From e16f369b63ad9403b445fd8402060e768277c1f8 Mon Sep 17 00:00:00 2001 From: Justin Richer Date: Fri, 18 Apr 2014 23:01:49 -0400 Subject: [PATCH 1/2] updated to spring 4, spring security 3.2, and secoauth 2.0 (RC) --- openid-connect-common/pom.xml | 4 +-- .../webapp/WEB-INF/application-context.xml | 18 ++++++------ .../src/main/webapp/WEB-INF/authz-config.xml | 10 +++---- .../src/main/webapp/WEB-INF/crypto-config.xml | 12 +++++++- .../src/main/webapp/WEB-INF/data-context.xml | 18 +++++++++--- .../src/main/webapp/WEB-INF/jpa-config.xml | 28 ++++++++++++++++++- .../src/main/webapp/WEB-INF/local-config.xml | 12 +++++++- .../src/main/webapp/WEB-INF/server-config.xml | 17 +++++------ .../main/webapp/WEB-INF/spring-servlet.xml | 12 +++++++- .../src/main/webapp/WEB-INF/task-config.xml | 14 ++++++++-- .../src/main/webapp/WEB-INF/user-context.xml | 21 +++++++------- .../connect/ConnectOAuth2RequestFactory.java | 2 +- .../token/TofuUserApprovalHandler.java | 12 ++++++++ pom.xml | 6 ++-- 14 files changed, 137 insertions(+), 49 deletions(-) diff --git a/openid-connect-common/pom.xml b/openid-connect-common/pom.xml index dad212bf61..dffc3d24e7 100644 --- a/openid-connect-common/pom.xml +++ b/openid-connect-common/pom.xml @@ -56,11 +56,11 @@ org.apache.httpcomponents httpclient - 4.2.3 + 4.3.3 org.springframework.security.oauth - 2.0.0.M2 + 2.0.0.RC1 spring-security-oauth2 diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml index 9c5bd926b0..68311e6c79 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml 
@@ -23,18 +23,18 @@ xmlns:security="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd - http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd - http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd - http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd"> + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> - + @@ -74,7 +74,7 @@ - + @@ -122,7 +122,7 @@ - + - + diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml index 1faef3cded..1a54327a72 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/authz-config.xml 
@@ -23,11 +23,11 @@ xmlns:security="http://www.springframework.org/schema/security" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd - http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd - http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd - http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd - http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd"> + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security 
http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml index a46c3c90c1..49c43e3f0e 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/data-context.xml 
@@ -16,10 +16,20 @@ limitations under the License. --> + xmlns:mvc="http://www.springframework.org/schema/mvc" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xmlns:jdbc="http://www.springframework.org/schema/jdbc" + xsi:schemaLocation="http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-4.0.xsd + http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml index aca6bf8d14..a0d9e29111 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/jpa-config.xml 
@@ -1,7 +1,33 @@ + + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/local-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/local-config.xml index e8558403b1..06b5da2631 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/local-config.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/local-config.xml 
@@ -16,8 +16,18 @@ limitations under the License. --> + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml index 491bfd93a6..9acf366400 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/server-config.xml @@ -16,17 +16,18 @@ limitations under the License. --> + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/spring-servlet.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/spring-servlet.xml index 172b63cec1..f37503b801 100644 
--- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/spring-servlet.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/spring-servlet.xml @@ -16,8 +16,18 @@ limitations under the License. --> + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/task-config.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/task-config.xml index adffe8786a..78c5a40608 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/task-config.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/task-config.xml 
@@ -16,10 +16,20 @@ limitations under the License. --> + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml index 3ec491cbe6..cf2cd627c6 100644 --- a/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ b/openid-connect-server-webapp/src/main/webapp/WEB-INF/user-context.xml 
@@ -16,19 +16,18 @@ limitations under the License. --> + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.0.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.0.xsd"> diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java index 74ea5fcda9..f531bc93da 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java @@ -36,7 +36,7 @@ import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.provider.AuthorizationRequest; -import org.springframework.security.oauth2.provider.DefaultOAuth2RequestFactory; +import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory; import org.springframework.stereotype.Component; import com.google.common.base.Strings; 
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java index 9b87dfca7e..4c1cf7e49d 100644 --- a/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java +++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java @@ -19,6 +19,7 @@ import java.util.Calendar; import java.util.Collection; import java.util.Date; +import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.Set; @@ -267,4 +268,15 @@ private void setAuthTime(AuthorizationRequest authorizationRequest) { } } + @Override + public Map getUserApprovalRequest( + AuthorizationRequest authorizationRequest, + Authentication userAuthentication) { + Map model = new HashMap(); + // In case of a redirect we might want the request parameters to be included + model.putAll(authorizationRequest.getRequestParameters()); + return model; + + } + } diff --git a/pom.xml b/pom.xml index b659791f55..40d7897692 100644 --- a/pom.xml +++ b/pom.xml @@ -71,9 +71,9 @@ 1.6 - 3.2.3.RELEASE - 1.5.10 - 3.1.4.RELEASE + 4.0.3.RELEASE + 1.7.6 + 3.2.3.RELEASE A reference implementation of OpenID Connect (http://openid.net/connect/) and OAuth 2.0 built on top of Java, Spring, and Spring Security. The project contains a fully functioning server, client, and utility library. https://github.com/mitreid-connect From 9b97f1691011d2b643e2b85e5149ef815a10c84a Mon Sep 17 00:00:00 2001 
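Review bot: The new `getUserApprovalRequest` is written with raw types — `public Map getUserApprovalRequest(` and `Map model = new HashMap();` — while the interface method it overrides is, as far as I recall, declared with `Map<String, Object>`; declare it as `public Map<String, Object> getUserApprovalRequest(` and `Map<String, Object> model = new HashMap<String, Object>();` (no diamond, the pom still targets 1.6) so the unchecked warning disappears and callers need no cast. The body copies every request parameter into the approval model verbatim; because that model is what the approval view renders, the template consuming it must treat those values as untrusted client input and escape them, which is worth a one-line comment such as `// request parameters are client-supplied; the view must escape them`. The blank line before the closing brace of the method looks unintentional.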
From: "Dr. Philipp Walter" Date: Sun, 20 Apr 2014 12:53:09 +0200 Subject: [PATCH 2/2] Nonce usage is now configurable in ServerConfiguration. --- .../client/OIDCAuthenticationFilter.java | 40 ++++++++++--------- .../impl/EncryptedAuthRequestUrlBuilder.java | 8 ++-- .../impl/PlainAuthRequestUrlBuilder.java | 8 ++-- .../impl/SignedAuthRequestUrlBuilder.java | 6 ++- .../impl/TestPlainAuthRequestUrlBuilder.java | 1 + .../impl/TestSignedAuthRequestUrlBuilder.java | 1 + .../connect/config/ServerConfiguration.java | 20 ++++++++++ 7 files changed, 57 insertions(+), 27 deletions(-) diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java index 1d0f33478e..cf62651391 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java 
@@ -488,25 +488,27 @@ protected ClientHttpRequest createRequest(URI url, HttpMethod method) throws IOE throw new AuthenticationServiceException("Audience does not match, expected " + clientConfig.getClientId() + " got " + idClaims.getAudience()); } - // compare the nonce to our stored claim - String nonce = idClaims.getStringClaim("nonce"); - if (Strings.isNullOrEmpty(nonce)) { - - logger.error("ID token did not contain a nonce claim."); - - throw new AuthenticationServiceException("ID token did not contain a nonce claim."); - } - - String storedNonce = getStoredNonce(session); - if (!nonce.equals(storedNonce)) { - logger.error("Possible replay attack detected! The comparison of the nonce in the returned " - + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + "."); - - throw new AuthenticationServiceException( - "Possible replay attack detected! The comparison of the nonce in the returned " - + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + "."); - } - + if(serverConfig.getNonceSupported() == null || serverConfig.getNonceSupported().equals(Boolean.TRUE)) { + // compare the nonce to our stored claim + String nonce = idClaims.getStringClaim("nonce"); + if (Strings.isNullOrEmpty(nonce)) { + + logger.error("ID token did not contain a nonce claim."); + + throw new AuthenticationServiceException("ID token did not contain a nonce claim."); + } + + String storedNonce = getStoredNonce(session); + if (!nonce.equals(storedNonce)) { + logger.error("Possible replay attack detected! The comparison of the nonce in the returned " + + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. Expected " + storedNonce + " got " + nonce + "."); + + throw new AuthenticationServiceException( + "Possible replay attack detected! The comparison of the nonce in the returned " + + "ID Token to the session " + NONCE_SESSION_VARIABLE + " failed. 
Expected " + storedNonce + " got " + nonce + "."); + } + } + // pull the subject (user id) out as a claim on the id_token String userId = idClaims.getSubject(); diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java index 1d96fc877b..ada94580a9 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/EncryptedAuthRequestUrlBuilder.java @@ -51,9 +51,11 @@ public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredCl // build our redirect URI claims.setClaim("redirect_uri", redirectUri); - // this comes back in the id token - claims.setClaim("nonce", nonce); - + if(serverConfig.getNonceSupported() == null || serverConfig.getNonceSupported().equals(Boolean.TRUE)) { + // this comes back in the id token + claims.setClaim("nonce", nonce); + } + // this comes back in the auth request return claims.setClaim("state", state); diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java index 7c4cccc776..8253e2e223 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java 
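Review bot: Nonce validation is now skipped whenever `serverConfig.getNonceSupported()` is `Boolean.FALSE`, and nothing is logged when that happens; since the nonce is the only binding between this ID token and the session that started the flow, the skip should be visible, e.g. an `else` branch with `logger.warn("Nonce validation is disabled for this server configuration; ID token replay cannot be detected.");`. If ServerConfiguration is populated from the provider's discovery document (the javadoc added to ServerConfiguration in this patch presents `nonce_supported` as discovery metadata), the value that disables the check is chosen by the remote party, which inverts the trust direction of a replay check; treating it as a local deployment override only would be safer. The same four-term condition is repeated here and in EncryptedAuthRequestUrlBuilder, PlainAuthRequestUrlBuilder and SignedAuthRequestUrlBuilder; `!Boolean.FALSE.equals(serverConfig.getNonceSupported())` is equivalent, null-safe and shorter, and would read best as one helper on ServerConfiguration. The method being edited starts and ends outside the hunk; the `createRequest` name in the hunk header appears to be git's nearest-declaration guess rather than the enclosing method.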
@@ -53,9 +53,11 @@ public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredCl uriBuilder.addParameter("scope", Joiner.on(" ").join(clientConfig.getScope())); uriBuilder.addParameter("redirect_uri", redirectUri); - - uriBuilder.addParameter("nonce", nonce); - + + if(serverConfig.getNonceSupported() == null || serverConfig.getNonceSupported().equals(Boolean.TRUE)) { + uriBuilder.addParameter("nonce", nonce); + } + uriBuilder.addParameter("state", state); // Optional parameters: diff --git a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java index 78fcd9bd7e..0a04b6a95f 100644 --- a/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java +++ b/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/SignedAuthRequestUrlBuilder.java @@ -60,8 +60,10 @@ public String buildAuthRequestUrl(ServerConfiguration serverConfig, RegisteredCl // build our redirect URI claims.setClaim("redirect_uri", redirectUri); - // this comes back in the id token - claims.setClaim("nonce", nonce); + if(serverConfig.getNonceSupported() == null || serverConfig.getNonceSupported().equals(Boolean.TRUE)) { + // this comes back in the id token + claims.setClaim("nonce", nonce); + } // this comes back in the auth request return claims.setClaim("state", state); diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java index 6f7a735080..10a4d08e27 100644 --- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java 
+++ b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestPlainAuthRequestUrlBuilder.java @@ -48,6 +48,7 @@ public void prepare() { serverConfig = Mockito.mock(ServerConfiguration.class); Mockito.when(serverConfig.getAuthorizationEndpointUri()).thenReturn("https://server.example.com/authorize"); + Mockito.when(serverConfig.getNonceSupported()).thenReturn(null); clientConfig = Mockito.mock(RegisteredClient.class); Mockito.when(clientConfig.getClientId()).thenReturn("s6BhdRkqt3"); diff --git a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java index 0bbb83a823..c04277fa58 100644 --- a/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java +++ b/openid-connect-client/src/test/java/org/mitre/openid/connect/client/service/impl/TestSignedAuthRequestUrlBuilder.java @@ -102,6 +102,7 @@ public void prepare() throws NoSuchAlgorithmException, InvalidKeySpecException { serverConfig = Mockito.mock(ServerConfiguration.class); Mockito.when(serverConfig.getAuthorizationEndpointUri()).thenReturn("https://server.example.com/authorize"); + Mockito.when(serverConfig.getNonceSupported()).thenReturn(null); clientConfig = Mockito.mock(RegisteredClient.class); Mockito.when(clientConfig.getClientId()).thenReturn("s6BhdRkqt3"); diff --git a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java index 78e6599caa..bd6679ecab 100644 --- a/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java +++ b/openid-connect-common/src/main/java/org/mitre/openid/connect/config/ServerConfiguration.java 
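Review bot: Both new stubs return `null` from `getNonceSupported()`, which is what a Mockito mock already returns for an unstubbed `Boolean` getter, so they pin no new behaviour and the path this commit adds (nonce omitted from the request) stays untested. Add a case that stubs `Mockito.when(serverConfig.getNonceSupported()).thenReturn(Boolean.FALSE);` and asserts the built URL carries no `nonce` parameter, and one with `Boolean.TRUE` asserting it does. `prepare()` begins before the hunk in both test classes.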
@@ -145,6 +145,9 @@ OPTIONAL. JSON array containing a list of the JWS signing algorithms (alg values request_uri_parameter_supported OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter, with true indicating support. If omitted, the default value is true. + nonce_supported + OPTIONAL. Boolean value specifying whether the OP supports use of the nonce parameter, with true indicating + support. If omitted, the default value is true. require_request_uri_registration OPTIONAL. Boolean value specifying whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter. Pre-registration is REQUIRED when @@ -208,6 +211,7 @@ public void setRevocationEndpointUri(String revocationEndpointUri) { private Boolean claimsParameterSupported; private Boolean requestParameterSupported; private Boolean requestUriParameterSupported; + private Boolean nonceSupported; private Boolean requireRequestUriRegistration; private String opPolicyUri; private String opTosUri; @@ -619,6 +623,18 @@ public Boolean getRequestUriParameterSupported() { public void setRequestUriParameterSupported(Boolean requestUriParameterSupported) { this.requestUriParameterSupported = requestUriParameterSupported; } + /** + * @return the nonceSupported + */ + public Boolean getNonceSupported() { + return nonceSupported; + } + /** + * @param nonceSupported the nonceSupported to set + */ + public void setNonceSupported(Boolean nonceSupported) { + this.nonceSupported = nonceSupported; + } /** * @return the requireRequestUriRegistration */ @@ -743,6 +759,10 @@ public int hashCode() { * result + ((requestUriParameterSupported == null) ? 0 : requestUriParameterSupported.hashCode()); + result = prime + * result + + ((nonceSupported == null) ? 0 + : nonceSupported.hashCode()); result = prime * result + ((requireRequestUriRegistration == null) ? 0
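Review bot: The new javadoc entry describes `nonce_supported` in the wording of the OpenID Connect Discovery metadata list it is inserted into, but to my knowledge no such parameter exists in that specification, so a reader will assume it is parsed from the provider's discovery document; if it is, the provider, or anyone who can tamper with that document, can switch off the client's nonce check. Either state that it is a local client-side setting, or say explicitly that it comes from discovery and note that trust consequence. The accessor javadoc (`@return the nonceSupported`) should say what the value does, e.g. `Whether the nonce parameter is sent in authorization requests and checked in the returned ID token; null or TRUE enables it (the default), FALSE disables it and removes the replay protection the nonce provides.` The hashCode hunk that follows runs past this excerpt; make sure equals() is updated to match, which is not visible here.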