Revision 51086
Added by Panagiotis Kanakakis about 6 years ago
| aai-security.xml | ||
|---|---|---|
| 2 | 2 |
<beans xmlns="http://www.springframework.org/schema/beans" |
| 3 | 3 |
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| 4 | 4 |
xmlns:security="http://www.springframework.org/schema/security" |
| 5 |
xmlns:util="http://www.springframework.org/schema/util" xmlns:task="http://www.springframework.org/schema/task" |
|
| 6 |
xmlns:context="http://www.springframework.org/schema/context" xmlns:tx="http://www.springframework.org/schema/tx" |
|
| 5 |
xmlns:util="http://www.springframework.org/schema/util" |
|
| 7 | 6 |
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd |
| 8 | 7 |
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd |
| 9 |
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd |
|
| 10 |
|
|
| 11 |
http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd" |
|
| 8 |
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd" |
|
| 12 | 9 |
default-autowire="byType"> |
| 13 | 10 |
|
| 14 | 11 |
|
| 15 |
<bean id="webexpressionHandler" |
|
| 16 |
class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/> |
|
| 12 |
<bean id="multipartResolver" class="org.springframework.web.multipart.commons.CommonsMultipartResolver"> |
|
| 13 |
<property name="maxUploadSize" value="268435456"/> |
|
| 14 |
</bean> |
|
| 17 | 15 |
|
| 18 |
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" |
|
| 19 |
authentication-manager-ref="authenticationManager"/> |
|
| 16 |
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/> |
|
| 20 | 17 |
|
| 21 | 18 |
<security:http auto-config="false" use-expressions="true" |
| 22 | 19 |
disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint" |
| 23 |
pattern="/"> |
|
| 20 |
pattern="/**">
|
|
| 24 | 21 |
|
| 25 |
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" /> |
|
| 22 |
<security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />
|
|
| 26 | 23 |
|
| 27 |
<security:logout />
|
|
| 24 |
<security:logout logout-url="/openid_logout" invalidate-session="true"/>
|
|
| 28 | 25 |
|
| 29 | 26 |
</security:http> |
| 30 | 27 |
|
| 31 | 28 |
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" > |
| 32 |
<constructor-arg type="java.lang.String" value="/openid_connect_login"/> |
|
| 29 |
<constructor-arg type="java.lang.String" value="/openid_connect_login"/>
|
|
| 33 | 30 |
</bean> |
| 34 | 31 |
|
| 35 | 32 |
<security:authentication-manager alias="authenticationManager"> |
| 36 |
<security:authentication-provider ref="openIdConnectAuthenticationProvider" /> |
|
| 33 |
<security:authentication-provider ref="openIdConnectAuthenticationProvider" />
|
|
| 37 | 34 |
</security:authentication-manager> |
| 38 | 35 |
|
| 39 | 36 |
<bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider"> |
| 40 |
<property name="authoritiesMapper"> |
|
| 41 |
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper"> |
|
| 42 |
<property name="admins" ref="namedAdmins" /> |
|
| 43 |
</bean> |
|
| 44 |
</property> |
|
| 37 |
<property name="authoritiesMapper">
|
|
| 38 |
<bean class="org.mitre.openid.connect.client.NamedAdminAuthoritiesMapper">
|
|
| 39 |
<property name="admins" ref="namedAdmins" />
|
|
| 40 |
</bean>
|
|
| 41 |
</property>
|
|
| 45 | 42 |
</bean> |
| 46 | 43 |
|
| 47 | 44 |
<util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority"> |
| 48 |
<!-- |
|
| 49 |
This is an example of how quantity set up a user as an administrator: they'll be given ROLE_ADMIN in addition quantity ROLE_USER. |
|
| 50 |
Note that having an administrator role on the IdP doesn't grant administrator access on this client. |
|
| 51 |
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect. |
|
| 52 |
--> |
|
| 53 |
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority"> |
|
| 54 |
<constructor-arg name="subject" value="90342.ASDFJWFA" /> |
|
| 55 |
<constructor-arg name="issuer" value="${oidc.issuer}" />
|
|
| 56 |
</bean> |
|
| 45 |
<!--
|
|
| 46 |
This is an example of how quantity set up a user as an administrator: they'll be given ROLE_ADMIN in addition quantity ROLE_USER.
