From: Sanjay Dalal <sanjay.dalal@berkeley.edu>
Date: Tue, 9 Feb 2010 22:32:22 +0000 (+0000)
Subject: CSPACE-870 Integrated Spring Security 3.0.2.CI-SNAPSHOT and Spring 3.0.0.RELEASE... 
X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=d18d5bbe493f2c69c9121e55c8e548e20ba3dbac;p=tmp%2Fjakarta-migration.git

CSPACE-870 Integrated Spring Security 3.0.2.CI-SNAPSHOT and Spring 3.0.0.RELEASE. The JAAS-based CS identity provider (CSIP) is configured successfully as a JAAS authn provider in Spring Security. Added Spring security specific AuthorityGranter and UserDetailsService (test) into authn service.
Refactored DatabaseRealm and CSpaceJBossDBLoginModule (needs package change in login-config.xml of JBoss).
ant deploy is required to copy the Spring specific jars to cspace/lib (of cspace domain). See services/common/lib/README.txt
Spring security is enabled by default. Anonymous access is also enabled by default (allows all tests to run without HTTP basic auth). Security tests could be run with client side security enabled (no need to bounce the server)

A    services/authentication/service/src/main/java/org/collectionspace/authentication/realm
A    services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceRealm.java
A  + services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceDbRealm.java
A    services/authentication/service/src/main/java/org/collectionspace/authentication/spring
A    services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceUserDetailsService.java
A    services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceAuthorityGranter.java
D    services/authentication/service/src/main/java/org/collectionspace/authentication/CSpaceJBossDBLoginModule.java
D    services/authentication/service/src/main/java/org/collectionspace/authentication/DatabaseRealm.java
A    services/authentication/service/src/main/java/org/collectionspace/authentication/jaas
A  + services/authentication/service/src/main/java/org/collectionspace/authentication/jaas/CSpaceJBossDBLoginModule.java
M    services/authentication/service/src/main/resources/config/jboss-login-config.xml
M    services/authentication/service/pom.xml
M    services/authentication/service/build.xml
M    services/JaxRsServiceProvider/src/main/webapp/WEB-INF/web.xml
A    services/JaxRsServiceProvider/src/main/webapp/WEB-INF/login.conf
A    services/JaxRsServiceProvider/src/main/webapp/WEB-INF/applicationContext-security.xml
M    services/JaxRsServiceProvider/pom.xml
M    services/JaxRsServiceProvider/build.xml
A    services/common/lib/spring
AM   services/common/lib/spring/org.springframework.asm-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/org.springframework.jdbc-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/spring-security-web-3.0.2.CI-SNAPSHOT.jar
AM   services/common/lib/spring/org.springframework.context-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/spring-security-acl-3.0.2.CI-SNAPSHOT.jar
AM   services/common/lib/spring/org.springframework.beans-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/org.springframework.core-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/spring-security-config-3.0.2.CI-SNAPSHOT.jar
AM   services/common/lib/spring/org.springframework.web-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/spring-security-core-3.0.2.CI-SNAPSHOT.jar
AM   services/common/lib/spring/org.springframework.expression-3.0.0.BUILD-20100208195804.jar
AM   services/common/lib/spring/org.springframework.aop-3.0.0.BUILD-20100208195804.jar
M    services/common/lib/README.txt
M    services/common/build.xml
---

