diff options
Diffstat (limited to 'ecomp-portal-BE-os/src/main/webapp/WEB-INF/oid-context.xml')
| -rw-r--r-- | ecomp-portal-BE-os/src/main/webapp/WEB-INF/oid-context.xml | 455 |
1 files changed, 455 insertions, 0 deletions
diff --git a/ecomp-portal-BE-os/src/main/webapp/WEB-INF/oid-context.xml b/ecomp-portal-BE-os/src/main/webapp/WEB-INF/oid-context.xml new file mode 100644 index 00000000..33458d6d --- /dev/null +++ b/ecomp-portal-BE-os/src/main/webapp/WEB-INF/oid-context.xml @@ -0,0 +1,455 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ================================================================================ + eCOMP Portal + ================================================================================ + Copyright (C) 2017 AT&T Intellectual Property + ================================================================================ + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + ================================================================================ + --> + +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:mvc="http://www.springframework.org/schema/mvc" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:context="http://www.springframework.org/schema/context" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xmlns:util="http://www.springframework.org/schema/util" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd + http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd + http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd + http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd"> + + <!-- DispatcherServlet Context: defines this servlet's request-processing + infrastructure --> + + + <bean + class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"> + <property name="location"> + <value>classpath:openid-connect.properties</value> + </property> + </bean> + + + <!-- Enables the Spring MVC @Controller programming model --> + <mvc:annotation-driven /> + + <mvc:interceptors> + <!-- Inject the UserInfo into the current context --> + <bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" /> + </mvc:interceptors> + + <!-- Handles HTTP GET requests for /resources/** by efficiently serving + up static resources in the ${webappRoot}/resources directory --> + <mvc:resources mapping="/resources/**" location="/resources/" /> + + <!-- Resolves views selected for rendering by @Controllers to .jsp resources + in the /WEB-INF/views directory --> + <bean + class="org.springframework.web.servlet.view.InternalResourceViewResolver"> + <property name="prefix" value="/WEB-INF/views/" /> + <property name="suffix" value=".jsp" /> + </bean> + + <context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" /> + + <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/> + + <security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**"> + <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" /> + <security:logout /> + </security:http> + + <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> + <property name="loginFormUrl" value="/openid_connect_login" /> + </bean> + + <security:authentication-manager alias="authenticationManager"> + <security:authentication-provider ref="openIdConnectAuthenticationProvider" /> + </security:authentication-manager> + + <bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider"> + <property name="authoritiesMapper"> + <bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper"> + <property name="admins" ref="namedAdmins" /> + </bean> + </property> + </bean> + + <util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority"> + <!-- + This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER. + Note that having an administrator role on the IdP doesn't grant administrator access on this client. + + These are values from the demo "openid-connect-server-webapp" project of MITREid Connect. + --> + <bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority"> + <constructor-arg name="subject" value="90342.ASDFJWFA" /> + <constructor-arg name="issuer" value="${authentication_server_url}" /> + </bean> + </util:set> + + + <!-- + - + - The authentication filter + - + --> + <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter"> + <property name="authenticationManager" ref="authenticationManager" /> + + <property name="issuerService" ref="hybridIssuerService" /> + <property name="serverConfigurationService" ref="dynamicServerConfigurationService" /> + <property name="clientConfigurationService" ref="dynamicClientConfigurationService" /> + <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" /> + <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" /> + + </bean> + + + + <!-- + - + - Issuer Services: Determine which identity provider issuer is used. + - + --> + + + <!-- + Static issuer service, returns the same issuer for every request. + --> + <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService"> + <property name="issuer" value="${authentication_server_url}" /> + </bean> + + <!-- + WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the + loginPageUrl page) to find the issuer. The login page needs to return the user-entered text + as the "identifier" parameter as a query parameter. + --> + <bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService"> + <property name="loginPageUrl" value="login" /> + </bean> + + <!-- + Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request + and returns that as the issuer. If there is no "iss" value, redirects to the configured + account chooser URI. This URI should direct back to the login filter URL with an + "iss" value as a query parameter. + --> + <bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService"> + <property name="accountChooserUrl" value="http://localhost/account-chooser/" /> + </bean> + + <!-- + Hybrid issuer service. If an issuer is passed in directly with the "iss" parameter, it will use that. If not, it will + look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login + page URL. + --> + <bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService"> + <property name="loginPageUrl" value="login" /> + <property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL to be HTTPS, turn off for development work --> + </bean> + + <!-- + - + - Server configuration: determines the parameters and URLs of the server to talk to. + - + --> + + <!-- + Static server configuration, contains a map of server configuration objects keyed by the issuer URL. + --> + <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService"> + <property name="servers"> + <map> + <entry key="${authentication_server_url}"> + <bean class="org.mitre.openid.connect.config.ServerConfiguration"> + <property name="issuer" value="${authentication_server_url}" /> + <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" /> + <property name="tokenEndpointUri" value="${authentication_server_url}token" /> + <property name="userInfoUri" value="${authentication_server_url}userinfo" /> + <property name="jwksUri" value="${authentication_server_url}jwk" /> + </bean> + </entry> + </map> + </property> + </bean> + + <!-- + Dynamic server configuration, fetches the server's information using OIDC Discovery. + --> + <bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" /> + + <!