1 <?xml version="1.0" encoding="UTF-8"?>
3 ================================================================================
5 ================================================================================
6 Copyright (C) 2017 AT&T Intellectual Property
7 ================================================================================
8 Licensed under the Apache License, Version 2.0 (the "License");
9 you may not use this file except in compliance with the License.
10 You may obtain a copy of the License at
12 http://www.apache.org/licenses/LICENSE-2.0
14 Unless required by applicable law or agreed to in writing, software
15 distributed under the License is distributed on an "AS IS" BASIS,
16 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 See the License for the specific language governing permissions and
18 limitations under the License.
19 ================================================================================
22 <beans xmlns="http://www.springframework.org/schema/beans"
23 xmlns:mvc="http://www.springframework.org/schema/mvc"
24 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
25 xmlns:tx="http://www.springframework.org/schema/tx"
26 xmlns:context="http://www.springframework.org/schema/context"
27 xmlns:security="http://www.springframework.org/schema/security"
28 xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
29 xmlns:util="http://www.springframework.org/schema/util"
30 xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
31 http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
32 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
33 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
34 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
35 http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
36 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
38 <!-- DispatcherServlet Context: defines this servlet's request-processing
43 class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
44 <property name="location">
45 <value>classpath:openid-connect.properties</value>
50 <!-- Enables the Spring MVC @Controller programming model -->
51 <mvc:annotation-driven />
54 <!-- Inject the UserInfo into the current context -->
55 <bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
58 <!-- Handles HTTP GET requests for /resources/** by efficiently serving
59 up static resources in the ${webappRoot}/resources directory -->
60 <mvc:resources mapping="/resources/**" location="/resources/" />
62 <!-- Resolves views selected for rendering by @Controllers to .jsp resources
63 in the /WEB-INF/views directory -->
65 class="org.springframework.web.servlet.view.InternalResourceViewResolver">
66 <property name="prefix" value="/WEB-INF/views/" />
67 <property name="suffix" value=".jsp" />
70 <context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" />
72 <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
74 <security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
75 <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
79 <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
80 <property name="loginFormUrl" value="/openid_connect_login" />
83 <security:authentication-manager alias="authenticationManager">
84 <security:authentication-provider ref="openIdConnectAuthenticationProvider" />
85 </security:authentication-manager>
87 <bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
88 <property name="authoritiesMapper">
89 <bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
90 <property name="admins" ref="namedAdmins" />
95 <util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
97 This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.
98 Note that having an administrator role on the IdP doesn't grant administrator access on this client.
100 These are values from the demo "openid-connect-server-webapp" project of MITREid Connect. Replace the subject below with the real administrator's subject before deployment: any account that the configured issuer presents with this subject is granted ROLE_ADMIN on this client.
102 <bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
103 <constructor-arg name="subject" value="90342.ASDFJWFA" />
104 <constructor-arg name="issuer" value="${authentication_server_url}" />
111 - The authentication filter
114 <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
115 <property name="authenticationManager" ref="authenticationManager" />
117 <property name="issuerService" ref="hybridIssuerService" />
118 <property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
119 <property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
120 <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
121 <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
129 - Issuer Services: Determine which identity provider issuer is used.
135 Static issuer service, returns the same issuer for every request.
137 <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
138 <property name="issuer" value="${authentication_server_url}" />
142 WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the
143 loginPageUrl page) to find the issuer. The login page needs to return the user-entered text
144 as the "identifier" parameter as a query parameter.
146 <bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService">
147 <property name="loginPageUrl" value="login" />
151 Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
152 and returns that as the issuer. If there is no "iss" value, redirects to the configured
153 account chooser URI. This URI should direct back to the login filter URL with an
154 "iss" value as a query parameter.
    Note that "iss" is an unauthenticated request parameter, so this trusts whichever issuer the
    caller names; combine it with a static server/client configuration or an allow-list of issuers
    rather than fully dynamic discovery and registration.