diff --git a/services/JaxRsServiceProvider/build.xml b/services/JaxRsServiceProvider/build.xml
index a96d191c5..5f804c64a 100644
--- a/services/JaxRsServiceProvider/build.xml
+++ b/services/JaxRsServiceProvider/build.xml
@@ -115,8 +115,8 @@
     <target name="hotdeploy-unix" if="osfamily-unix">
         <exec executable="mvn" failonerror="true">
             <arg value="properties:read-project-properties" />
-            <arg value="cargo:undeploy" />
-            <arg value="cargo:deploy" />
+            <arg value="cargo:deployer-undeploy" />
+            <arg value="cargo:deployer-deploy" />
             <arg value="-Dmaven.test.skip=true" />
             <arg value="-f" />
             <arg value="${basedir}/pom.xml" />
@@ -129,8 +129,8 @@
             <arg value="/c" />
             <arg value="mvn.bat" />
             <arg value="properties:read-project-properties" />
-            <arg value="cargo:undeploy" />
-            <arg value="cargo:deploy" />
+            <arg value="cargo:deployer-undeploy" />
+            <arg value="cargo:deployer-deploy" />
             <arg value="-Dmaven.test.skip=true" />
             <arg value="-f" />
             <arg value="${basedir}/pom.xml" />
diff --git a/services/JaxRsServiceProvider/pom.xml b/services/JaxRsServiceProvider/pom.xml
index f3c1cd753..11e164e06 100644
--- a/services/JaxRsServiceProvider/pom.xml
+++ b/services/JaxRsServiceProvider/pom.xml
@@ -1,21 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-    
+
     <parent>
         <artifactId>org.collectionspace.services.main</artifactId>
         <groupId>org.collectionspace.services</groupId>
         <version>1.0</version>
     </parent>
 
-    
+
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.collectionspace.services</groupId>
     <artifactId>org.collectionspace.services.jaxrs.provider</artifactId>
     <packaging>war</packaging>
     <version>1.0</version>
     <name>services.jaxrs.provider</name>
-
-
+    <properties>
+        <spring.version>3.0.0.RELEASE</spring.version>
+        <spring.security.version>3.0.2.CI-SNAPSHOT</spring.security.version>
+    </properties>
     <dependencies>
         <dependency>
             <groupId>org.collectionspace.services</groupId>
@@ -130,6 +132,57 @@
             <version>1.5.2</version>
         </dependency>
 
+        <!-- dependencies on spring security & framework are runtime deps only -->
+        <!-- the following list is kept to make sure domain has these packages -->
+        <!-- in the cspace/lib directory -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${spring.security.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-config</artifactId>
+            <version>${spring.security.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>${spring.security.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-acl</artifactId>
+            <version>${spring.security.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-context</artifactId>
+            <version>${spring.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-web</artifactId>
+            <version>${spring.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-webmvc</artifactId>
+            <version>${spring.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-aop</artifactId>
+            <version>${spring.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <!-- javax -->
 
         <!-- jboss -->
@@ -220,10 +273,11 @@
             <plugin>
                 <groupId>org.codehaus.cargo</groupId>
                 <artifactId>cargo-maven2-plugin</artifactId>
+                <version>0.3-SNAPSHOT</version>
                 <!-- Container configuration -->
                 <configuration>
                     <container>
-                        <containerId>jboss42x</containerId>
+                        <containerId>jboss4x</containerId>
                         <home>${jboss.dir}</home>
                         <type>remote</type>
                     </container>
diff --git a/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/applicationContext-security.xml b/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/applicationContext-security.xml
new file mode 100644
index 000000000..9570d1c97
--- /dev/null
+++ b/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/applicationContext-security.xml
@@ -0,0 +1,47 @@
+<!--
+    Document   : applicationContext-security.xml
+    Created on :
+    Author     :
+    Copyright 2010 University of California at Berkeley
+    Description:
+        spring security namespace for CS service layer
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:s="http://www.springframework.org/schema/security"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+       http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
+    <s:http use-expressions="true">
+        <s:intercept-url pattern="/**" access="permitAll" />
+        <s:http-basic />
+        <s:logout />
+    </s:http>
+
+    <s:authentication-manager>
+        <s:authentication-provider ref="jaasAuthenticationProvider" user-service-ref="userDetailsService"/>
+    </s:authentication-manager>
+
+    <bean id="jaasAuthenticationProvider"
+          class="org.springframework.security.authentication.jaas.JaasAuthenticationProvider">
+        <property name="loginContextName">
+            <value>cspace</value> <!-- value should be same as in application-policy in JBoss login-config.xml -->
+        </property>
+        <property name="loginConfig">
+            <value>/WEB-INF/login.conf</value> <!-- filler, not used at runtime -->
+        </property>
+        <property name="callbackHandlers">
+            <list>
+                <bean class="org.springframework.security.authentication.jaas.JaasNameCallbackHandler"/>
+                <bean class="org.springframework.security.authentication.jaas.JaasPasswordCallbackHandler"/>
+            </list>
+        </property>
+        <property name="authorityGranters">
+            <list>
+                <bean class="org.collectionspace.authentication.spring.CSpaceAuthorityGranter"/>
+            </list>
+        </property>
+    </bean>
+
+    <bean id="userDetailsService" class="org.collectionspace.authentication.spring.CSpaceUserDetailsService">
+    </bean>
+</beans>
diff --git a/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/login.conf b/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/login.conf
new file mode 100644
index 000000000..e69de29bb
diff --git a/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/web.xml b/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/web.xml
index 5660b37af..13b44e412 100644
--- a/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/web.xml
+++ b/services/JaxRsServiceProvider/src/main/webapp/WEB-INF/web.xml
@@ -21,7 +21,50 @@
         <param-value>/</param-value>
     </context-param>
 
