--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ================================================================================
+ eCOMP Portal
+ ================================================================================
+ Copyright (C) 2017 AT&T Intellectual Property
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ================================================================================
+ -->
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:mvc="http://www.springframework.org/schema/mvc"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:security="http://www.springframework.org/schema/security"
+ xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+ http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
+
+ <!-- DispatcherServlet Context: defines this servlet's request-processing
+ infrastructure -->
+
+
+ <bean
+ class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+ <property name="location">
+ <value>classpath:openid-connect.properties</value>
+ </property>
+ </bean>
+
+
+ <!-- Enables the Spring MVC @Controller programming model -->
+ <mvc:annotation-driven />
+
+ <mvc:interceptors>
+ <!-- Inject the UserInfo into the current context -->
+ <bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
+ </mvc:interceptors>
+
+ <!-- Handles HTTP GET requests for /resources/** by efficiently serving
+ up static resources in the ${webappRoot}/resources directory -->
+ <mvc:resources mapping="/resources/**" location="/resources/" />
+
+ <!-- Resolves views selected for rendering by @Controllers to .jsp resources
+ in the /WEB-INF/views directory -->
+ <bean
+ class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+ <property name="prefix" value="/WEB-INF/views/" />
+ <property name="suffix" value=".jsp" />
+ </bean>
+
+ <context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" />
+
+ <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
+
+ <security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
+ <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
+ <security:logout />
+ </security:http>
+
+ <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
+ <property name="loginFormUrl" value="/openid_connect_login" />
+ </bean>
+
+ <security:authentication-manager alias="authenticationManager">
+ <security:authentication-provider ref="openIdConnectAuthenticationProvider" />
+ </security:authentication-manager>
+
+ <bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
+ <property name="authoritiesMapper">
+ <bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
+ <property name="admins" ref="namedAdmins" />
+ </bean>
+ </property>
+ </bean>
+
+ <util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
+ <!--
+ This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.
+ Note that having an administrator role on the IdP doesn't grant administrator access on this client.
+
+ These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
+ -->
+ <bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
+ <constructor-arg name="subject" value="90342.ASDFJWFA" />
+ <constructor-arg name="issuer" value="${authentication_server_url}" />
+ </bean>
+ </util:set>
+
+
+ <!--
+ -
+ - The authentication filter
+ -
+ -->
+ <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
+ <property name="authenticationManager" ref="authenticationManager" />
+
+ <property name="issuerService" ref="hybridIssuerService" />
+ <property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
+ <property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
+ <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
+ <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
+
+ </bean>
+
+
+
+ <!--
+ -
+ - Issuer Services: Determine which identity provider issuer is used.
+ -
+ -->
+
+
+ <!--
+ Static issuer service, returns the same issuer for every request.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
+ <property name="issuer" value="${authentication_server_url}" />
+ </bean>
+
+ <!--
+ WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the
+ loginPageUrl page) to find the issuer. The login page needs to return the user-entered text
+ as the "identifier" parameter as a query parameter.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService">
+ <property name="loginPageUrl" value="login" />
+ </bean>
+
+ <!--
+ Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
+ and returns that as the issuer. If there is no "iss" value, redirects to the configured
+ account chooser URI. This URI should direct back to the login filter URL with an
+ "iss" value as a query parameter.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
+ <property name="accountChooserUrl" value="http://localhost/account-chooser/" />
+ </bean>
+
+ <!--
+ Hybrid issuer service. If an issuer is passed in directly with the "iss" parameter, it will use that. If not, it will
+ look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login
+ page URL.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
+ <property name="loginPageUrl" value="login" />
+ <property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL to be HTTPS, turn off for development work -->
+ </bean>
+
+ <!--
+ -
+ - Server configuration: determines the parameters and URLs of the server to talk to.
+ -
+ -->
+
+ <!--
+ Static server configuration, contains a map of server configuration objects keyed by the issuer URL.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
+ <property name="servers">
+ <map>
+ <entry key="${authentication_server_url}">
+ <bean class="org.mitre.openid.connect.config.ServerConfiguration">
+ <property name="issuer" value="${authentication_server_url}" />
+ <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
+ <property name="tokenEndpointUri" value="${authentication_server_url}token" />
+ <property name="userInfoUri" value="${authentication_server_url}userinfo" />
+ <property name="jwksUri" value="${authentication_server_url}jwk" />
+ </bean>
+ </entry>
+ </map>
+ </property>
+ </bean>
+
+ <!--
+ Dynamic server configuration, fetches the server's information using OIDC Discovery.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
+
+ <!--
+ Hybrid server configuration. Tries to look up a statically configured server in the map, does
+ dynamic OIDC Discovery if the static lookup fails.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService">
+ <property name="servers">
+ <map>
+ <entry key="${authentication_server_url}">
+ <bean class="org.mitre.openid.connect.config.ServerConfiguration">
+ <property name="issuer" value="${authentication_server_url}" />
+ <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
+ <property name="tokenEndpointUri" value="${authentication_server_url}token" />
+ <property name="userInfoUri" value="${authentication_server_url}userinfo" />
+ <property name="jwksUri" value="${authentication_server_url}jwk" />
+ </bean>
+ </entry>
+ </map>
+ </property>
+ </bean>
+
+
+ <!--
+ -
+ - Client Configuration: Determine which client identifier and credentials are used.
+ -
+ -->
+
+
+ <!--
+ Dynamic Client Configuration, uses dynamic client registration. This version stores the registered
+ clients in an in-memory map. To override, add a bean to the registeredClientService property.