156 <bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
157 <property name="accountChooserUrl" value="http://localhost/account-chooser/" />
161 Hybrid issuer service (the one wired into the authentication filter above). If an issuer is passed in directly with the "iss" parameter, it will use that.
    Because "iss" is an unauthenticated request parameter, any issuer a caller names is trusted for discovery and, with the
    dynamic client configuration service below, for client registration; restrict accepted issuers to a known list in production.
    If not, it will
162 look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login
165 <bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
166 <property name="loginPageUrl" value="login" />
167 <property name="forceHttps" value="false" /> <!-- forceHttps defaults to true and requires the WebFinger-discovered issuer URL to be https; it is disabled here for development only. Re-enable it for any real deployment: over plain HTTP an on-path attacker can rewrite the discovery response and point this client at a rogue issuer. -->
172 - Server configuration: determines the parameters and URLs of the server to talk to.
177 Static server configuration, contains a map of server configuration objects keyed by the issuer URL.
179 <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
180 <property name="servers">
182 <entry key="${authentication_server_url}">
183 <bean class="org.mitre.openid.connect.config.ServerConfiguration">
184 <property name="issuer" value="${authentication_server_url}" />
185 <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
186 <property name="tokenEndpointUri" value="${authentication_server_url}token" />
187 <property name="userInfoUri" value="${authentication_server_url}userinfo" />
188 <property name="jwksUri" value="${authentication_server_url}jwk" />
196 Dynamic server configuration, fetches the server's information using OIDC Discovery. This is the implementation wired into the authentication filter above, so the authorization, token, userinfo and JWKS endpoints are whatever the resolved issuer's discovery document says they are; that issuer must therefore be reached over HTTPS only.
198 <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
201 Hybrid server configuration. Tries to look up a statically configured server in the map, does
202 dynamic OIDC Discovery if the static lookup fails.
204 <bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService">
205 <property name="servers">
207 <entry key="${authentication_server_url}">
208 <bean class="org.mitre.openid.connect.config.ServerConfiguration">
209 <property name="issuer" value="${authentication_server_url}" />
210 <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
211 <property name="tokenEndpointUri" value="${authentication_server_url}token" />
212 <property name="userInfoUri" value="${authentication_server_url}userinfo" />
213 <property name="jwksUri" value="${authentication_server_url}jwk" />
223 - Client Configuration: Determine which client identifier and credentials are used.
229 Dynamic Client Configuration, uses dynamic client registration. This version stores the registered
230 clients in an in-memory map. To override, add a bean to the registeredClientService property.
233 <bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
234 <property name="template">
235 <bean class="org.mitre.oauth2.model.RegisteredClient">
236 <property name="clientName" value="ECOMP Portal OpenId Connect Client1" />
238 <property name="scope">
239 <set value-type="java.lang.String">
240 <value>openid</value>
242 <value>address</value>
243 <value>profile</value>
247 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
248 <property name="redirectUris">
250 <value>${ecomp_openid_connect_client}</value>
256 Registered Client Service. Uncomment this to save dynamically registered clients out to a
257 file on disk (indicated by the filename property) or replace this with another implementation
258 of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
259 which will forget and re-register all clients on restart.
    Security note: the persisted file holds the client_secret issued at registration, and /tmp is a
    shared, world-writable directory; before enabling this, point filename at a location writable only
    by the application user and keep the file's permissions restrictive.
262 <property name="registeredClientService">
263 <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
264 <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
271 Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
    The clientId/clientSecret literals below are placeholders: never commit a real secret here; supply it from an
    externalized property (as is done for ${authentication_server_url}) or a secrets store with restricted file permissions.
274 <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
275 <property name="clients">
277 <entry key="${authentication_server_url}">
278 <bean class="org.mitre.oauth2.model.RegisteredClient">
279 <property name="clientId" value="ecomp" />
280 <property name="clientSecret" value="secret" />
281 <property name="scope">
282 <set value-type="java.lang.String">
283 <value>openid</value>
285 <value>address</value>
286 <value>profile</value>
290 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
291 <property name="redirectUris">
293 <value>${ecomp_openid_connect_client}</value>
303 Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map,
304 it will dynamically configure one.
