<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xmlns:sec="http://www.springframework.org/schema/security"

	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
	    http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

	<!-- protect secure resource endpoints ================================================ -->

	<sec:http pattern="/" create-session="never"
              entry-point-ref="oauthAuthenticationEntryPoint"
              access-decision-manager-ref="accessDecisionManager"
              authentication-manager-ref="authenticationManager"
              use-expressions="true">
		<sec:anonymous enabled="false" />
		<sec:intercept-url pattern="/odata/v4/**" access="isAuthenticated()" method="GET" />
		<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<sec:access-denied-handler ref="oauthAccessDeniedHandler" />
	</sec:http>

	<bean id="oauthAuthenticationEntryPoint"
		class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
	</bean>

	<bean id="oauthWebExpressionHandler"
		class="org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler">
	</bean>

	<bean id="accessDecisionManager"
		class="org.springframework.security.access.vote.UnanimousBased">
		<constructor-arg>
			<list>
				<bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
					<property name="expressionHandler" ref="oauthWebExpressionHandler" />
				</bean>
				<bean class="org.springframework.security.access.vote.AuthenticatedVoter"  />
			</list>
		</constructor-arg>
	</bean>

    <sec:authentication-manager alias="authenticationManager"/>

	<oauth:resource-server id="resourceServerFilter"
		resource-id="springsec" token-services-ref="offlineTokenServices" />

	<bean id="offlineTokenServices"
         class="com.sap.xs2.security.commons.SAPOfflineTokenServices">
         <property name="verificationKey" value="${xs.uaa.verificationkey}" />
         <property name="trustedClientId" value="${xs.uaa.clientid}" />
         <property name="trustedIdentityZone" value="${xs.uaa.identityzone}" />
    </bean>

	<bean id="oauthAccessDeniedHandler"
		class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

	<!-- define properties file =========================================================== -->

	<bean class="com.sap.xs2.security.commons.SAPPropertyPlaceholderConfigurer">
		<property name="location"  value="classpath:/application.properties" />
	</bean>

</beans>
