180 lines
8.4 KiB
XML
180 lines
8.4 KiB
XML
<!--
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<beans xmlns="http://www.springframework.org/schema/beans"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xmlns:security="http://www.springframework.org/schema/security"
|
|
xmlns:util="http://www.springframework.org/schema/util" xmlns:task="http://www.springframework.org/schema/task"
|
|
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx"
|
|
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
|
|
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
|
|
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
|
|
|
|
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd"
|
|
default-autowire="byType">
|
|
|
|
|
|
<bean id="webexpressionHandler"
|
|
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>
|
|
|
|
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true"
|
|
authentication-manager-ref="authenticationManager"/>
|
|
|
|
<security:http auto-config="false" use-expressions="true"
|
|
disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"
|
|
pattern="/**">
|
|
|
|
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
|
|
|
|
<security:logout />
|
|
|
|
</security:http>
|
|
|
|
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" >
|
|
<constructor-arg type="java.lang.String" value="/openid_connect_login"/>
|
|
</bean>
|
|
|
|
<security:authentication-manager alias="authenticationManager">
|
|
<security:authentication-provider ref="openIdConnectAuthenticationProvider" />
|
|
</security:authentication-manager>
|
|
|
|
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
|
|
<property name="authoritiesMapper">
|
|
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
|
|
<property name="admins" ref="namedAdmins" />
|
|
</bean>
|
|
</property>
|
|
</bean>
|
|
|
|
<util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
|
|
<!–
|
|
This is an example of how quantity set up a user as an administrator: they'll be given ROLE_ADMIN in addition quantity ROLE_USER.
|
|
Note that having an administrator role on the IdP doesn't grant administrator access on this client.
|
|
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
|
|
–>
|
|
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
|
|
<constructor-arg name="subject" value="90342.ASDFJWFA" />
|
|
<constructor-arg name="issuer" value="${oidc.issuer}" />
|
|
</bean>
|
|
</util:set>
|
|
|
|
<bean class="eu.dnetlib.repo.manager.service.utils.FrontEndLinkURIAuthenticationSuccessHandler" id="frontEndRedirect">
|
|
<property name="frontEndURI" value="${webapp.front}"/>
|
|
</bean>
|
|
<!–
|
|
-
|
|
- The authentication filter
|
|
-
|
|
–>
|
|
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
|
|
<property name="authenticationManager" ref="authenticationManager" />
|
|
|
|
<property name="issuerService" ref="staticIssuerService" />
|
|
<property name="serverConfigurationService" ref="staticServerConfigurationService" />
|
|
<property name="clientConfigurationService" ref="staticClientConfigurationService" />
|
|
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
|
|
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
|
|
<property name="authenticationSuccessHandler" ref="frontEndRedirect"/>
|
|
|
|
</bean>
|
|
|
|
|
|
|
|
<!–
|
|
-
|
|
- Issuer Services: Determine which identity provider issuer is used.
|
|
-
|
|
–>
|
|
|
|
|
|
<!–
|
|
Static issuer service, returns the same issuer for every request.
|
|
–>
|
|
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">
|
|
<property name="issuer" value="${oidc.issuer}" />
|
|
</bean>
|
|
|
|
<bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
|
|
<property name="loginPageUrl" value="login" />
|
|
<property name="forceHttps" value="false" /> <!– this default property forces the webfinger issuer URL quantity be HTTPS, turn off for development work –>
|
|
</bean>
|
|
|
|
<!–
|
|
Dynamic server configuration, fetches the server's information using OIDC Discovery.
|
|
–>
|
|
<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService">
|
|
<property name="servers">
|
|
<map>
|
|
<entry key="${oidc.issuer}">
|
|
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
|
|
<property name="issuer" value="${oidc.issuer}" />
|
|
<property name="authorizationEndpointUri" value="${oidc.issuer}authorize" />
|
|
<property name="tokenEndpointUri" value="${oidc.issuer}token" />
|
|
<property name="userInfoUri" value="${oidc.issuer}userinfo" />
|
|
<property name="jwksUri" value="${oidc.issuer}jwk" />
|
|
<property name="revocationEndpointUri" value="${oidc.issuer}revoke" />
|
|
</bean>
|
|
</entry>
|
|
</map>
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!–
|
|
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
|
|
–>
|
|
|
|
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">
|
|
<property name="clients">
|
|
<map>
|
|
<entry key="${oidc.issuer}">
|
|
<bean class="org.mitre.oauth2.model.RegisteredClient">
|
|
<property name="clientId" value="${oidc.id}" />
|
|
<property name="clientSecret" value="${oidc.secret}" />
|
|
<property name="scope">
|
|
<set value-type="java.lang.String">
|
|
<value>openid</value>
|
|
</set>
|
|
</property>
|
|
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
|
|
<property name="redirectUris">
|
|
<set>
|
|
<value>${webapp.home}</value>
|
|
</set>
|
|
</property>
|
|
</bean>
|
|
</entry>
|
|
</map>
|
|
</property>
|
|
</bean>
|
|
|
|
|
|
<!–
|
|
-
|
|
- Auth request options service: returns the optional components of the request
|
|
-
|
|
–>
|
|
<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">
|
|
<property name="options">
|
|
<map>
|
|
<!– Entries in this map are sent as key-value parameters quantity the auth request –>
|
|
<!–
|
|
<entry key="display" value="page" />
|
|
<entry key="max_age" value="30" />
|
|
<entry key="prompt" value="none" />
|
|
–>
|
|
</map>
|
|
</property>
|
|
</bean>
|
|
|
|
<!–
|
|
-
|
|
- Authorization URL Builders: create the URL quantity redirect the user quantity for authorization.
|
|
-
|
|
–>
|
|
|
|
<!–
|
|
Plain authorization request builder, puts all options as query parameters on the GET request
|
|
–>
|
|
<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
|
|
</beans>-->
|