<?xml version="1.0" encoding="UTF-8"?>
<!--
================================================================================
eCOMP Portal
================================================================================
Copyright (C) 2017 AT&T Intellectual Property
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================================================
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
<!--
Spring application context for the portal's OpenID Connect login, built on the MITREid Connect client library.
The placeholders used below (${authentication_server_url}, ${ecomp_openid_connect_client}) are resolved from
classpath:openid-connect.properties by the PropertyPlaceholderConfigurer declared first.
Only the beans referenced from openIdConnectAuthenticationFilter take part in the login flow; the other issuer,
server-configuration, client-configuration and URL-builder beans are alternatives that appear to be carried over
from the MITREid sample configuration and are instantiated but not wired into the filter.
-->
<!-- DispatcherServlet Context: defines this servlet's request-processing
infrastructure -->
<bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>classpath:openid-connect.properties</value>
</property>
</bean>
<!-- Enables the Spring MVC @Controller programming model -->
<mvc:annotation-driven />
<mvc:interceptors>
<!-- Inject the UserInfo into the current context -->
<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
</mvc:interceptors>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
</bean>
<!-- Controllers for the OpenID Connect login flow are picked up by classpath scanning of this package. -->
<context:component-scan base-package="org.openecomp.portalapp.security.openid.controllers" />
<!--
Method-level security: @PreAuthorize / @PostAuthorize annotations on the scanned beans are enforced,
decided against the authenticationManager defined further down.
-->
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>
<!--
Security filter chain for every request (pattern="/**"). The OIDC filter is inserted before PRE_AUTH_FILTER
and unauthenticated requests are sent to authenticationEntryPoint.
No <security:intercept-url> rules are declared, so this element does not restrict URLs itself; URL-level
authorization appears to rely on the method-level annotations enabled above. Confirm that every controller
that must be protected actually carries one.
NOTE(review): no <security:csrf/> and no <security:headers/> child is present. With the Spring Security 3.2
namespace declared in schemaLocation, CSRF protection and the default security response headers are off
unless these elements are added explicitly.
-->
<security:http auto-config="false" use-expressions="true" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" pattern="/**">
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
<security:logout />
</security:http>
<!--
Entry point for unauthenticated requests: redirect to /openid_connect_login. Presumably this is the path the
OIDC filter below processes (its processing URL is not set explicitly here); verify against the library version in use.
-->
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/openid_connect_login" />
</bean>
<!-- Single authentication provider: the OIDC provider bean declared next. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="openIdConnectAuthenticationProvider" />
</security:authentication-manager>
<!--
Turns a successful OIDC login into a Spring Security authentication. The authorities mapper grants ROLE_ADMIN
in addition to ROLE_USER to every subject/issuer pair listed in the namedAdmins set.
-->
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
<property name="authoritiesMapper">
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
<property name="admins" ref="namedAdmins" />
</bean>
</property>
</bean>
<util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
<!--
This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.
Note that having an administrator role on the IdP doesn't grant administrator access on this client.
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
NOTE(review): because the issuer is ${authentication_server_url}, any account at the configured provider whose
subject equals the demo value below becomes an administrator of this portal. Remove or replace this entry before
deployment; an administrator mapping should not ship with a sample subject.
-->
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
<constructor-arg name="subject" value="90342.ASDFJWFA" />
<constructor-arg name="issuer" value="${authentication_server_url}" />
</bean>
</util:set>
<!--
-
- The authentication filter
-
-->
<!--
The filter's collaborators are chosen by the ref attributes below: hybridIssuerService,
dynamicServerConfigurationService, dynamicClientConfigurationService, staticAuthRequestOptionsService and
plainAuthRequestUrlBuilder. The alternative beans declared later are not used unless re-wired here.
-->
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="issuerService" ref="hybridIssuerService" />
<property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
<property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
</bean>
<!--
-
- Issuer Services: Determine which identity provider issuer is used.
-
-->
<!--
Static issuer service, returns the same issuer for every request.
Not referenced by the filter above (which uses hybridIssuerService).
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
<property name="issuer" value="${authentication_server_url}" />
</bean>
<!--
WebFinger issuer service, does OpenID Connect Discovery on user-entered text (received from the
loginPageUrl page) to find the issuer. The login page needs to return the user-entered text
as the "identifier" parameter as a query parameter.
Not referenced by the filter above.
