1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
|
<?xml version="1.0" encoding="UTF-8"?>
<!--
============LICENSE_START==========================================
ONAP Portal
===================================================================
Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
===================================================================
Unless otherwise specified, all software contained herein is licensed
under the Apache License, Version 2.0 (the "License");
you may not use this software except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Unless otherwise specified, all documentation contained herein is licensed
under the Creative Commons License, Attribution 4.0 Intl. (the "License");
you may not use this documentation except in compliance with the License.
You may obtain a copy of the License at
https://creativecommons.org/licenses/by/4.0/
Unless required by applicable law or agreed to in writing, documentation
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
============LICENSE_END============================================
ECOMP is a trademark and service mark of AT&T Intellectual Property.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.2.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.2.xsd">
<!-- DispatcherServlet Context: defines this servlet's request-processing
infrastructure -->
<bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:openid-connect.properties</value>
</property>
</bean>
<!-- Enables the Spring MVC @Controller programming model -->
<mvc:annotation-driven />
<mvc:interceptors>
<!-- Inject the UserInfo into the current context -->
<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
</mvc:interceptors>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
<context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" />
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
<security:logout />
</security:http>
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<constructor-arg name="loginFormUrl" value="/openid_connect_login" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="openIdConnectAuthenticationProvider" />
</security:authentication-manager>
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
<property name="authoritiesMapper">
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
<property name="admins" ref="namedAdmins" />
</bean>
</property>
</bean>
<util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
<!--
This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.
Note that having an administrator role on the IdP doesn't grant administrator access on this client.
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
-->
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
<constructor-arg name="subject" value="90342.ASDFJWFA" />
<constructor-arg name="issuer" value="${authentication_server_url}" />
</bean>
</util:set>
<!--
-
- The authentication filter
-
-->
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="issuerService" ref="hybridIssuerService" />
<property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
<property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
</bean>
<!--
-
- Issuer Services: Determine which identity provider issuer is used.
-
-->
<!--
Static issuer service, returns the same issuer for every request.
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
<property name="issuer" value="${authentication_server_url}" />
</bean>
<!--
WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the
loginPageUrl page) to find the issuer. The login page needs to return the user-entered text
as the "identifier" parameter as a query parameter.
-->
<bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService">
<property name="loginPageUrl" value="login" />
</bean>
<!--
Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
and returns that as the issuer. If there is no "iss" value, redirects to the configured
account chooser URI. This URI should direct back to the login filter URL with an
"iss" value as a query parameter.
-->
<bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
<property name="accountChooserUrl" value="http://localhost/account-chooser/" />
</bean>
<!--
Hybrid issuer service. If an issuer is passed in directly with the "iss" parameter, it will use that. If not, it will
look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login
page URL.
-->
<bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
<property name="loginPageUrl" value="login" />
<property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL to be HTTPS, turn off for development work -->
</bean>
<!--
-
- Server configuration: determines the parameters and URLs of the server to talk to.
-
-->
<!--
Static server configuration, contains a map of server configuration objects keyed by the issuer URL.
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
<property name="servers">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
<property name="issuer" value="${authentication_server_url}" />
<property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
<property name="tokenEndpointUri" value="${authentication_server_url}token" />
<property name="userInfoUri" value="${authentication_server_url}userinfo" />
<property name="jwksUri" value="${authentication_server_url}jwk" />
</bean>
</entry>
</map>
</property>
</bean>
<!--
Dynamic server configuration, fetches the server's information using OIDC Discovery.
-->
<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
<!--
Hybrid server configuration. Tries to look up a statically configured server in the map, does
dynamic OIDC Discovery if the static lookup fails.
-->
<bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService">
<property name="servers">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
<property name="issuer" value="${authentication_server_url}" />
<property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
<property name="tokenEndpointUri" value="${authentication_server_url}token" />
<property name="userInfoUri" value="${authentication_server_url}userinfo" />
<property name="jwksUri" value="${authentication_server_url}jwk" />
</bean>
</entry>
</map>
</property>
</bean>
<!--
-
- Client Configuration: Determine which client identifier and credentials are used.
-
-->
<!--
Dynamic Client Configuration, uses dynamic client registration. This version stores the registered
clients in an in-memory map. To override, add a bean to the registeredClientService property.
-->
<bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
<property name="template">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientName" value="ECOMP Portal OpenId Connect Client1" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</property>
<!--
Registered Client Service. Uncomment this to save dynamically registered clients out to a
file on disk (indicated by the filename property) or replace this with another implementation
of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
which will forget and re-register all clients on restart.
-->
<!--
<property name="registeredClientService">
<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
<constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
</bean>
</property>
-->
</bean>
<!--
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
<property name="clients">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="ecomp" />
<property name="clientSecret" value="secret" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
</bean>
<!--
Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map,
it will dynamically configure one.
-->
<bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService">
<property name="clients">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="client" />
<property name="clientSecret" value="secret" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
<property name="template">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientName" value="ECOMP Portal OpenId Connect Client2" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</property>
<!--
Registered Client Service. Uncomment this to save dynamically registered clients out to a
file on disk (indicated by the filename property) or replace this with another implementation
of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
which will forget and re-register all clients on restart.
-->
<!--
<property name="registeredClientService">
<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
<constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
</bean>
</property>
-->
</bean>
<!--
-
- Auth request options service: returns the optional components of the request
-
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
<property name="options">
<map>
<!-- Entries in this map are sent as key-value parameters to the auth request -->
<!--
<entry key="display" value="page" />
<entry key="max_age" value="30" />
<entry key="prompt" value="none" />
-->
</map>
</property>
</bean>
<!--
-
- Authorization URL Builders: create the URL to redirect the user to for authorization.
-
-->
<!--
Plain authorization request builder, puts all options as query parameters on the GET request
-->
<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
<!--
Signed authorization request builder, puts all options as elements in a JWS-signed request object
-->
<bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
<property name="signingAndValidationService" ref="defaultSignerService" />
</bean>
<!--
Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object
-->
<bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
<property name="encrypterService" ref="validatorCache" />
<property name="alg">
<util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
</property>
<property name="enc">
<util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
</property>
</bean>
<!--
-
- Utility beans for the above classes
-
-->
<!--
This service fetches and caches JWK sets from URLs.
-->
<bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
<!--
This service sets up a bunch of signers and validators based on our own keys.
Replace this keystore's contents for a production deployment.
-->
<bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
<constructor-arg name="keyStore">
<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
<property name="location" value="classpath:openid-keystore.jwks" />
</bean>
</constructor-arg>
<property name="defaultSignerKeyId" value="rsa1" />
<property name="defaultSigningAlgorithmName" value="RS256" />
</bean>
<!--
This service publishes the client's public key on a the endpoint "jwk" off the root of this client.
-->
<bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
<property name="jwkPublishUrl" value="jwk" />
<property name="signingAndValidationService" ref="defaultSignerService" />
</bean>
</beans>
|