1 <?xml version="1.0" encoding="UTF-8"?>
3 ============LICENSE_START==========================================
5 ===================================================================
6 Copyright © 2017 AT&T Intellectual Property. All rights reserved.
7 ===================================================================
9 Unless otherwise specified, all software contained herein is licensed
10 under the Apache License, Version 2.0 (the “License”);
11 you may not use this software except in compliance with the License.
12 You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
22 Unless otherwise specified, all documentation contained herein is licensed
23 under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
24 you may not use this documentation except in compliance with the License.
25 You may obtain a copy of the License at
27 https://creativecommons.org/licenses/by/4.0/
29 Unless required by applicable law or agreed to in writing, documentation
30 distributed under the License is distributed on an "AS IS" BASIS,
31 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
32 See the License for the specific language governing permissions and
33 limitations under the License.
35 ============LICENSE_END============================================
37 ECOMP is a trademark and service mark of AT&T Intellectual Property.
40 <beans xmlns="http://www.springframework.org/schema/beans"
41 xmlns:mvc="http://www.springframework.org/schema/mvc"
42 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
43 xmlns:tx="http://www.springframework.org/schema/tx"
44 xmlns:context="http://www.springframework.org/schema/context"
45 xmlns:security="http://www.springframework.org/schema/security"
46 xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
47 xmlns:util="http://www.springframework.org/schema/util"
48 xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
49 http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
50 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
51 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
52 http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
53 http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
54 http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<!-- Security review: the schemaLocation above pins Spring Security 3.2 and Spring Security OAuth2 2.0.
     Confirm that the Spring Security, MITREid Connect and nimbus-jose-jwt artifacts actually deployed are
     still maintained and patched; an old schema version is usually a sign of old library versions. -->
56 <!-- DispatcherServlet Context: defines this servlet's request-processing
61 class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
62 <property name="location">
63 <value>classpath:openid-connect.properties</value>
<!-- ${authentication_server_url} and ${ecomp_openid_connect_client}, used throughout this file, are resolved
     from this properties file. Keep it out of version control if it ever carries client credentials. The
     endpoint URIs further down are built by appending a path to ${authentication_server_url}, so that value
     must end with "/". -->
68 <!-- Enables the Spring MVC @Controller programming model -->
69 <mvc:annotation-driven />
72 <!-- Inject the UserInfo into the current context -->
73 <bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
76 <!-- Handles HTTP GET requests for /resources/** by efficiently serving
77 up static resources in the ${webappRoot}/resources directory -->
78 <mvc:resources mapping="/resources/**" location="/resources/" />
80 <!-- Resolves views selected for rendering by @Controllers to .jsp resources
81 in the /WEB-INF/views directory -->
83 class="org.springframework.web.servlet.view.InternalResourceViewResolver">
84 <property name="prefix" value="/WEB-INF/views/" />
85 <property name="suffix" value=".jsp" />
88 <context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" />
<!-- Method-level @PreAuthorize/@PostAuthorize checks use the same authenticationManager as the web layer,
     so the roles produced by the authorities mapper below are exactly what those annotations see. -->
90 <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
<!-- Security review of the web filter chain:
     * disable-url-rewriting="true" is correct: it keeps the session id out of URLs.
     * No <security:intercept-url> rules are visible in this excerpt. Confirm that /** (or the portal paths)
       actually requires an authenticated user; otherwise the OIDC filter only runs on its own login URL.
     * No <security:csrf/> or <security:headers/> element is visible. In the Spring Security 3.2 XML namespace
       both are opt-in (they became defaults in 4.0), so without them state-changing portal requests carry no
       CSRF token and responses carry no X-Frame-Options / HSTS / nosniff headers. Add them unless they are
       configured in a part of the file not shown here. -->
92 <security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
93 <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
97 <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
98 <property name="loginFormUrl" value="/openid_connect_login" />
<!-- /openid_connect_login is the default URL processed by OIDCAuthenticationFilter, so an unauthenticated
     request is sent straight into the OIDC flow rather than to a local login page. -->
101 <security:authentication-manager alias="authenticationManager">
102 <security:authentication-provider ref="openIdConnectAuthenticationProvider" />
103 </security:authentication-manager>
105 <bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
106 <property name="authoritiesMapper">
107 <bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
108 <property name="admins" ref="namedAdmins" />
<!-- SECURITY: the subject below ("90342.ASDFJWFA") is the MITREid demo server's sample administrator, yet it
     is paired with the real ${authentication_server_url} issuer. Whoever that issuer reports under that
     subject gets ROLE_ADMIN on this portal. Remove or replace the entry with the real administrator subjects
     before deployment, and keep the set short: every entry here is an application-level admin grant. -->