    The clientId/clientSecret literals in the static part below are placeholders: never commit a real secret here; supply
    it from an externalized property or a secrets store with restricted file permissions.
306 <bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService">
307 <property name="clients">
309 <entry key="${authentication_server_url}">
310 <bean class="org.mitre.oauth2.model.RegisteredClient">
311 <property name="clientId" value="client" />
312 <property name="clientSecret" value="secret" />
313 <property name="scope">
314 <set value-type="java.lang.String">
315 <value>openid</value>
317 <value>address</value>
318 <value>profile</value>
322 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
323 <property name="redirectUris">
325 <value>${ecomp_openid_connect_client}</value>
333 <property name="template">
334 <bean class="org.mitre.oauth2.model.RegisteredClient">
335 <property name="clientName" value="ECOMP Portal OpenId Connect Client2" />
336 <property name="scope">
337 <set value-type="java.lang.String">
338 <value>openid</value>
340 <value>address</value>
341 <value>profile</value>
345 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
346 <property name="redirectUris">
348 <value>${ecomp_openid_connect_client}</value>
354 Registered Client Service. Uncomment this to save dynamically registered clients out to a
355 file on disk (indicated by the filename property) or replace this with another implementation
356 of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
357 which will forget and re-register all clients on restart.
    Security note: the persisted file holds the client_secret issued at registration, and /tmp is a
    shared, world-writable directory; before enabling this, point filename at a location writable only
    by the application user and keep the file's permissions restrictive.
360 <property name="registeredClientService">
361 <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
362 <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
371 - Auth request options service: returns the optional components of the request
374 <bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
375 <property name="options">
377 <!-- Entries in this map are sent verbatim as query parameters on the authorization request.
    Note that "prompt=none" asks the IdP never to show a login or consent UI, while "max_age=30" asks it to
    re-authenticate anyone whose last login is older than 30 seconds; combined, the IdP is expected to answer
    with a login_required error for most users, so confirm this pairing is intentional. -->
379 <entry key="display" value="page" />
380 <entry key="max_age" value="30" />
381 <entry key="prompt" value="none" />
389 - Authorization URL Builders: create the URL to redirect the user to for authorization.
394 Plain authorization request builder, puts all options as query parameters on the GET request
396 <bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
399 Signed authorization request builder, puts all options as elements in a JWS-signed request object
401 <bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
402 <property name="signingAndValidationService" ref="defaultSignerService" />
406 Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object. The key-management algorithm set below, RSA1_5 (RSA PKCS#1 v1.5), is susceptible to padding-oracle (Bleichenbacher-style) attacks and is deprecated by RFC 8725; use RSA-OAEP or RSA-OAEP-256 where the IdP supports it.
408 <bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
409 <property name="encrypterService" ref="validatorCache" />
410 <property name="alg">
411 <util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
413 <property name="enc">
414 <util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
423 - Utility beans for the above classes
428 This service fetches and caches JWK sets from URLs. It is also used as the encrypterService of the encrypted request builder above, so the IdP's JWKS must be fetched over HTTPS: a substituted key set would let an attacker decrypt the request objects encrypted to it.
431 <bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
434 This service sets up the signers and validators backed by this client's own keys (used by the signed request
435 builder above and published by the key publisher below). The bundled openid-keystore.jwks is presumably sample
    material, so its private key must be treated as already public: generate a fresh key pair for any production
    deployment and keep the private key out of the shipped classpath artifact.
437 <bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
438 <constructor-arg name="keyStore">
439 <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
440 <property name="location" value="classpath:openid-keystore.jwks" />
443 <property name="defaultSignerKeyId" value="rsa1" />
444 <property name="defaultSigningAlgorithmName" value="RS256" />
448 This service publishes the client's public key on the endpoint "jwk" off the root of this client.
450 <bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
451 <property name="jwkPublishUrl" value="jwk" />
452 <property name="signingAndValidationService" ref="defaultSignerService" />