+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ================================================================================
- eCOMP Portal
- ================================================================================
- Copyright (C) 2017 AT&T Intellectual Property
- ================================================================================
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- ================================================================================
- -->
-
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
- xmlns:util="http://www.springframework.org/schema/util"
- xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
- http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
-
- <!-- DispatcherServlet Context: defines this servlet's request-processing
- infrastructure -->
-
-
- <bean
- class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
- <property name="location">
- <value>classpath:openid-connect.properties</value>
- </property>
- </bean>
-
-
- <!-- Enables the Spring MVC @Controller programming model -->
- <mvc:annotation-driven />
-
- <mvc:interceptors>
- <!-- Inject the UserInfo into the current context -->
- <bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
- </mvc:interceptors>
-
- <!-- Handles HTTP GET requests for /resources/** by efficiently serving
- up static resources in the ${webappRoot}/resources directory -->
- <mvc:resources mapping="/resources/**" location="/resources/" />
-
- <!-- Resolves views selected for rendering by @Controllers to .jsp resources
- in the /WEB-INF/views directory -->
- <bean
- class="org.springframework.web.servlet.view.InternalResourceViewResolver">
- <property name="prefix" value="/WEB-INF/views/" />
- <property name="suffix" value=".jsp" />
- </bean>
-
- <context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" />
-
- <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
-
- <security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
- <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
- <security:logout />
- </security:http>
-
- <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
- <property name="loginFormUrl" value="/openid_connect_login" />
- </bean>
-
- <security:authentication-manager alias="authenticationManager">
- <security:authentication-provider ref="openIdConnectAuthenticationProvider" />
- </security:authentication-manager>
-
- <bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
- <property name="authoritiesMapper">
- <bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
- <property name="admins" ref="namedAdmins" />
- </bean>
- </property>
- </bean>
-
- <util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
- <!--
- This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.
- Note that having an administrator role on the IdP doesn't grant administrator access on this client.
-
- These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
- -->
- <bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
- <constructor-arg name="subject" value="90342.ASDFJWFA" />
- <constructor-arg name="issuer" value="${authentication_server_url}" />
- </bean>
- </util:set>
-
-
- <!--
- -
- - The authentication filter
- -
- -->
- <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
- <property name="authenticationManager" ref="authenticationManager" />
-
- <property name="issuerService" ref="hybridIssuerService" />
- <property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
- <property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
- <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
- <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
-
- </bean>
-
-
-
- <!--
- -
- - Issuer Services: Determine which identity provider issuer is used.
- -
- -->
-
-
- <!--
- Static issuer service, returns the same issuer for every request.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
- <property name="issuer" value="${authentication_server_url}" />
- </bean>
-
- <!--
- WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the
- loginPageUrl page) to find the issuer. The login page needs to return the user-entered text
- as the "identifier" parameter as a query parameter.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService">
- <property name="loginPageUrl" value="login" />
- </bean>
-
- <!--
- Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
- and returns that as the issuer. If there is no "iss" value, redirects to the configured
- account chooser URI. This URI should direct back to the login filter URL with an
- "iss" value as a query parameter.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
- <property name="accountChooserUrl" value="http://localhost/account-chooser/" />
- </bean>
-
- <!--
- Hybrid issuer service. If an issuer is passed in directly with the "iss" parameter, it will use that. If not, it will
- look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login
- page URL.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
- <property name="loginPageUrl" value="login" />
- <property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL to be HTTPS, turn off for development work -->
- </bean>
-
- <!--
- -
- - Server configuration: determines the parameters and URLs of the server to talk to.
- -
- -->
-
- <!--
- Static server configuration, contains a map of server configuration objects keyed by the issuer URL.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
- <property name="servers">
- <map>
- <entry key="${authentication_server_url}">
- <bean class="org.mitre.openid.connect.config.ServerConfiguration">
- <property name="issuer" value="${authentication_server_url}" />
- <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
- <property name="tokenEndpointUri" value="${authentication_server_url}token" />
- <property name="userInfoUri" value="${authentication_server_url}userinfo" />
- <property name="jwksUri" value="${authentication_server_url}jwk" />
- </bean>
- </entry>
- </map>
- </property>
- </bean>
-
- <!--
- Dynamic server configuration, fetches the server's information using OIDC Discovery.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
-
- <!--
- Hybrid server configuration. Tries to look up a statically configured server in the map, does
- dynamic OIDC Discovery if the static lookup fails.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService">
- <property name="servers">
- <map>
- <entry key="${authentication_server_url}">
- <bean class="org.mitre.openid.connect.config.ServerConfiguration">
- <property name="issuer" value="${authentication_server_url}" />
- <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
- <property name="tokenEndpointUri" value="${authentication_server_url}token" />
- <property name="userInfoUri" value="${authentication_server_url}userinfo" />
- <property name="jwksUri" value="${authentication_server_url}jwk" />
- </bean>
- </entry>
- </map>
- </property>
- </bean>
-
-
- <!--
- -
- - Client Configuration: Determine which client identifier and credentials are used.
- -
- -->
-
-
- <!--
- Dynamic Client Configuration, uses dynamic client registration. This version stores the registered
- clients in an in-memory map. To override, add a bean to the registeredClientService property.