+    <!--
+      - Location of the XML file that defines the root application context
+      - Applied by ContextLoaderListener.
+      -->
+    <context-param>
+        <param-name>contextConfigLocation</param-name>
+        <param-value>
+            /WEB-INF/applicationContext-security.xml
+        </param-value>
+    </context-param>
+    
+    <filter>
+        <filter-name>springSecurityFilterChain</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+    </filter>
+
+    <filter-mapping>
+      <filter-name>springSecurityFilterChain</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- Listeners -->
+    
+    <!--
+      - Loads the root application context of this web app at startup.
+      - The application context is then available via
+      - WebApplicationContextUtils.getWebApplicationContext(servletContext).
+    -->
+    <listener>
+        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+    </listener>
+
+    <!--
+      - Publishes events for session creation and destruction through the application
+      - context. Optional unless concurrent session control is being used.
+      -->
+    <listener>
+      <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
+    </listener>
+
+    <listener>
+        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
+    </listener>
+
     <listener>
         <listener-class>
             org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap
diff --git a/services/authentication/service/build.xml b/services/authentication/service/build.xml
index 02ff80cee..596d5e4c5 100644
--- a/services/authentication/service/build.xml
+++ b/services/authentication/service/build.xml
@@ -3,7 +3,7 @@
     <description>
         collectionspace authentication service
     </description>
-  <!-- set global properties for this build -->
+    <!-- set global properties for this build -->
     <property name="services.trunk" value="../../.."/>
     <!-- enviornment should be declared before reading build.properties -->
     <property environment="env" />
@@ -20,13 +20,13 @@
     </condition>
 
     <target name="init">
-    <!-- Create the time stamp -->
+        <!-- Create the time stamp -->
         <tstamp/>
     </target>
 
 
     <target name="package" depends="package-unix,package-windows"
-  description="Package CollectionSpace Services" />
+            description="Package CollectionSpace Services" />
     <target name="package-unix" if="osfamily-unix">
         <exec executable="mvn" failonerror="true">
             <arg value="package" />
@@ -51,7 +51,7 @@
     </target>
 
     <target name="install" depends="package,install-unix,install-windows"
-  description="Install" />
+            description="Install" />
     <target name="install-unix" if="osfamily-unix">
         <exec executable="mvn" failonerror="true">
             <arg value="install" />
@@ -74,9 +74,9 @@
             <arg value="${mvn.opts}" />
         </exec>
     </target>
-    
+
     <target name="clean" depends="clean-unix,clean-windows"
-  description="Delete target directories" >
+            description="Delete target directories" >
         <delete dir="${build}"/>
     </target>
     <target name="clean-unix" if="osfamily-unix">
@@ -111,7 +111,7 @@
     </target>
 