-->
<bean class="org.mitre.openid.connect.client.service.impl.WebfingerIssuerService" id="webfingerIssuerService">
<property name="loginPageUrl" value="login" />
</bean>
<!--
Third-party (account chooser) issuer service. Looks for the "iss" parameter on the request
and returns that as the issuer. If there is no "iss" value, redirects to the configured
account chooser URI. This URI should direct back to the login filter URL with an
"iss" value as a query parameter.
This bean has no id and is not referenced; the accountChooserUrl is a localhost sample value.
-->
<bean class="org.mitre.openid.connect.client.service.impl.ThirdPartyIssuerService">
<property name="accountChooserUrl" value="http://localhost/account-chooser/" />
</bean>
<!--
Hybrid issuer service. If an issuer is passed in directly with the "iss" parameter, it will use that. If not, it will
look for an "identifier" parameter to do Webfinger discovery on that. Failing that, it will redirect to the login
page URL.
This is the issuer service wired into openIdConnectAuthenticationFilter, so request parameters decide which
issuer the login is performed against.
-->
<bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
<property name="loginPageUrl" value="login" />
<!--
NOTE(review): with forceHttps=false an issuer discovered via WebFinger may be a plain-http URL, and the
dynamic server configuration below then trusts metadata fetched from it. Keep this true outside development.
-->
<property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL to be HTTPS, turn off for development work -->
</bean>
<!--
-
- Server configuration: determines the parameters and URLs of the server to talk to.
-
-->
<!--
Static server configuration, contains a map of server configuration objects keyed by the issuer URL.
This bean has no id and is not referenced by the filter (which uses dynamicServerConfigurationService).
Note that the endpoint URIs are formed by appending to ${authentication_server_url} with no separator, so the
property value must end with "/".
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService">
<property name="servers">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
<property name="issuer" value="${authentication_server_url}" />
<property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
<property name="tokenEndpointUri" value="${authentication_server_url}token" />
<property name="userInfoUri" value="${authentication_server_url}userinfo" />
<property name="jwksUri" value="${authentication_server_url}jwk" />
</bean>
</entry>
</map>
</property>
</bean>
<!--
Dynamic server configuration, fetches the server's information using OIDC Discovery.
Wired into openIdConnectAuthenticationFilter: the issuer chosen by hybridIssuerService determines whose
metadata (endpoints and key set) is fetched and trusted at runtime.
-->
<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
<!--
Hybrid server configuration. Tries to look up a statically configured server in the map, does
dynamic OIDC Discovery if the static lookup fails.
This bean has no id and is not referenced by the filter. The same trailing-slash requirement on
${authentication_server_url} as in the static configuration above applies.
-->
<bean class="org.mitre.openid.connect.client.service.impl.HybridServerConfigurationService">
<property name="servers">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
<property name="issuer" value="${authentication_server_url}" />
<property name="authorizationEndpointUri" value="${authentication_server_url}authorize" />
<property name="tokenEndpointUri" value="${authentication_server_url}token" />
<property name="userInfoUri" value="${authentication_server_url}userinfo" />
<property name="jwksUri" value="${authentication_server_url}jwk" />
</bean>
</entry>
</map>
</property>
</bean>
<!--
-
- Client Configuration: Determine which client identifier and credentials are used.
-
-->
<!--
Dynamic Client Configuration, uses dynamic client registration. This version stores the registered
clients in an in-memory map. To override, add a bean to the registeredClientService property.
Wired into openIdConnectAuthenticationFilter. The template below is what gets registered with the provider;
its only redirect URI is ${ecomp_openid_connect_client}, so that property must name the portal's own
callback URL exactly.
-->
<bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
<property name="template">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientName" value="ECOMP Portal OpenId Connect Client1" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</property>
<!--
Registered Client Service. Uncomment this to save dynamically registered clients out to a
file on disk (indicated by the filename property) or replace this with another implementation
of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
which will forget and re-register all clients on restart.
NOTE(review): if the file-backed service is enabled, the file holds RegisteredClient objects, which carry a
clientSecret (compare the static configuration below). Use a location outside /tmp with restricted
permissions rather than the sample path.
-->
<!--
<property name="registeredClientService">
<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
<constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
</bean>
</property>
-->
</bean>
<!--
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
Not referenced by the filter (which uses dynamicClientConfigurationService).
NOTE(review): clientId and clientSecret are literal sample values. If this service is ever wired in, the secret
must come from a placeholder resolved from externalized configuration, not from a literal committed with the source.
-->
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
<property name="clients">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="ecomp" />
<property name="clientSecret" value="secret" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
</bean>
<!--
Hybrid Client Configuration. Tries to configure a client statically first, but if a client isn't found in the map,
it will dynamically configure one.
