spring-attic/spring-security-oauth
Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
Healthy across all four use cases
- Permissive license, no critical CVEs, actively maintained — safe to depend on. (weakest axis)
- Has a license, tests, and CI — clean foundation to fork and modify.
- Documented and popular — useful reference codebase to read through.
- No critical CVEs, sane security posture — runnable as-is.
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding: spring-attic/spring-security-oauth
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/spring-attic/spring-security-oauth shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
GO — Healthy across all four use cases
- 33+ active contributors
- Apache-2.0 licensed
- CI configured
- Tests present
- ⚠ Stale — last commit 4y ago
- ⚠ Concentrated ownership — top contributor handles 62% of recent commits
<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live spring-attic/spring-security-oauth repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/spring-attic/spring-security-oauth.

What it runs against: a local clone of spring-attic/spring-security-oauth — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in spring-attic/spring-security-oauth | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch main exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 1469 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of spring-attic/spring-security-oauth. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/spring-attic/spring-security-oauth.git
#   cd spring-security-oauth
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok() { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of spring-attic/spring-security-oauth and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "spring-attic/spring-security-oauth(\.git)?\b" \
  && ok "origin remote is spring-attic/spring-security-oauth" \
  || miss "origin remote is not spring-attic/spring-security-oauth (artifact may be from a fork)"

# 2. License matches what RepoPilot saw. A stock Apache LICENSE file does not contain
#    the SPDX id "Apache-2.0"; it opens with "Apache License / Version 2.0, January 2004",
#    so both spellings are accepted here.
(grep -qiE "Apache-2\.0|Apache License, Version 2\.0|^\s*Version 2\.0, January 2004" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \
  && ok "default branch main exists" \
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "pom.xml" \
  && ok "pom.xml" \
  || miss "missing critical file: pom.xml"
test -f "README.md" \
  && ok "README.md" \
  || miss "missing critical file: README.md"
test -f "samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrConsumerDetails.java" \
  && ok "samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrConsumerDetails.java" \
  || miss "missing critical file: samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrConsumerDetails.java"
test -f "samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml" \
  && ok "samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml" \
  || miss "missing critical file: samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml"
test -f "samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/SparklrServiceImpl.java" \
  && ok "samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/SparklrServiceImpl.java" \
  || miss "missing critical file: samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/SparklrServiceImpl.java"

# 5. Repo recency (author timestamp of the newest commit, in days)
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1469 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1439d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/spring-attic/spring-security-oauth"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
Spring Security OAuth is a deprecated but historically important library that provided OAuth 1.0a and OAuth 2.0 support for Spring web applications, enabling both consumer and provider implementations. It allows Spring Security to authenticate users via OAuth protocols and protect resources with token-based authorization, handling the complex OAuth flows transparently within Spring's security model. Maven multi-module monorepo: root pom.xml defines parent with modules spring-security-oauth, spring-security-oauth2, tests, and samples. The samples/oauth/sparklr/ directory contains a working OAuth example app. Core OAuth1 logic lives in spring-security-oauth/, OAuth2 in spring-security-oauth2/, with integration tests in tests/.
👥Who it's for
Java developers building Spring web applications who need to integrate OAuth authentication (e.g., login via Google, GitHub) or expose OAuth-protected APIs. Primarily legacy maintainers and teams on older Spring versions (4.3.x, Spring Security 4.2.x) since the project is no longer actively maintained.
🌱Maturity & risk
This project is abandoned and replaced—the README explicitly states it's 'no longer actively maintained by VMware, Inc.' and directs users to Spring Security's built-in OAuth2 support and Spring Authorization Server instead. The codebase targets Java 1.6+ and Spring 4.3.30, indicating it's frozen at a legacy baseline. Do not use for new projects.
Critical risk: this library is unmaintained and should not be used in new applications. It depends on outdated Spring (4.3.30.RELEASE) and Spring Security (4.2.20.RELEASE) versions from ~2017-2018, creating security and compatibility vulnerabilities. The parent POM version is 2.5.3.BUILD-SNAPSHOT, suggesting incomplete release cycles. Redis is required for the build, adding operational friction.
Active areas of work
Nothing—this is an archived project. No active development, PRs, or commits are expected. The repository serves as historical reference and migration guide pointing users to Spring Security (client + resource server) and Spring Authorization Server for current OAuth support.
🚀Get running
Do not clone this for new work. If you must understand it for legacy maintenance:
```bash
git clone https://github.com/spring-projects/spring-security-oauth.git
cd spring-security-oauth
mvn install -P bootstrap
```
Requires Maven 3.0.* and Java 1.6+. Redis must be running (brew install redis on macOS, then redis-server) or the build will fail with Jedis connection errors.
Daily commands: for the OAuth 2.0 sample app:
```bash
cd samples/oauth2/tonr
mvn tomcat7:run
```
Then visit http://localhost:8080/tonr2/. For integration tests:
```bash
mvn integration-test -P integration
```
Prerequisite: Redis server must be running before mvn install.
🗺️Map of the codebase
- pom.xml — Root Maven POM defining all modules (spring-security-oauth, spring-security-oauth2, tests, samples) and shared dependencies for the entire OAuth library.
- README.md — Explains that this project is no longer maintained and directs users to Spring Security and Spring Authorization Server as replacements—critical for understanding the codebase's status.
- samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/oauth/SparklrConsumerDetails.java — Reference implementation of OAuth consumer details, demonstrating how to configure and use OAuth credentials in a real application.
- samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml — Spring application context configuration showing how the OAuth provider is wired, including token stores and approval handlers.
- samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/SparklrServiceImpl.java — Reference implementation of an OAuth client service demonstrating how to consume OAuth2-protected resources and handle token exchange.
- .github/PULL_REQUEST_TEMPLATE.md — Contribution guidelines and PR expectations for submitting changes to this archived Spring project.
🧩Components & responsibilities
- OAuth2 Provider (Authorization Server + Resource Server) (spring-security-oauth2, Spring MVC, TokenStore, ApprovalStore) — Validates client credentials, issues tokens, and protects endpoints. Sparklr sample demonstrates this role.
- Failure mode: Invalid tokens accepted, tokens not revoked on logout, scope validation bypassed → unauthorized access to protected resources
- OAuth2 Consumer (Client) (spring-security-oauth2, RestTemplate, OAuth2RestTemplate) — Requests authorization from provider, obtains tokens, and accesses protected resources on behalf of user. Tonr sample demonstrates this role.
- Failure mode: Credentials leaked in logs, expired token not refreshed, redirect URI mismatch not validated → token interception or CSRF attacks
- TokenStore (InMemoryToken) — Persists and retrieves access/refresh tokens and their associated metadata (scopes, expiry, client_id)
🛠️How to make changes
Add a custom OAuth2 grant type handler
- Create a new class implementing the grant type interface in the spring-security-oauth2 module (spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/)
- Register the grant type handler in the authorization server configuration XML (samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml)
- Add corresponding tests in the tests module to verify token issuance (tests/src/test/java/)
Implement a custom token store (e.g., database-backed)
- Implement the TokenStore interface from spring-security-oauth2 (spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/)
- Configure your custom TokenStore bean in the provider's Spring context (samples/oauth/sparklr/src/main/webapp/WEB-INF/applicationContext.xml)
- Override the token service bean definition to use your custom store (samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml)
Add a protected REST endpoint to the OAuth2 provider
- Create a new Spring MVC @RestController in the Sparklr sample (samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/)
- Annotate the endpoint with @PreAuthorize or use OAuth2 scope checking (samples/oauth/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/PhotoController.java)
- Update the servlet configuration to expose the endpoint (samples/oauth/sparklr/src/main/webapp/WEB-INF/spring-servlet.xml)
- Test the endpoint using the Tonr client sample (samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/mvc/SparklrController.java)
Configure OAuth client credentials for a new provider
- Define the consumer/client details in Tonr's Spring context (samples/oauth/tonr/src/main/webapp/WEB-INF/applicationContext.xml)
- Create a new service class extending OAuth2RestTemplate or using RestOperations (samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/impl/)
- Add a corresponding controller that uses the service to fetch resources (samples/oauth/tonr/src/main/java/org/springframework/security/oauth/examples/tonr/mvc/)
🔧Why these technologies
- Spring Framework & Spring Security — Core framework for implementing OAuth security, authentication, and authorization filters in a standard Spring application
- Maven — Multi-module build system supporting separate compilation of OAuth1, OAuth2, and sample modules with shared dependency management
- OAuth 1.0a & OAuth 2.0 protocols — Industry-standard protocols for delegated authorization; this library provides both consumer and provider implementations
- Spring MVC — HTTP framework for building the authorization server endpoints and protected resource controllers
⚖️Trade-offs already made
- Monolithic archived project vs. separate Spring Security and Spring Authorization Server
  - Why: This project combines provider and consumer in one codebase for ease of learning; the newer approach separates concerns across dedicated projects
  - Consequence: Project is no longer maintained; users must migrate to Spring Security and Spring Authorization Server for production use
- In-memory TokenStore and ApprovalStore in samples
  - Why: Simplifies sample setup and demonstration without external database dependencies
  - Consequence: Not suitable for production; real deployments must implement persistent token stores
- XML-based Spring configuration (WEB-INF/*.xml)
  - Why: Legacy Spring pattern matching the era this library was active (pre-Java config dominance)
  - Consequence: Configuration is verbose but explicit; modern users should use @Configuration classes
🚫Non-goals (don't propose these)
- Real-time token revocation (designed for token expiry via TTL)
- JWT support (uses opaque tokens; Spring Security now handles JWT natively)
- SAML or other federation protocols (OAuth 1.0a and 2.0 only)
- Production-grade deployment (samples use in-memory stores)
- Support for OAuth 2.1 (project ended before 2.1 specification)
🪤Traps & gotchas
Redis must be running before any build—mvn install or even mvn compile will fail silently with Jedis connection pool errors if Redis is not available on localhost:6379. The -P bootstrap profile is only needed on first run but must be present; omitting it may cause repository resolution failures. Sample apps use legacy Tomcat7 Maven plugin (tomcat7:run), not Spring Boot; servlet container setup is non-standard. Java 1.6 source/target level means no Java 8+ features (lambdas, streams) are available in the codebase.
🏗️Architecture
💡Concepts to learn
- OAuth 1.0a (Three-Legged OAuth) — This repo implements the full OAuth 1.0a flow with request/access token exchange and HMAC-SHA1 signature verification; understanding signature generation is critical to debug provider/consumer mismatches
- OAuth 2.0 Bearer Token Flow — The core OAuth2 feature in this repo; tokens are stored in Redis and validated on each request, making token lifecycle management and expiration handling essential knowledge
- Spring Security Filter Chain — Both OAuth implementations hook into Spring Security's filter chain (e.g., OAuth2AuthenticationProcessingFilter) to intercept and validate tokens before controller execution
- JWT (JSON Web Tokens) vs Opaque Tokens — This repo uses opaque tokens stored in Redis (via Jedis); understanding the tradeoff vs self-contained JWTs helps explain why Redis is a hard dependency
- Resource Owner Password Credentials Grant — One of the OAuth2 flows implemented in spring-security-oauth2; understanding when this grant is appropriate (trusted clients only) is critical for secure deployments
- HMAC-SHA1 Signature Generation — OAuth 1.0a requires request signing with shared secrets; the repo includes signature verification logic critical for understanding consumer/provider contract
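The OAuth 1.0a request signing and provider-side verification the two bullets above describe, as an added Python example (not code from spring-security-oauth): it builds the RFC 5849 signature base string, computes the HMAC-SHA1 over it with the consumer and token secrets, and on the provider side recomputes it with a constant-time comparison plus a timestamp window and nonce replay check. The host sparklr.example, the consumer key "tonr" and all secrets are constructed placeholders.

```python
"""OAuth 1.0a HMAC-SHA1 signing (consumer side) and verification (provider side).
Added example for this page, not code from spring-security-oauth; the host
sparklr.example, key "tonr" and the secrets used in the test are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value) -> str:
    """RFC 3986 percent-encoding; only ALPHA / DIGIT / '-' '.' '_' '~' stay bare."""
    return quote(str(value), safe="-._~")

def base_url(url: str) -> str:
    """scheme://host[:port]/path in lower case, query and default ports dropped."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    authority = host if port is None or default else f"{host}:{port}"
    return f"{scheme}://{authority}{p.path}"

def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized parameters).
    URL query parameters and every body/header parameter (oauth_* included,
    oauth_signature excluded) are encoded, sorted and joined. Any byte that differs
    between consumer and provider here yields a different MAC, which is the usual
    cause of "invalid signature" mismatches."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is enc(consumer secret) '&' enc(token secret); result is base64 of the MAC."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None) -> dict:
    """Consumer side: the oauth_* parameters to send (e.g. in the Authorization header).
    params are the non-OAuth body parameters; query parameters come from url."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth

def verify_request(method, url, params, consumer_secret, token_secret="",
                   now=None, window=300, seen_nonces=None) -> bool:
    """Provider side: recompute the MAC, compare in constant time, reject replays.
    params is everything received except the query string (body plus oauth_*);
    seen_nonces is the provider's store of (timestamp, nonce) pairs already accepted."""
    now = int(time.time()) if now is None else now
    try:
        ts, nonce = int(params["oauth_timestamp"]), params["oauth_nonce"]
        presented = str(params["oauth_signature"])
    except (KeyError, ValueError):
        return False
    if params.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - ts) > window:
        return False
    base = signature_base_string(method, url, params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    if seen_nonces is not None:
        if (ts, nonce) in seen_nonces:
            return False  # same nonce+timestamp already accepted: replay
        seen_nonces.add((ts, nonce))
    return True
```

A mismatch between the two base strings (different port normalisation, encoding of a space or slash, a forgotten query parameter) shows up as a MAC mismatch with no further detail, so logging the base string on both sides during debugging is the quickest way to localise it.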
🔗Related repos
- spring-projects/spring-security — The official successor—Spring Security 5.2+ includes built-in OAuth2 client and resource server support, making this repo obsolete
- spring-projects/spring-authorization-server — The official OAuth2 authorization server implementation from Spring, replacing the provider-side functionality of this project
- spring-projects/spring-boot — Modern Spring development baseline; spring-security-oauth2 is frozen on Spring 4.3, while Spring Boot 2.x+ uses Spring 5.x+ with native OAuth2 support
- oauth-xx/oauth-core — IETF OAuth specification and reference implementations; essential reading to understand the protocols this library implements
- spring-projects/spring-security-samples — Current Spring Security example applications showing modern OAuth2 patterns without legacy dependencies
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add integration tests for OAuth1(a) and OAuth2 flows in the Sparklr sample
The samples/oauth/sparklr directory contains a functional OAuth provider/consumer example, but there are no automated integration tests validating the complete OAuth flows. This is critical for a security-focused library where regression could have serious implications. Integration tests would verify that the PhotoController, AccessConfirmationController, and OAuth endpoints work correctly end-to-end.
- [ ] Create samples/oauth/sparklr/src/test/java/org/springframework/security/oauth/examples/sparklr directory structure
- [ ] Add integration test class testing the complete OAuth authorization code flow (request token → authorize → access token → resource access)
- [ ] Add integration test for implicit flow and client credentials flow
- [ ] Configure tests to start embedded servlet container and verify responses match OAuth spec expectations
- [ ] Run tests as part of Maven build in samples/oauth/sparklr/pom.xml
Create GitHub Actions workflow to validate Java 8+ compatibility and deprecation path
The pom.xml specifies java.version=1.6, but Spring 4.3.30 and Spring Security 4.2.20 actually require Java 7+. This project is marked as no longer maintained, so a CI workflow should document the recommended migration path and test compatibility with modern Java versions (11, 17, 21). This helps new contributors understand the project's state and proper upgrade paths.
- [ ] Create .github/workflows/compatibility-check.yml GitHub Action
- [ ] Add matrix jobs testing against Java 8, 11, 17 to identify breaking changes
- [ ] Update pom.xml java.version property to reflect actual minimum version (1.7 or 1.8)
- [ ] Add build step that runs mvnw clean install across the three modules (spring-security-oauth, spring-security-oauth2, tests)
- [ ] Add explanatory comment in README.md linking to Spring Security and Spring Authorization Server migration guides
Add comprehensive Javadoc and architectural documentation for core OAuth2 token endpoint handling
The spring-security-oauth2 module (referenced in pom.xml but not detailed in file structure) contains critical token endpoint and grant flow logic, but core classes likely lack sufficient Javadoc explaining the OAuth2 spec compliance and extension points. Given this is archived, ensuring new contributors can understand the codebase is essential for referencing implementation patterns.
- [ ] Audit spring-security-oauth2/src/main/java for classes implementing TokenEndpoint, TokenProvider, and GrantHandler interfaces
- [ ] Add Javadoc to each public method explaining which OAuth2 RFC sections are implemented and any spec deviations
- [ ] Create docs/ARCHITECTURE.md documenting the token issuance flow, refresh token handling, and scope validation pipeline
- [ ] Add inline code comments explaining why certain security choices were made (e.g., token rotation, revocation handling)
- [ ] Add README.md to spring-security-oauth2 with example token request/response payloads and extension points for custom logic
🌿Good first issues
- Write a migration guide document (docs/MIGRATION_TO_SPRING_SECURITY.md) that shows explicit code examples converting spring-security-oauth OAuth2 consumer code to modern Spring Security 5.x+ OAuth2 client patterns—currently only verbal guidance exists in the README.
- Create integration test coverage for the Sparklr sample app's SparklrConsumerDetails and AccessConfirmationController under samples/oauth/sparklr/src/test/—these core provider components lack automated test coverage.
- Document the Redis data structures used for token storage (hash keys, TTL expectations, serialization format) in samples/README.md to help operators understand deployment requirements and troubleshoot cache coherency issues.
⭐Top contributors
- @jgrandja — 62 commits
- @jzheaux — 5 commits
- @Stefan Rempfer — 2 commits
- @aschatten — 2 commits
- @Simulant87 — 1 commit
📝Recent commits
- 0344de8 — Add EOL notice (jgrandja)
- e163bd1 — Next development version (jgrandja)
- db9a73e — Release 2.5.2.RELEASE (jgrandja)
- 3379a36 — Reset state for client authorization request (jgrandja)
- ad62bd5 — Update to maven-jxr-plugin:2.4 (jgrandja)
- 2b58aaf — Polish gh-1941 (jgrandja)
- e96d2c7 — Polish logs (jzheaux)
- e525a0e — Update to jackson2 2.10.5.1 (jgrandja)
- afcaf5f — Update to org.apache.httpcomponents:httpclient:4.5.13 (jgrandja)
- f81c74c — update bouncycastle to 1.69 to fix security vulnerability (Simulant87)
🔒Security observations
- Critical · Project No Longer Actively Maintained — README.md, Project Status. According to the README, spring-security-oauth is no longer actively maintained by VMware, Inc. This means no security patches, bug fixes, or updates will be provided. Using this library in production exposes applications to known and future vulnerabilities that will never be addressed. Fix: Migrate to the OAuth2 support provided by Spring Security (client and resource server) and Spring Authorization Server as indicated in the README.
- High · Outdated Spring Security Dependency — pom.xml, spring.security.version property. The project uses Spring Security version 4.2.20.RELEASE, which is significantly outdated and no longer receives security updates. Current versions are 6.x+. This version may contain known security vulnerabilities. Fix: Upgrade to the latest stable version of Spring Security (6.x or later) and migrate to Spring Authorization Server for OAuth2 support.
- High · Outdated Spring Framework Dependency — pom.xml, spring.version property. The project uses Spring Framework version 4.3.30.RELEASE, which is significantly outdated. Current versions are 6.x+. This version may contain known security vulnerabilities and lacks modern security features. Fix: Upgrade to the latest stable version of Spring Framework (6.x or later).
- High · Outdated Mockito Dependency — pom.xml, mockito.version property. The project uses Mockito version 1.10.19, released in 2014. This is extremely outdated and may contain known security vulnerabilities. Current versions are 4.x+. Fix: Upgrade to the latest stable version of Mockito (4.x or later).
- High · Outdated JUnit Dependency — pom.xml, junit.version property. The project uses JUnit version 4.12, released in 2014. Current versions are 4.13.x with security patches. Consider upgrading to JUnit 5.x. Fix: Upgrade to JUnit 4.13.x or later, or migrate to JUnit 5.x.
- High · Outdated Redis Client Dependency — pom.xml, redis.clients.version property. The project uses jedis version 2.6.3 (redis.clients.version), released in 2014. This is extremely outdated and may contain known security vulnerabilities. Current versions are 4.x+. Fix: Upgrade to the latest stable version of Jedis (4.x or later).
- Medium · Outdated Commons Codec Dependency — pom.xml, commons-codec.version property. The project uses commons-codec version 1.14, released in 2019. While not extremely old, newer versions (1.15+) contain bug fixes and improvements. Fix: Upgrade to the latest stable version of commons-codec (1.15 or later).
- Medium · Outdated Spring Data Redis Dependency — pom.xml, spring.data.redis.version property. The project uses spring-data-redis version 1.5.2.RELEASE, which is significantly outdated. Current versions are 2.x+. This may contain known vulnerabilities. Fix: Upgrade to the latest stable version of Spring Data Redis (2.x or later) compatible with the Spring Framework version.
- Medium · Java Version Targeting Java 1.6 — pom.xml, java.version property. The project targets Java 1.6 (released in 2006), which is extremely outdated and no longer receives security updates. Modern security features and libraries require Java 8+. Fix: Update the target Java version to at least Java 11 or later, preferably Java 17+.
- Medium · Exposed Redis Port in Docker Compose — location: undefined. The redis service in docker-compose.yml exposes port 6379 without any authentication or network restrictions. This allows unauthenticated access to the Redis instance from any network. Fix: undefined
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.