     <target name="deploy" depends="install"
-    description="deploy authentication service in ${jboss.server.cspace}">
+            description="deploy authentication service in ${jboss.server.cspace}">
         <copy file="${basedir}/target/${authentication.jar}" todir="${jboss.server.cspace}/lib"/>
         <copy todir="${jboss.server.cspace}/cspace/services">
             <fileset dir="${src}/main/resources/"/>
@@ -121,14 +121,14 @@
     </target>
 
     <target name="undeploy"
-    description="undeploy authentication service from ${jboss.server.cspace}">
+            description="undeploy authentication service from ${jboss.server.cspace}">
         <delete file="${jboss.server.cspace}/lib/${authentication.jar}"/>
         <echo message="Remove authentication-policy cspace from ${jboss.server.cspace}/conf/login-config.xml"/>
-         <echo message="See Authentication Service Configuration Guide on wiki.collectionspace.org for more details"/>
+        <echo message="See Authentication Service Configuration Guide on wiki.collectionspace.org for more details"/>
     </target>
 
     <target name="dist"
-    description="generate distribution for authentication service" depends="package">
+            description="generate distribution for authentication service" depends="package">
         <copy todir="${services.trunk}/${dist.lib.cspace}">
             <fileset file="${basedir}/target/${authentication.jar}"/>
         </copy>
diff --git a/services/authentication/service/pom.xml b/services/authentication/service/pom.xml
index 4ee883511..15da9a5f0 100644
--- a/services/authentication/service/pom.xml
+++ b/services/authentication/service/pom.xml
@@ -16,6 +16,7 @@
         <jboss.version>4.2.3.GA</jboss.version>
         <jboss.ejb.version>3.0</jboss.ejb.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <spring.security.version>3.0.2.CI-SNAPSHOT</spring.security.version>
     </properties>
 
     <dependencies>
@@ -53,6 +54,14 @@
             <artifactId>jbosssx</artifactId>
             <version>4.2.3.GA</version>
         </dependency>
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-core</artifactId>
+            <version>${spring.security.version}</version>
+            <scope>provided</scope>
+        </dependency>
+
     </dependencies>
 
     <build>
diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/CSpaceJBossDBLoginModule.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/jaas/CSpaceJBossDBLoginModule.java
similarity index 93%
rename from services/authentication/service/src/main/java/org/collectionspace/authentication/CSpaceJBossDBLoginModule.java
rename to services/authentication/service/src/main/java/org/collectionspace/authentication/jaas/CSpaceJBossDBLoginModule.java
index 884cbf2fd..80aee4ef9 100644
--- a/services/authentication/service/src/main/java/org/collectionspace/authentication/CSpaceJBossDBLoginModule.java
+++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/jaas/CSpaceJBossDBLoginModule.java
@@ -21,7 +21,7 @@
  *  See the License for the specific language governing permissions and
  *  limitations under the License.
  */
-package org.collectionspace.authentication;
+package org.collectionspace.authentication.jaas;
 
 import java.security.acl.Group;
 import java.util.ArrayList;
@@ -32,6 +32,7 @@ import java.util.Map;
 import javax.security.auth.Subject;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.login.LoginException;
+import org.collectionspace.authentication.realm.CSpaceDbRealm;
 import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
 
 /**
@@ -40,7 +41,7 @@ import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
  */
 public class CSpaceJBossDBLoginModule extends UsernamePasswordLoginModule {
 
-    private DatabaseRealm realm;
+    private CSpaceDbRealm realm;
 