|
|
| 47 |
Note that having an administrator role on the IdP doesn't grant administrator access on this client.
|
|
| 48 |
These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.
|
|
| 49 |
-->
|
|
| 50 |
<bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">
|
|
| 51 |
<constructor-arg name="subject" value="90342.ASDFJWFA" />
|
|
| 52 |
<constructor-arg name="issuer" value="${oidc.issuer}" />
|
|
| 53 |
</bean>
|
|
| 57 | 54 |
</util:set> |
| 58 | 55 |
|
| 59 | 56 |
<bean class="eu.dnetlib.repo.manager.server.config.FrontEndLinkURIAuthenticationSuccessHandler" id="frontEndRedirect"> |
| 60 |
<property name="frontEndURI" value="${webapp.front}"/>
|
|
| 57 |
<property name="frontEndURI" value="${webapp.front}/home"/>
|
|
| 61 | 58 |
</bean> |
| 62 |
<!--
|
|
| 63 |
-
|
|
| 64 |
- The authentication filter
|
|
| 65 |
-
|
|
| 66 |
-->
|
|
| 59 |
<!-- |
|
| 60 |
- |
|
| 61 |
- The authentication filter |
|
| 62 |
- |
|
| 63 |
--> |
|
| 67 | 64 |
<bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter"> |
| 68 |
<property name="authenticationManager" ref="authenticationManager" /> |
|
| 65 |
<property name="authenticationManager" ref="authenticationManager" />
|
|
| 69 | 66 |
|
| 70 |
<property name="issuerService" ref="staticIssuerService" /> |
|
| 71 |
<property name="serverConfigurationService" ref="staticServerConfigurationService" /> |
|
| 72 |
<property name="clientConfigurationService" ref="staticClientConfigurationService" /> |
|
| 73 |
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" /> |
|
| 74 |
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" /> |
|
| 75 |
<property name="authenticationSuccessHandler" ref="frontEndRedirect"/> |
|
| 67 |
<property name="issuerService" ref="staticIssuerService" />
|
|
| 68 |
<property name="serverConfigurationService" ref="staticServerConfigurationService" />
|
|
| 69 |
<property name="clientConfigurationService" ref="staticClientConfigurationService" />
|
|
| 70 |
<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
|
|
| 71 |
<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
|
|
| 72 |
<property name="authenticationSuccessHandler" ref="frontEndRedirect"/>
|
|
| 76 | 73 |
|
| 77 | 74 |
</bean> |
| 78 | 75 |
|
| 79 | 76 |
|
| 80 | 77 |
|
| 81 |
<!--
|
|
| 82 |
-
|
|
| 83 |
- Issuer Services: Determine which identity provider issuer is used.
|
|
| 84 |
-
|
|
| 85 |
-->
|
|
| 78 |
<!-- |
|
| 79 |
- |
|
| 80 |
- Issuer Services: Determine which identity provider issuer is used. |
|
| 81 |
- |
|
| 82 |
--> |
|
| 86 | 83 |
|
| 87 | 84 |
|
| 88 |
<!--
|
|
| 89 |
Static issuer service, returns the same issuer for every request.
