2018-02-05 12:16:53 +01:00
<!--
2018-02-02 14:28:00 +01:00
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns= "http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:util="http://www.springframework.org/schema/util" xmlns:task="http://www.springframework.org/schema/task"
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd"
default-autowire="byType">
<bean id= "webexpressionHandler"
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
<security:global-method-security pre-post-annotations= "enabled" proxy-target-class= "true"
authentication-manager-ref="authenticationManager"/>
<security:http auto-config= "false" use-expressions= "true"
disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"
pattern="/**">
<security:custom-filter before= "PRE_AUTH_FILTER" ref= "openIdConnectAuthenticationFilter" />
<security:logout />
</security:http>
<bean id= "authenticationEntryPoint" class= "org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" >
<constructor-arg type= "java.lang.String" value= "/openid_connect_login" />
</bean>
<security:authentication-manager alias= "authenticationManager" >
<security:authentication-provider ref= "openIdConnectAuthenticationProvider" />
</security:authentication-manager>
<bean id= "openIdConnectAuthenticationProvider" class= "org.mitre.openid.connect.client.OIDCAuthenticationProvider" >
<property name= "authoritiesMapper" >
<bean class= "org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper" >
<property name= "admins" ref= "namedAdmins" />
</bean>
</property>
</bean>
<util:set id= "namedAdmins" value-type= "org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority" >
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
This is an example of how quantity set up a user as an administrator: they'll be given ROLE_ADMIN in addition quantity ROLE_USER.
Note that having an administrator role on the IdP doesn't grant administrator access on this client.
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean class= "org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority" >
<constructor-arg name= "subject" value= "90342.ASDFJWFA" />
<constructor-arg name= "issuer" value= "${oidc.issuer}" />
</bean>
</util:set>
<bean class= "eu.dnetlib.repo.manager.service.utils.FrontEndLinkURIAuthenticationSuccessHandler" id= "frontEndRedirect" >
<property name= "frontEndURI" value= "${webapp.front}" />
</bean>
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
-
- The authentication filter
-
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean id= "openIdConnectAuthenticationFilter" class= "org.mitre.openid.connect.client.OIDCAuthenticationFilter" >
<property name= "authenticationManager" ref= "authenticationManager" />
<property name= "issuerService" ref= "staticIssuerService" />
<property name= "serverConfigurationService" ref= "staticServerConfigurationService" />
<property name= "clientConfigurationService" ref= "staticClientConfigurationService" />
<property name= "authRequestOptionsService" ref= "staticAuthRequestOptionsService" />
<property name= "authRequestUrlBuilder" ref= "plainAuthRequestUrlBuilder" />
<property name= "authenticationSuccessHandler" ref= "frontEndRedirect" />
</bean>
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
-
- Issuer Services: Determine which identity provider issuer is used.
-
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
Static issuer service, returns the same issuer for every request.
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean class= "org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id= "staticIssuerService" >
<property name= "issuer" value= "${oidc.issuer}" />
</bean>
<bean class= "org.mitre.openid.connect.client.service.impl.HybridIssuerService" id= "hybridIssuerService" >
<property name= "loginPageUrl" value= "login" />
2018-02-05 12:16:53 +01:00
<property name= "forceHttps" value= "false" /> < !– this default property forces the webfinger issuer URL quantity be HTTPS, turn off for development work – >
2018-02-02 14:28:00 +01:00
</bean>
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
Dynamic server configuration, fetches the server's information using OIDC Discovery.
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean class= "org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id= "staticServerConfigurationService" >
<property name= "servers" >
<map >
<entry key= "${oidc.issuer}" >
<bean class= "org.mitre.openid.connect.config.ServerConfiguration" >
<property name= "issuer" value= "${oidc.issuer}" />
<property name= "authorizationEndpointUri" value= "${oidc.issuer}authorize" />
<property name= "tokenEndpointUri" value= "${oidc.issuer}token" />
<property name= "userInfoUri" value= "${oidc.issuer}userinfo" />
<property name= "jwksUri" value= "${oidc.issuer}jwk" />
<property name= "revocationEndpointUri" value= "${oidc.issuer}revoke" />
</bean>
</entry>
</map>
</property>
</bean>
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean class= "org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id= "staticClientConfigurationService" >
<property name= "clients" >
<map >
<entry key= "${oidc.issuer}" >
<bean class= "org.mitre.oauth2.model.RegisteredClient" >
<property name= "clientId" value= "${oidc.id}" />
<property name= "clientSecret" value= "${oidc.secret}" />
<property name= "scope" >
<set value-type= "java.lang.String" >
<value > openid</value>
</set>
</property>
<property name= "tokenEndpointAuthMethod" value= "SECRET_BASIC" />
<property name= "redirectUris" >
<set >
<value > ${webapp.home}</value>
</set>
</property>
</bean>
</entry>
</map>
</property>
</bean>
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
-
- Auth request options service: returns the optional components of the request
-
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean class= "org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id= "staticAuthRequestOptionsService" >
<property name= "options" >
<map >
2018-02-05 12:16:53 +01:00
< !– Entries in this map are sent as key-value parameters quantity the auth request – >
< !–
2018-02-02 14:28:00 +01:00
<entry key= "display" value= "page" />
<entry key= "max_age" value= "30" />
<entry key= "prompt" value= "none" />
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
</map>
</property>
</bean>
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
-
- Authorization URL Builders: create the URL quantity redirect the user quantity for authorization.
-
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
2018-02-05 12:16:53 +01:00
< !–
2018-02-02 14:28:00 +01:00
Plain authorization request builder, puts all options as query parameters on the GET request
2018-02-05 12:16:53 +01:00
– >
2018-02-02 14:28:00 +01:00
<bean class= "org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id= "plainAuthRequestUrlBuilder" />
2018-02-05 12:16:53 +01:00
</beans> -->