+ -->
+
+ <bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
+ <property name="template">
+ <bean class="org.mitre.oauth2.model.RegisteredClient">
+ <property name="clientName" value="ECOMP Portal OpenId Connect Client1" />
+
+ <property name="scope">
+ <set value-type="java.lang.String">
+ <value>openid</value>
+ <value>email</value>
+ <value>address</value>
+ <value>profile</value>
+ <value>phone</value>
+ </set>
+ </property>
+ <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
+ <property name="redirectUris">
+ <set>
+ <value>${ecomp_openid_connect_client}</value>
+ </set>
+ </property>
+ </bean>
+ </property>
+ <!--
+ Registered Client Service. Uncomment this to save dynamically registered clients out to a
+ file on disk (indicated by the filename property) or replace this with another implementation
+ of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
+ which will forget and re-register all clients on restart.
+ -->
+ <!--
+ <property name="registeredClientService">
+ <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
+ <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
+ </bean>
+ </property>
+ -->
+ </bean>
+
+ <!--
+ Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
+ -->
+
+ <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
+ <property name="clients">
+ <map>
+ <entry key="${authentication_server_url}">
+ <bean class="org.mitre.oauth2.model.RegisteredClient">
+ <property name="clientId" value="ecomp" />
+ <property name="clientSecret" value="secret" />
+ <property name="scope">
+ <set value-type="java.lang.String">
+ <value>openid</value>
+ <value>email</value>
+ <value>address</value>
+ <value>profile</value>
+ <value>phone</value>
+ </set>
+ </property>
+ <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
+ <property name="redirectUris">
+ <set>
+ <value>${ecomp_openid_connect_client}</value>
+ </set>
+ </property>
+ </bean>
+ </entry>
+ </map>
+ </property>
+ </bean>
+
+ <!--
+ Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map,
+ it will dynamically configure one.
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService">
+ <property name="clients">
+ <map>
+ <entry key="${authentication_server_url}">
+ <bean class="org.mitre.oauth2.model.RegisteredClient">
+ <property name="clientId" value="client" />
+ <property name="clientSecret" value="secret" />
+ <property name="scope">
+ <set value-type="java.lang.String">
+ <value>openid</value>
+ <value>email</value>
+ <value>address</value>
+ <value>profile</value>
+ <value>phone</value>
+ </set>
+ </property>
+ <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
+ <property name="redirectUris">
+ <set>
+ <value>${ecomp_openid_connect_client}</value>
+ </set>
+ </property>
+
+ </bean>
+ </entry>
+ </map>
+ </property>
+ <property name="template">
+ <bean class="org.mitre.oauth2.model.RegisteredClient">
+ <property name="clientName" value="ECOMP Portal OpenId Connect Client2" />
+ <property name="scope">
+ <set value-type="java.lang.String">
+ <value>openid</value>
+ <value>email</value>
+ <value>address</value>
+ <value>profile</value>
+ <value>phone</value>
+ </set>
+ </property>
+ <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
+ <property name="redirectUris">
+ <set>
+ <value>${ecomp_openid_connect_client}</value>
+ </set>
+ </property>
+ </bean>
+ </property>
+ <!--
+ Registered Client Service. Uncomment this to save dynamically registered clients out to a
+ file on disk (indicated by the filename property) or replace this with another implementation
+ of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
+ which will forget and re-register all clients on restart.
+ -->
+ <!--
+ <property name="registeredClientService">
+ <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
+ <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
+ </bean>
+ </property>
+ -->
+ </bean>
+
+
+ <!--
+ -
+ - Auth request options service: returns the optional components of the request
+ -
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
+ <property name="options">
+ <map>
+ <!-- Entries in this map are sent as key-value parameters to the auth request -->
+ <!--
+ <entry key="display" value="page" />
+ <entry key="max_age" value="30" />
+ <entry key="prompt" value="none" />
+ -->
+ </map>
+ </property>
+ </bean>
+
+ <!--
+ -
+ - Authorization URL Builders: create the URL to redirect the user to for authorization.
+ -
+ -->
+
+ <!--
+ Plain authorization request builder, puts all options as query parameters on the GET request
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
+
+ <!--
+ Signed authorization request builder, puts all options as elements in a JWS-signed request object
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
+ <property name="signingAndValidationService" ref="defaultSignerService" />
+ </bean>
+
+ <!--
+ Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object
+ -->
+ <bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
+ <property name="encrypterService" ref="validatorCache" />
+ <property name="alg">
+ <util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
+ </property>
+ <property name="enc">
+ <util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
+ </property>
+ </bean>
+
+
+
+
+ <!--
+ -
+ - Utility beans for the above classes
+ -
+ -->
+
+ <!--
+ This service fetches and caches JWK sets from URLs.
+ -->
+
+ <bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
+
+ <!--
+ This service sets up a bunch of signers and validators based on our own keys.
+ Replace this keystore's contents for a production deployment.
+ -->
+ <bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
+ <constructor-arg name="keyStore">
+ <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
+ <property name="location" value="classpath:openid-keystore.jwks" />
+ </bean>
+ </constructor-arg>
+ <property name="defaultSignerKeyId" value="rsa1" />
+ <property name="defaultSigningAlgorithmName" value="RS256" />
+ </bean>
+
+ <!--
+ This service publishes the client's public key on a the endpoint "jwk" off the root of this client.
+ -->
+ <bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
+ <property name="jwkPublishUrl" value="jwk" />
+ <property name="signingAndValidationService" ref="defaultSignerService" />
+ </bean>
+
+</beans>
Code Review / portal.git / blobdiff