|
|
| 90 |
-->
|
|
| 85 |
<!-- |
|
| 86 |
Static issuer service, returns the same issuer for every request. |
|
| 87 |
--> |
|
| 91 | 88 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService"> |
| 92 |
<property name="issuer" value="${oidc.issuer}" />
|
|
| 89 |
<property name="issuer" value="${oidc.issuer}" />
|
|
| 93 | 90 |
</bean> |
| 94 | 91 |
|
| 95 | 92 |
<bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService"> |
| 96 |
<property name="loginPageUrl" value="login" /> |
|
| 97 |
<property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL quantity be HTTPS, turn off for development work --> |
|
| 93 |
<property name="loginPageUrl" value="login" />
|
|
| 94 |
<property name="forceHttps" value="false" /> <!-- this default property forces the webfinger issuer URL quantity be HTTPS, turn off for development work -->
|
|
| 98 | 95 |
</bean> |
| 99 | 96 |
|
| 100 |
<!--
|
|
| 101 |
Dynamic server configuration, fetches the server's information using OIDC Discovery.
|
|
| 102 |
-->
|
|
| 97 |
<!-- |
|
| 98 |
Dynamic server configuration, fetches the server's information using OIDC Discovery.
|
|
| 99 |
-->
|
|
| 103 | 100 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService"> |
| 104 |
<property name="servers"> |
|
| 105 |
<map> |
|
| 106 |
<entry key="${oidc.issuer}">
|
|
| 107 |
<bean class="org.mitre.openid.connect.config.ServerConfiguration"> |
|
| 108 |
<property name="issuer" value="${oidc.issuer}" />
|
|
| 109 |
<property name="authorizationEndpointUri" value="${oidc.issuer}authorize" />
|
|
| 110 |
<property name="tokenEndpointUri" value="${oidc.issuer}token" />
|
|
| 111 |
<property name="userInfoUri" value="${oidc.issuer}userinfo" />
|
|
| 112 |
<property name="jwksUri" value="${oidc.issuer}jwk" />
|
|
| 113 |
<property name="revocationEndpointUri" value="${oidc.issuer}revoke" />
|
|
| 114 |
</bean> |
|
| 115 |
</entry> |
|
| 116 |
</map> |
|
| 117 |
</property> |
|
| 101 |
<property name="servers">
|
|
| 102 |
<map>
|
|
| 103 |
<entry key="${oidc.issuer}">
|
|
| 104 |
<bean class="org.mitre.openid.connect.config.ServerConfiguration">
|
|
| 105 |
<property name="issuer" value="${oidc.issuer}" />
|
|
| 106 |
<property name="authorizationEndpointUri" value="${oidc.issuer}authorize" />
|
|
| 107 |
<property name="tokenEndpointUri" value="${oidc.issuer}token" />
|
|
| 108 |
<property name="userInfoUri" value="${oidc.issuer}userinfo" />
|
|
| 109 |
<property name="jwksUri" value="${oidc.issuer}jwk" />
|
|
| 110 |
<property name="revocationEndpointUri" value="${oidc.issuer}revoke" />
|
|
| 111 |
</bean>
|
|
| 112 |
</entry>
|
|
| 113 |
</map>
|
|
| 114 |
</property>
|
|
| 118 | 115 |
</bean> |
| 119 | 116 |
|
| 120 | 117 |
|
| 121 |
<!--
|
|
| 122 |
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.
