Does spring-security 3.1 support spring-security-oauth (for oauth2)? Is there a reference?

Question

I am working with an app that uses spring-security 3.0 and oauth2 using spring-security-oauth-1.0.0.M3. It works fine. But it looks like migrating to spring-security 3.1 will not be trivial. I have been unable to find confirmation that the oauth module is still supported.

For example, the oauth tutorial mentions 3.0 not 3.1:

https://github.com/SpringSource/spring-security-oauth/wiki/tutorial

And I have encountered a problem similar to the Mar 4, 2012 comment in the following discussion when I attempt to do a straight upgrade to 3.1 using spring-security-oauth 1.0.0.M3 or M4:

http://code.google.com/p/spring-security-social/wiki/Usage

Specifically I see this in the Tomcat logs:

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration
problem: Failed to import bean definitions from URL location ...
Offending resource: class path resource [spring/applicationContext.xml]; nested
exception is org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected
exception parsing XML document from URL ...; nested exception is
org.springframework.beans.FatalBeanException: Invalid NamespaceHandler class
[org.springframework.security.oauth2.config.OAuth2SecurityNamespaceHandler] for namespace
[http://www.springframework.org/schema/security/oauth2]: problem with handler class file or
dependent class; nested exception is java.lang.NoClassDefFoundError:
org/springframework/security/web/util/AntUrlPathMatcher

Can someone suggest a solution to the above problem, or point to a reference for using spring-security 3.1 and spring-security-oauth, or else suggest a better alternative to implement oauth2 using spring-security 3.1?

Or if I'm missing a fundamental point of spring-security 3.1, that would also be useful to know.

Thanks!

Answer 1

Yes, Spring Security OAuth milestone build 1.0.0.M6, and specifically the oauth2 module, supports Spring Security 3.1.0. It is not yet considered a release. The OAuth 2.0 spec itself is not final.

The 1.0.0.M6 samples appear to be the most accurate and complete reference for implementation. The full 1.0.0.M6 tag zipball is here.

The OAuth 2 Developers Guide is a good textual reference. It's not 100% accurate, at least with respect to 1.0.0.M6. For example, the attribute user-approval-page belongs to authorization-server not authorization-code.

The Maven pom.xml must refer to artifactId spring-security-oauth2 (not spring-security-oauth as in older versions such as 1.0.0.M3).