     /**
      * Initialize CSpaceDBLoginModule
@@ -58,7 +59,7 @@ public class CSpaceJBossDBLoginModule extends UsernamePasswordLoginModule {
     public void initialize(Subject subject, CallbackHandler callbackHandler,
             Map sharedState, Map options) {
         super.initialize(subject, callbackHandler, sharedState, options);
-        realm = new DatabaseRealm(options);
+        realm = new CSpaceDbRealm(options);
     }
     //disabled due to classloading problem
 //    private Logger logger = LoggerFactory.getLogger(CSpaceDBLoginModule.class);
diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/DatabaseRealm.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceDbRealm.java
similarity index 95%
rename from services/authentication/service/src/main/java/org/collectionspace/authentication/DatabaseRealm.java
rename to services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceDbRealm.java
index 5d1f265a0..dc948e6d7 100644
--- a/services/authentication/service/src/main/java/org/collectionspace/authentication/DatabaseRealm.java
+++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceDbRealm.java
@@ -47,7 +47,7 @@
  * To change this template, choose Tools | Templates
  * and open the template in the editor.
  */
-package org.collectionspace.authentication;
+package org.collectionspace.authentication.realm;
 
 import java.lang.reflect.Constructor;
 import java.security.Principal;
@@ -67,14 +67,15 @@ import javax.sql.DataSource;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.collectionspace.authentication.CSpaceTenant;
 
 /**
- * DatabaseRealm provides access to user, password, role, tenant database
+ * CSpaceDbRealm provides access to user, password, role, tenant database
  * @author 
  */
-public class DatabaseRealm {
+public class CSpaceDbRealm implements CSpaceRealm {
 
-    private static Log log = LogFactory.getLog(DatabaseRealm.class);
+    private static Log log = LogFactory.getLog(CSpaceDbRealm.class);
     private String datasourceName;
     private String principalsQuery;
     private String rolesQuery;
@@ -82,10 +83,10 @@ public class DatabaseRealm {
     private boolean suspendResume;
 
     /**
-     * create DatabaseRelam 
+     * CSpace Database Realm
      * @param datasourceName datasource name
      */
-    public DatabaseRealm(Map options) {
+    public CSpaceDbRealm(Map options) {
         datasourceName = (String) options.get("dsJndiName");
         if (datasourceName == null) {
             datasourceName = "java:/DefaultDS";
@@ -115,7 +116,8 @@ public class DatabaseRealm {
 
     }
 
-    String getUsersPassword(String username) throws LoginException {
+    @Override
+    public String getUsersPassword(String username) throws LoginException {
 
         String password = null;
         Connection conn = null;
@@ -174,7 +176,8 @@ public class DatabaseRealm {
      * the authenticated user.
      * @return collection containing the roles
      */
-    Collection<Group> getRoles(String username, String principalClassName, String groupClassName) throws LoginException {
+    @Override
+    public Collection<Group> getRoles(String username, String principalClassName, String groupClassName) throws LoginException {
 
         if (log.isDebugEnabled()) {
             log.debug("getRoleSets using rolesQuery: " + rolesQuery + ", username: " + username);
@@ -279,7 +282,8 @@ public class DatabaseRealm {
      * the authenticated user.
      * @return collection containing the roles
      */
-    Collection<Group> getTenants(String username, String groupClassName) throws LoginException {
+    @Override
+    public Collection<Group> getTenants(String username, String groupClassName) throws LoginException {
 