113 <util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
115 This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.
116 Note that having an administrator role on the IdP doesn't grant administrator access on this client.
118 These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
120 <bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
121 <constructor-arg name="subject" value="90342.ASDFJWFA" />
122 <constructor-arg name="issuer" value="${authentication_server_url}" />
129 - The authentication filter
132 <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
133 <property name="authenticationManager" ref="authenticationManager" />
135 <property name="issuerService" ref="hybridIssuerService" />
136 <property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
137 <property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
138 <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
139 <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
<!-- How the filter is wired, and why it matters:
     issuerService = hybridIssuerService: the issuer comes from the "iss" or "identifier" request parameter.
     serverConfigurationService = dynamic: endpoints are fetched by discovery from whatever issuer was chosen.
     clientConfigurationService = dynamic registration: the portal registers itself with that issuer.
     Taken together, an unauthenticated request to the login URL can point this client at an arbitrary
     issuer, trigger outbound discovery/registration calls to it and redirect the user there (IdP mix-up,
     open redirect and SSRF style risks). Unless user-chosen providers are a real requirement, wire
     staticIssuerService and staticClientConfigurationService instead, or restrict the issuer and dynamic
     services with their whitelist/blacklist properties (check which of these services expose them in the
     deployed MITREid version). -->
147 - Issuer Services: Determine which identity provider issuer is used.
153 Static issuer service, returns the same issuer for every request.
155 <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
156 <property name="issuer" value="${authentication_server_url}" />
<!-- Single fixed issuer: the safe choice for a portal with one IdP. Note it is NOT the service wired into
     openIdConnectAuthenticationFilter above (that one uses hybridIssuerService). -->
160 WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the
161 loginPageUrl page) to find the issuer. The login page needs to return the user-entered text
162 as the "identifier" parameter as a query parameter.
164 <bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService">
165 <property name="loginPageUrl" value="login" />
<!-- User-entered identifiers drive WebFinger lookups, i.e. outbound HTTP from this server to a host the
     user chose. Only use with an allow-list of acceptable issuers. -->
169 Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
170 and returns that as the issuer. If there is no "iss" value, redirects to the configured
171 account chooser URI. This URI should direct back to the login filter URL with an
172 "iss" value as a query parameter.
174 <bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
175 <property name="accountChooserUrl" value="http://localhost/account-chooser/" />
<!-- Placeholder value: plain http and localhost. If an account chooser is ever used it must be an https
     URL, and the "iss" it hands back must still be validated against an allow-list. -->
179 Hybrid issuer service. If an issuer is passed in directly with the "iss" parameter, it will use that. If not, it will
180 look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login
183 <bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
184 <property name="loginPageUrl" value="login" />
185 <property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL to be HTTPS, turn off for development work -->
<!-- This is the issuer service the filter uses. forceHttps="false" lets a plain-http issuer be accepted
     during WebFinger discovery, which allows an on-path attacker to steer discovery. It must be "true" in any
     non-development profile; consider driving it from a property instead of hard-coding false here. -->
190 - Server configuration: determines the parameters and URLs of the server to talk to.
195 Static server configuration, contains a map of server configuration objects keyed by the issuer URL.
197 <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
198 <property name="servers">
200 <entry key="${authentication_server_url}">
201 <bean class="org.mitre.openid.connect.config.ServerConfiguration">
202 <property name="issuer" value="${authentication_server_url}" />
203 <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
204 <property name="tokenEndpointUri" value="${authentication_server_url}token" />
205 <property name="userInfoUri" value="${authentication_server_url}userinfo" />
206 <property name="jwksUri" value="${authentication_server_url}jwk" />
<!-- Endpoint URIs are built by string concatenation on ${authentication_server_url}; the property must end
     with "/" or the paths collapse into the host name. This static map is not the serverConfigurationService
     wired into the filter above (that uses dynamicServerConfigurationService), but it is the safer option:
     the token, userinfo and JWKS endpoints cannot be redirected by a discovery document. -->
