From 31dce1f08bdf8df7eb5be487cb6f3d320e52385d Mon Sep 17 00:00:00 2001 From: Sebastian Schuster Date: Thu, 12 Jan 2017 13:17:52 +0100 Subject: [PATCH 1/5] Removed version from created war and added maven jetty plugin with context so URLs are prefixed correctly in uma-server-webapp --- uma-server-webapp/pom.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/uma-server-webapp/pom.xml b/uma-server-webapp/pom.xml index 9a82d26121..a934f6eb12 100644 --- a/uma-server-webapp/pom.xml +++ b/uma-server-webapp/pom.xml @@ -53,6 +53,7 @@ org.apache.maven.plugins maven-war-plugin + uma-server-webapp org.mitre @@ -61,6 +62,16 @@ + + org.eclipse.jetty + jetty-maven-plugin + + ${project.build.directory}/uma-server-webapp.war + + /uma-server-webapp + + + From 98db2e234549466f126d9c19af15d60b966c624a Mon Sep 17 00:00:00 2001 From: Sebastian Schuster Date: Thu, 12 Jan 2017 13:21:33 +0100 Subject: [PATCH 2/5] Adapted overlayed application-context.xml in uma-server-webapp to base file --- .../src/main/webapp/WEB-INF/application-context.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml index ea0d0fa031..7de114acb1 100644 --- a/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml +++ b/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml @@ -216,14 +216,14 @@ - - - - + + + + From 89812d285fc84ae9109fe10a16dfa500d3db6a32 Mon Sep 17 00:00:00 2001 From: Sebastian Schuster Date: Thu, 12 Jan 2017 13:27:30 +0100 Subject: [PATCH 3/5] Adapted changes from base admin.js to overlayed admin.js in uma-server-webapp --- .../src/main/webapp/resources/js/admin.js | 65 ++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/uma-server-webapp/src/main/webapp/resources/js/admin.js b/uma-server-webapp/src/main/webapp/resources/js/admin.js index 1eb6848d89..6f09706e50 100644 
--- a/uma-server-webapp/src/main/webapp/resources/js/admin.js +++ b/uma-server-webapp/src/main/webapp/resources/js/admin.js @@ -366,6 +366,66 @@ var UserProfileView = Backbone.View.extend({ } }); +// error handler +var ErrorHandlerView = Backbone.View.extend({ + + initialize:function(options) { + this.options = options; + if (!this.template) { + this.template = _.template($('#tmpl-error-box').html()); + } + if (!this.headerTemplate) { + this.headerTemplate = _.template($('#tmpl-error-header').html()); + } + }, + + reloadPage:function(event) { + event.preventDefault(); + window.location.reload(true); + }, + + handleError:function(message) { + + if (!message) { + message = {}; + } + + if (message.log) { + console.log(message.log); + } + + var _self = this; + + return function(model, response, options) { + + _self.showErrorMessage( + _self.headerTemplate({message: message, model: model, response: response, options: options}), + _self.template({message: message, model: model, response: response, options: options}) + ); + + $('#modalAlert .modal-body .page-reload').on('click', _self.reloadPage); + + } + }, + + showErrorMessage:function(header, message) { + // hide the sheet if it's visible + $('#loadingbox').sheet('hide'); + + $('#modalAlert').i18n(); + $('#modalAlert div.modal-header').html(header); + $('#modalAlert .modal-body').html(message); + + $('#modalAlert').modal({ + 'backdrop': 'static', + 'keyboard': true, + 'show': true + }); + + } +}); + + // Router var AppRouter = Backbone.Router.extend({ @@ -431,6 +491,8 @@ var AppRouter = Backbone.Router.extend({ this.breadCrumbView.render(); + this.errorHandlerView = new ErrorHandlerView(); + var base = $('base').attr('href'); $.getJSON(base + '.well-known/openid-configuration', function(data) { app.serverConfiguration = data; 
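Review bot: `showErrorMessage` inserts both rendered templates with `.html()`, and `handleError` hands `message`, `model` and `response` straight to those templates, so escaping of server-supplied error text depends entirely on `#tmpl-error-box` and `#tmpl-error-header`, which are not part of this patch. If those templates print response or message fields with Underscore's raw `<%= %>` form, they should use the escaping `<%- %>` form instead. A comment above `showErrorMessage` would make the contract explicit, for example `// header and message are inserted with .html(); callers must pass already-escaped markup`. Separately, `window.location.reload(true)` in `reloadPage` passes a non-standard argument that browsers may ignore, so `window.location.reload();` is the portable form.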
@@ -1142,9 +1204,10 @@ $(function () { }); window.onerror = function ( message, filename, lineno, colno, error ){ + console.log(message); //Display an alert with an error message $('#modalAlert div.modal-header').html($.t('error.title')); - $('#modalAlert div.modal-body').html($.t('error.message') + '
' [filename, lineno, colno, error]); + $('#modalAlert div.modal-body').html($.t('error.message') + message + '
' + [filename, lineno, colno, error]); $("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog "backdrop" : "static", From ddee7debd864e87c6da1366d833660134d3682bb Mon Sep 17 00:00:00 2001 From: Sebastian Schuster Date: Thu, 12 Jan 2017 18:00:36 +0100 Subject: [PATCH 4/5] Adapted uma-webapp-server database initialization scripts to base changes --- .../main/resources/db/{ => hsql}/clients.sql | 2 +- .../main/resources/db/{ => hsql}/scopes.sql | 2 +- .../src/main/resources/db/mysql/clients.sql | 69 +++++++++++++++++ .../src/main/resources/db/mysql/scopes.sql | 33 +++++++++ .../resources/db/oracle/clients_oracle.sql | 61 +++++++++++++++ .../resources/db/oracle/scopes_oracle.sql | 31 ++++++++ .../src/main/resources/db/psql/clients.sql | 74 +++++++++++++++++++ .../src/main/resources/db/psql/scopes.sql | 33 +++++++++ 8 files changed, 303 insertions(+), 2 deletions(-) rename uma-server-webapp/src/main/resources/db/{ => hsql}/clients.sql (99%) mode change 100644 => 100755 rename uma-server-webapp/src/main/resources/db/{ => hsql}/scopes.sql (98%) mode change 100644 => 100755 create mode 100755 uma-server-webapp/src/main/resources/db/mysql/clients.sql create mode 100755 uma-server-webapp/src/main/resources/db/mysql/scopes.sql create mode 100755 uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql create mode 100755 uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql create mode 100755 uma-server-webapp/src/main/resources/db/psql/clients.sql create mode 100755 uma-server-webapp/src/main/resources/db/psql/scopes.sql diff --git a/uma-server-webapp/src/main/resources/db/clients.sql b/uma-server-webapp/src/main/resources/db/hsql/clients.sql old mode 100644 new mode 100755 similarity index 99% rename from uma-server-webapp/src/main/resources/db/clients.sql rename to uma-server-webapp/src/main/resources/db/hsql/clients.sql index cb8a6c2367..8d41bcad94 --- a/uma-server-webapp/src/main/resources/db/clients.sql 
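Review bot: The rewritten `.html(...)` line in `window.onerror` concatenates `message` and `[filename, lineno, colno, error]` into the modal body unescaped, so an error string that carries server- or URL-derived text is parsed as markup inside the admin console. Escape both parts before insertion, e.g. `_.escape(message)` and `_.escape([filename, lineno, colno, error].join(', '))`, keeping only the literal line break as HTML. Underscore is already used in this file for `_.template`, so no new dependency is needed. The handler's body continues past the end of this hunk.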
+++ b/uma-server-webapp/src/main/resources/db/hsql/clients.sql @@ -28,7 +28,7 @@ INSERT INTO client_scope_TEMP (owner_id, scope) VALUES INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost/'), ('client', 'http://localhost:8080/'); - + INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'authorization_code'), ('client', 'urn:ietf:params:oauth:grant_type:redelegate'), diff --git a/uma-server-webapp/src/main/resources/db/scopes.sql b/uma-server-webapp/src/main/resources/db/hsql/scopes.sql old mode 100644 new mode 100755 similarity index 98% rename from uma-server-webapp/src/main/resources/db/scopes.sql rename to uma-server-webapp/src/main/resources/db/hsql/scopes.sql index e0345dce04..9b0446af51 --- a/uma-server-webapp/src/main/resources/db/scopes.sql +++ b/uma-server-webapp/src/main/resources/db/hsql/scopes.sql @@ -32,4 +32,4 @@ MERGE INTO system_scope COMMIT; -SET AUTOCOMMIT TRUE; \ No newline at end of file +SET AUTOCOMMIT TRUE; diff --git a/uma-server-webapp/src/main/resources/db/mysql/clients.sql b/uma-server-webapp/src/main/resources/db/mysql/clients.sql new file mode 100755 index 0000000000..02444c4732 --- /dev/null +++ b/uma-server-webapp/src/main/resources/db/mysql/clients.sql 
@@ -0,0 +1,69 @@ +-- +-- Turn off autocommit and start a transaction so that we can use the temp tables +-- + +SET AUTOCOMMIT = 0; + +START TRANSACTION; + +-- +-- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here. +-- + +INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES + ('client', 'secret', 'Test Client', false, null, 3600, 600, true), + ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false), + ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); + +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES + ('client', 'openid'), + ('client', 'profile'), + ('client', 'email'), + ('client', 'address'), + ('client', 'phone'), + ('client', 'offline_access'), + ('rs', 'uma_protection'), + ('c', 'uma_authorization'); + +INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES + ('client', 'http://localhost/'), + ('client', 'http://localhost:8080/'); + +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES + ('client', 'authorization_code'), + ('client', 'urn:ietf:params:oauth:grant_type:redelegate'), + ('client', 'implicit'), + ('client', 'refresh_token'), + ('rs', 'authorization_code'), + ('rs', 'implicit'), + ('c', 'authorization_code'), + ('c', 'implicit'); + +-- +-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. 
+-- + +INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) + SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP + ON DUPLICATE KEY UPDATE client_details.client_id = client_details.client_id; + +INSERT INTO client_scope (owner_id, scope) + SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id + ON DUPLICATE KEY UPDATE client_scope.owner_id = client_scope.owner_id; + +INSERT INTO client_redirect_uri (owner_id, redirect_uri) + SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id + ON DUPLICATE KEY UPDATE client_redirect_uri.owner_id = client_redirect_uri.owner_id; + +INSERT INTO client_grant_type (owner_id, grant_type) + SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id + ON DUPLICATE KEY UPDATE client_grant_type.owner_id = client_grant_type.owner_id; + +-- +-- Close the transaction and turn autocommit back on +-- + +COMMIT; + +SET AUTOCOMMIT = 1; + diff --git a/uma-server-webapp/src/main/resources/db/mysql/scopes.sql b/uma-server-webapp/src/main/resources/db/mysql/scopes.sql new file mode 100755 index 0000000000..bdcc0f6e30 --- /dev/null +++ b/uma-server-webapp/src/main/resources/db/mysql/scopes.sql 
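Review bot: All three seed clients are created with the literal secret `secret`, and the merge step copies them into `client_details` whenever they are absent, so pointing this script at a persistent MySQL store leaves well-known client credentials in place (the `client` row also has `allow_introspection` set and the `refresh_token` grant). The file header should say so, for example `-- Test clients with well-known secrets; remove or replace them before using a persistent or shared database.` The same rows are added in `db/oracle/clients_oracle.sql` and `db/psql/clients.sql`, which need the same warning. The comment "To add clients to the HSQL database" is also a leftover from the HSQL script; here it should name MySQL, and the psql file carries the same leftover.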
@@ -0,0 +1,33 @@ +-- +-- Turn off autocommit and start a transaction so that we can use the temp tables +-- + +SET AUTOCOMMIT = 0; + +START TRANSACTION; + +-- +-- Insert scope information into the temporary tables. +-- + +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('openid', 'log in using your identity', 'user', false, true, false, null), + ('profile', 'basic profile information', 'list-alt', false, true, false, null), + ('email', 'email address', 'envelope', false, true, false, null), + ('address', 'physical address', 'home', false, true, false, null), + ('phone', 'telephone number', 'bell', false, true, false, null), + ('offline_access', 'offline access', 'time', false, false, false, null), + ('uma_protection', 'manage protected resources', 'briefcase', false, false, false, null), + ('uma_authorization', 'request access to protected resources', 'share', false, false, false, null); + +-- +-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. +-- + +INSERT INTO system_scope (scope, description, icon, restricted, default_scope, structured, structured_param_description) + SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP + ON DUPLICATE KEY UPDATE system_scope.scope = system_scope.scope; + +COMMIT; + +SET AUTOCOMMIT = 1; diff --git a/uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql b/uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql new file mode 100755 index 0000000000..783ff2d3a4 --- /dev/null +++ b/uma-server-webapp/src/main/resources/db/oracle/clients_oracle.sql 
@@ -0,0 +1,61 @@ +-- +-- Insert client information into the temporary tables. To add clients to the Oracle database, edit things here. +-- + +INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES + ('client', 'secret', 'Test Client', 0, null, 3600, 600, 1); +INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES + ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false); +INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES + ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); + +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'openid'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'profile'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'email'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'address'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'phone'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('client', 'offline_access'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('rs', 'uma_protection'); +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES ('c', 'uma_authorization'); + +INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost/'); +INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES ('client', 'http://localhost:8080/'); + +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'authorization_code'); +INSERT INTO client_grant_type_TEMP (owner_id, 
grant_type) VALUES ('client', 'urn:ietf:params:oauth:grant_type:redelegate'); +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'implicit'); +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('client', 'refresh_token'); +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('rs', 'authorization_code'); +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('rs', 'implicit'); +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('c', 'authorization_code'); +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES ('c', 'implicit'); + +-- +-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. +-- + +MERGE INTO client_details + USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) vals + ON (vals.client_id = client_details.client_id) + WHEN NOT MATCHED THEN + INSERT (id, client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, + id_token_validity_seconds, allow_introspection) VALUES(client_details_seq.nextval, vals.client_id, vals.client_secret, vals.client_name, vals.dynamically_registered, + vals.refresh_token_validity_seconds, vals.access_token_validity_seconds, vals.id_token_validity_seconds, vals.allow_introspection); + +MERGE INTO client_scope + USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) vals + ON (vals.id = client_scope.owner_id AND vals.scope = client_scope.scope) + WHEN NOT MATCHED THEN + INSERT (owner_id, scope) values (vals.id, vals.scope); + +MERGE INTO client_redirect_uri + USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE 
client_details.client_id = client_redirect_uri_TEMP.owner_id) vals + ON (vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri) + WHEN NOT MATCHED THEN + INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri); + +MERGE INTO client_grant_type + USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) vals + ON (vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type) + WHEN NOT MATCHED THEN + INSERT (owner_id, grant_type) values (vals.id, vals.grant_type); diff --git a/uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql b/uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql new file mode 100755 index 0000000000..a52e021dea --- /dev/null +++ b/uma-server-webapp/src/main/resources/db/oracle/scopes_oracle.sql 
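Review bot: The second and third `client_details_TEMP` inserts use `false` for `dynamically_registered` and `allow_introspection`, while the first insert and all of `scopes_oracle.sql` use `0`/`1`. If these columns are numeric, as the other rows suggest, the `rs` and `c` statements will likely be rejected and the UMA test clients will be missing from an Oracle install. Use the numeric form in both rows: `('rs', 'secret', 'Test UMA RS', 0, null, null, 600, 0);` and `('c', 'secret', 'Test UMA Client', 0, null, null, 600, 0);`.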
@@ -0,0 +1,31 @@ +-- +-- Insert scope information into the temporary tables. +-- + +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('openid', 'log in using your identity', 'user', 0, 1, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('profile', 'basic profile information', 'list-alt', 0, 1, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('email', 'email address', 'envelope', 0, 1, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('address', 'physical address', 'home', 0, 1, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('phone', 'telephone number', 'bell', 0, 1, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('offline_access', 'offline access', 'time', 0, 0, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('uma_protection', 'manage protected resources', 'briefcase', 0, 0, 0, null); +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('uma_authorization', 'request access to protected resources', 'share', 0, 0, 0, null); + +-- +-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. 
+-- + +MERGE INTO system_scope + USING (SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP) vals + ON (vals.scope = system_scope.scope) + WHEN NOT MATCHED THEN + INSERT (id, scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES(system_scope_seq.nextval, vals.scope, + vals.description, vals.icon, vals.restricted, vals.default_scope, vals.structured, vals.structured_param_description); diff --git a/uma-server-webapp/src/main/resources/db/psql/clients.sql b/uma-server-webapp/src/main/resources/db/psql/clients.sql new file mode 100755 index 0000000000..d4c75e7fe6 --- /dev/null +++ b/uma-server-webapp/src/main/resources/db/psql/clients.sql 
@@ -0,0 +1,74 @@ +-- +-- Turn off autocommit and start a transaction so that we can use the temp tables +-- + +--SET AUTOCOMMIT = OFF; + +START TRANSACTION; + +-- +-- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here. +-- + +INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES + ('client', 'secret', 'Test Client', false, null, 3600, 600, true), + ('rs', 'secret', 'Test UMA RS', false, null, null, 600, false), + ('c', 'secret', 'Test UMA Client', false, null, null, 600, false); + +INSERT INTO client_scope_TEMP (owner_id, scope) VALUES + ('client', 'openid'), + ('client', 'profile'), + ('client', 'email'), + ('client', 'address'), + ('client', 'phone'), + ('client', 'offline_access'), + ('rs', 'uma_protection'), + ('c', 'uma_authorization'); + +INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES + ('client', 'http://localhost/'), + ('client', 'http://localhost:8080/'); + +INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES + ('client', 'authorization_code'), + ('client', 'urn:ietf:params:oauth:grant_type:redelegate'), + ('client', 'implicit'), + ('client', 'refresh_token'), + ('rs', 'authorization_code'), + ('rs', 'implicit'), + ('c', 'authorization_code'), + ('c', 'implicit'); + +-- +-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store. 
+-- + +INSERT INTO client_details (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) + SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP + ON CONFLICT + DO NOTHING; + +INSERT INTO client_scope (scope) + SELECT scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id + ON CONFLICT + DO NOTHING; + +INSERT INTO client_redirect_uri (redirect_uri) + SELECT redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id + ON CONFLICT + DO NOTHING; + +INSERT INTO client_grant_type (grant_type) + SELECT grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id + ON CONFLICT + DO NOTHING; + +-- +-- Close the transaction and turn autocommit back on +-- + +COMMIT; + +--SET AUTOCOMMIT = ON; + + diff --git a/uma-server-webapp/src/main/resources/db/psql/scopes.sql b/uma-server-webapp/src/main/resources/db/psql/scopes.sql new file mode 100755 index 0000000000..8b2611b832 --- /dev/null +++ b/uma-server-webapp/src/main/resources/db/psql/scopes.sql 
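Review bot: The three merge statements for `client_scope`, `client_redirect_uri` and `client_grant_type` insert only the value column and drop `owner_id`, although the SELECT joins `client_details` precisely to resolve it and the MySQL script in this patch inserts `id` alongside the value. As written, the scopes, redirect URIs and grant types are not tied to any client, so the seeded clients would have no registered redirect URI or grant restrictions attached; depending on the table constraints, which are not visible here, the inserts may instead fail outright. The fence shows the statements with the owner column restored. A bare `ON CONFLICT DO NOTHING` only deduplicates if a unique constraint covers `(owner_id, value)`, which should be confirmed against the schema.

```sql
INSERT INTO client_scope (owner_id, scope)
  SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id
-- … unchanged: ON CONFLICT DO NOTHING; …

INSERT INTO client_redirect_uri (owner_id, redirect_uri)
  SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id
-- … unchanged: ON CONFLICT DO NOTHING; …

INSERT INTO client_grant_type (owner_id, grant_type)
  SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id
-- … unchanged: ON CONFLICT DO NOTHING; …
```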
@@ -0,0 +1,33 @@ +-- +-- Turn off autocommit and start a transaction so that we can use the temp tables +-- + +--SET AUTOCOMMIT = OFF; + +START TRANSACTION; + +-- +-- Insert scope information into the temporary tables. +-- + +INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES + ('openid', 'log in using your identity', 'user', false, true, false, null), + ('profile', 'basic profile information', 'list-alt', false, true, false, null), + ('email', 'email address', 'envelope', false, true, false, null), + ('address', 'physical address', 'home', false, true, false, null), + ('phone', 'telephone number', 'bell', false, true, false, null), + ('offline_access', 'offline access', 'time', false, false, false, null); + +-- +-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store. +-- + +INSERT INTO system_scope (scope, description, icon, restricted, default_scope, structured, structured_param_description) + SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP + ON CONFLICT(scope) + DO NOTHING; + +COMMIT; + +--SET AUTOCOMMIT = ON; + From 939f5379d6ad136266f102612c083e358a1a8e4d Mon Sep 17 00:00:00 2001 From: Sebastian Schuster Date: Thu, 12 Jan 2017 18:01:49 +0100 Subject: [PATCH 5/5] Adapted uma-server-webapp overlayed spring configuration files to changes in base webapp --- .../webapp/WEB-INF/application-context.xml | 33 +++++++++++++------ .../src/main/webapp/WEB-INF/server-config.xml | 2 +- .../src/main/webapp/WEB-INF/user-context.xml | 22 ++++++++----- 3 files changed, 38 insertions(+), 19 deletions(-) diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml index 7de114acb1..9cb095fffe 100644 
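Review bot: The PostgreSQL seed list stops at `offline_access`, while `db/mysql/scopes.sql` and `db/oracle/scopes_oracle.sql` in the same patch also register `uma_protection` and `uma_authorization`, and `db/psql/clients.sql` assigns exactly those two scopes to the `rs` and `c` clients. On PostgreSQL those clients would therefore reference scopes that are missing from `system_scope`; how the server treats that is not visible here. Add the two rows after `offline_access`, turning its closing `;` into `,`: `('uma_protection', 'manage protected resources', 'briefcase', false, false, false, null),` and `('uma_authorization', 'request access to protected resources', 'share', false, false, false, null);`.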
--- a/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml +++ b/uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml @@ -25,7 +25,7 @@ xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd @@ -86,66 +86,77 @@ + + + + - + + - + + - + + - + + - + + - + + - + + - + + - + + diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml b/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml index df1fe557ff..36a2de70e6 100644 --- a/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml +++ b/uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml 
@@ -24,7 +24,7 @@ xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd"> diff --git a/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml index ce4e945afe..827b53141c 100644 --- a/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml +++ b/uma-server-webapp/src/main/webapp/WEB-INF/user-context.xml 
@@ -24,7 +24,7 @@ xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd - http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd"> @@ -47,7 +47,7 @@ - + @@ -110,7 +110,7 @@ - + @@ -119,19 +119,25 @@ - + + + - - + + - + + + + +