Monday, July 28, 2014

Integrate Oauth-2.0 Security, Spring-Security And Jersey For Rest Services Using Database.

Introduction:

Hello Friends, Today we are discuss about Oauth-2.0 Integration with Spring-Security. Thanks to Spring, provide some user friendly API's for using Oauth2 with Spring-Security easily. Here we are not discuss about What is Oauth and Spring-Security, because these topics are itself so large and we assume you already have knowledge of these two topics. Here we just discuss about, how we integrate Oauth-2.0 with Spring-Security with the help of database. We Store our client Information and token information in database. Because i think, in real life we use database for store our client and token information. If you need to download the source code of example go to below link :-
https://github.com/harmeetsingh0013/oauth2-jersey-rest-spring-db

Step 1: pom.xml

<properties>
 <jdk-version>1.8</jdk-version>
 <maven-compiler-plugin>3.0</maven-compiler-plugin>
 <maven-war-pugin>2.4</maven-war-pugin>
 <org .springframework.version="">4.0.5.RELEASE</org>
 <hibernate>4.3.6.Final</hibernate>
 <spring-security-oauth2>2.0.1.RELEASE</spring-security-oauth2>
 <spring .security.version="">3.2.4.RELEASE</spring>
 <jersey-spring>1.18.1</jersey-spring>
 <servlet-version>3.0.1</servlet-version>
</properties>

<dependencies>
 <!-- Spring Dependencies -->
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-beans</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-expression</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-aop</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <!-- Spring web dependencies -->
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-web</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-webmvc</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-jdbc</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-context</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-orm</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-context-support</artifactid>
  <version>${org.springframework.version}</version>
 </dependency>
 <dependency>
  <groupid>org.springframework</groupid>
  <artifactid>spring-oxm</artifactid>
  <version>${org.springframework.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <!-- Spring security Dependencies -->
 <dependency>
  <groupid>org.springframework.security</groupid>
  <artifactid>spring-security-core</artifactid>
  <version>${spring.security.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <dependency>
  <groupid>org.springframework.security</groupid>
  <artifactid>spring-security-web</artifactid>
  <version>${spring.security.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-expression</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>org.springframework.security</groupid>
  <artifactid>spring-security-config</artifactid>
  <version>${spring.security.version}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-core</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <!-- for OAuth 2.0 -->
 <dependency>
  <groupid>org.springframework.security.oauth</groupid>
  <artifactid>spring-security-oauth2</artifactid>
  <version>${spring-security-oauth2}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-config</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework.security</groupid>
    <artifactid>spring-security-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-webmvc</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
  <!-- Hibernate Dependencies -->
 <dependency>
  <groupid>org.hibernate</groupid>
  <artifactid>hibernate-entitymanager</artifactid>
  <version>${hibernate}</version>
 </dependency>
 <dependency>
  <groupid>org.hibernate</groupid>
  <artifactid>hibernate-core</artifactid>
  <version>${hibernate}</version>
 </dependency>
 <dependency>
  <groupid>org.apache.commons</groupid>
  <artifactid>commons-dbcp2</artifactid>
  <version>2.0.1</version>
 </dependency>
 <dependency>
  <groupid>mysql</groupid>
  <artifactid>mysql-connector-java</artifactid>
  <version>5.1.31</version>
 </dependency>

 <!-- Jersey Spring Integration -->
 <dependency>
  <groupid>com.sun.jersey.contribs</groupid>
  <artifactid>jersey-spring</artifactid>
  <version>${jersey-spring}</version>
  <exclusions>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-beans</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-core</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-context</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-web</artifactid>
   </exclusion>
   <exclusion>
    <groupid>org.springframework</groupid>
    <artifactid>spring-aop</artifactid>
   </exclusion>
  </exclusions>
 </dependency>
 <dependency>
  <groupid>com.sun.jersey</groupid>
  <artifactid>jersey-server</artifactid>
  <version>${jersey-spring}</version>
 </dependency>
  <!--Start Servlet Dependencies -->
 <dependency>
  <groupid>javax.servlet</groupid>
  <artifactid>javax.servlet-api</artifactid>
  <version>${servlet-version}</version>
 </dependency>
</dependencies>

