web Cohesion
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*/
package org.springframework.security.oauth2.config.xml;
import org.springframework.beans.BeanMetadataElement;
import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.config.TypedStringValue;
import org.springframework.beans.factory.support.AbstractBeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.support.ManagedList;
import org.springframework.beans.factory.support.ManagedMap;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.security.config.BeanIds;
import org.springframework.security.oauth2.provider.CompositeTokenGranter;
import org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler;
import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenGranter;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.endpoint.*;
import org.springframework.security.oauth2.provider.implicit.ImplicitTokenGranter;
import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestValidator;
import org.springframework.util.StringUtils;
import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element;
import java.util.List;
/**
* Parser for the OAuth "provider" element.
*
* @author Ryan Heaton
* @author Dave Syer
*/
public class AuthorizationServerBeanDefinitionParser
extends ProviderBeanDefinitionParser {
@Override
protected AbstractBeanDefinition parseEndpointAndReturnFilter(Element element,
ParserContext parserContext, String tokenServicesRef, String serializerRef) {
String clientDetailsRef = element.getAttribute("client-details-service-ref");
String oAuth2RequestFactoryRef = element
.getAttribute("authorization-request-manager-ref");
String tokenEndpointUrl = element.getAttribute("token-endpoint-url");
String checkTokenUrl = element.getAttribute("check-token-endpoint-url");
String enableCheckToken = element.getAttribute("check-token-enabled");
String authorizationEndpointUrl = element
.getAttribute("authorization-endpoint-url");
String tokenGranterRef = element.getAttribute("token-granter-ref");
String redirectStrategyRef = element.getAttribute("redirect-strategy-ref");
String userApprovalHandlerRef = element.getAttribute("user-approval-handler-ref");
String approvalPage = element.getAttribute("user-approval-page");
String errorPage = element.getAttribute("error-page");
String approvalParameter = element.getAttribute("approval-parameter-name");
String redirectResolverRef = element.getAttribute("redirect-resolver-ref");
String oAuth2RequestValidatorRef = element.getAttribute("request-validator-ref");
// Create a bean definition speculatively for the auth endpoint
BeanDefinitionBuilder authorizationEndpointBean = BeanDefinitionBuilder
.rootBeanDefinition(AuthorizationEndpoint.class);
if (!StringUtils.hasText(clientDetailsRef)) {
parserContext.getReaderContext()
.error("ClientDetailsService must be provided", element);
return null;
}
if (!StringUtils.hasText(oAuth2RequestValidatorRef)) {
oAuth2RequestValidatorRef = "defaultOAuth2RequestValidator";
BeanDefinitionBuilder oAuth2RequestValidator = BeanDefinitionBuilder
.rootBeanDefinition(DefaultOAuth2RequestValidator.class);
parserContext.getRegistry().registerBeanDefinition(oAuth2RequestValidatorRef,
oAuth2RequestValidator.getBeanDefinition());
}
authorizationEndpointBean.addPropertyReference("oAuth2RequestValidator",
oAuth2RequestValidatorRef);
if (!StringUtils.hasText(oAuth2RequestFactoryRef)) {
oAuth2RequestFactoryRef = "oAuth2AuthorizationRequestManager";
BeanDefinitionBuilder oAuth2RequestManager = BeanDefinitionBuilder
.rootBeanDefinition(DefaultOAuth2RequestFactory.class);
oAuth2RequestManager.addConstructorArgReference(clientDetailsRef);
parserContext.getRegistry().registerBeanDefinition(oAuth2RequestFactoryRef,
oAuth2RequestManager.getBeanDefinition());
}
ManagedList<BeanMetadataElement> tokenGranters = null;
if (!StringUtils.hasText(tokenGranterRef)) {
tokenGranterRef = "oauth2TokenGranter";
BeanDefinitionBuilder tokenGranterBean = BeanDefinitionBuilder
.rootBeanDefinition(CompositeTokenGranter.class);
parserContext.getRegistry().registerBeanDefinition(tokenGranterRef,
tokenGranterBean.getBeanDefinition());
tokenGranters = new ManagedList<BeanMetadataElement>();
tokenGranterBean.addConstructorArgValue(tokenGranters);
}
authorizationEndpointBean.addPropertyReference("tokenGranter", tokenGranterRef);
boolean registerAuthorizationEndpoint = false;
Element authorizationCodeElement = DomUtils.getChildElementByTagName(element,
"authorization-code");
if (authorizationCodeElement != null && !"true"
.equalsIgnoreCase(authorizationCodeElement.getAttribute("disabled"))) {
// authorization code grant configuration.