         if (log.isDebugEnabled()) {
             log.debug("getTenants using tenantsQuery: " + tenantsQuery + ", username: " + username);
diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceRealm.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceRealm.java
new file mode 100644
index 000000000..d635916ef
--- /dev/null
+++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/realm/CSpaceRealm.java
@@ -0,0 +1,60 @@
+/**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.collectionspace.authentication.realm;
+
+import java.security.acl.Group;
+import java.util.Collection;
+import javax.security.auth.login.LoginException;
+
+/**
+ * CSpaceRealm defines interface for CollectionSpace Realm
+ */
+public interface CSpaceRealm {
+
+        /**
+     * Obtain password for the given user
+     * @param username
+     * @return
+     * @throws LoginException
+     */
+    public String getUsersPassword(String username) throws LoginException;
+
+    /**
+     * Obtain the roles for the authenticated user.
+     * @return collection containing the roles
+     */
+    public Collection<Group> getRoles(String username, String principalClassName, String groupClassName) throws LoginException;
+
+    /**
+     * Obtain the tenants for the authenticated user.
+     * @return collection containing the roles
+     */
+    public Collection<Group> getTenants(String username, String groupClassName) throws LoginException;
+
+}
diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceAuthorityGranter.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceAuthorityGranter.java
new file mode 100644
index 000000000..b228d1074
--- /dev/null
+++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceAuthorityGranter.java
@@ -0,0 +1,69 @@
+/**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *//**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+
+package org.collectionspace.authentication.spring;
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Set;
+import org.springframework.security.authentication.jaas.AuthorityGranter;
+
+/**
+ *
+ * @author 
+ */
+public class CSpaceAuthorityGranter implements AuthorityGranter {
+ 
+    public Set<String> grant(Principal principal) {
+        Set<String> rtnSet = new HashSet<String>();
+
+
+        return rtnSet;
+    }
+}
diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceUserDetailsService.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceUserDetailsService.java
new file mode 100644
index 000000000..92bf5c4ad
--- /dev/null
+++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/CSpaceUserDetailsService.java
@@ -0,0 +1,89 @@
+/**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *//**
+ *  This document is a part of the source code and related artifacts
+ *  for CollectionSpace, an open source collections management system
+ *  for museums and related institutions:
+
+ *  http://www.collectionspace.org
+ *  http://wiki.collectionspace.org
+
+ *  Copyright 2009 University of California at Berkeley
+
+ *  Licensed under the Educational Community License (ECL), Version 2.0.
+ *  You may not use this file except in compliance with this License.
+
+ *  You may obtain a copy of the ECL 2.0 License at
+
+ *  https://source.collectionspace.org/collection-space/LICENSE.txt
+
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.collectionspace.authentication.spring;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.dao.DataAccessException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+/**
+ * A CollectionSpace UserDetailsService for spring
+ */
+//FIXME remove test/mockup code
+public class CSpaceUserDetailsService implements UserDetailsService {
+
+    private Map<String, User> users = new HashMap<String, User>();
+    private List<GrantedAuthority> auths = AuthorityUtils.createAuthorityList("ROLE_USER");
+
+    public CSpaceUserDetailsService() {
+        users.put("test", new User("test", "", true, true, true, true, auths));
+        users.put("valid", new User("valid", "", true, true, true, true, auths));
+        users.put("locked", new User("locked", "", true, true, true, false, auths));
+        users.put("disabled", new User("disabled", "", false, true, true, true, auths));
+        users.put("credentialsExpired", new User("credentialsExpired", "", true, true, false, true, auths));
+        users.put("expired", new User("expired", "", true, false, true, true, auths));
+    }
+
+    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
+        if (users.get(username) == null) {
+            throw new UsernameNotFoundException("User not found: " + username);
+        }
+
+        return users.get(username);
+    }
+}
diff --git a/services/authentication/service/src/main/resources/config/jboss-login-config.xml b/services/authentication/service/src/main/resources/config/jboss-login-config.xml
index e5b0f7b81..afcc12948 100644
--- a/services/authentication/service/src/main/resources/config/jboss-login-config.xml
+++ b/services/authentication/service/src/main/resources/config/jboss-login-config.xml
@@ -18,7 +18,7 @@ copy before the "other" application-policy
 
 <application-policy name="cspace">
     <authentication>
-        <login-module code="org.collectionspace.authentication.CSpaceJBossDBLoginModule"
+        <login-module code="org.collectionspace.authentication.jaas.CSpaceJBossDBLoginModule"
                       flag="required">
             <module-option name="dsJndiName">CspaceDS</module-option>
             <module-option name="hashAlgorithm">SHA-256</module-option>
diff --git a/services/common/build.xml b/services/common/build.xml
index 3a725fdfa..5c96bed25 100644
--- a/services/common/build.xml
+++ b/services/common/build.xml
@@ -3,7 +3,7 @@
     <description>
         collectionspace services common
     </description>
-  <!-- set global properties for this build -->
+    <!-- set global properties for this build -->
     <property name="services.trunk" value="../.."/>
     <!-- enviornment should be declared before reading build.properties -->
     <property environment="env" />
@@ -20,12 +20,12 @@
     </condition>
 