Step 2: db.sql

DROP TABLE IF EXISTS oauth_client_details;

CREATE TABLE oauth_client_details (
  client_id varchar(256) NOT NULL,
  resource_ids varchar(256) DEFAULT NULL,
  client_secret varchar(256) DEFAULT NULL,
  scope varchar(256) DEFAULT NULL,
  authorized_grant_types varchar(256) DEFAULT NULL,
  web_server_redirect_uri varchar(256) DEFAULT NULL,
  authorities varchar(256) DEFAULT NULL,
  access_token_validity int(11) DEFAULT NULL,
  refresh_token_validity int(11) DEFAULT NULL,
  additional_information varchar(4096) DEFAULT NULL,
  autoapprove varchar(4096) DEFAULT NULL,
  PRIMARY KEY (client_id)
);


INSERT INTO oauth_client_details(client_id, resource_ids, client_secret, scope, authorized_grant_types, authorities, access_token_validity, refresh_token_validity)
VALUES ('harmeet', 'rest_api', '$2a$11$gxpnezmYfNJRYnw/EpIK5Oe08TlwZDmcmUeKkrGcSGGHXvWaxUwQ2', 'trust,read,write', 'client_credentials,authorization_code,implicit,password,refresh_token', 'ROLE_USER', '4500', '45000');

  DROP TABLE IF EXISTS oauth_access_token;

  CREATE TABLE oauth_access_token (
  token_id varchar(256) DEFAULT NULL,
  token blob,
  authentication_id varchar(256) DEFAULT NULL,
  user_name varchar(256) DEFAULT NULL,
  client_id varchar(256) DEFAULT NULL,
  authentication blob,
  refresh_token varchar(256) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;


DROP TABLE IF EXISTS oauth_refresh_token;

CREATE TABLE oauth_refresh_token (
  token_id varchar(256) DEFAULT NULL,
  token blob,
  authentication blob
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Step 3: db-config.xml

<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

 <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <property name="location">
   <value>classpath:properties/database.properties</value>
  </property>
 </bean>

 <bean class="org.apache.commons.dbcp2.BasicDataSource" id="dataSource">
  <property name="driverClassName" value="${jdbc.driverClassName}">
  <property name="url" value="${jdbc.url}">
  <property name="username" value="${jdbc.username}">
  <property name="password" value="${jdbc.password}">
 </property></property></property></property></bean>

 <bean class="org.springframework.orm.hibernate4.LocalSessionFactoryBean" id="sessionFactory">
  <property name="dataSource" ref="dataSource">
  <property name="hibernateProperties">
   <props>
    <prop key="hibernate.dialect">org.hibernate.dialect.MySQLDialect</prop>
    <prop key="hibernate.show_sql">true</prop>
    <prop key="hibernate.hbm2ddl.auto">create</prop>
    <prop key="hibernate.hbm2ddl.import_files_sql_extractor">org.hibernate.tool.hbm2ddl.MultipleLinesSqlCommandExtractor
    </prop>
   </props>
  </property>
 </property></bean>

 <bean class="org.springframework.orm.hibernate4.HibernateTransactionManager" id="transactionManager">
  <property name="sessionFactory" ref="sessionFactory">
</property></bean></beans><h3 style="text-align: left;">
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"><bean class="org.springframework.orm.hibernate4.HibernateTransactionManager"><property name="sessionFactory" ref="sessionFactory"></property></bean></beans></h3>
<beans xmlns:context="http://www.springframework.org/schema/context" xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans" xsi:schemalocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
  http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
  http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
 <tx:annotation-driven transaction-manager="transactionManager">

 <bean class="org.springframework.transaction.interceptor.TransactionInterceptor" id="transactionInterceptor">
  <property name="transactionManager" ref="transactionManager">
  <property name="transactionAttributeSource"></property>
 </property></bean>
</tx:annotation-driven></beans>