String authorizationCodeServices = authorizationCodeElement
.getAttribute("authorization-code-services-ref");
String clientTokenCacheRef = authorizationCodeElement
.getAttribute("client-token-cache-ref");
BeanDefinitionBuilder authorizationCodeTokenGranterBean = BeanDefinitionBuilder
.rootBeanDefinition(AuthorizationCodeTokenGranter.class);
if (StringUtils.hasText(tokenServicesRef)) {
authorizationCodeTokenGranterBean
.addConstructorArgReference(tokenServicesRef);
}
if (!StringUtils.hasText(authorizationCodeServices)) {
authorizationCodeServices = "oauth2AuthorizationCodeServices";
BeanDefinitionBuilder authorizationCodeServicesBean = BeanDefinitionBuilder
.rootBeanDefinition(InMemoryAuthorizationCodeServices.class);
parserContext.getRegistry().registerBeanDefinition(
authorizationCodeServices,
authorizationCodeServicesBean.getBeanDefinition());
}
authorizationEndpointBean.addPropertyReference("authorizationCodeServices",
authorizationCodeServices);
authorizationCodeTokenGranterBean
.addConstructorArgReference(authorizationCodeServices);
authorizationCodeTokenGranterBean
.addConstructorArgReference(clientDetailsRef);
authorizationCodeTokenGranterBean
.addConstructorArgReference(oAuth2RequestFactoryRef);
if (StringUtils.hasText(clientTokenCacheRef)) {
authorizationEndpointBean.addPropertyReference("clientTokenCache",
clientTokenCacheRef);
}
if (StringUtils.hasText(oAuth2RequestFactoryRef)) {
authorizationEndpointBean.addPropertyReference("oAuth2RequestFactory",
oAuth2RequestFactoryRef);
}
if (tokenGranters != null) {
tokenGranters.add(authorizationCodeTokenGranterBean.getBeanDefinition());
}
// end authorization code provider configuration.
registerAuthorizationEndpoint = true;
}
if (tokenGranters != null) {
Element refreshTokenElement = DomUtils.getChildElementByTagName(element,
"refresh-token");
if (refreshTokenElement != null && !"true"
.equalsIgnoreCase(refreshTokenElement.getAttribute("disabled"))) {
BeanDefinitionBuilder refreshTokenGranterBean = BeanDefinitionBuilder
.rootBeanDefinition(RefreshTokenGranter.class);
refreshTokenGranterBean.addConstructorArgReference(tokenServicesRef);
refreshTokenGranterBean.addConstructorArgReference(clientDetailsRef);
refreshTokenGranterBean
.addConstructorArgReference(oAuth2RequestFactoryRef);
tokenGranters.add(refreshTokenGranterBean.getBeanDefinition());
}
Element implicitElement = DomUtils.getChildElementByTagName(element,
"implicit");
if (implicitElement != null && !"true"
.equalsIgnoreCase(implicitElement.getAttribute("disabled"))) {
BeanDefinitionBuilder implicitGranterBean = BeanDefinitionBuilder
.rootBeanDefinition(ImplicitTokenGranter.class);
implicitGranterBean.addConstructorArgReference(tokenServicesRef);
implicitGranterBean.addConstructorArgReference(clientDetailsRef);
implicitGranterBean.addConstructorArgReference(oAuth2RequestFactoryRef);
tokenGranters.add(implicitGranterBean.getBeanDefinition());
registerAuthorizationEndpoint = true;
}
Element clientCredentialsElement = DomUtils.getChildElementByTagName(element,
"client-credentials");
if (clientCredentialsElement != null && !"true".equalsIgnoreCase(
clientCredentialsElement.getAttribute("disabled"))) {
BeanDefinitionBuilder clientCredentialsGranterBean = BeanDefinitionBuilder
.rootBeanDefinition(ClientCredentialsTokenGranter.class);
clientCredentialsGranterBean.addConstructorArgReference(tokenServicesRef);
clientCredentialsGranterBean.addConstructorArgReference(clientDetailsRef);
clientCredentialsGranterBean
.addConstructorArgReference(oAuth2RequestFactoryRef);
tokenGranters.add(clientCredentialsGranterBean.getBeanDefinition());
}
Element clientPasswordElement = DomUtils.getChildElementByTagName(element,
"password");
if (clientPasswordElement != null && !"true"
.equalsIgnoreCase(clientPasswordElement.getAttribute("disabled"))) {
BeanDefinitionBuilder clientPasswordTokenGranter = BeanDefinitionBuilder
.rootBeanDefinition(ResourceOwnerPasswordTokenGranter.class);
String authenticationManagerRef = clientPasswordElement
.getAttribute("authentication-manager-ref");
if (!StringUtils.hasText(authenticationManagerRef)) {
authenticationManagerRef = BeanIds.AUTHENTICATION_MANAGER;
}
clientPasswordTokenGranter
.addConstructorArgReference(authenticationManagerRef);
clientPasswordTokenGranter.addConstructorArgReference(tokenServicesRef);
clientPasswordTokenGranter.addConstructorArgReference(clientDetailsRef);
clientPasswordTokenGranter
.addConstructorArgReference(oAuth2RequestFactoryRef);
tokenGranters.add(clientPasswordTokenGranter.getBeanDefinition());
}
List<Element> customGrantElements = DomUtils