|
|
| 123 |
-->
|
|
| 118 |
<!-- |
|
| 119 |
Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis. |
|
| 120 |
--> |
|
| 124 | 121 |
|
| 125 | 122 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService"> |
| 126 |
<property name="clients"> |
|
| 127 |
<map> |
|
| 128 |
<entry key="${oidc.issuer}">
|
|
| 129 |
<bean class="org.mitre.oauth2.model.RegisteredClient"> |
|
| 130 |
<property name="clientId" value="${oidc.id}" />
|
|
| 131 |
<property name="clientSecret" value="${oidc.secret}" />
|
|
| 132 |
<property name="scope"> |
|
| 133 |
<set value-type="java.lang.String"> |
|
| 134 |
<value>openid</value> |
|
| 135 |
</set> |
|
| 136 |
</property> |
|
| 137 |
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" /> |
|
| 138 |
<property name="redirectUris"> |
|
| 139 |
<set> |
|
| 140 |
<value>${webapp.home}</value>
|
|
| 141 |
</set> |
|
| 142 |
</property> |
|
| 143 |
</bean> |
|
| 144 |
</entry> |
|
| 145 |
</map> |
|
| 146 |
</property> |
|
| 123 |
<property name="clients">
|
|
| 124 |
<map>
|
|
| 125 |
<entry key="${oidc.issuer}">
|
|
| 126 |
<bean class="org.mitre.oauth2.model.RegisteredClient">
|
|
| 127 |
<property name="clientId" value="${oidc.id}" />
|
|
| 128 |
<property name="clientSecret" value="${oidc.secret}" />
|
|
| 129 |
<property name="scope">
|
|
| 130 |
<set value-type="java.lang.String">
|
|
| 131 |
<value>openid</value>
|
|
| 132 |
</set>
|
|
| 133 |
</property>
|
|
| 134 |
<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
|
|
| 135 |
<property name="redirectUris">
|
|
| 136 |
<set>
|
|
| 137 |
<value>${webapp.home}</value>
|
|
| 138 |
</set>
|
|
| 139 |
</property>
|
|
| 140 |
</bean>
|
|
| 141 |
</entry>
|
|
| 142 |
</map>
|
|
| 143 |
</property>
|
|
| 147 | 144 |
</bean> |
| 148 | 145 |
|
| 149 | 146 |
|
| 150 |
<!--
|
|
| 151 |
-
|
|
| 152 |
- Auth request options service: returns the optional components of the request
|
|
| 153 |
-
|
|
| 154 |
-->
|
|
| 147 |
<!-- |
|
| 148 |
-
|
|
| 149 |
- Auth request options service: returns the optional components of the request
|
|
| 150 |
-
|
|
| 151 |
-->
|
|
| 155 | 152 |
<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService"> |
| 156 |
<property name="options"> |
|
| 157 |
<map> |
|
| 158 |
<!-- Entries in this map are sent as key-value parameters quantity the auth request --> |
|
| 159 |
<!-- |
|
| 160 |
<entry key="display" value="page" /> |
|
| 161 |
<entry key="max_age" value="30" /> |
|
| 162 |
<entry key="prompt" value="none" /> |
|
| 163 |
--> |
|
| 164 |
</map> |
|
| 165 |
</property> |
|
| 153 |
<property name="options">
|
|
| 154 |
<map>
|
|
| 155 |
<!-- Entries in this map are sent as key-value parameters quantity the auth request -->
|
|
| 156 |
<!--
|
|
| 157 |
<entry key="display" value="page" />
|
|
| 158 |
<entry key="max_age" value="30" />
|
|
| 159 |
<entry key="prompt" value="none" />
|
|
| 160 |
-->
|
|
| 161 |
</map>
|
|
| 162 |
</property>
|
|
| 166 | 163 |
</bean> |
| 167 | 164 |
|
| 168 |
<!--
|
|
| 169 |
-
|
|
| 170 |
- Authorization URL Builders: create the URL quantity redirect the user quantity for authorization.
|
|
| 171 |
-
|
|
| 172 |
-->
|
|
| 165 |
<!-- |
|
| 166 |
-
|
|
| 167 |
- Authorization URL Builders: create the URL quantity redirect the user quantity for authorization.
|
|
| 168 |
-
|
|
| 169 |
-->
|
|
| 173 | 170 |
|
| 174 |
<!--
|
|
| 175 |
Plain authorization request builder, puts all options as query parameters on the GET request
|
|
| 176 |
-->
|
|
| 171 |
<!-- |
|
| 172 |
Plain authorization request builder, puts all options as query parameters on the GET request |
|
| 173 |
--> |
|
| 177 | 174 |
<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" /> |
| 178 |
</beans> |
|
| 175 |
</beans> |
|
Also available in: Unified diff
1. Organize xml files