- -->
-
- <bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
- <property name="template">
- <bean class="org.mitre.oauth2.model.RegisteredClient">
- <property name="clientName" value="ECOMP Portal OpenId Connect Client1" />
-
- <property name="scope">
- <set value-type="java.lang.String">
- <value>openid</value>
- <value>email</value>
- <value>address</value>
- <value>profile</value>
- <value>phone</value>
- </set>
- </property>
- <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
- <property name="redirectUris">
- <set>
- <value>${ecomp_openid_connect_client}</value>
- </set>
- </property>
- </bean>
- </property>
- <!--
- Registered Client Service. Uncomment this to save dynamically registered clients out to a
- file on disk (indicated by the filename property) or replace this with another implementation
- of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
- which will forget and re-register all clients on restart.
- -->
- <!--
- <property name="registeredClientService">
- <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
- <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
- </bean>
- </property>
- -->
- </bean>
-
- <!--
- Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
- -->
-
- <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
- <property name="clients">
- <map>
- <entry key="${authentication_server_url}">
- <bean class="org.mitre.oauth2.model.RegisteredClient">
- <property name="clientId" value="ecomp" />
- <property name="clientSecret" value="secret" />
- <property name="scope">
- <set value-type="java.lang.String">
- <value>openid</value>
- <value>email</value>
- <value>address</value>
- <value>profile</value>
- <value>phone</value>
- </set>
- </property>
- <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
- <property name="redirectUris">
- <set>
- <value>${ecomp_openid_connect_client}</value>
- </set>
- </property>
- </bean>
- </entry>
- </map>
- </property>
- </bean>
-
- <!--
- Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map,
- it will dynamically configure one.
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService">
- <property name="clients">
- <map>
- <entry key="${authentication_server_url}">
- <bean class="org.mitre.oauth2.model.RegisteredClient">
- <property name="clientId" value="client" />
- <property name="clientSecret" value="secret" />
- <property name="scope">
- <set value-type="java.lang.String">
- <value>openid</value>
- <value>email</value>
- <value>address</value>
- <value>profile</value>
- <value>phone</value>
- </set>
- </property>
- <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
- <property name="redirectUris">
- <set>
- <value>${ecomp_openid_connect_client}</value>
- </set>
- </property>
-
- </bean>
- </entry>
- </map>
- </property>
- <property name="template">
- <bean class="org.mitre.oauth2.model.RegisteredClient">
- <property name="clientName" value="ECOMP Portal OpenId Connect Client2" />
- <property name="scope">
- <set value-type="java.lang.String">
- <value>openid</value>
- <value>email</value>
- <value>address</value>
- <value>profile</value>
- <value>phone</value>
- </set>
- </property>
- <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
- <property name="redirectUris">
- <set>
- <value>${ecomp_openid_connect_client}</value>
- </set>
- </property>
- </bean>
- </property>
- <!--
- Registered Client Service. Uncomment this to save dynamically registered clients out to a
- file on disk (indicated by the filename property) or replace this with another implementation
- of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
- which will forget and re-register all clients on restart.
- -->
- <!--
- <property name="registeredClientService">
- <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
- <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
- </bean>
- </property>
- -->
- </bean>
-
-
- <!--
- -
- - Auth request options service: returns the optional components of the request
- -
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
- <property name="options">
- <map>
- <!-- Entries in this map are sent as key-value parameters to the auth request -->
- <!--
- <entry key="display" value="page" />
- <entry key="max_age" value="30" />
- <entry key="prompt" value="none" />
- -->
- </map>
- </property>
- </bean>
-
- <!--
- -
- - Authorization URL Builders: create the URL to redirect the user to for authorization.
- -
- -->
-
- <!--
- Plain authorization request builder, puts all options as query parameters on the GET request
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
-
- <!--
- Signed authorization request builder, puts all options as elements in a JWS-signed request object
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
- <property name="signingAndValidationService" ref="defaultSignerService" />
- </bean>
-
- <!--
- Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object
- -->
- <bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
- <property name="encrypterService" ref="validatorCache" />
- <property name="alg">
- <util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
- </property>
- <property name="enc">
- <util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
- </property>
- </bean>
-
-
-
-
- <!--
- -
- - Utility beans for the above classes
- -
- -->
-
- <!--
- This service fetches and caches JWK sets from URLs.
- -->
-
- <bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
-
- <!--
- This service sets up a bunch of signers and validators based on our own keys.
- Replace this keystore's contents for a production deployment.
- -->
- <bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
- <constructor-arg name="keyStore">
- <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
- <property name="location" value="classpath:openid-keystore.jwks" />
- </bean>
- </constructor-arg>
- <property name="defaultSignerKeyId" value="rsa1" />
- <property name="defaultSigningAlgorithmName" value="RS256" />
- </bean>
-
- <!--
- This service publishes the client's public key on a the endpoint "jwk" off the root of this client.
- -->
- <bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
- <property name="jwkPublishUrl" value="jwk" />
- <property name="signingAndValidationService" ref="defaultSignerService" />
- </bean>
-
-</beans>
Code Review / portal.git / blobdiff