Not referenced by the filter. The same concern as for staticClientConfigurationService applies to the literal
clientId/clientSecret in the map below.
-->
<bean class="org.mitre.openid.connect.client.service.impl.HybridClientConfigurationService" id="hybridClientConfigurationService">
<property name="clients">
<map>
<entry key="${authentication_server_url}">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientId" value="client" />
<property name="clientSecret" value="secret" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
<property name="template">
<bean class="org.mitre.oauth2.model.RegisteredClient">
<property name="clientName" value="ECOMP Portal OpenId Connect Client2" />
<property name="scope">
<set value-type="java.lang.String">
<value>openid</value>
<value>email</value>
<value>address</value>
<value>profile</value>
<value>phone</value>
</set>
</property>
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
<property name="redirectUris">
<set>
<value>${ecomp_openid_connect_client}</value>
</set>
</property>
</bean>
</property>
<!--
Registered Client Service. Uncomment this to save dynamically registered clients out to a
file on disk (indicated by the filename property) or replace this with another implementation
of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
which will forget and re-register all clients on restart.
-->
<!--
<property name="registeredClientService">
<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
<constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
</bean>
</property>
-->
</bean>
<!--
-
- Auth request options service: returns the optional components of the request
-
-->
<!-- Wired into openIdConnectAuthenticationFilter; with the map empty no extra parameters are added. -->
<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
<property name="options">
<map>
<!-- Entries in this map are sent as key-value parameters to the auth request -->
<!--
<entry key="display" value="page" />
<entry key="max_age" value="30" />
<entry key="prompt" value="none" />
-->
</map>
</property>
</bean>
<!--
-
- Authorization URL Builders: create the URL to redirect the user to for authorization.
-
-->
<!--
Plain authorization request builder, puts all options as query parameters on the GET request
This is the builder wired into openIdConnectAuthenticationFilter.
-->
<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
<!--
Signed authorization request builder, puts all options as elements in a JWS-signed request object
Not referenced by the filter; signs with the key from defaultSignerService below.
-->
<bean class="org.mitre.openid.connect.client.service.impl.SignedAuthRequestUrlBuilder" id="signedAuthRequestUrlBuilder">
<property name="signingAndValidationService" ref="defaultSignerService" />
</bean>
<!--
Encrypted authorization request builder, puts all the options as elements in a JWE-encrypted request object
Not referenced by the filter.
NOTE(review): RSA1_5 (RSAES-PKCS1-v1_5) key wrapping has known padding-oracle weaknesses and is deprecated
by current JOSE guidance. If this builder is ever enabled, prefer an RSA-OAEP algorithm from the same
JWEAlgorithm class (for example RSA_OAEP_256), subject to what the provider's key set advertises.
-->
<bean class="org.mitre.openid.connect.client.service.impl.EncryptedAuthRequestUrlBuilder" id="encryptedAuthRequestUrlBuilder">
<property name="encrypterService" ref="validatorCache" />
<property name="alg">
<util:constant static-field="com.nimbusds.jose.JWEAlgorithm.RSA1_5"/>
</property>
<property name="enc">
<util:constant static-field="com.nimbusds.jose.EncryptionMethod.A128GCM"/>
</property>
</bean>
<!--
-
- Utility beans for the above classes
-
-->
<!--
This service fetches and caches JWK sets from URLs.
-->
<bean id="validatorCache" class="org.mitre.jwt.signer.service.impl.JWKSetCacheService" />
<!--
This service sets up a bunch of signers and validators based on our own keys.
Replace this keystore's contents for a production deployment.
NOTE(review): the key set is loaded from the classpath, so every deployment built from this artifact shares the
same private key unless the file is replaced. It is used by signedAuthRequestUrlBuilder and published by
clientKeyPublisher below, so treat it as a per-deployment secret.
-->
<bean id="defaultSignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
<constructor-arg name="keyStore">
<bean id="defaultKeyStore" class="org.mitre.jose.keystore.JWKSetKeyStore">
<property name="location" value="classpath:openid-keystore.jwks" />
</bean>
</constructor-arg>
<property name="defaultSignerKeyId" value="rsa1" />
<property name="defaultSigningAlgorithmName" value="RS256" />
</bean>
<!--
This service publishes the client's public key on the endpoint "jwk" off the root of this client.
-->
<bean id="clientKeyPublisher" class="org.mitre.openid.connect.client.keypublisher.ClientKeyPublisher">
<property name="jwkPublishUrl" value="jwk" />
<property name="signingAndValidationService" ref="defaultSignerService" />
</bean>
</beans>