Step 4:  Spring-Security-Oauth-Config.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemalocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd         http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
   <!-- Create client details bean for manage client details from database -->
   <!-- The JdbcClientDetailsService provide default implementation for fetching 
  the data from oauth_client_details table Other wise we need to create our 
  custom class that Implement ClientDetailsService Interface and override its   loadClientByClientId method -->
   <bean class="org.springframework.security.oauth2.provider.client.JdbcClientDetailsService" id="clientDetails">
      <constructor-arg index="0">
         <ref bean="dataSource" />
      </constructor-arg>
   </bean>
<!-- Configure Authentication manager -->
   <bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" id="passwordEncoder">
      <constructor-arg name="strength" value="11" />
   </bean>
<!-- This class is the custom implementation of UserDetailSerive Interface 
  that provide by the spring, which we Need to implement and override its method. 
  But for Oauth spring provide us ClientDetailsUserDetailsService, which already 
  implement UserDetailSerive Interface and override its method. -->
   <bean class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService" id="clientDetailsUserService">
      <constructor-arg ref="clientDetails" />
   </bean>
   <sec:authentication-manager alias="authenticationManager">
      <sec:authentication-provider user-service-ref="clientDetailsUserService">
         <sec:password-encoder ref="passwordEncoder" />
      </sec:authentication-provider>
   </sec:authentication-manager>
<!-- Oauth Token Service Using Database -->
   <!-- The JdbcTokenStore class provide the default implementation from access 
  the token from database. If we want to customize the JDBC implementation 
  we need to implement TokenStore interface and overrider its methods -->
   <bean class="org.springframework.security.oauth2.provider.token.store.JdbcTokenStore" id="tokenStore">
      <constructor-arg ref="dataSource" />
   </bean>
<!-- This the service class which is used to access the function of JdbcTokenStore 
  class. This is like MVC structure JdbcTokenStore is Dao layer and DefaultTokenServices 
  is service layer -->
   <bean class="org.springframework.security.oauth2.provider.token.DefaultTokenServices" id="tokenServices">
      <property name="tokenStore" ref="tokenStore">
         <property name="supportRefreshToken" value="true">
            <property name="clientDetailsService" ref="clientDetails">
               <property name="accessTokenValiditySeconds" value="4500" />
            </property>
         </property>
      </property>
   </bean>
<!-- A user approval handler that remembers approval decisions by consulting 
  existing tokens -->
   <bean class="org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory" id="oAuth2RequestFactory">
      <constructor-arg ref="clientDetails" />
   </bean>
   <bean class="org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler" id="userApprovalHandler">
      <property name="requestFactory" ref="oAuth2RequestFactory">
         <property name="tokenStore" ref="tokenStore" />
      </property>
   </bean>
<!-- Authorization Server Configuration of the server is used to provide 
  implementations of the client details service and token services and to enable 
  or disable certain aspects of the mechanism globally. -->
   <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices" user-approval-handler-ref="userApprovalHandler">
      <oauth:authorization-code>
         <oauth:implicit>
            <oauth:refresh-token>
               <oauth:client-credentials>
                  <oauth:password authentication-manager-ref="authenticationManager" />
               </oauth:client-credentials>
            </oauth:refresh-token>
         </oauth:implicit>
      </oauth:authorization-code>
   </oauth:authorization-server>
<!-- A Resource Server serves resources that are protected by the OAuth2 
  token. Spring OAuth provides a Spring Security authentication filter that 
  implements this protection. -->
   <oauth:resource-server id="resourceServerFilter" resource-id="rest_api" token-services-ref="tokenServices">
      <!-- Grants access if only grant (or abstain) votes were received. We can 
  protect REST resource methods with JSR-250 annotations such as @RolesAllowed -->
      <bean class="org.springframework.security.access.vote.UnanimousBased" id="accessDecisionManager">
         <property name="decisionVoters">
            <list>
               <bean class="org.springframework.security.access.annotation.Jsr250Voter" />
            </list>
         </property>
      </bean>
<!-- If authentication fails and the caller has asked for a specific content 
  type response, this entry point can send one, along with a standard 401 status -->
      <bean class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" id="clientAuthenticationEntryPoint">
         <property name="realmName" value="Authorization/client">
            <property name="typeName" value="Basic" />
         </property>
      </bean>
      <bean class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" id="oauthAuthenticationEntryPoint">
         <property name="realmName" value="Authorization" />
      </bean>
      <bean class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" id="oauthAccessDeniedHandler">
         <!-- Allows clients to authenticate using request parameters if included 
  as a security filter. It is recommended by the specification that you permit 
  HTTP basic authentication for clients, and not use this filter at all. -->
         <bean class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter" id="clientCredentialsTokenEndpointFilter">
            <property name="authenticationManager" ref="authenticationManager" />
         </bean>
         <bean class="org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter" id="oAuth2ClientContextFilter" />
         <sec:http authentication-manager-ref="authenticationManager" create-session="stateless" pattern="/oauth/token">
            <sec:intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/oauth/token">
               <sec:http-basic entry-point-ref="clientAuthenticationEntryPoint">
                  <sec:custom-filter before="BASIC_AUTH_FILTER" ref="clientCredentialsTokenEndpointFilter">
                     <sec:custom-filter after="EXCEPTION_TRANSLATION_FILTER " ref="oAuth2ClientContextFilter">
                        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
                     </sec:custom-filter>
                  </sec:custom-filter>
               </sec:http-basic>
            </sec:intercept-url>
         </sec:http>
         <sec:http authentication-manager-ref="authenticationManager" create-session="never" pattern="/rest/**">
            <sec:anonymous enabled="false">
               <sec:intercept-url access="ROLE_USER" method="GET" pattern="/rest/**">
                  <sec:custom-filter before="PRE_AUTH_FILTER" ref="resourceServerFilter">
                     <sec:http-basic entry-point-ref="oauthAuthenticationEntryPoint">
                        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
                     </sec:http-basic>
                  </sec:custom-filter>
               </sec:intercept-url>
            </sec:anonymous>
         </sec:http>
      </bean>
   </oauth:resource-server>
</beans>

