[DS-2898] Add support for all authentication methods in the rest api

Kevin Van de Velde
2015-12-17 11:05:59 +01:00
committed by KevinVdV
parent faa88f700d
commit 640aef21bb
17 changed files with 439 additions and 316 deletions


@@ -18,6 +18,7 @@
<properties> <properties>
<!-- This is the path to the root [dspace-src] directory. --> <!-- This is the path to the root [dspace-src] directory. -->
<root.basedir>${basedir}/..</root.basedir> <root.basedir>${basedir}/..</root.basedir>
<spring-security.version>3.2.9.RELEASE</spring-security.version>
</properties> </properties>
<build> <build>
<plugins> <plugins>
@@ -111,6 +112,27 @@
</exclusion> </exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>${spring-security.version}</version>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib</artifactId>
<version>2.2.2</version>
</dependency>
<!-- Use DSpace, for now, an older version to minimize spring generated dependency on Discovery --> <!-- Use DSpace, for now, an older version to minimize spring generated dependency on Discovery -->
<dependency> <dependency>
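Review bot: The cglib dependency added at the end of the second hunk has its version written inline (`<version>2.2.2</version>`) and nothing says which component needs it, while the three spring-security artifacts share the `spring-security.version` property. A `cglib.version` property next to `spring-security.version`, plus a one-line comment naming the consumer (presumably Spring's class proxying, to be confirmed), would make later dependency audits and upgrades easier. Whether 3.2.9.RELEASE lines up with the Spring Framework version this module already resolves is not visible in the hunk and is worth checking with `mvn dependency:tree` before merging.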


@@ -110,7 +110,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.READ); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.READ);
writeStats(dspaceBitstream, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceBitstream, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers,
@@ -163,7 +163,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.READ); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.READ);
policies = new Bitstream(dspaceBitstream, servletContext, "policies", context).getPolicies(); policies = new Bitstream(dspaceBitstream, servletContext, "policies", context).getPolicies();
@@ -223,7 +223,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
List<org.dspace.content.Bitstream> dspaceBitstreams = bitstreamService.findAll(context); List<org.dspace.content.Bitstream> dspaceBitstreams = bitstreamService.findAll(context);
if (!((limit != null) && (limit >= 0) && (offset != null) && (offset >= 0))) if (!((limit != null) && (limit >= 0) && (offset != null) && (offset >= 0)))
@@ -305,7 +305,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.READ); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.READ);
writeStats(dspaceBitstream, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceBitstream, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers,
@@ -374,7 +374,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE);
writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers,
@@ -444,7 +444,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE);
writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor,
@@ -549,7 +549,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE);
writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor,
@@ -618,7 +618,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.DELETE); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.DELETE);
writeStats(dspaceBitstream, UsageEvent.Action.DELETE, user_ip, user_agent, xforwardedfor, writeStats(dspaceBitstream, UsageEvent.Action.DELETE, user_ip, user_agent, xforwardedfor,
@@ -680,7 +680,7 @@ public class BitstreamResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE); org.dspace.content.Bitstream dspaceBitstream = findBitstream(context, bitstreamId, org.dspace.core.Constants.WRITE);
writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceBitstream, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers,


@@ -109,7 +109,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.core.Constants.READ); org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.core.Constants.READ);
writeStats(dspaceCollection, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, writeStats(dspaceCollection, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor,
@@ -178,7 +178,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
if (!((limit != null) && (limit >= 0) && (offset != null) && (offset >= 0))) if (!((limit != null) && (limit >= 0) && (offset != null) && (offset >= 0)))
{ {
@@ -264,7 +264,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.core.Constants.READ); org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.core.Constants.READ);
writeStats(dspaceCollection, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, writeStats(dspaceCollection, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor,
@@ -345,7 +345,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId,
org.dspace.core.Constants.WRITE); org.dspace.core.Constants.WRITE);
@@ -440,7 +440,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId,
org.dspace.core.Constants.WRITE); org.dspace.core.Constants.WRITE);
@@ -510,7 +510,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId, org.dspace.content.Collection dspaceCollection = findCollection(context, collectionId,
org.dspace.core.Constants.DELETE); org.dspace.core.Constants.DELETE);
@@ -580,7 +580,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Collection dspaceCollection = collectionService.findByIdOrLegacyId(context, collectionId); org.dspace.content.Collection dspaceCollection = collectionService.findByIdOrLegacyId(context, collectionId);
org.dspace.content.Item item = itemService.findByIdOrLegacyId(context, itemId); org.dspace.content.Item item = itemService.findByIdOrLegacyId(context, itemId);
@@ -676,7 +676,7 @@ public class CollectionsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
List<org.dspace.content.Collection> dspaceCollections = collectionService.findAll(context); List<org.dspace.content.Collection> dspaceCollections = collectionService.findAll(context);
//TODO, this would be more efficient with a findByName query //TODO, this would be more efficient with a findByName query


@@ -14,7 +14,6 @@ import org.dspace.authorize.service.AuthorizeService;
import org.dspace.content.factory.ContentServiceFactory; import org.dspace.content.factory.ContentServiceFactory;
import org.dspace.content.service.CollectionService; import org.dspace.content.service.CollectionService;
import org.dspace.content.service.CommunityService; import org.dspace.content.service.CommunityService;
import org.dspace.eperson.EPerson;
import org.dspace.rest.common.Collection; import org.dspace.rest.common.Collection;
import org.dspace.rest.common.Community; import org.dspace.rest.common.Community;
import org.dspace.rest.exceptions.ContextException; import org.dspace.rest.exceptions.ContextException;
@@ -82,7 +81,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.READ); org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.READ);
writeStats(dspaceCommunity, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceCommunity, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers,
@@ -148,7 +147,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
List<org.dspace.content.Community> dspaceCommunities = communityService.findAll(context); List<org.dspace.content.Community> dspaceCommunities = communityService.findAll(context);
communities = new ArrayList<Community>(); communities = new ArrayList<Community>();
@@ -230,7 +229,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
List<org.dspace.content.Community> dspaceCommunities = communityService.findAllTop(context); List<org.dspace.content.Community> dspaceCommunities = communityService.findAllTop(context);
communities = new ArrayList<Community>(); communities = new ArrayList<Community>();
@@ -312,7 +311,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.READ); org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.READ);
writeStats(dspaceCommunity, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceCommunity, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers,
@@ -398,7 +397,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.READ); org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.READ);
writeStats(dspaceCommunity, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, writeStats(dspaceCommunity, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers,
@@ -473,8 +472,7 @@ public class CommunitiesResource extends Resource
try try
{ {
EPerson eperson = getUser(headers); context = createContext();
context = createContext(eperson);
if (!authorizeService.isAdmin(context)) if (!authorizeService.isAdmin(context))
{ {
context.abort(); context.abort();
@@ -557,7 +555,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.WRITE); org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.WRITE);
writeStats(dspaceCommunity, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, writeStats(dspaceCommunity, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor,
@@ -638,7 +636,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community dspaceParentCommunity = findCommunity(context, communityId, org.dspace.content.Community dspaceParentCommunity = findCommunity(context, communityId,
org.dspace.core.Constants.WRITE); org.dspace.core.Constants.WRITE);
@@ -717,7 +715,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.WRITE); org.dspace.content.Community dspaceCommunity = findCommunity(context, communityId, org.dspace.core.Constants.WRITE);
writeStats(dspaceCommunity, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, writeStats(dspaceCommunity, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor,
@@ -780,7 +778,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community community = findCommunity(context, communityId, org.dspace.core.Constants.DELETE); org.dspace.content.Community community = findCommunity(context, communityId, org.dspace.core.Constants.DELETE);
writeStats(community, UsageEvent.Action.DELETE, user_ip, user_agent, xforwardedfor, headers, writeStats(community, UsageEvent.Action.DELETE, user_ip, user_agent, xforwardedfor, headers,
@@ -851,7 +849,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community community = findCommunity(context, communityId, org.dspace.core.Constants.WRITE); org.dspace.content.Community community = findCommunity(context, communityId, org.dspace.core.Constants.WRITE);
org.dspace.content.Collection collection = collectionService.findByIdOrLegacyId(context, collectionId); org.dspace.content.Collection collection = collectionService.findByIdOrLegacyId(context, collectionId);
@@ -951,7 +949,7 @@ public class CommunitiesResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Community parentCommunity = findCommunity(context, parentCommunityId, org.dspace.content.Community parentCommunity = findCommunity(context, parentCommunityId,
org.dspace.core.Constants.WRITE); org.dspace.core.Constants.WRITE);


@@ -49,7 +49,7 @@ public class HandleResource extends Resource {
org.dspace.core.Context context = null; org.dspace.core.Context context = null;
try { try {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.DSpaceObject dso = handleService.resolveToObject(context, prefix + "/" + suffix); org.dspace.content.DSpaceObject dso = handleService.resolveToObject(context, prefix + "/" + suffix);


@@ -99,7 +99,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.READ); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.READ);
writeStats(dspaceItem, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -159,7 +159,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
Iterator<org.dspace.content.Item> dspaceItems = itemService.findAllUnfiltered(context); Iterator<org.dspace.content.Item> dspaceItems = itemService.findAllUnfiltered(context);
items = new ArrayList<Item>(); items = new ArrayList<Item>();
@@ -235,7 +235,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.READ); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.READ);
writeStats(dspaceItem, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -294,7 +294,7 @@ public class ItemsResource extends Resource
List<Bitstream> bitstreams = null; List<Bitstream> bitstreams = null;
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.READ); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.READ);
writeStats(dspaceItem, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.VIEW, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -365,7 +365,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE);
writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -440,7 +440,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE);
writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -606,7 +606,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE);
writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -687,7 +687,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.DELETE); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.DELETE);
writeStats(dspaceItem, UsageEvent.Action.REMOVE, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.REMOVE, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -755,7 +755,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE); org.dspace.content.Item dspaceItem = findItem(context, itemId, org.dspace.core.Constants.WRITE);
writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context); writeStats(dspaceItem, UsageEvent.Action.UPDATE, user_ip, user_agent, xforwardedfor, headers, request, context);
@@ -830,7 +830,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
org.dspace.content.Item item = findItem(context, itemId, org.dspace.core.Constants.WRITE); org.dspace.content.Item item = findItem(context, itemId, org.dspace.core.Constants.WRITE);
org.dspace.content.Bitstream bitstream = bitstreamService.findByIdOrLegacyId(context, bitstreamId); org.dspace.content.Bitstream bitstream = bitstreamService.findByIdOrLegacyId(context, bitstreamId);
@@ -843,7 +843,7 @@ public class ItemsResource extends Resource
else if (!authorizeService.authorizeActionBoolean(context, bitstream, org.dspace.core.Constants.DELETE)) else if (!authorizeService.authorizeActionBoolean(context, bitstream, org.dspace.core.Constants.DELETE))
{ {
context.abort(); context.abort();
log.error("User(" + getUser(headers).getEmail() + ") is not allowed to delete bitstream(id=" + bitstreamId + ")."); log.error("User(" + context.getCurrentUser().getEmail() + ") is not allowed to delete bitstream(id=" + bitstreamId + ").");
return Response.status(Status.UNAUTHORIZED).build(); return Response.status(Status.UNAUTHORIZED).build();
} }
@@ -925,7 +925,7 @@ public class ItemsResource extends Resource
try try
{ {
context = createContext(getUser(headers)); context = createContext();
Iterator<org.dspace.content.Item> itemIterator = itemService.findByMetadataField(context, metadataEntry.getSchema(), metadataEntry.getElement(), metadataEntry.getQualifier(), metadataEntry.getValue()); Iterator<org.dspace.content.Item> itemIterator = itemService.findByMetadataField(context, metadataEntry.getSchema(), metadataEntry.getElement(), metadataEntry.getQualifier(), metadataEntry.getValue());
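Review bot: In the hunk at -843/+843, the new `log.error` line dereferences `context.getCurrentUser()` without a null check, and does so after `context.abort()` has already run. With the reworked `createContext()`, the current user is left unset when there is no Authentication, and is null when `findByEmail` finds no match. An unauthenticated caller reaching this branch would therefore most likely get a NullPointerException instead of the intended UNAUTHORIZED response. Read the user before aborting and log defensively: `org.dspace.eperson.EPerson user = context.getCurrentUser();` followed by `log.error("User(" + (user != null ? user.getEmail() : "anonymous") + ") is not allowed to delete bitstream(id=" + bitstreamId + ").");`. The enclosing method starts and ends outside the hunk, so the surrounding catch clauses could not be checked.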


@@ -7,22 +7,35 @@
*/ */
package org.dspace.rest; package org.dspace.rest;
import java.net.CookieHandler;
import java.sql.SQLException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List; import java.util.List;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException; import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.dspace.content.DSpaceObject; import org.dspace.content.DSpaceObject;
import org.dspace.core.Context; import org.dspace.core.Context;
import org.dspace.eperson.EPerson; import org.dspace.eperson.EPerson;
import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.rest.exceptions.ContextException; import org.dspace.rest.exceptions.ContextException;
import org.dspace.services.factory.DSpaceServicesFactory; import org.dspace.services.factory.DSpaceServicesFactory;
import org.dspace.usage.UsageEvent; import org.dspace.usage.UsageEvent;
import org.dspace.utils.DSpace;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
/** /**
* Superclass of all resource classes in REST API. It has methods for creating * Superclass of all resource classes in REST API. It has methods for creating
@@ -64,14 +77,18 @@ public class Resource
* log in. Can be caused by AuthorizeException if there was a * log in. Can be caused by AuthorizeException if there was a
* problem authorizing the found user. * problem authorizing the found user.
*/ */
protected static org.dspace.core.Context createContext(EPerson person) throws ContextException protected static org.dspace.core.Context createContext() throws ContextException, SQLException {
{
org.dspace.core.Context context = new org.dspace.core.Context(); org.dspace.core.Context context = new org.dspace.core.Context();
//context.getDBConnection().setAutoCommit(false); // Disable autocommit. //context.getDBConnection().setAutoCommit(false); // Disable autocommit.
if (person != null) Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if(authentication != null)
{ {
context.setCurrentUser(person); Collection<SimpleGrantedAuthority> specialGroups = (Collection<SimpleGrantedAuthority>) authentication.getAuthorities();
for (SimpleGrantedAuthority grantedAuthority : specialGroups) {
context.setSpecialGroup(EPersonServiceFactory.getInstance().getGroupService().findByName(context, grantedAuthority.getAuthority()).getID());
}
context.setCurrentUser(EPersonServiceFactory.getInstance().getEPersonService().findByEmail(context, authentication.getName()));
} }
return context; return context;
@@ -218,36 +235,4 @@ public class Resource
return actionStr; return actionStr;
} }
/**
* Return EPerson based on stored token in headers under
* "rest-dspace-token".
*
* @param headers
* Only must have "rest-api-token" for successfull return of
* user.
* @return Return EPerson logged under token in headers. If token was wrong
* or header rest-dspace-token was missing, returns null.
*/
protected static EPerson getUser(HttpHeaders headers)
{
List<String> list = headers.getRequestHeader(TokenHolder.TOKEN_HEADER);
String token = null;
if ((list != null) && (list.size() > 0))
{
token = list.get(0);
return TokenHolder.getEPerson(token);
}
return null;
}
protected static String getToken(HttpHeaders headers) {
List<String> list = headers.getRequestHeader(TokenHolder.TOKEN_HEADER);
String token = null;
if ((list != null) && (list.size() > 0))
{
token = list.get(0);
return token;
}
return null;
}
} }
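Review bot: `createContext()` can now throw after `new org.dspace.core.Context()` has been created but before any caller holds the reference, so callers' `finally` blocks see `context == null` and cannot abort it; the context and whatever it holds are then left open. The authorities loop also assumes more than the visible code guarantees: the cast to `Collection<SimpleGrantedAuthority>` is unchecked, and `findByName(...).getID()` fails with a NullPointerException for any authority that does not name an existing DSpace group. I would iterate over `GrantedAuthority`, skip authorities with no matching group, and abort the context before rethrowing, as sketched below. Separately, when `findByEmail` returns null for an authenticated principal (for example if the principal name is not an e-mail address), the request continues with no current user but with the special groups set, which deserves at least a log line. The method's closing brace lies outside the hunk.

```java
protected static org.dspace.core.Context createContext() throws ContextException, SQLException {
    org.dspace.core.Context context = new org.dspace.core.Context();
    try {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null)
        {
            // getAuthorities() yields GrantedAuthority; do not assume SimpleGrantedAuthority.
            for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
                org.dspace.eperson.Group group = EPersonServiceFactory.getInstance().getGroupService()
                        .findByName(context, grantedAuthority.getAuthority());
                if (group != null) {
                    // An authority that names no DSpace group is skipped rather than dereferenced.
                    context.setSpecialGroup(group.getID());
                }
            }
            // ... unchanged: context.setCurrentUser(... findByEmail(context, authentication.getName())) ...
        }
        return context;
    } catch (SQLException | RuntimeException e) {
        // The caller never received the reference, so the context must be released here.
        context.abort();
        throw e;
    }
```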


@@ -7,9 +7,10 @@
*/ */
package org.dspace.rest; package org.dspace.rest;
import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.sql.SQLException; import java.sql.SQLException;
import java.util.List; import java.util.Iterator;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
@@ -17,18 +18,21 @@ import javax.ws.rs.GET;
import javax.ws.rs.POST; import javax.ws.rs.POST;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.Produces; import javax.ws.rs.Produces;
import javax.ws.rs.core.*;
import javax.ws.rs.core.Context; import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import org.dspace.authenticate.AuthenticationMethod;
import org.dspace.authenticate.ShibAuthentication;
import org.dspace.authenticate.factory.AuthenticateServiceFactory;
import org.dspace.authenticate.service.AuthenticationService;
import org.dspace.eperson.EPerson; import org.dspace.eperson.EPerson;
import org.dspace.eperson.factory.EPersonServiceFactory; import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.eperson.service.EPersonService; import org.dspace.eperson.service.EPersonService;
import org.dspace.rest.common.Status; import org.dspace.rest.common.Status;
import org.dspace.rest.common.User;
import org.dspace.rest.exceptions.ContextException; import org.dspace.rest.exceptions.ContextException;
import org.dspace.utils.DSpace;
/** /**
* Root of RESTful api. It provides login and logout. Also have method for * Root of RESTful api. It provides login and logout. Also have method for
@@ -159,27 +163,63 @@ public class RestIndex {
/** /**
* Method to login a user into REST API. * Method to login a user into REST API.
* *
* @param user
* User which will be logged in to REST API.
* @return Returns response code OK and a token. Otherwise returns response * @return Returns response code OK and a token. Otherwise returns response
* code FORBIDDEN(403). * code FORBIDDEN(403).
*/ */
@POST @POST
@Path("/login") @Path("/login")
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response login(User user) public Response login()
{ {
String token = TokenHolder.login(user); //If you can get here, you are authenticated, the actual login is handled by spring security
if (token == null) return Response.ok().build();
{
log.info("REST Login Attempt failed for user: " + user.getEmail());
return Response.status(Response.Status.FORBIDDEN).build();
} else {
log.info("REST Login Success for user: " + user.getEmail());
return Response.ok(token, "text/plain").build();
}
} }
@GET
@Path("/shibboleth-login")
@Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
public Response shibbolethLogin()
{
//If you can get here, you are authenticated, the actual login is handled by spring security
return Response.ok().build();
}
@POST
@Path("/login-shibboleth")
public Response shibbolethLoginEndPoint()
{
org.dspace.core.Context context = null;
try {
context = Resource.createContext();
AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService();
Iterator<AuthenticationMethod> authenticationMethodIterator = authenticationService.authenticationMethodIterator();
while(authenticationMethodIterator.hasNext())
{
AuthenticationMethod authenticationMethod = authenticationMethodIterator.next();
if(authenticationMethod instanceof ShibAuthentication)
{
//TODO: Perhaps look for a better way of handling this ?
org.dspace.services.model.Request currentRequest = new DSpace().getRequestService().getCurrentRequest();
String loginPageURL = authenticationMethod.loginPageURL(context, currentRequest.getHttpServletRequest(), currentRequest.getHttpServletResponse());
if(StringUtils.isNotBlank(loginPageURL))
{
currentRequest.getHttpServletResponse().sendRedirect(loginPageURL);
}
}
}
context.abort();
} catch (ContextException | SQLException | IOException e) {
Resource.processException("Shibboleth endpoint error: " + e.getMessage(), context);
} finally {
if(context != null && context.isValid())
{
context.abort();
}
}
return Response.ok().build();
}
/** /**
* Method to logout a user from DSpace REST API. Removes the token and user from * Method to logout a user from DSpace REST API. Removes the token and user from
* TokenHolder. * TokenHolder.
@@ -195,24 +235,7 @@ public class RestIndex {
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML }) @Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
public Response logout(@Context HttpHeaders headers) public Response logout(@Context HttpHeaders headers)
{ {
List<String> list = headers.getRequestHeader(TokenHolder.TOKEN_HEADER); //If you can get here, you are logged out, this actual logout is handled by spring security
String token = null;
boolean logout = false;
EPerson ePerson = null;
if (list != null)
{
token = list.get(0);
ePerson = TokenHolder.getEPerson(token);
logout = TokenHolder.logout(token);
}
if ((token == null) || (!logout))
{
return Response.status(Response.Status.BAD_REQUEST).build();
}
if(ePerson != null) {
log.info("REST Logout: " + ePerson.getEmail());
}
return Response.ok().build(); return Response.ok().build();
} }
@@ -233,14 +256,14 @@ public class RestIndex {
org.dspace.core.Context context = null; org.dspace.core.Context context = null;
try { try {
context = Resource.createContext(Resource.getUser(headers)); context = Resource.createContext();
EPerson ePerson = context.getCurrentUser(); EPerson ePerson = context.getCurrentUser();
if(ePerson != null) { if(ePerson != null) {
//DB EPerson needed since token won't have full info, need context //DB EPerson needed since token won't have full info, need context
EPerson dbEPerson = epersonService.findByEmail(context, ePerson.getEmail()); EPerson dbEPerson = epersonService.findByEmail(context, ePerson.getEmail());
String token = Resource.getToken(headers);
Status status = new Status(dbEPerson.getEmail(), dbEPerson.getFullName(), token); Status status = new Status(dbEPerson.getEmail(), dbEPerson.getFullName());
return status; return status;
} }


@@ -1,162 +0,0 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.rest;
import java.sql.SQLException;
import java.util.UUID;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import com.google.common.collect.BiMap;
import com.google.common.collect.HashBiMap;
import org.apache.log4j.Logger;
import org.dspace.authenticate.AuthenticationMethod;
import org.dspace.authenticate.factory.AuthenticateServiceFactory;
import org.dspace.authenticate.service.AuthenticationService;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.factory.EPersonServiceFactory;
import org.dspace.eperson.service.EPersonService;
import org.dspace.rest.common.User;
/**
* This class provide token generation, token holding and logging user into rest
* api. For login use method login with class org.dspace.rest.common.User. If
* you want to be deleted from holder, use method for logout.
*
* @author Rostislav Novak (Computing and Information Centre, CTU in Prague)
*/
public class TokenHolder
{
private static final Logger log = Logger.getLogger(TokenHolder.class);
public static String TOKEN_HEADER = "rest-dspace-token";
/**
* Collection holding the auth-token, and the corresponding EPerson's UUID
*/
private static BiMap<String, UUID> tokenPersons = HashBiMap.create();
/**
* Login user into rest api. It check user credentials if they are okay.
*
* @param user
* User which will be logged into rest api.
* @return Returns generated token, which must be used in request header
* under rest-api-token. If password is bad or user does not exist,
* it returns NULL.
* @throws WebApplicationException
* It is thrown by SQLException if user could not be read from
* database. And by Authorization exception if context has not
* permission to read eperson.
*/
public static String login(User user) throws WebApplicationException
{
AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService();
EPersonService epersonService = EPersonServiceFactory.getInstance().getEPersonService();
org.dspace.core.Context context = null;
String token = null;
try
{
context = new org.dspace.core.Context();
int status = authenticationService.authenticate(context, user.getEmail(), user.getPassword(), null, null);
if (status == AuthenticationMethod.SUCCESS)
{
EPerson ePerson = epersonService.findByEmail(context, user.getEmail());
synchronized (TokenHolder.class) {
if (tokenPersons.inverse().containsKey(ePerson.getID())) {
token = tokenPersons.inverse().get(ePerson.getID());
} else {
token = generateToken();
tokenPersons.put(token, ePerson.getID());
}
}
}
log.trace("User(" + user.getEmail() + ") has been logged in.");
context.complete();
}
catch (SQLException e)
{
context.abort();
log.error("Could not read user from database. Message:" + e);
throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
}
finally
{
if ((context != null) && (context.isValid()))
{
context.abort();
log.error("Something get wrong. Aborting context in finally statement.");
throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
}
}
return token;
}
/**
* Return EPerson for log into context.
*
* @param token
* Token under which is stored eperson.
* @return Return instance of EPerson if is token right, otherwise it
* returns NULL.
*/
public static synchronized EPerson getEPerson(String token)
{
try {
EPersonService epersonService = EPersonServiceFactory.getInstance().getEPersonService();
UUID epersonID = tokenPersons.get(token);
Context context = new Context();
return epersonService.find(context, epersonID);
} catch (SQLException e) {
log.error(e);
return null;
}
}
/**
* Logout user from rest api. It delete token and EPerson from TokenHolder.
*
* @param token
* Token under which is stored eperson.
* @return Return true if was all okay, otherwise return false.
*/
public static synchronized boolean logout(String token)
{
if ((token == null) || (! tokenPersons.containsKey(token)))
{
return false;
}
UUID personID = tokenPersons.remove(token);
if (personID == null)
{
return false;
}
return true;
}
/**
* It generates unique token.
*
* @return String filled with unique token.
*/
private static String generateToken()
{
return UUID.randomUUID().toString();
}
}


@@ -0,0 +1,111 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.rest.authentication;
import org.apache.log4j.Logger;
import org.dspace.authenticate.AuthenticationMethod;
import org.dspace.authenticate.factory.AuthenticateServiceFactory;
import org.dspace.authenticate.service.AuthenticationService;
import org.dspace.core.Context;
import org.dspace.core.LogManager;
import org.dspace.eperson.Group;
import org.dspace.utils.DSpace;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import javax.servlet.http.HttpServletRequest;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
/**
* The core authentication & authorization provider, this provider is called when logging in & will process
*
* @author Roeland Dillen (roeland at atmire dot com)
* @author kevinvandevelde at atmire.com
*
* @deprecated This provider handles both the authorization as well as the authentication,
* due to the way that the DSpace authentication is implemented there is currently no other way to do this.
*/
@Deprecated
public class DSpaceAuthenticationProvider implements AuthenticationProvider {
private static Logger log = Logger.getLogger(DSpaceAuthenticationProvider.class);
protected AuthenticationService authenticationService = AuthenticateServiceFactory.getInstance().getAuthenticationService();
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Context context = null;
try {
context = new Context();
String name = authentication.getName();
String password = authentication.getCredentials().toString();
HttpServletRequest httpServletRequest = new DSpace().getRequestService().getCurrentRequest().getHttpServletRequest();
List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
int implicitStatus = authenticationService.authenticateImplicit(context, null, null, null, httpServletRequest);
if (implicitStatus == AuthenticationMethod.SUCCESS) {
log.info(LogManager.getHeader(context, "login", "type=implicit"));
addSpecialGroupsToGrantedAuthorityList(context, httpServletRequest, grantedAuthorities);
return new UsernamePasswordAuthenticationToken(name, password, grantedAuthorities);
}else{
int authenticateResult = authenticationService.authenticate(context, name, password, null, httpServletRequest);
if (AuthenticationMethod.SUCCESS == authenticateResult) {
addSpecialGroupsToGrantedAuthorityList(context, httpServletRequest, grantedAuthorities);
log.info(LogManager
.getHeader(context, "login", "type=explicit"));
return new UsernamePasswordAuthenticationToken(name, password, grantedAuthorities);
}else{
log.info(LogManager.getHeader(context, "failed_login", "email="
+ name + ", result="
+ authenticateResult));
//We always need at least one authority
grantedAuthorities.add(new SimpleGrantedAuthority(Group.ANONYMOUS));
return new AnonymousAuthenticationToken(Group.ANONYMOUS, Group.ANONYMOUS, grantedAuthorities);
}
}
} catch (Exception e) {
log.error("Error while authenticating in the rest api", e);
} finally {
if (context != null) {
try {
context.complete();
} catch (SQLException e) {
log.error(e.getMessage() + " occurred while trying to close", e);
}
}
}
return null;
}
protected void addSpecialGroupsToGrantedAuthorityList(Context context, HttpServletRequest httpServletRequest, List<SimpleGrantedAuthority> grantedAuthorities) throws SQLException {
List<Group> groups = authenticationService.getSpecialGroups(context, httpServletRequest);
for (Group group : groups) {
grantedAuthorities.add(new SimpleGrantedAuthority(group.getName()));
}
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
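Review bot: In `authenticate`, the failed-credentials branch returns an `AnonymousAuthenticationToken` instead of throwing, and Spring Security's `ProviderManager` treats any non-null `Authentication` returned by a provider as a successful authentication. With the filter configuration added in this commit, a wrong password would therefore appear to run the success handler and answer 200, where the removed `RestIndex.login` answered 403 (its Javadoc still promises 403). I would replace the anonymous return with `throw new BadCredentialsException("Login failed");` (from `org.springframework.security.authentication`) and add `catch (AuthenticationException e) { throw e; }` ahead of `catch (Exception e)` so the broad catch does not swallow it. Separately, the implicit branch builds the token from the client-supplied `name` rather than from `context.getCurrentUser()`, so the principal may not be the person the implicit method authenticated; how `createContext()` later resolves the user is not visible here, so this needs confirming.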


@@ -0,0 +1,41 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.rest.authentication;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author kevinvandevelde at atmire.com
*
* Spring redirects to the home page after a successfull login. This success handles ensures that this is NOT the case.
*/
public class NoRedirectAuthenticationLoginSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
@PostConstruct
public void afterPropertiesSet() {
setRedirectStrategy(new NoRedirectStrategy());
}
protected class NoRedirectStrategy implements RedirectStrategy {
@Override
public void sendRedirect(HttpServletRequest request,
HttpServletResponse response, String url) throws IOException {
// no redirect
}
}
}
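Review bot: `NoRedirectStrategy` is declared as a non-static `protected class` here and again, line for line, in `NoRedirectAuthenticationLogoutSuccessHandler`; one shared top-level class (or at least `protected static class`) would remove the duplicate and the hidden reference to the enclosing handler. Both class Javadocs also put `@author` before the description, so Javadoc tools will read the description as part of the author tag. Move the sentence above the tag, e.g. `/** Suppresses Spring Security's redirect after a successful login; no redirect is sent to the REST client. */`, with the matching wording for logout.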


@@ -0,0 +1,39 @@
/**
* The contents of this file are subject to the license and copyright
* detailed in the LICENSE and NOTICE files at the root of the source
* tree and available online at
*
* http://www.dspace.org/license/
*/
package org.dspace.rest.authentication;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
* @author kevinvandevelde at atmire.com
*
* Spring redirects to the home page after a successfull logout. This success handles ensures that this is NOT the case.
*/
public class NoRedirectAuthenticationLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
@PostConstruct
public void afterPropertiesSet() {
setRedirectStrategy(new NoRedirectStrategy());
}
protected class NoRedirectStrategy implements RedirectStrategy {
@Override
public void sendRedirect(HttpServletRequest request,
HttpServletResponse response, String url) throws IOException {
// no redirect
}
}
}


@@ -29,17 +29,7 @@ public class Status
private String sourceVersion; private String sourceVersion;
private String apiVersion; private String apiVersion;
public String getToken() { public Status() {
return token;
}
public void setToken(String token) {
this.token = token;
}
private String token;
public void setCommonProps() {
setOkay(true); setOkay(true);
setSourceVersion(Util.getSourceVersion()); setSourceVersion(Util.getSourceVersion());
@@ -49,27 +39,21 @@ public class Status
setAuthenticated(false); setAuthenticated(false);
} }
public Status() { public Status(String email, String fullname) {
setCommonProps(); setOkay(true);
}
public Status(String email, String fullname, String token) {
setCommonProps();
setAuthenticated(true); setAuthenticated(true);
setEmail(email); setEmail(email);
setFullname(fullname); setFullname(fullname);
setToken(token);
} }
public Status(EPerson eperson, String token) { public Status(EPerson eperson) {
setCommonProps(); setOkay(true);
if(eperson != null) {
if (eperson != null) {
setAuthenticated(true); setAuthenticated(true);
setEmail(eperson.getEmail()); setEmail(eperson.getEmail());
setFullname(eperson.getFullName()); setFullname(eperson.getFullName());
setToken(token); } else {
setAuthenticated(false);
} }
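Review bot: As the rendered lines read, `Status(String email, String fullname)` and `Status(EPerson eperson)` now call only `setOkay(true)` where they used to call `setCommonProps()`, so `sourceVersion` and any other defaults set in the no-arg constructor are no longer populated for a logged-in user. Starting both constructors with `this();` would restore the shared defaults without bringing back the removed method. The new `else { setAuthenticated(false); }` in `Status(EPerson)` would then be redundant, since the no-arg constructor already ends with `setAuthenticated(false)`.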
} }


@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
The contents of this file are subject to the license and copyright
detailed in the LICENSE and NOTICE files at the root of the source
tree and available online at
http://www.dspace.org/license/
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<context:annotation-config/>
<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/login" filters="sif,passwordLoginAuthenticationFilter"/>
<security:filter-chain pattern="/shibboleth-login" filters="sif,passwordLoginAuthenticationFilter"/>
<security:filter-chain pattern="/logout" filters="sif,logoutFilter" />
<security:filter-chain pattern="/**" filters="sif"/>
</security:filter-chain-map>
</bean>
<!-- Creates the spring security context object based on what was there previously -->
<bean id="sif" class="org.springframework.security.web.context.SecurityContextPersistenceFilter" />
<!--Authentication filter for login -->
<bean id="passwordLoginAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="dspaceAuthenticationManager"/>
<property name="authenticationSuccessHandler" ref="org.dspace.rest.authentication.NoRedirectAuthenticationLoginSuccessHandler"/>
<property name="usernameParameter" value="email"/>
<property name="passwordParameter" value="password"/>
<property name="postOnly" value="true"/>
<!--Match on any request-->
<property name="requiresAuthenticationRequestMatcher" ref="org.springframework.security.web.util.matcher.AnyRequestMatcher"/>
</bean>
<security:authentication-manager alias="dspaceAuthenticationManager">
<security:authentication-provider ref='dspaceAuthenticationProvider'/>
</security:authentication-manager>
<bean class="org.dspace.rest.authentication.DSpaceAuthenticationProvider" id="dspaceAuthenticationProvider" lazy-init="true" />
<!--Filter for logout, destroys the spring security context-->
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg index="0" ref="org.dspace.rest.authentication.NoRedirectAuthenticationLogoutSuccessHandler" />
<constructor-arg index="1">
<list>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
<!--Match on any request-->
<property name="logoutRequestMatcher" ref="org.springframework.security.web.util.matcher.AnyRequestMatcher"/>
</bean>
<!--Utility beans-->
<bean id="org.springframework.security.web.util.matcher.AnyRequestMatcher" class="org.springframework.security.web.util.matcher.AnyRequestMatcher"/>
<bean id="org.dspace.rest.authentication.NoRedirectAuthenticationLoginSuccessHandler" class="org.dspace.rest.authentication.NoRedirectAuthenticationLoginSuccessHandler"/>
<bean id="org.dspace.rest.authentication.NoRedirectAuthenticationLogoutSuccessHandler" class="org.dspace.rest.authentication.NoRedirectAuthenticationLogoutSuccessHandler"/>
</beans>
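Review bot: `passwordLoginAuthenticationFilter` is declared as a plain bean, so it keeps the filter's default no-op session authentication strategy and the session id is not changed at login, while `sif` persists the security context in that same session; this leaves the login without session-fixation protection. I would set `<property name="sessionAuthenticationStrategy"><bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/></property>` on the filter. Also, `/shibboleth-login` is routed through the same filter with `postOnly` set to `true`, yet the `shibbolethLogin` resource added to `RestIndex` is a `@GET`, so a GET request would be rejected by the filter before reaching it; either give that path its own filter or confirm the intended method.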


@@ -14,6 +14,28 @@
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5"> id="WebApp_ID" version="2.5">
<filter>
<filter-name>dspace.request</filter-name>
<filter-class>org.dspace.utils.servlet.DSpaceWebappServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>dspace.request</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet> <servlet>
<servlet-name>DSpace REST API</servlet-name> <servlet-name>DSpace REST API</servlet-name>
<servlet-class> <servlet-class>
@@ -30,12 +52,12 @@
<servlet-name>DSpace REST API</servlet-name> <servlet-name>DSpace REST API</servlet-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</servlet-mapping> </servlet-mapping>
<servlet-mapping> <servlet-mapping>
<servlet-name>default</servlet-name> <servlet-name>default</servlet-name>
<url-pattern>/static/*</url-pattern> <url-pattern>/static/*</url-pattern>
</servlet-mapping> </servlet-mapping>
<!-- Security settings and mapping --> <!-- Security settings and mapping -->
<security-constraint> <security-constraint>
<web-resource-collection> <web-resource-collection>
@@ -59,12 +81,9 @@
<context-param> <context-param>
<param-name>contextConfigLocation</param-name> <param-name>contextConfigLocation</param-name>
<param-value> <param-value>
/WEB-INF/applicationContext.xml /WEB-INF/applicationContext.xml,
/WEB-INF/security-applicationContext.xml
</param-value> </param-value>
<!--
Add this context if using Spring Security
/WEB-INF/applicationContext-security.xml
-->
</context-param> </context-param>
<listener> <listener>
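Review bot: The order of the two new filter mappings is load-bearing and nothing in the file says so. `DSpaceAuthenticationProvider` reads the request via `new DSpace().getRequestService().getCurrentRequest()`, which is presumably populated by `dspace.request`, so that mapping has to stay ahead of `springSecurityFilterChain`. A comment above the first `<filter>` would protect it from reordering, e.g. `<!-- Must be mapped before springSecurityFilterChain: the authentication provider reads the current request from the DSpace request service. -->`.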


@@ -53,8 +53,7 @@ public class TestJAXBSchema {
Item.class, Item.class,
MetadataEntry.class, MetadataEntry.class,
ResourcePolicy.class, ResourcePolicy.class,
Status.class, Status.class
User.class
); );
context.generateSchema(resolver); context.generateSchema(resolver);


@@ -17,8 +17,6 @@
<xs:element name="status" type="status"/> <xs:element name="status" type="status"/>
<xs:element name="user" type="user"/>
<xs:complexType name="bitstream"> <xs:complexType name="bitstream">
<xs:complexContent> <xs:complexContent>
<xs:extension base="dSpaceObject"> <xs:extension base="dSpaceObject">
@@ -142,7 +140,6 @@
<xs:element name="fullname" type="xs:string" minOccurs="0"/> <xs:element name="fullname" type="xs:string" minOccurs="0"/>
<xs:element name="okay" type="xs:boolean"/> <xs:element name="okay" type="xs:boolean"/>
<xs:element name="sourceVersion" type="xs:string" minOccurs="0"/> <xs:element name="sourceVersion" type="xs:string" minOccurs="0"/>
<xs:element name="token" type="xs:string" minOccurs="0"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>