org.springframework.security.oauth2.spring-security-oauth2-2.0.xsd Maven / Gradle / Ivy
Module for providing OAuth2 support to Spring Security
Creates an OAuth2RestTemplate with all the pieces needed to connect to a remote resource from a web application. Injects request- and session-scoped beans into the template, so it can only be used in the context of a web request.
The OAuth2ProtectedResourceDetails governing the configuration of this client. Mandatory.
The reference to the bean that manages access token acquisition. Optional (defaults to a chain including the common grant types from the spec).
Specifies that the OAuth 2 authorization and token endpoints should be created in the application context. These are implemented as regular Spring @Controller beans, so as long as the default Spring MVC setup is present in the application the endpoints should work (at /oauth/authorize and /oauth/token by default).
The configuration of the authorization code mechanism. This mechanism enables a way for clients to obtain an access token by first obtaining an authorization code.
Whether to disable the authorization code mechanism.
The reference to the bean that defines the authorization code services. Default value is an instance of "org.springframework.security.oauth2.provider.authorization_code.InMemoryAuthorizationCodeServices".
The configuration of the implicit grant type.
Whether to disable the implicit grant type.
The configuration of the refresh token grant type.
Whether to disable the refresh token grant type.
The configuration of the client credentials grant type.
Whether to disable the client credentials grant type.
The configuration of the resource owner password grant type.
Whether to disable the resource owner password grant type.
A reference to an authentication manager that can be used to authenticate the resource owner.
The configuration of your custom grant type.
Whether to disable this grant type.
A reference to your token granter.
The reference to the bean that defines the client details service.
The URL at which a request for an access token will be serviced. Default value: "/oauth/token"
The URL at which a user is redirected for authorization. Default value: "/oauth/authorize"
The reference to the bean that defines the granter of different oauth token types.
@deprecated (since 2.0.2 this is unnecessary). The reference to the bean that defines the implicit grant service.
The reference to the bean that defines the OAuth2RequestValidator implementation. Default value is an instance of "org.springframework.security.oauth2.provider.DefaultOAuth2RequestValidator".
The reference to the bean that defines the token services. Default value is an instance of "org.springframework.security.oauth2.provider.token.DefaultTokenServices".
The reference to the bean that defines the factory for authorization requests from the input parameters (e.g. request parameters). Default value is an instance of "org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory".
Reference to a bean that handles user approval decisions. Using this strategy, servers can selectively skip the approval process depending on decisions in the past or on the type of client.
The URL of the page that handles the user approval form (if needed, depending on the grant type). The default is "forward:/oauth/confirm_access", which is not handled by the authorization endpoint, so normally you will have to supply a handler for this path.
The URL of the page that handles errors (default forward:/oauth/error).
Path for the check token endpoint (defaults to /oauth/check_token).
True if the check token endpoint is to be installed. It must be separately protected: the element installs the endpoint but does not restrict who may call it, and any caller that can reach it can learn which tokens are valid and what they carry.
The name of the form parameter that is used to indicate user approval of the client authentication request. Default value: "user_oauth_approval".
The reference to the bean that defines the redirect resolver, used during the user authorization. Default value is an instance of "org.springframework.security.oauth2.provider.authorization_code.DefaultRedirectResolver".
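The following is an added example of an authorization server declared with the attributes and child elements documented above; it is not from the XSD or from the project's own samples. The element and attribute names are the ones this schema defines. The bean ids clientDetails (an oauth:client-details-service or any ClientDetailsService) and authenticationManager (the end-user AuthenticationManager used by the password grant) are assumed to be declared elsewhere in the same context; every other bean id is an arbitrary name chosen here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed to exist elsewhere in this context: beans "clientDetails" and
     "authenticationManager" (see the lead-in). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd
           http://www.springframework.org/schema/security/oauth2
           http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd">

    <!-- Token issuance.  DefaultTokenServices is the documented default; it is
         declared explicitly so the global validity period is visible and so the
         same instance can be shared with a resource server in this context. -->
    <bean id="tokenStore"
          class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore"/>
    <bean id="tokenServices"
          class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore"/>
        <property name="clientDetailsService" ref="clientDetails"/>
        <property name="supportRefreshToken" value="true"/>
        <property name="accessTokenValiditySeconds" value="3600"/>
    </bean>

    <!-- Authorization and token endpoints.  Grants the deployment does not need
         are disabled explicitly; the implicit grant is switched off because its
         access tokens travel in the browser redirect. -->
    <oauth:authorization-server
            client-details-service-ref="clientDetails"
            token-services-ref="tokenServices"
            token-endpoint-url="/oauth/token"
            authorization-endpoint-url="/oauth/authorize"
            user-approval-page="forward:/oauth/confirm_access"
            approval-parameter-name="user_oauth_approval"
            error-page="forward:/oauth/error"
            check-token-enabled="true"
            check-token-endpoint-url="/oauth/check_token">
        <oauth:authorization-code/>
        <oauth:implicit disabled="true"/>
        <oauth:refresh-token/>
        <oauth:client-credentials/>
        <oauth:password authentication-manager-ref="authenticationManager"/>
    </oauth:authorization-server>

    <!-- /oauth/token and /oauth/check_token authenticate the client, not the
         user, so they get their own stateless chain backed by the client
         registry.  check_token is installed by the element above but not
         protected by it: here only clients holding ROLE_TRUSTED_CLIENT may
         introspect tokens. -->
    <sec:http pattern="/oauth/(token|check_token)" request-matcher="regex"
              create-session="stateless" use-expressions="true"
              authentication-manager-ref="clientAuthenticationManager">
        <sec:intercept-url pattern="/oauth/token" access="isFullyAuthenticated()"/>
        <sec:intercept-url pattern="/oauth/check_token" access="hasRole('ROLE_TRUSTED_CLIENT')"/>
        <sec:anonymous enabled="false"/>
        <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint"/>
        <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
        <!-- Spring Security 3.2+ enables CSRF protection by default; these are
             client-authenticated POSTs from non-browser callers, so it is off here. -->
        <sec:csrf disabled="true"/>
    </sec:http>

    <!-- Client ids and secrets from the registry double as the "users" of the
         chain above. -->
    <sec:authentication-manager id="clientAuthenticationManager">
        <sec:authentication-provider user-service-ref="clientDetailsUserService"/>
    </sec:authentication-manager>
    <bean id="clientDetailsUserService"
          class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
        <constructor-arg ref="clientDetails"/>
    </bean>

    <bean id="clientAuthenticationEntryPoint"
          class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
        <property name="realmName" value="example/client"/>
        <property name="typeName" value="Basic"/>
    </bean>
    <bean id="oauthAccessDeniedHandler"
          class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
</beans>
```

The /oauth/authorize endpoint is deliberately left out of the client-authenticated chain: it is visited by the resource owner's browser and belongs in the application's normal form-login chain, together with a controller for forward:/oauth/confirm_access, which the authorization endpoint does not supply.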
Specifies that there are OAuth 2 protected resources in the application context. This element has an id, which is the bean id of the filter created. The filter should be added to the Spring Security filter chain at position before="PRE_AUTH_FILTER".
The resource id that is protected by this filter, if any. If empty or absent then all resource ids are allowed; otherwise only tokens which are granted to a client that contains this resource id will be legal.
The reference to the bean that defines the token services. Default value is an instance of "org.springframework.security.oauth2.provider.token.DefaultTokenServices".
The reference to the bean that defines the authentication manager for the incoming tokens. If provided then the resource id and token services are ignored. Default value is an instance of "org.springframework.security.oauth2.provider.token.OAuth2AuthenticationManager".
The reference to the bean that defines the token extractor. Default value is an instance of "org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor".
The reference to the bean that defines the entry point for failed authentications. Defaults to a vanilla org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint.
The reference to the bean that defines the AuthenticationDetailsSource.
Flag to say that the resource is stateless, i.e. it handles authentication on its own and it doesn't accept incoming pre-authentication. Default true.
Default element that contains the definition of the OAuth clients that are allowed to access this service.
Definition of a client that can act on behalf of a user.
The client id.
The client secret. If the secret is undefined or empty (the default) the client does not require a secret.
The redirect URI(s) established during registration (optional, comma separated).
The resource ids to which this client can be granted access (comma-separated). If missing or empty, all resources are accessible (not recommended by the spec).
The scopes to which the client is limited (comma-separated). If scope is undefined or empty (the default) the client is not limited by scope, but in that case the authorization service must explicitly accept unlimited access by not specifying any scopes itself.
Grant types that are authorized for the client to use (comma-separated). Currently defined grant types include "authorization_code", "implicit", "client_credentials", "password", "assertion", and "refresh_token". Default value is "authorization_code,refresh_token".
Authorities that are granted to the client (comma-separated). Distinct from the authorities granted to the user on behalf of whom the client is acting.
Scopes or scope patterns that are autoapproved (comma-separated), or just "true" to autoapprove all.
The access token validity period in seconds (optional). If unspecified, a global default will be applied by the token services.
The refresh token validity period in seconds (optional). If unspecified, a global default will be applied by the token services.
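An added example, not from the XSD or the project's samples, of a client registry and of the resource server filter that consumes the tokens issued for it. It places a client that leaves secret, resource-ids and scope unset (the permissive case the descriptions above flag) beside two clients that restrict all three, and wires the filter into a chain at the documented position. The element and attribute names are those of this schema; the bean ids (clientDetails, tokenServices, resourceServerFilter, oauthAuthenticationEntryPoint, oauthAccessDeniedHandler), client ids, secrets and URLs are arbitrary values chosen for the example, and tokenServices is assumed to be the DefaultTokenServices bean used by the authorization server.

```xml
<!-- Client registry.  Each oauth:client maps onto the attributes documented
     above; the ids, secrets and URLs are placeholders for this example. -->
<oauth:client-details-service id="clientDetails">

    <!-- A confidential web application: authorization code plus refresh, a
         secret required, pinned to one resource id, one registered redirect
         URI, and user approval asked for every scope (no autoapprove). -->
    <oauth:client client-id="web-portal"
                  secret="change-me-before-deploying"
                  authorized-grant-types="authorization_code,refresh_token"
                  redirect-uri="https://portal.example.com/login/callback"
                  resource-ids="photos"
                  scope="read,write"
                  authorities="ROLE_CLIENT"
                  access-token-validity="1800"
                  refresh-token-validity="2592000"/>

    <!-- A machine-to-machine client: client_credentials only, read-only scope,
         short-lived tokens and no refresh token (it can simply re-authenticate).
         ROLE_TRUSTED_CLIENT is the authority a check_token chain would demand. -->
    <oauth:client client-id="reporting-batch"
                  secret="another-secret"
                  authorized-grant-types="client_credentials"
                  resource-ids="photos"
                  scope="read"
                  authorities="ROLE_CLIENT,ROLE_TRUSTED_CLIENT"
                  access-token-validity="300"/>

    <!-- The permissive case: no secret (none is required), no resource-ids
         (its tokens are accepted by every resource server), no scope (unlimited
         unless the authorization server insists on scopes itself) and
         autoapprove of everything.  Shown only to make each omission explicit. -->
    <oauth:client client-id="demo-public"
                  authorized-grant-types="implicit"
                  redirect-uri="http://localhost:8080/demo"
                  autoapprove="true"/>
</oauth:client-details-service>

<!-- Resource server filter.  resource-id="photos" admits tokens issued to a
     client whose resource-ids contain "photos"; a token for demo-public, which
     has no resource-ids at all, is admitted as well (see the description of
     resource-ids above), which is why leaving it empty is not recommended. -->
<oauth:resource-server id="resourceServerFilter"
                       resource-id="photos"
                       token-services-ref="tokenServices"
                       entry-point-ref="oauthAuthenticationEntryPoint"
                       stateless="true"/>

<!-- The chain the filter is installed in: stateless, so a bearer token is
     required on every request and no session can stand in for one. -->
<sec:http pattern="/photos/**" create-session="stateless"
          entry-point-ref="oauthAuthenticationEntryPoint"
          use-expressions="true">
    <sec:anonymous enabled="false"/>
    <sec:intercept-url pattern="/photos/**" access="isAuthenticated()"/>
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
    <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
</sec:http>

<!-- The entry point answers 401 with a WWW-Authenticate: Bearer challenge;
     the access-denied handler answers 403 in the same error format. -->
<bean id="oauthAuthenticationEntryPoint"
      class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    <property name="realmName" value="photos"/>
</bean>
<bean id="oauthAccessDeniedHandler"
      class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
```

With authentication-manager-ref set on the resource-server element the resource-id and token-services-ref attributes are ignored, so a custom OAuth2AuthenticationManager must carry the resource id itself; the example keeps the default manager so that the resource-id check stays in force.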
Element for declaring and configuring an expression handler for oauth security expressions (used with method security). See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
Element for declaring and configuring an expression handler for oauth security expressions in http intercept urls. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
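An added example, not taken from the XSD or the project, of both expression handlers in use so that scope checks, rather than a bare isAuthenticated(), guard a resource. The #oauth2 expression root (hasScope, isUser, isClient and the rest) is what these handlers contribute; the bean ids resourceServerFilter, oauthAuthenticationEntryPoint and oauthAccessDeniedHandler are assumed to be declared as in a resource server configuration, and the URL patterns are chosen for the example.

```xml
<!-- Method security: makes #oauth2.hasScope('write') and friends usable in
     @PreAuthorize on service beans. -->
<oauth:expression-handler id="oauthExpressionHandler"/>
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
    <sec:expression-handler ref="oauthExpressionHandler"/>
</sec:global-method-security>

<!-- Web security: the same vocabulary inside intercept-url access attributes.
     Patterns are matched in order, so the more specific rule comes first. -->
<oauth:web-expression-handler id="oauthWebExpressionHandler"/>
<sec:http pattern="/photos/**" create-session="stateless"
          entry-point-ref="oauthAuthenticationEntryPoint" use-expressions="true">
    <sec:anonymous enabled="false"/>
    <!-- Per-user data: a client_credentials token carries only the client's
         own authorities, so this rule also insists on an end-user token. -->
    <sec:intercept-url pattern="/photos/me/**"
                       access="#oauth2.isUser() and #oauth2.hasScope('read')"/>
    <sec:intercept-url pattern="/photos/**" method="GET"
                       access="#oauth2.hasScope('read')"/>
    <sec:intercept-url pattern="/photos/**"
                       access="#oauth2.hasScope('write')"/>
    <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
    <sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
    <sec:expression-handler ref="oauthWebExpressionHandler"/>
</sec:http>
```

Without the expression-handler references the #oauth2 root is unknown to the default handlers and every such rule fails to evaluate, so a misconfiguration here denies access rather than silently granting it.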
Creates the OAuth 2 client filter to be added to the application security policy.
The reference to the bean that defines the redirect strategy, used when redirecting the user for access authorization. Default value is an instance of "org.springframework.security.web.DefaultRedirectStrategy".
Definition of a remote resource that is protected via OAuth2 to which this client application wants access.
The grant type. Currently defined grant types include "authorization_code", "implicit", "client_credentials", "password", and "assertion". Default value is "authorization_code".
The client id. This is the id by which the resource server will identify this application.
The uri from which the access token may be obtained.
Comma-separated list of strings specifying the scope of the access to the resource. By default, no scope will be specified.
The secret associated with the resource. By default, no secret will be supplied for access to the resource.
The scheme that is used to pass the client secret. Suggested values: "header" and "form". Default: "header". See section 2.1 of the OAuth 2 draft spec (section 2.3.1, "Client Password", in RFC 6749).
The uri to which the user will be redirected if the user is ever needed to grant an authorization code.
The method for bearing the token when accessing the resource. Default value is "header". See the AuthenticationScheme enum for possible values.
The name of the bearer token parameter. The default is "access_token", which is according to the spec, but some providers (e.g. Facebook) don't conform to the spec.
Some resource servers may require a pre-established URI to which they will redirect users after users authorize an access token.
Boolean flag indicating that the current URI should be used as a redirect (if available) rather than the registered redirect URI. Default is true.
The username for authentication, required only when type is "password".
The password for authentication, required only when type is "password".
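An added example of the client side of this schema (the client filter, resource definitions and rest-template described above, and the OAuth2RestTemplate element at the top of the page); it is not from the XSD or the project's samples. It defines one resource per grant type against the same provider and shows where use-current-uri, client-authentication-scheme, authentication-scheme and token-name come in. The client ids, secrets, URLs and bean ids are arbitrary values chosen for the example, the ${...} placeholders are assumed to be resolved from an external property source, and the form-login chain is only sketched.

```xml
<!-- The client filter: when an OAuth2RestTemplate finds it has no token for an
     authorization_code resource, this filter sends the user to the provider
     and later accepts the code on the way back. -->
<oauth:client id="oauth2ClientFilter"/>

<!-- Browser-mediated access on behalf of the logged-in user.  use-current-uri
     is turned off and a pre-established redirect URI is given so the value sent
     in the authorization request always equals the one registered with the
     provider, which is what an exact redirect_uri match on the server needs. -->
<oauth:resource id="photosByCode"
                type="authorization_code"
                client-id="web-portal"
                client-secret="${oauth.web-portal.secret}"
                client-authentication-scheme="header"
                access-token-uri="https://auth.example.com/oauth/token"
                user-authorization-uri="https://auth.example.com/oauth/authorize"
                scope="read,write"
                pre-established-redirect-uri="https://portal.example.com/login/callback"
                use-current-uri="false"/>

<!-- Server-to-server access with no user involved; no authorization URI is
     needed because there is no browser redirect in this grant. -->
<oauth:resource id="photosByClientCredentials"
                type="client_credentials"
                client-id="reporting-batch"
                client-secret="${oauth.reporting-batch.secret}"
                access-token-uri="https://auth.example.com/oauth/token"
                scope="read"/>

<!-- Resource owner password grant: the client holds the user's credentials,
     so it is reserved for trusted first-party clients and the values come
     from configuration rather than being written into the context file. -->
<oauth:resource id="photosByPassword"
                type="password"
                client-id="web-portal"
                client-secret="${oauth.web-portal.secret}"
                access-token-uri="https://auth.example.com/oauth/token"
                username="${oauth.service-user}"
                password="${oauth.service-password}"
                scope="read"/>

<!-- A provider that does not take the token in the Authorization header and
     names the parameter differently: authentication-scheme and token-name
     adapt the template without changing anything else. -->
<oauth:resource id="legacyProvider"
                type="authorization_code"
                client-id="web-portal"
                client-secret="${oauth.legacy.secret}"
                client-authentication-scheme="form"
                access-token-uri="https://legacy.example.org/token"
                user-authorization-uri="https://legacy.example.org/authorize"
                authentication-scheme="query"
                token-name="oauth_token"/>

<!-- Request-scoped templates: each one can only be injected into beans that
     run inside a web request. -->
<oauth:rest-template id="photosRestTemplate" resource="photosByCode"/>
<oauth:rest-template id="reportingRestTemplate" resource="photosByClientCredentials"/>

<!-- The filter must sit after exception translation so that the redirect to
     the provider it raises is handled as an authentication step. -->
<sec:http use-expressions="true">
    <sec:intercept-url pattern="/photos/**" access="isAuthenticated()"/>
    <sec:form-login login-page="/login" authentication-failure-url="/login?error"/>
    <sec:logout logout-success-url="/"/>
    <sec:custom-filter ref="oauth2ClientFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
</sec:http>
```

Leaving use-current-uri at its default of true makes the template send whatever page the user happened to be on as redirect_uri; that only works if the provider performs a prefix match on registered redirect URIs, and a provider that matches exactly will reject it, so the explicit pre-established URI is the portable choice.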