214 Dynamic server configuration, fetches the server's information using OIDC Discovery.
216 <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
<!-- Discovery fetches /.well-known/openid-configuration from the issuer and trusts the endpoints it
     advertises. This is the service the filter uses; combined with a request-chosen issuer (see
     hybridIssuerService) the fetch target is attacker-controlled. Restrict it with a whitelist if the
     deployed version supports one, or switch the filter to the static service. -->
219 Hybrid server configuration. Tries to look up a statically configured server in the map, does
220 dynamic OIDC Discovery if the static lookup fails.
222 <bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService">
223 <property name="servers">
225 <entry key="${authentication_server_url}">
226 <bean class="org.mitre.openid.connect.config.ServerConfiguration">
227 <property name="issuer" value="${authentication_server_url}" />
228 <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
229 <property name="tokenEndpointUri" value="${authentication_server_url}token" />
230 <property name="userInfoUri" value="${authentication_server_url}userinfo" />
231 <property name="jwksUri" value="${authentication_server_url}jwk" />
<!-- Same concatenation caveat as the static entries above; falls back to discovery for any issuer not
     listed here, so the dynamic-discovery concern applies to the fallback path. -->
241 - Client Configuration: Determine which client identifier and credentials are used.
247 Dynamic Client Configuration, uses dynamic client registration. This version stores the registered
248 clients in an in-memory map. To override, add a bean to the registeredClientService property.
251 <bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
252 <property name="template">
253 <bean class="org.mitre.oauth2.model.RegisteredClient">
254 <property name="clientName" value="ECOMP Portal OpenId Connect Client1" />
256 <property name="scope">
257 <set value-type="java.lang.String">
258 <value>openid</value>
260 <value>address</value>
261 <value>profile</value>
265 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<!-- Security review of the dynamic registration template (this IS the clientConfigurationService wired into
     the filter): client_id and client_secret are issued by the IdP at runtime and kept in memory unless a
     registeredClientService is set. The "address" and "profile" scopes pull postal-address and profile claims
     into the portal; drop any scope the portal does not consume (data minimisation). The redirect URI below
     should be the exact https callback URL registered with the IdP. -->
266 <property name="redirectUris">
268 <value>${ecomp_openid_connect_client}</value>
274 Registered Client Service. Uncomment this to save dynamically registered clients out to a
275 file on disk (indicated by the filename property) or replace this with another implementation
276 of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
277 which will forget and re-register all clients on restart.
280 <property name="registeredClientService">
281 <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
282 <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
<!-- SECURITY: if this registeredClientService is enabled, every dynamically registered client, including the
     credentials the IdP returned (client_secret and registration access token; verify what RegisteredClient
     serialises in this version), is written to a predictable file in world-writable /tmp. Any local user can
     read it or pre-create/symlink it. Use a path under the application's own data directory with restrictive
     permissions, or a proper secret store. The file name also shows this block was copied from the MITREid
     simple-web-app example. -->
289 Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
292 <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
293 <property name="clients">
295 <entry key="${authentication_server_url}">
296 <bean class="org.mitre.oauth2.model.RegisteredClient">
297 <property name="clientId" value="ecomp" />
298 <property name="clientSecret" value="secret" />
<!-- SECURITY: hard-coded client credentials ("ecomp" / "secret") in a config file that lives in source
     control. Externalise them (${...} placeholders resolved from a protected properties file or a secret
     store) and use a real, high-entropy secret. This static service is not the one wired into the filter in
     this excerpt, but a committed placeholder secret is still a finding. -->
299 <property name="scope">
300 <set value-type="java.lang.String">
301 <value>openid</value>
303 <value>address</value>
304 <value>profile</value>
308 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
309 <property name="redirectUris">
311 <value>${ecomp_openid_connect_client}</value>
321 Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map,
322 it will dynamically configure one.