Step 6:  RestServiceUsingJersey.java

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

import org.springframework.stereotype.Component;

/**
 * @author Harmeet Singh(Taara)
 *
 */

@Component
@Path(value="/")
public class RestServiceUsingJersey {

 @Path("/message")
 @GET
 public Response message() {
  return Response.status(Status.ACCEPTED).entity("Hello Jersy Rest Spring").build();
 }
}

Step 7:  web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.0" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
   <context-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>classpath:applicationContext.xml</param-value>
   </context-param>
   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>
   <servlet>
      <servlet-name>spring</servlet-name>
      <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
   </servlet>
   <servlet-mapping>
      <servlet-name>spring</servlet-name>
      <url-pattern>/</url-pattern>
   </servlet-mapping>
   <servlet>
      <servlet-name>jersey-serlvet</servlet-name>
      <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
      <init-param>
         <param-name>com.sun.jersey.config.property.packages</param-name>
         <param-value>com.the13star.api</param-value>
      </init-param>
   </servlet>
   <servlet-mapping>
      <servlet-name>jersey-serlvet</servlet-name>
      <url-pattern>/rest/*</url-pattern>
   </servlet-mapping>
   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
      <filter-name>springSecurityFilterChain</filter-name>
      <url-pattern>/*</url-pattern>
   </filter-mapping>
</web-app>

From The above code, i am just trying to cover main configuration for regarding Oauth-2.0. I know i really missing so many things, so please go and download the code from above mentioned link or click on the link.
For Testing you can use CURL , POSTMAN, REST-CLIENT etc are many for calling rest services. I am using POSTMAN client by Chrome. Below is the screen shots of example.