     <target name="init" >
-    <!-- Create the time stamp -->
+        <!-- Create the time stamp -->
         <tstamp/>
     </target>
 
     <target name="package" depends="package-unix,package-windows"
-  description="Package CollectionSpace Services" />
+            description="Package CollectionSpace Services" />
     <target name="package-unix" if="osfamily-unix">
         <exec executable="mvn" failonerror="true">
             <arg value="package" />
@@ -50,7 +50,7 @@
     </target>
 
     <target name="install" depends="package,install-unix,install-windows"
-  description="Install" />
+            description="Install" />
     <target name="install-unix" if="osfamily-unix">
         <exec executable="mvn" failonerror="true">
             <arg value="install" />
@@ -73,9 +73,9 @@
             <arg value="${mvn.opts}" />
         </exec>
     </target>
-    
+
     <target name="clean" depends="clean-unix,clean-windows"
-  description="Delete target directories" >
+            description="Delete target directories" >
         <delete dir="${build}"/>
     </target>
     <target name="clean-unix" if="osfamily-unix">
@@ -109,9 +109,9 @@
         </exec>
     </target>
 
-    <target name="jpa"
-    description="one time upgrade jpa binaries in ${jboss.server.cspace}">
-        <move todir="${jboss.server.cspace}/jpa-upgrade/lib">
+    <target name="deploy_jpa"
+            description="deploy jpa binaries in ${jboss.server.cspace}">
+        <move todir="${jboss.server.cspace}/jpa-upgrade/lib" overwrite="false">
             <filelist dir="${jboss.server.cspace}/lib">
                 <file name="hibernate-annotations.jar"/>
                 <file name="hibernate-entitymanager.jar"/>
@@ -123,20 +123,45 @@
         </copy>
     </target>
 
+    <target name="deploy_spring"
+            description="deploy spring binaries in ${jboss.server.cspace}">
+        <copy todir="${jboss.server.cspace}/lib">
+            <fileset dir="${basedir}/lib/spring"/>
+        </copy>
+    </target>
+
     <target name="deploy" depends="install"
-    description="deploy common elements in ${jboss.server.cspace}">
+            description="deploy common elements in ${jboss.server.cspace}">
+        <antcall target="deploy_jpa" />
+        <antcall target="deploy_spring" />
         <copy todir="${jboss.server.cspace}/cspace/config/services">
             <fileset dir="${basedir}/src/main/config"/>
         </copy>
     </target>
 
     <target name="undeploy"
-    description="undeploy common elements from ${jboss.server.cspace}">
+            description="undeploy common elements from ${jboss.server.cspace}">
         <delete failonerror="false" dir="${jboss.server.cspace}/cspace/config/services"/>
     </target>
 
+    <target name="dist_jpa"
+            description="dist jpa binaries in ${dist.server.cspace}">
+        <copy todir="${services.trunk}/${dist.server.cspace}/lib">
+            <fileset dir="${basedir}/lib/jpa-upgrade"/>
+        </copy>
+    </target>
+
+    <target name="dist_spring"
+            description="dist spring binaries in ${dist.server.cspace}">
+        <copy todir="${services.trunk}/${dist.server.cspace}/lib">
+            <fileset dir="${basedir}/lib/spring"/>
+        </copy>
+    </target>
+
     <target name="dist"
-    description="generate distribution for common elements" depends="package">
+            description="generate distribution for common elements" depends="package">
+        <antcall target="dist_jpa" />
+        <antcall target="dist_spring" />
         <copy todir="${services.trunk}/${dist.server.cspace}/cspace/config/services">
             <fileset dir="${basedir}/src/main/config"/>
         </copy>
diff --git a/services/common/lib/README.txt b/services/common/lib/README.txt
index 6df592750..424649fd9 100644
--- a/services/common/lib/README.txt
+++ b/services/common/lib/README.txt
@@ -1,6 +1,11 @@
 This lib directory contains binaries required to run the common layer
-in JBoss container. Corresponding binaries (if present) in JBoss domain are
+in JBoss container. Corresponding binaries (if present) in JBoss cspace domain are
 either upgraded/replaced with a one-time execution task.
 