.getChildElementsByTagName(element, "custom-grant");
for (Element customGrantElement : customGrantElements) {
if (!"true"
.equalsIgnoreCase(customGrantElement.getAttribute("disabled"))) {
String customGranterRef = customGrantElement
.getAttribute("token-granter-ref");
tokenGranters.add(new RuntimeBeanReference(customGranterRef));
}
}
}
if (registerAuthorizationEndpoint) {
BeanDefinitionBuilder approvalEndpointBean = BeanDefinitionBuilder
.rootBeanDefinition(WhitelabelApprovalEndpoint.class);
parserContext.getRegistry().registerBeanDefinition("oauth2ApprovalEndpoint",
approvalEndpointBean.getBeanDefinition());
if (!StringUtils.hasText(clientDetailsRef)) {
parserContext.getReaderContext()
.error("A client details service is mandatory", element);
}
if (StringUtils.hasText(redirectStrategyRef)) {
authorizationEndpointBean.addPropertyReference("redirectStrategy",
redirectStrategyRef);
}
if (StringUtils.hasText(userApprovalHandlerRef)) {
authorizationEndpointBean.addPropertyReference("userApprovalHandler",
userApprovalHandlerRef);
}
authorizationEndpointBean.addPropertyReference("clientDetailsService",
clientDetailsRef);
if (StringUtils.hasText(redirectResolverRef)) {
authorizationEndpointBean.addPropertyReference("redirectResolver",
redirectResolverRef);
}
if (StringUtils.hasText(approvalPage)) {
authorizationEndpointBean.addPropertyValue("userApprovalPage",
approvalPage);
}
if (StringUtils.hasText(errorPage)) {
authorizationEndpointBean.addPropertyValue("errorPage", errorPage);
}
parserContext.getRegistry().registerBeanDefinition(
"oauth2AuthorizationEndpoint",
authorizationEndpointBean.getBeanDefinition());
}
// configure the token endpoint
BeanDefinitionBuilder tokenEndpointBean = BeanDefinitionBuilder
.rootBeanDefinition(TokenEndpoint.class);
tokenEndpointBean.addPropertyReference("clientDetailsService", clientDetailsRef);
tokenEndpointBean.addPropertyReference("tokenGranter", tokenGranterRef);
authorizationEndpointBean.addPropertyReference("oAuth2RequestValidator",
oAuth2RequestValidatorRef);
parserContext.getRegistry().registerBeanDefinition("oauth2TokenEndpoint",
tokenEndpointBean.getBeanDefinition());
if (StringUtils.hasText(oAuth2RequestFactoryRef)) {
tokenEndpointBean.addPropertyReference("oAuth2RequestFactory",
oAuth2RequestFactoryRef);
}
if (StringUtils.hasText(oAuth2RequestValidatorRef)) {
tokenEndpointBean.addPropertyReference("oAuth2RequestValidator",
oAuth2RequestValidatorRef);
}
// Register a handler mapping that can detect the auth server endpoints
BeanDefinitionBuilder handlerMappingBean = BeanDefinitionBuilder
.rootBeanDefinition(FrameworkEndpointHandlerMapping.class);
ManagedMap<String, TypedStringValue> mappings = new ManagedMap<String, TypedStringValue>();
if (StringUtils.hasText(tokenEndpointUrl)
|| StringUtils.hasText(authorizationEndpointUrl)) {
if (StringUtils.hasText(tokenEndpointUrl)) {
mappings.put("/oauth/token",
new TypedStringValue(tokenEndpointUrl, String.class));
}
if (StringUtils.hasText(authorizationEndpointUrl)) {
mappings.put("/oauth/authorize",
new TypedStringValue(authorizationEndpointUrl, String.class));
}
if (StringUtils.hasText(approvalPage)) {
mappings.put("/oauth/confirm_access",
new TypedStringValue(approvalPage, String.class));
}
}
if (StringUtils.hasText(enableCheckToken) && enableCheckToken.equals("true")) {
// configure the check token endpoint
BeanDefinitionBuilder checkTokenEndpointBean = BeanDefinitionBuilder
.rootBeanDefinition(CheckTokenEndpoint.class);
checkTokenEndpointBean.addConstructorArgReference(tokenServicesRef);
parserContext.getRegistry().registerBeanDefinition("oauth2CheckTokenEndpoint",
checkTokenEndpointBean.getBeanDefinition());
if (StringUtils.hasText(checkTokenUrl)) {
mappings.put("/oauth/check_token",
new TypedStringValue(checkTokenUrl, String.class));
}
}
if (!mappings.isEmpty()) {
handlerMappingBean.addPropertyValue("mappings", mappings);
}
if (StringUtils.hasText(approvalParameter) && registerAuthorizationEndpoint) {
if (!StringUtils.hasText(userApprovalHandlerRef)) {
BeanDefinitionBuilder userApprovalHandler = BeanDefinitionBuilder
.rootBeanDefinition(DefaultUserApprovalHandler.class);
userApprovalHandler.addPropertyValue("approvalParameter",
new TypedStringValue(approvalParameter, String.class));
authorizationEndpointBean.addPropertyValue("userApprovalHandler",
userApprovalHandler.getBeanDefinition());
}
handlerMappingBean.addPropertyValue("approvalParameter", approvalParameter);
}
parserContext.getRegistry().registerBeanDefinition("oauth2HandlerMapping",
handlerMappingBean.getBeanDefinition());
// We aren't defining a filter...
return null;
}
}