-- + Hybrid server configuration. Tries to look up a statically configured server in the map, does + dynamic OIDC Discovery if the static lookup fails. + --> + <bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService"> + <property name="servers"> + <map> + <entry key="${authentication_server_url}"> + <bean class="org.mitre.openid.connect.config.ServerConfiguration"> + <property name="issuer" value="${authentication_server_url}" /> + <property name="authorizationEndpointUri" value="${authentication_server_url}authorize" /> + <property name="tokenEndpointUri" value="${authentication_server_url}token" /> + <property name="userInfoUri" value="${authentication_server_url}userinfo" /> + <property name="jwksUri" value="${authentication_server_url}jwk" /> + </bean> + </entry> + </map> + </property> + </bean> + + + <!-- + - + - Client Configuration: Determine which client identifier and credentials are used. + - + --> + + + <!-- + Dynamic Client Configuration, uses dynamic client registration. This version stores the registered + clients in an in-memory map. To override, add a bean to the registeredClientService property. + --> + + <bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService"> + <property name="template"> + <bean class="org.mitre.oauth2.model.RegisteredClient"> + <property name="clientName" value="ECOMP Portal OpenId Connect Client1" /> + + <property name="scope"> + <set value-type="java.lang.String"> + <value>openid</value> + <value>email</value> + <value>address</value> + <value>profile</value> + <value>phone</value> + </set> + </property> + <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> + <property name="redirectUris"> + <set> + <value>${ecomp_openid_connect_client}</value> + </set> + </property> + </bean> + </property> + <!-- + Registered Client Service. Uncomment this to save dynamically registered clients out to a + file on disk (indicated by the filename property) or replace this with another implementation + of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService + which will forget and re-register all clients on restart. + --> + <!-- + <property name="registeredClientService"> + <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService"> + <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" /> + </bean> + </property> + --> + </bean> + + <!-- + Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis. + --> + + <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService"> + <property name="clients"> + <map> + <entry key="${authentication_server_url}"> + <bean class="org.mitre.oauth2.model.RegisteredClient"> + <property name="clientId" value="ecomp" /> + <property name="clientSecret" value="secret" /> + <property name="scope"> + <set value-type="java.lang.String"> + <value>openid</value> + <value>email</value> + <value>address</value> + <value>profile</value> + <value>phone</value> + </set> + </property> + <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> + <property name="redirectUris"> + <set> + <value>${ecomp_openid_connect_client}</value> + </set> + </property> + </bean> + </entry> + </map> + </property> + </bean> + + <!-- + Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map, + it will dynamically configure one. + --> + <bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService"> + <property name="clients"> + <map> + <entry key="${authentication_server_url}"> + <bean class="org.mitre.oauth2.model.RegisteredClient"> + <property name="clientId" value="client" /> + <property name="clientSecret" value="secret" /> + <property name="scope"> + <set value-type="java.lang.String"> + <value>openid</value> + <value>email</value> + <value>address</value> + <value>profile</value> + <value>phone</value> + </set> + </property> + <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> + <property name="redirectUris"> + <set> + <value>${ecomp_openid_connect_client}</value> + </set> + </property> + + </bean> + </entry> + </map> + </property> + <property name="template"> + <bean class="org.mitre.oauth2.model.RegisteredClient"> + <property name="clientName" value="ECOMP Portal OpenId Connect Client2" /> + <property name="scope"> + <set value-type="java.lang.String"> + <value>openid</value> + <value>email</value> + <value>address</value> + <value>profile</value> + <value>phone</value> + </set> + </property> + <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> + <property name="redirectUris"> + <set> + <value>${ecomp_openid_connect_client}</value> + </set> + </property> + </bean> + </property> + <!-- + Registered Client Service. Uncomment this to save dynamically registered clients out to a + file on disk (indicated by the filename property) or replace this with another implementation + of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService + which will forget and re-register all clients on restart. + --> + <!-- + <property name="registeredClientService"> + <bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService"> + <constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" /> + </bean> + </property> + --> + </bean> + + + <!-- + - + - Auth request options service: returns the optional components of the request + - + --> + <bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService"> + <property name="options"> + <map> + <!-- Entries in this map are sent as key-value parameters to the auth request --> + <!-- + <entry key="display" value="page" /> + <entry key="max_age" value="30" /> + <entry key="prompt" value="none" /> + --> + </map> + </property> + </bean> + + <!-- + - + - Authorization URL Builders: create the URL to redirect the user to for authorization. + - + --> + + <!-- + Plain authorization request builder, puts all options as query parameters on the GET request + --> + <bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" /> + + <!-- + Signed authorization request builder, puts all options as elements in a JWS-signed request object + --> + <bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder"> + <property name="signingAndValidationService" ref="defaultSignerService" /> + </bean> + + <!-- + Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object + --> + <bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder"> + <property name="encrypterService" ref="validatorCache" /> + <property name="alg"> + <util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/> + </property> + <property name="enc"> + <util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/> + </property> + </bean> + + + + + <!-- + - + - Utility beans for the above classes + - + --> + + <!-- + This service fetches and caches JWK sets from URLs. + --> + + <bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" /> + + <!-- + This service sets up a bunch of signers and validators based on our own keys. + Replace this keystore's contents for a production deployment. + --> + <bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService"> + <constructor-arg name="keyStore"> + <bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore"> + <property name="location" value="classpath:openid-keystore.jwks" /> + </bean> + </constructor-arg> + <property name="defaultSignerKeyId" value="rsa1" /> + <property name="defaultSigningAlgorithmName" value="RS256" /> + </bean> + + <!-- + This service publishes the client's public key on a the endpoint "jwk" off the root of this client. + --> + <bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher"> + <property name="jwkPublishUrl" value="jwk" /> + <property name="signingAndValidationService" ref="defaultSignerService" /> + </bean> + +</beans> |