 For jpa upgrade in mercury 0.4, the task is 'ant jpa' executed at
-service/common level.
+service/common level. From 0.5 the following tasks are added.
+
+ant deploy_jpa (replaces jpa task, deploys jpa jars to JBoss cspace domain)
+ant dist_jpa (copies required jpa jars to dist)
+ant deploy_spring (deploys spring framework and spring security jars to JBoss cspace domain)
+ant dist_spring (copies required spring framework and security jars to dist)
diff --git a/services/common/lib/spring/org.springframework.aop-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.aop-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..d7da1ca9a
Binary files /dev/null and b/services/common/lib/spring/org.springframework.aop-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.asm-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.asm-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..1875d69b4
Binary files /dev/null and b/services/common/lib/spring/org.springframework.asm-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.beans-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.beans-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..d260aff32
Binary files /dev/null and b/services/common/lib/spring/org.springframework.beans-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.context-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.context-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..eb86d8a01
Binary files /dev/null and b/services/common/lib/spring/org.springframework.context-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.core-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.core-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..9c32f0d2e
Binary files /dev/null and b/services/common/lib/spring/org.springframework.core-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.expression-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.expression-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..091bca27d
Binary files /dev/null and b/services/common/lib/spring/org.springframework.expression-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.jdbc-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.jdbc-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..bf7b8689e
Binary files /dev/null and b/services/common/lib/spring/org.springframework.jdbc-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/org.springframework.web-3.0.0.BUILD-20100208195804.jar b/services/common/lib/spring/org.springframework.web-3.0.0.BUILD-20100208195804.jar
new file mode 100644
index 000000000..8e476b176
Binary files /dev/null and b/services/common/lib/spring/org.springframework.web-3.0.0.BUILD-20100208195804.jar differ
diff --git a/services/common/lib/spring/spring-security-acl-3.0.2.CI-SNAPSHOT.jar b/services/common/lib/spring/spring-security-acl-3.0.2.CI-SNAPSHOT.jar
new file mode 100644
index 000000000..1e0381792
Binary files /dev/null and b/services/common/lib/spring/spring-security-acl-3.0.2.CI-SNAPSHOT.jar differ
diff --git a/services/common/lib/spring/spring-security-config-3.0.2.CI-SNAPSHOT.jar b/services/common/lib/spring/spring-security-config-3.0.2.CI-SNAPSHOT.jar
new file mode 100644
index 000000000..7f945957a
Binary files /dev/null and b/services/common/lib/spring/spring-security-config-3.0.2.CI-SNAPSHOT.jar differ
diff --git a/services/common/lib/spring/spring-security-core-3.0.2.CI-SNAPSHOT.jar b/services/common/lib/spring/spring-security-core-3.0.2.CI-SNAPSHOT.jar
new file mode 100644
index 000000000..6367a824a
Binary files /dev/null and b/services/common/lib/spring/spring-security-core-3.0.2.CI-SNAPSHOT.jar differ
diff --git a/services/common/lib/spring/spring-security-web-3.0.2.CI-SNAPSHOT.jar b/services/common/lib/spring/spring-security-web-3.0.2.CI-SNAPSHOT.jar
new file mode 100644
index 000000000..aede9ebb4
Binary files /dev/null and b/services/common/lib/spring/spring-security-web-3.0.2.CI-SNAPSHOT.jar differ