Specifies that the oauth 2 authorization and token endpoints should be created in the application context. These are implemented as regular Spring @Controller beans, so as long as the default Spring MVC set up in present in the application the endpoints should work (at /oauth/authorization and /oauth/token by default). The configuration of the authorization code mechanism. This mechanism enables a way for clients to obtain an access token by obtaining an authorization code. Whether to disable the authorization code mechanism. The reference to the bean that defines the authorization code services. Default value is an instance of "org.springframework.security.oauth2.provider.authorization_code.InMemoryAuthorizationCodeServices". The reference to the bean that defines the cache for client tokens, used during the authorization code grant. The configuration of the client credentials grant type. Whether to disable the implicit grant type The configuration of the refresh token grant type. Whether to disable the refresh token grant type The configuration of the client credentials grant type. Whether to disable the refresh token grant type The configuration of the resource owner password grant type. Whether to disable the refresh token grant type A reference to an authentication manager that can be used to authenticate the resource owner The reference to the bean that defines the client details service. The URL at which a request for an access token will be serviced. Default value: "/oauth/token" The URL at which a user is redirected for authorization. Default value: "/oauth/authorize" The reference to the bean that defines the granter of different oauth token types. The reference to the bean that defines the redirect strategy for users when authenticating to other providers. Default value is an instance of "org.springframework.security.oauth.provider.DefaultRedirectStrategy". The reference to the bean that defines the token services. Default value is an instance of "org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices". The reference to the bean that defines the serialization service for an OAuth 2 response Default value is an instance of "org.springframework.security.oauth2.common.DefaultOAuth2SerializationService". Reference to a bean that handles user approval decisions. Using this strategy servers can selectively skip the approval process depending on decisions in the past or on the type of client. The URL of the page that handles the user approval form (if needed). The name of the form parameter that is used to indicate user approval of the client authentication request. Default value: "user_oauth_approval". The reference to the bean that defines the redirect resolver, used during the user authorization. Default value is an instance of "org.springframework.security.oauth2.provider.authorization_code.DefaultRedirectResolver". Specifies that the oauth 2 protected resource filters should be created in the application context. This element has an id which is the bean id of the filter created. The filter should in turn be added to teh Spring Security filter chain at position after="EXCEPTION_TRANSLATION_FILTER". The resource id that is protected by this filter if any. If empty or absent then all resource ids are allowed, otherwise only tokens which are granted to a client that contains this reosurce id will be legal. The reference to the bean that defines the token services. Default value is an instance of "org.springframework.security.oauth2.provider.token.InMemoryOAuth2ProviderTokenServices". The reference to the bean that defines the serialization service for an OAuth 2 response Default value is an instance of "org.springframework.security.oauth2.common.DefaultOAuth2SerializationService". Default element that contains the definition of the OAuth clients that are allowed to access this service. Definition of a client that can act on behalf of a user. The client id. The client secret. If the secret is undefined or empty (the default) the client does not require a secret. The re-direct URI established during registration (optional). The resource ids to which this client can be granted access (comma-separated). If missing or empty all resources are accessible (not recommended by the spec). The scopes to which the client is limited (comma-separated). If scope is undefined or empty (the default) the client is not limited by scope, but in that case the authorization service must explicitly accept unlimited access by not specifying any scopes itself. Grant types that are authorized for the client to use (comma-separated). Currently defined grant types include "authorization_code", "password", "assertion", and "refresh_token". Default value is "authorization_code,refresh_token". Authorities that are granted to the client (comma-separated). Distinct from the authorities granted to the user on behalf of whom the client is acting. The access token validity period in seconds (optional). If unspecified a global default will be applied by the token services. Element for declaring and configuring an expression handler for oauth security expressions. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html Element for declaring and configuring an expression handler for oauth security expressions in http intercept urls. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html Specifies that the oauth 2 client filter(s) should be applied to the application security policy. Specifies a url pattern that is to be "locked down" according to the availability of access tokens for the specified resources. Note that this element is not required because it may not be desirable to apply OAuth 2 security policies on a URL basis. The pattern for the URL. The resources (comma separated list of resource ids) for which the client requires access in order to service the URL. The HTTP method. The reference to the bean that services the known resource details. Default value is an instance of "org.springframework.security.oauth2.client.InMemoryOAuth2ProtectedResourceDetailsService". The reference to the bean that manages the providers that are used to obtain OAuth2 access tokens. Default value is an instance of "org.springframework.security.oauth2.client.provider.OAuth2AccessTokenProviderChain". The reference to the bean that manages "remembers" OAuth2 tokens for the current user. Default value is an instance of "org.springframework.security.oauth2.client.rememberme.HttpSessionOAuth2RememberMeServices". The reference to the bean that defines the redirect strategy, used when redirecting the user for access authorization. Default value is an instance of "org.springframework.security.web.DefaultRedirectStrategy". Flag to indicate that the filter should redirect the browser instead of re-executing the current filter chain if a proteced resource is encountered. Default is false. Defines the type of pattern used to specify URL paths (either JDK 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if unspecified. Whether test URLs should be converted to lower case prior to comparing with defined path patterns. If unspecified, defaults to "true". Definition of a resource that is protected via OAuth2 to which the application wants access. The grant type. Currently defined grant types include "authorization_code", "password", and "assertion". Default value is "authorization_code". The client id. This is the id by which the resource server will identify this application. The uri to where the access token may be obtained. Comma-separted list of string specifying the scope of the access to the resource. By default, no scope will be specified. The secret asssociated with the resource. By default, no secret will be supplied for access to the resource. The scheme that is used to pass the client secret. Suggested values: "header" and "form". Default: "header". See section 2.1 of the OAuth 2 spec. The uri to which the user will be redirected if the user is ever needed to grant an authorization code. The method for bearing the token when accessing the resource. Default value is "header". See AuthenticationScheme enum for possible values. The name of the bearer token. The default is "access_token", which is according to the spec, but some providers (e.g. Facebook) don't conform to the spec. Some resource servers may require a pre-established URI to which they will redirect users after users authorize an access token.