##### 스프링 시큐리티 구현&분석 #####

##### 1. Web App 구축 & 테스트
- create new web project

- output : WEB-INF/classes

- index.jsp
--------------------------------------------------------------------------------
<h1>INDEX</h1>
--------------------------------------------------------------------------------

- new server

- start server

- http://localhost/index.jsp

##### 2. 스프링 시큐리티 적용, 로딩
- lib: spring, spring-security, log4j

- src: log4j.properties
--------------------------------------------------------------------------------
# Root logger at DEBUG: every category, Spring Security included, logs at full verbosity to the console.
# NOTE(review): useful for tracing the filter chain while following this walkthrough; raise the level
# (for example to INFO) before reusing this file elsewhere.
log4j.rootLogger=DEBUG, root

# Console appender named "root", formatted by the pattern below.
log4j.appender.root=org.apache.log4j.ConsoleAppender
log4j.appender.root.layout=org.apache.log4j.PatternLayout
# Layout: level [date] SimpleClassName.method(line) | message
log4j.appender.root.layout.ConversionPattern=%p [%d] %C{1}.%M(%L) | %m%n
--------------------------------------------------------------------------------

- web.xml
--------------------------------------------------------------------------------
	<!-- DelegatingFilterProxy forwards to the Spring bean whose name equals the filter-name below;
	     "springSecurityFilterChain" is the bean that the <sec:http> namespace element registers. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<!-- Mapped to /* so that every request, plain JSP pages included, passes through the security filters. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Creates the root application context at startup from the file named in contextConfigLocation. -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>WEB-INF/applicationContext.xml</param-value>
	</context-param>
--------------------------------------------------------------------------------

- applicationContext.xml
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:sec="http://www.springframework.org/schema/security"  
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

	<!-- Spring Security -->

	<!-- auto-config="true" asks the namespace to register its default login and logout handling. -->
	<sec:http auto-config="true">
		<!-- Catch-all rule: every URL is reachable without logging in. More specific rules must be
		     placed above this line, because patterns are tried in order and the first match decides. -->
		<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
	</sec:http>

	<sec:authentication-manager>
		<sec:authentication-provider>
			<!-- In-memory account with a clear-text password equal to the user name: walkthrough fixture only. -->
			<sec:user-service>
				<sec:user name="user" password="user" authorities="ROLE_USER"/>
			</sec:user-service>
		</sec:authentication-provider>
	</sec:authentication-manager>

</beans>
--------------------------------------------------------------------------------

- startup server

##### 3. index.jsp 요청 (한번 더)
- http://localhost/index.jsp

##### 4. protected.jsp 요청
- index.jsp
--------------------------------------------------------------------------------
<li><a href="protected.jsp">Protected Page</a></li>
--------------------------------------------------------------------------------

- protected.jsp
--------------------------------------------------------------------------------
<h1>Protected Page!</h1>
<li><a href="index.jsp">Index Page</a></li>
--------------------------------------------------------------------------------

- applicationContext.xml
--------------------------------------------------------------------------------
		<!-- Insert above the "/**" rule inside <sec:http>: intercept-url patterns are tried in order and
		     the first match decides, so a rule placed after the catch-all would never be reached. -->
		<sec:intercept-url pattern="/protected.jsp" access="ROLE_USER"/>
--------------------------------------------------------------------------------

##### 5. invalid credential authentication
- nouser / nouser

##### 6. valid credential authentication
- user / user

##### 7. SecurityContext 접근하기
- index.jsp
--------------------------------------------------------------------------------
<%@page import="org.springframework.security.core.*"%>
<%@page import="org.springframework.security.core.context.*" %>
<%@page import="org.springframework.security.core.userdetails.*" %>
<%@page import="java.util.Collection"%>

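<%
	// Resolve the current principal and its authorities from the thread-bound SecurityContext.
	String userName = null;
	StringBuffer sb = new StringBuffer();

	SecurityContext context = SecurityContextHolder.getContext();
	Authentication authentication = context.getAuthentication();
	// getAuthentication() returns null when nothing populated the context for this request,
	// so guard before dereferencing instead of failing the whole page.
	if (authentication != null) {
		Object principal = authentication.getPrincipal();
		if (principal instanceof UserDetails) {
			userName = ((UserDetails) principal).getUsername();
		} else {
			// Anonymous and custom tokens may carry a principal that is not a UserDetails
			// (and not necessarily a String), so convert rather than cast.
			userName = String.valueOf(principal);
		}

		Collection<GrantedAuthority> authorities = authentication.getAuthorities();
		for (GrantedAuthority authority : authorities) {
			if (sb.length() > 0) sb.append(",");
			sb.append(authority.getAuthority());
		}
	}
%>
<%-- HTML-escape before writing: user names and authority strings are account data, not trusted markup. --%>
<h2>hello, <%=org.springframework.web.util.HtmlUtils.htmlEscape(String.valueOf(userName)) %></h2>
<h2>authorities : <%=org.springframework.web.util.HtmlUtils.htmlEscape(sb.toString()) %></h2>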
--------------------------------------------------------------------------------

##### 8. UserDetailsService 재구현
- applicationContext.xml
--------------------------------------------------------------------------------
	<!-- The authentication provider now delegates user lookup to the "userService" bean declared
	     below; the inline user-service is kept only as a commented-out reference. -->
	<sec:authentication-manager>
		<sec:authentication-provider user-service-ref="userService"><!--
			<sec:user-service>
				<sec:user name="user" password="user" authorities="ROLE_USER"/>
			</sec:user-service>
		--></sec:authentication-provider>
	</sec:authentication-manager>

	<bean id="userService" class="security.userdetails.MyUserDetailsService"></bean>
--------------------------------------------------------------------------------

- MyUserDetailsService
--------------------------------------------------------------------------------
package security.userdetails;

import java.util.*;

import org.springframework.dao.DataAccessException;
import org.springframework.security.core.userdetails.*;

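/**
 * In-memory {@link UserDetailsService} backed by a fixed map of accounts.
 *
 * <p>The map is filled once in the constructor and only read afterwards.
 */
public class MyUserDetailsService implements UserDetailsService {

	/** Accounts keyed by user name. */
	private Map<String, UserDetails> userMap;

	public MyUserDetailsService() {
		init();
	}

	/** Registers the single sample account. */
	private void init() {
		userMap = new HashMap<String, UserDetails>();
		// Walkthrough fixture: clear-text password equal to the user name.
		userMap.put("user1", new MyUserDetails("user1", "user1", "ROLE_USER"));
	}

	/**
	 * Looks up an account by user name.
	 *
	 * @param username the name submitted at login
	 * @return the matching account, never {@code null}
	 * @throws UsernameNotFoundException if no account has that name
	 */
	@Override
	public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
		UserDetails user = userMap.get(username);
		if (user == null) {
			// The UserDetailsService contract is to throw for an unknown user, not to return null;
			// the message deliberately omits the submitted name so it is not echoed into logs.
			throw new UsernameNotFoundException("User not found");
		}
		return user;
	}

}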
--------------------------------------------------------------------------------

- MyUserDetails
--------------------------------------------------------------------------------
package security.userdetails;

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;

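/**
 * Immutable {@link UserDetails} holding one user name, one password and one role.
 *
 * <p>All four account-status flags are fixed to {@code true}; nothing in this class can
 * expire, lock or disable the account.
 */
public class MyUserDetails implements UserDetails {

	// UserDetails is Serializable (instances can end up in the HTTP session), so pin the version.
	private static final long serialVersionUID = 1L;

	private final Collection<GrantedAuthority> authorities;
	// Stored exactly as passed in; this class applies no hashing.
	private final String password;
	private final String username;
	private final boolean accountNonExpired = true;
	private final boolean accountNonLocked = true;
	private final boolean credentialsNonExpired = true;
	private final boolean enabled = true;

	/**
	 * @param username login name
	 * @param password password, kept as given
	 * @param role     the single authority granted to the user, e.g. {@code ROLE_USER}
	 */
	public MyUserDetails(String username, String password, String role) {
		this.username = username;
		this.password = password;

		this.authorities = new ArrayList<GrantedAuthority>();
		this.authorities.add(new GrantedAuthorityImpl(role));
	}

	/**
	 * @return a read-only view of the granted authorities, so callers cannot add roles to
	 *         a shared account object
	 */
	@Override
	public Collection<GrantedAuthority> getAuthorities() {
		return java.util.Collections.unmodifiableCollection(authorities);
	}

	@Override
	public String getPassword() {
		return password;
	}

	@Override
	public String getUsername() {
		return username;
	}

	@Override
	public boolean isAccountNonExpired() {
		return accountNonExpired;
	}

	@Override
	public boolean isAccountNonLocked() {
		return accountNonLocked;
	}

	@Override
	public boolean isCredentialsNonExpired() {
		return credentialsNonExpired;
	}

	@Override
	public boolean isEnabled() {
		return enabled;
	}

}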
--------------------------------------------------------------------------------

##### 스프링 시큐리티 OAuth 구현&분석 #####

##### 1. Web App - Security - OAuth - Spring(MVC) Setting
- create new web project: consumer, provider

(consumer, provider)
- lib: spring, spring-security, spring-security-oauth, etc

(consumer, provider)
- (log4j)

(consumer)
- web.xml
--------------------------------------------------------------------------------
	<!-- DelegatingFilterProxy forwards to the Spring bean whose name equals the filter-name below. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<!-- Mapped to /* so that every request, *.do controller requests included, passes the security filters first. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Creates the root application context at startup from the file named in contextConfigLocation. -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>WEB-INF/applicationContext.xml</param-value>
	</context-param>

	<!-- Spring MVC front controller; with the servlet name "spring" it reads spring-servlet.xml by convention. -->
	<servlet>
		<servlet-name>spring</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
	</servlet>

	<servlet-mapping>
		<servlet-name>spring</servlet-name>
		<url-pattern>*.do</url-pattern>
	</servlet-mapping>
--------------------------------------------------------------------------------

(consumer)
- applicationContext.xml
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:sec="http://www.springframework.org/schema/security"  
	xmlns:oauth="http://www.springframework.org/schema/security/oauth"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
              http://www.springframework.org/schema/security/oauth http://www.springframework.org/schema/security/spring-security-oauth.xsd">

	<!-- Root context: scans package "my" for annotated beans but leaves @Controller classes to the servlet context. -->
	<context:component-scan base-package="my">
		<context:exclude-filter type="annotation"
			expression="org.springframework.stereotype.Controller" />
	</context:component-scan>

	<!-- Spring Security -->

	<!-- auto-config="true" asks the namespace to register its default login and logout handling. -->
	<sec:http auto-config="true">
		<!-- Catch-all rule: every consumer URL is reachable without logging in. Any stricter rule
		     must be placed above this line, because the first matching pattern decides. -->
		<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
	</sec:http>

	<sec:authentication-manager>
		<sec:authentication-provider>
			<!-- In-memory account with a clear-text password equal to the user name: walkthrough fixture only. -->
			<sec:user-service>
				<sec:user name="user" password="user" authorities="ROLE_USER"/>
			</sec:user-service>
		</sec:authentication-provider>
	</sec:authentication-manager>

	<!-- Requests for /myProviderPhotos.do need an OAuth token for the "providerPhotos" resource;
	     OAuth failures are sent to /oauth_error.jsp (that page is not shown in this walkthrough). -->
	<oauth:consumer resource-details-service-ref="resourceDetails" oauth-failure-page="/oauth_error.jsp">
		<oauth:url pattern="/myProviderPhotos.do" resources="providerPhotos"/>
	</oauth:consumer>
	
	<!-- key and secret must equal the entry registered in the provider's consumer-details-service.
	     NOTE(review): the secret is a sample value stored in clear text; keep real secrets out of
	     version-controlled configuration.
	     NOTE(review): all three endpoints use http://. OAuth 1.0 token responses carry the token
	     secret in the response body, so outside a localhost demo these URLs should be https. -->
	<oauth:resource-details-service id="resourceDetails">
		<oauth:resource id="providerPhotos"
		                key="my-consumer-key"
		                secret="my-consumer-secret"
		                request-token-url="http://localhost:8080/provider/oauth/request_token"
		                user-authorization-url="http://localhost:8080/provider/oauth/confirm_access.do"
		                access-token-url="http://localhost:8080/provider/oauth/access_token"/>
	</oauth:resource-details-service>

	<!-- REST client bound to the "providerPhotos" resource; injected into consumer services. -->
	<bean id="restTemplate" class="org.springframework.security.oauth.consumer.OAuthRestTemplate">
		<constructor-arg ref="providerPhotos"/>
	</bean>

</beans>
--------------------------------------------------------------------------------

(consumer)
- spring-servlet.xml
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

	<!--Basic application beans.-->
	<!-- Logical view names resolve to /WEB-INF/jsp/NAME.jsp; files under WEB-INF cannot be requested
	     directly by a browser, so these pages are only reachable through a controller. -->
	<bean id="viewResolver"
		class="org.springframework.web.servlet.view.InternalResourceViewResolver">
		<property name="prefix" value="/WEB-INF/jsp/" />
		<property name="suffix" value=".jsp" />
	</bean>

	<!-- NOTE(review): an include-filter adds to the default filters; without use-default-filters="false"
	     this scan presumably also picks up the @Service classes in "my", creating a second copy of
	     them in the servlet context. Confirm whether that is intended. -->
	<context:component-scan base-package="my">
		<context:include-filter type="annotation"
			expression="org.springframework.stereotype.Controller" />
	</context:component-scan>

</beans>
--------------------------------------------------------------------------------

(consumer)
- /index.jsp
--------------------------------------------------------------------------------
<h1>Consumer</h1>
--------------------------------------------------------------------------------

(provider)
- web.xml
--------------------------------------------------------------------------------
	<!-- DelegatingFilterProxy forwards to the Spring bean whose name equals the filter-name below. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>

	<!-- Mapped to /* so that every request, *.do controller requests included, passes the security filters first. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

	<!-- Creates the root application context at startup from the file named in contextConfigLocation. -->
	<listener>
		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
	</listener>

	<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>WEB-INF/applicationContext.xml</param-value>
	</context-param>

	<!-- Spring MVC front controller; with the servlet name "spring" it reads spring-servlet.xml by convention. -->
	<servlet>
		<servlet-name>spring</servlet-name>
		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
	</servlet>

	<servlet-mapping>
		<servlet-name>spring</servlet-name>
		<url-pattern>*.do</url-pattern>
	</servlet-mapping>
--------------------------------------------------------------------------------

(provider)
- applicationContext.xml
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:sec="http://www.springframework.org/schema/security"  
	xmlns:oauth="http://www.springframework.org/schema/security/oauth"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
			  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
              http://www.springframework.org/schema/security/oauth http://www.springframework.org/schema/security/spring-security-oauth.xsd">

	<!-- Root context: scans package "my" for annotated beans but leaves @Controller classes to the servlet context. -->
	<context:component-scan base-package="my">
		<context:exclude-filter type="annotation"
			expression="org.springframework.stereotype.Controller" />
	</context:component-scan>

	<!-- Spring Security -->

	<!-- auto-config="true" asks the namespace to register its default login and logout handling. -->
	<sec:http auto-config="true">
		<!-- Catch-all rule: every provider URL is reachable without logging in. The ROLE_USER rules
		     added in later steps must be placed above this line, because the first match decides. -->
		<sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
	</sec:http>

	<sec:authentication-manager>
		<sec:authentication-provider>
			<!-- In-memory account with a clear-text password equal to the user name: walkthrough fixture only. -->
			<sec:user-service>
				<sec:user name="user" password="user" authorities="ROLE_USER"/>
			</sec:user-service>
		</sec:authentication-provider>
	</sec:authentication-manager>

	<!-- Provider endpoints for the OAuth 1.0 flow: request token, user authorization, access token.
	     NOTE(review): require10a="false" lets the provider accept flows that lack the OAuth 1.0a
	     callback and verifier binding. Revision 1.0a was published to close a session-fixation
	     weakness in the 1.0 authorization step, so relax this only for a consumer that cannot
	     speak 1.0a, and confirm the attribute's default for the library version in use. -->
	<oauth:provider consumer-details-service-ref="consumerDetails"
	                token-services-ref="tokenServices"
	                request-token-url="/oauth/request_token"
	                authenticate-token-url="/oauth/authorize"
	                authentication-failed-url="/oauth/confirm_access.do"
	                access-granted-url="/request_token_authorized.jsp"
	                access-token-url="/oauth/access_token"
	                require10a="false"/>
	
	<!-- Registered consumers. key and secret must equal the values configured on the consumer side.
	     NOTE(review): the secret is a sample value stored in clear text; keep real secrets out of
	     version-controlled configuration. -->
	<oauth:consumer-details-service id="consumerDetails">
		<oauth:consumer name="MyConsumer" key="my-consumer-key" secret="my-consumer-secret" resourceName="Your Photos" resourceDescription="Your photos that you have uploaded to myprovider.com."/>
	</oauth:consumer-details-service>
	
	<!-- Token store with the namespace defaults (presumably in memory, so tokens are lost on restart; confirm). -->
	<oauth:token-services id="tokenServices"/>
  
</beans>
--------------------------------------------------------------------------------

(provider)
- spring-servlet.xml
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8" ?>

<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

	<!--Basic application beans.-->
	<!-- Logical view names resolve to /WEB-INF/jsp/NAME.jsp; files under WEB-INF cannot be requested
	     directly by a browser, so these pages are only reachable through a controller. -->
	<bean id="viewResolver"
		class="org.springframework.web.servlet.view.InternalResourceViewResolver">
		<property name="prefix" value="/WEB-INF/jsp/" />
		<property name="suffix" value=".jsp" />
	</bean>

	<!-- NOTE(review): an include-filter adds to the default filters; without use-default-filters="false"
	     this scan presumably also picks up the @Service classes in "my", creating a second copy of
	     them in the servlet context. Confirm whether that is intended. -->
	<context:component-scan base-package="my">
		<context:include-filter type="annotation"
			expression="org.springframework.stereotype.Controller" />
	</context:component-scan>

</beans>
--------------------------------------------------------------------------------

(provider)
- /index.jsp
--------------------------------------------------------------------------------
<h1>Provider</h1>
--------------------------------------------------------------------------------

- new server: localhost/consumer, localhost:8080/provider

- startup server

##### 2. index.jsp

- http://localhost/consumer/index.jsp

- http://localhost:8080/provider/index.jsp

##### 3. /consumer/myProviderPhotos.do (request-token)

(consumer)
- MyController
--------------------------------------------------------------------------------
package my.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;


/**
 * Consumer-side MVC controller for the page that lists the user's photos held by the provider.
 */
@Controller
public class MyController {

	/**
	 * Handles {@code /myProviderPhotos}. The body is empty and the method returns nothing, so no
	 * model attribute is set here and the view name is left to Spring MVC's default
	 * request-to-view-name translation (presumably resolving to myProviderPhotos.jsp).
	 *
	 * <p>The consumer's applicationContext.xml lists {@code /myProviderPhotos.do} under
	 * {@code <oauth:consumer>}, so the OAuth consumer filter is expected to obtain a token
	 * before this method runs.
	 *
	 * @param model view model; unused at this step
	 */
	@RequestMapping("/myProviderPhotos")
	public void myProviderPhotos(Model model) {
	}
}
--------------------------------------------------------------------------------

(consumer)
- myProviderPhotos.jsp
--------------------------------------------------------------------------------
<h1>My Provider Photos</h1>
--------------------------------------------------------------------------------

(consumer)
- index.jsp
--------------------------------------------------------------------------------
<li><a href="myProviderPhotos.do">My Provider Photos</a></li>
--------------------------------------------------------------------------------

- http://localhost/consumer/myProviderPhotos.do

##### 4. authenticate & authorize

(provider)
- applicationContext.xml
--------------------------------------------------------------------------------
		<!-- Insert above the "/**" rule in the provider's <sec:http>: the first matching pattern decides.
		     This makes the user log in with ROLE_USER before /oauth/confirm_access.do is served. -->
		<sec:intercept-url pattern="/oauth/**" access="ROLE_USER"/>
--------------------------------------------------------------------------------

(provider)
- OAuthController
--------------------------------------------------------------------------------
package my.controller;

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth.provider.ConsumerDetails;
import org.springframework.security.oauth.provider.ConsumerDetailsService;
import org.springframework.security.oauth.provider.token.OAuthProviderToken;
import org.springframework.security.oauth.provider.token.OAuthProviderTokenServices;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

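/**
 * Provider-side controller that prepares the "confirm access" page of the OAuth flow.
 */
@Controller
public class OAuthController {

	@Autowired
	private OAuthProviderTokenServices tokenServices;

	@Autowired
	private ConsumerDetailsService consumerDetailsService;

	/**
	 * Loads the consumer that owns the submitted request token and exposes it, together with
	 * the token and the optional callback, to the confirmation view.
	 *
	 * <p>{@code oauth_token} and {@code oauth_callback} are copied from request parameters
	 * into the model unchanged, so the view must escape them when writing HTML.
	 *
	 * @param request current request; reads {@code oauth_token} and {@code oauth_callback}
	 * @param model   receives {@code oauth_token}, {@code consumer} and, if present,
	 *                {@code oauth_callback}
	 * @throws IllegalArgumentException if no token was supplied or the token service does
	 *                                  not know it
	 */
	@RequestMapping("/oauth/confirm_access")
	public void confirmAccess(HttpServletRequest request, Model model) {
		String token = request.getParameter("oauth_token");
		if (token == null) {
			throw new IllegalArgumentException("A request token to authorize must be provided.");
		}

		OAuthProviderToken providerToken = tokenServices.getToken(token);
		if (providerToken == null) {
			// Guard against a token service that reports an unknown token by returning null;
			// without this the next line fails with a NullPointerException.
			throw new IllegalArgumentException("The request token to authorize is not recognised.");
		}
		ConsumerDetails consumer = consumerDetailsService.loadConsumerByConsumerKey(providerToken.getConsumerKey());

		String callback = request.getParameter("oauth_callback");
		model.addAttribute("oauth_token", token);
		if (callback != null) {
			model.addAttribute("oauth_callback", callback);
		}
		model.addAttribute("consumer", consumer);
	}
}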
--------------------------------------------------------------------------------

(provider)
- oauth/confirm_access.jsp
--------------------------------------------------------------------------------
<%@ taglib prefix="authz" uri="http://www.springframework.org/security/tags" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
  <title>Provider</title>
</head>

<body>

  <h1>Provider Access Confirm</h1>

  <div id="content">

    <%-- The confirmation block is rendered only for a caller holding ROLE_USER. --%>
    <authz:authorize ifAllGranted="ROLE_USER">
      <h2>Please Confirm</h2>

      <%-- Every model value below is written through c:out, which escapes markup characters.
           Keep it that way: oauth_token and oauth_callback originate from request parameters. --%>
      <p>You hereby authorize "<c:out value="${consumer.consumerName}"/>" to access the following resource:</p>

      <ul>
          <li><c:out value="${consumer.resourceName}"/> &mdash; <c:out value="${consumer.resourceDescription}"/></li>
      </ul>

      <%-- NOTE(review): this state-changing POST carries no anti-forgery token and nothing on this
           page adds one; confirm how the authorize endpoint is protected against forged submissions. --%>
      <form action="<c:url value="/oauth/authorize"/>" method="post">
        <input name="requestToken" value="<c:out value="${oauth_token}"/>" type="hidden"/>
        <c:if test="${!empty oauth_callback}">
        <input name="callbackURL" value="<c:out value="${oauth_callback}"/>" type="hidden"/>
        </c:if>
        <label><input name="authorize" value="Authorize" type="submit"></label>
      </form>
    </authz:authorize>
  </div>

</body>
</html>
--------------------------------------------------------------------------------

- http://localhost/consumer/myProviderPhotos.do

##### 5. redirect: /consumer/myProviderPhotos.do?verifier= (access-token, get resources)

(consumer)
- MyService
--------------------------------------------------------------------------------
package my.service;

import java.net.URI;
import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth.consumer.OAuthRestTemplate;
import org.springframework.stereotype.Service;

/**
 * Consumer-side service that fetches the current user's photo ids from the provider.
 */
@Service
public class MyService {

	@Autowired
	private OAuthRestTemplate restTemplate;

	/**
	 * Calls the provider's {@code myPhotoIds.do} resource through the OAuth-aware REST
	 * template and splits the comma-separated response.
	 *
	 * <p>The ids are returned exactly as received from the provider; callers that render
	 * them must treat them as untrusted text.
	 *
	 * @return the photo ids, or an empty list when the response is null or empty
	 */
	public List<String> getMyPhotoIds() {
		String csv = restTemplate.getForObject(URI.create("http://localhost:8080/provider/rest/myPhotoIds.do"), String.class);

		List<String> ids = new ArrayList<String>();
		if (csv == null || csv.length() == 0) {
			return ids;
		}

		String[] parts = csv.split(",");
		for (int i = 0; i < parts.length; i++) {
			ids.add(parts[i]);
		}
		return ids;
	}

}
--------------------------------------------------------------------------------

(consumer)
- MyController
--------------------------------------------------------------------------------
	@Autowired
	private MyService service;
	
		model.addAttribute("myPhotoIds", service.getMyPhotoIds());
--------------------------------------------------------------------------------

(consumer)
- myProviderPhotos.jsp
--------------------------------------------------------------------------------
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>

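<%-- Photo ids arrive in the provider's HTTP response; write them through c:out so that any
     markup inside a value is escaped instead of being interpreted by the browser. --%>
<c:forEach var="photoId" items="${myPhotoIds}">
<li><c:out value="${photoId}"/></li>
</c:forEach>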
--------------------------------------------------------------------------------

(provider)
- applicationContext.xml
--------------------------------------------------------------------------------
		<!-- Insert above the "/**" rule in the provider's <sec:http>: the first matching pattern decides.
		     This requires ROLE_USER for the REST resources, /rest/myPhotoIds.do among them. -->
		<sec:intercept-url pattern="/rest/**" access="ROLE_USER"/>
--------------------------------------------------------------------------------

(provider)
- PhotoService
--------------------------------------------------------------------------------
package my.service;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

/**
 * Provider-side service that returns the photo ids of the authenticated user.
 */
@Service
public class PhotoService {

	@Autowired
	private SecurityService security;

	/**
	 * Returns the hard-coded sample photo ids for the account named {@code user}.
	 *
	 * @return {@code "photo1,photo2"} for that account, {@code null} for any other or for
	 *         no user at all
	 */
	public String getMyPhotoIds() {
		String currentUser = security.getCurrentUserId();
		// Constant-first equals keeps the comparison safe when no user id is available.
		return "user".equals(currentUser) ? "photo1,photo2" : null;
	}

}
--------------------------------------------------------------------------------

(provider)
- SecurityService
--------------------------------------------------------------------------------
package my.service;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Service;

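/**
 * Provider-side helper that reads the current user from the Spring Security context.
 */
@Service
public class SecurityService {

	/**
	 * Returns the user name of the authenticated principal.
	 *
	 * @return the user name, or {@code null} when the context holds no authentication or
	 *         the principal is not a {@link UserDetails}
	 */
	public String getCurrentUserId() {
		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
		if (authentication == null) {
			// Nothing populated the context for this call; report "no user" rather than
			// failing with a NullPointerException.
			return null;
		}

		Object principal = authentication.getPrincipal();
		if (principal instanceof UserDetails) {
			return ((UserDetails) principal).getUsername();
		}
		return null;
	}

}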
--------------------------------------------------------------------------------

(provider)
- PhotoController
--------------------------------------------------------------------------------
package my.controller;

import java.io.BufferedWriter;
import java.io.OutputStreamWriter;

import javax.servlet.http.HttpServletResponse;

import my.service.PhotoService;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

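/**
 * Provider-side REST endpoint that returns the current user's photo ids as plain text.
 */
@Controller
public class PhotoController {

	@Autowired
	private PhotoService service;

	/**
	 * Writes the comma-separated photo ids to the response body. An empty body is written
	 * when the service has no ids for the caller.
	 *
	 * @param response servlet response that receives the {@code text/plain} body
	 */
	@RequestMapping("/rest/myPhotoIds")
	public void myPhotoIds(HttpServletResponse response) {
		response.setContentType("text/plain");
		// Declare the charset and encode with the same one instead of the platform default.
		response.setCharacterEncoding("UTF-8");

		BufferedWriter bw = null;
		try {
			String photoIds = service.getMyPhotoIds();
			bw = new BufferedWriter(new OutputStreamWriter(response.getOutputStream(), "UTF-8"));
			// The service returns null for a caller without photos; Writer.write(null) would throw.
			bw.write(photoIds == null ? "" : photoIds);
		} catch (Exception e) {
			// Best effort, as before: the failure is reported on stderr and the response is left as is.
			e.printStackTrace();
		} finally {
			// bw stays null when the stream could not be opened.
			if (bw != null) {
				try {
					bw.close();
				} catch (Exception ignored) {
					// Nothing useful can be done if closing the response stream fails.
				}
			}
		}
	}
}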
--------------------------------------------------------------------------------

- http://localhost/consumer/myProviderPhotos.do



##### (Appendix: Namespace "<sec:http auto-config="true">" -> XML Configuration)
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" 
	xmlns:sec="http://www.springframework.org/schema/security"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd">

	<!-- Hand-wired filter chain: the five filters listed run in this order for every URL.
	     NOTE(review): the namespace form normally registers more filters than these (anonymous
	     authentication among them), so read this as a reduced illustration rather than an exact
	     equivalent of <sec:http auto-config="true">. -->
	<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
		<sec:filter-chain-map path-type="ant">
			<sec:filter-chain pattern="/**" filters="
			      securityContextPersistenceFilter,
			      logoutFilter,
	          authenticationFilter,
			      exceptionTranslationFilter,
			      filterSecurityInterceptor" />
		</sec:filter-chain-map>
	</bean>

	<!-- Keeps the SecurityContext between requests, using the HTTP session as the store. -->
	<bean id="securityContextPersistenceFilter"
		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
		<property name="securityContextRepository">
			<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
		</property>
	</bean>
	
	<!-- Logout is triggered by /j_spring_security_logout: the logout handler clears the security
	     context, then the success handler redirects. -->
	<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
		<constructor-arg><bean class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"/></constructor-arg>
		<constructor-arg><bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/></constructor-arg>
		<property name="filterProcessesUrl" value="/j_spring_security_logout"></property>
	</bean>

	<!-- Form login: credentials posted to /j_spring_security_check are checked by authenticationManager. -->
	<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="filterProcessesUrl" value="/j_spring_security_check"/>
		<!-- Success always redirects to "/", so the post-login target is never taken from the request. -->
		<property name="authenticationSuccessHandler">
			<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
				<property name="defaultTargetUrl" value="/"></property>
				<property name="alwaysUseDefaultTargetUrl" value="true"></property>
			</bean>
		</property>
		<!-- Failure returns to the login page with a login_error marker. -->
		<property name="authenticationFailureHandler">
			<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
				<property name="defaultFailureUrl" value="/login.jsp?login_error"></property>
			</bean>
		</property>
		<!-- Limits each user to one session.
		     NOTE(review): the session registry is an anonymous inner bean and the filter chain in this
		     file lists no concurrent-session filter. Without a registry shared with that filter and an
		     HttpSessionEventPublisher listener, the limit is probably recorded but not enforced; confirm. -->
		<property name="sessionAuthenticationStrategy">
			<bean class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
				<constructor-arg>
					<bean class="org.springframework.security.core.session.SessionRegistryImpl"></bean>
				</constructor-arg>
				<property name="maximumSessions" value="1"></property>
			</bean>
		</property>
	</bean> 

	<!-- Turns security exceptions raised further down the chain into responses: an unauthenticated
	     caller is sent to /login.jsp, an authenticated caller lacking the role gets /noAuthorized.jsp. -->
	<bean id="exceptionTranslationFilter"
	     class="org.springframework.security.web.access.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint">
			<bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
				<property name="loginFormUrl" value="/login.jsp"/>
			</bean>
		</property>
		<property name="accessDeniedHandler">
			<bean class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/noAuthorized.jsp"/>
			</bean>
		</property>
	</bean>

	<!-- URL authorization. AffirmativeBased grants access when any voter approves; the only voter is
	     RoleVoter, so access values are plain role names. -->
	<bean id="filterSecurityInterceptor"
	        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="accessDecisionManager">
    	<bean class="org.springframework.security.access.vote.AffirmativeBased">
    		<property name="decisionVoters">
    			<list>
    				<bean class="org.springframework.security.access.vote.RoleVoter"></bean>
    			</list>
    		</property>
    	</bean>
		</property>
		<!-- Rules are tried in order, so the narrower /admin/** rule must stay above the catch-all.
		     NOTE(review): /login.jsp and /noAuthorized.jsp also match "/**" and therefore require
		     ROLE_USER; an unauthenticated request for the login page would be redirected to the login
		     page again. Confirm that these pages are exempted somewhere not shown here. -->
		<property name="securityMetadataSource">
			<sec:filter-security-metadata-source>
				<sec:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
				<sec:intercept-url pattern="/**" access="ROLE_USER" />
			</sec:filter-security-metadata-source>
		</property>
	</bean>

	<!-- Authentication is delegated to one DAO provider that loads accounts from "userService".
	     NOTE(review): no passwordEncoder is configured on the provider, so the submitted password is
	     presumably compared with the stored value as is; confirm before storing real credentials. -->
	<bean id="authenticationManager"
		class="org.springframework.security.authentication.ProviderManager">
		<property name="providers">
			<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
				<property name="userDetailsService" ref="userService" />
			</bean>
		</property>
	</bean>
	
	<!-- In-memory account with a clear-text password equal to the user name: walkthrough fixture only. -->
	<sec:user-service id="userService">
		<sec:user name="user" password="user" authorities="ROLE_USER"/>
	</sec:user-service>
	

</beans>
--------------------------------------------------------------------------------