324 <bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService">
325 <property name="clients">
327 <entry key="${authentication_server_url}">
328 <bean class="org.mitre.oauth2.model.RegisteredClient">
329 <property name="clientId" value="client" />
330 <property name="clientSecret" value="secret" />
<!-- Same finding as the static client above: "client" / "secret" are placeholder credentials. Externalise
     and replace before deployment. -->
331 <property name="scope">
332 <set value-type="java.lang.String">
333 <value>openid</value>
335 <value>address</value>
336 <value>profile</value>
340 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
341 <property name="redirectUris">
343 <value>${ecomp_openid_connect_client}</value>
351 <property name="template">
352 <bean class="org.mitre.oauth2.model.RegisteredClient">
353 <property name="clientName" value="ECOMP Portal OpenId Connect Client2" />
354 <property name="scope">
355 <set value-type="java.lang.String">
356 <value>openid</value>
358 <value>address</value>
359 <value>profile</value>
363 <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
364 <property name="redirectUris">
366 <value>${ecomp_openid_connect_client}</value>
372 Registered Client Service. Uncomment this to save dynamically registered clients out to a
373 file on disk (indicated by the filename property) or replace this with another implementation
374 of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
375 which will forget and re-register all clients on restart.
378 <property name="registeredClientService">
379 <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
380 <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
<!-- Same /tmp file and same concern as the registeredClientService on the dynamic service above. -->
389 - Auth request options service: returns the optional components of the request
392 <bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
393 <property name="options">
395 <!-- Entries in this map are sent as key-value parameters to the auth request -->
397 <entry key="display" value="page" />
398 <entry key="max_age" value="30" />
399 <entry key="prompt" value="none" />
<!-- Review of these extra parameters: prompt=none asks the IdP never to show UI and max_age=30 asks it to
     require an authentication within the last 30 seconds; together they yield login_required errors for any
     user whose IdP session is older than that. They look like the MITREid sample values, so confirm they are
     intended rather than inherited. -->
407 - Authorization URL Builders: create the URL to redirect the user to for authorization.
412 Plain authorization request builder, puts all options as query parameters on the GET request
414 <bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
<!-- The builder the filter uses. Parameters are sent unsigned as query parameters; the signed and encrypted
     builders below protect request integrity/confidentiality but are not wired in this excerpt. -->
417 Signed authorization request builder, puts all options as elements in a JWS-signed request object
419 <bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
420 <property name="signingAndValidationService" ref="defaultSignerService" />
424 Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object
426 <bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
427 <property name="encrypterService" ref="validatorCache" />
428 <property name="alg">
429 <util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
<!-- SECURITY: RSA1_5 is RSA PKCS#1 v1.5 key transport, which current JOSE guidance (RFC 8725) says should not
     be used because of padding-oracle (Bleichenbacher-style) attacks. Prefer JWEAlgorithm.RSA_OAEP_256 if the
     IdP supports it. This builder is not the one wired into the filter in this excerpt. -->
431 <property name="enc">
432 <util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
441 - Utility beans for the above classes
446 This service fetches and caches JWK sets from URLs.
449 <bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
<!-- Fetches and caches remote JWK sets over HTTP(S); referenced above as the encrypter key source. With a
     request-chosen issuer this is another outbound fetch to an untrusted URL; with a static issuer it only
     talks to the configured jwksUri. -->
452 This service sets up a bunch of signers and validators based on our own keys.
453 Replace this keystore's contents for a production deployment.
455 <bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
456 <constructor-arg name="keyStore">
457 <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
458 <property name="location" value="classpath:openid-keystore.jwks" />
461 <property name="defaultSignerKeyId" value="rsa1" />
462 <property name="defaultSigningAlgorithmName" value="RS256" />
<!-- SECURITY: this JWK set holds the client's private signing key (key id "rsa1"), packaged on the classpath
     of the deployable. Generate a key for this deployment (as the comment above says), never ship the MITREid
     sample key, keep the file out of source control, and prefer loading it from a protected location on the
     host rather than from inside the WAR. -->
466 This service publishes the client's public key on the endpoint "jwk" off the root of this client.
468 <bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
469 <property name="jwkPublishUrl" value="jwk" />
470 <property name="signingAndValidationService" ref="defaultSignerService" />
<!-- Publishes the key set at /jwk so the IdP can verify signed requests from this client. It is expected to
     expose only the public half of the keys above; confirm for the deployed version that no private key
     material is included in the published document. -->