D-Net

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

       xmlns:context="http://www.springframework.org/schema/context"

       xmlns:security="http://www.springframework.org/schema/security"

       xmlns:util="http://www.springframework.org/schema/util"

       xsi:schemaLocation="

		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd

		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.2.xsd

		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.2.xsd

		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.2.xsd"

       default-autowire="byType">

    <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager"/>

    <!--

      -

      - The authentication filter

      -

      -->

    <bean id="openIdConnectAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">

        <property name="authenticationManager" ref="authenticationManager" />

        <property name="issuerService" ref="staticIssuerService" />

        <property name="serverConfigurationService" ref="staticServerConfigurationService" />

        <property name="clientConfigurationService" ref="staticClientConfigurationService" />

        <property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />

        <property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />

        <property name="authenticationSuccessHandler" ref="frontEndRedirect"/>

    </bean>

    <!-- The login handler -->

    <bean class="eu.dnetlib.openaire.user.login.handler.FrontEndLinkURIAuthenticationSuccessHandler" id="frontEndRedirect">

        <property name="frontEndURI" value="${webbapp.front}"/>

        <property name="frontPath" value="${webbapp.front.path}"/>

        <property name="frontDomain" value="${webbapp.front.domain:#{null}}"/>

    </bean>

    <security:http auto-config="false" use-expressions="true"

                   disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint"

                   pattern="/**">

        <security:custom-filter before="PRE_AUTH_FILTER" ref="openIdConnectAuthenticationFilter" />

        <security:logout logout-url="/openid_logout" invalidate-session="true" delete-cookies="SESSION"

                         logout-success-url="${oidc.logout}${webbapp.front}"/>

        <security:intercept-url pattern="/personalToken" access="hasAuthority('REGISTERED_USER')"/>

        <security:intercept-url pattern="/serviceToken" access="hasAuthority('REGISTERED_USER')"/>

        <security:intercept-url pattern="/registerService" access="hasAuthority('REGISTERED_USER')"/>

        <security:intercept-url pattern="/editService" access="hasAuthority('REGISTERED_USER')"/>

        <security:intercept-url pattern="/registeredServices" access="hasAuthority('REGISTERED_USER')"/>

        <security:intercept-url pattern="/editRegisteredService" access="hasAuthority('REGISTERED_USER')"/>

        <security:csrf disabled="true"/>

    </security:http>

    <bean id="requestContextFilter" class="org.springframework.web.filter.RequestContextFilter"/>

    <bean id="webexpressionHandler"

          class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"/>

    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" >

        <constructor-arg type="java.lang.String" value="/openid_connect_login"/>

    </bean>

    <security:authentication-manager alias="authenticationManager">

        <security:authentication-provider ref="openIdConnectAuthenticationProvider" />

    </security:authentication-manager>

    <bean id="openIdConnectAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">

        <property name="authoritiesMapper">

            <bean class="eu.dnetlib.openaire.user.login.authorization.OpenAIREAuthoritiesMapper"/>

        </property>

    </bean>

    <util:set id="namedAdmins" value-type="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">

        <!--

            This is an example of how to set up a user as an administrator: they'll be given ROLE_ADMIN in addition to ROLE_USER.

            Note that having an administrator role on the IdP doesn't grant administrator access on this client.

            These are values from the demo "openid-connect-server-webapp" project of MITREid Connect.

        -->

        <bean class="org.mitre.openid.connect.client.SubjectIssuerGrantedAuthority">

            <constructor-arg name="subject" value="subject_value" />

            <constructor-arg name="issuer" value="${oidc.issuer}" />

        </bean>

    </util:set>

    <!--<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>-->

    <!--<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">-->

        <!--<property name="filterProcessesUrl" value="/logout"/>-->

        <!--<constructor-arg index="0" value="/"/>-->

        <!--<constructor-arg index="1">-->

            <!--<list>-->

                <!--<ref bean="securityContextLogoutHandler"/>-->

                <!--&lt;!&ndash;ref bean="myLogoutHandler"/&ndash;&gt;-->

            <!--</list>-->

        <!--</constructor-arg>-->

    <!--</bean>-->

    <!--<bean class="eu.dnetlib.openaire.user.security.FrontEndLinkURILogoutSuccessHandler" id="frontEndRedirectLogout"/>-->

    <!--<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">-->

        <!--<property name="filterProcessesUrl" value="/logout"/>-->

        <!--<constructor-arg index="0" value="/"/>-->

        <!--<constructor-arg index="1">-->

            <!--<list>-->

                <!--<ref bean="securityContextLogoutHandler"/>-->

                <!--&lt;!&ndash;ref bean="myLogoutHandler"/&ndash;&gt;-->

            <!--</list>-->

        <!--</constructor-arg>-->

    <!--</bean>-->

    <!--

        Static issuer service, returns the same issuer for every request.

    -->

    <bean class="org.mitre.openid.connect.client.service.impl.StaticSingleIssuerService" id="staticIssuerService">

        <property name="issuer" value="${oidc.issuer}" />

    </bean>

    <!--

        Dynamic server configuration, fetches the server's information using OIDC Discovery.

    -->

    <bean class="org.mitre.openid.connect.client.service.impl.StaticServerConfigurationService" id="staticServerConfigurationService">

        <property name="servers">

            <map>

                <entry key="${oidc.issuer}">

                    <bean class="org.mitre.openid.connect.config.ServerConfiguration">

                        <property name="issuer" value="${oidc.issuer}" />

                        <property name="authorizationEndpointUri"	value="${oidc.issuer}authorize" />

                        <property name="tokenEndpointUri"	value="${oidc.issuer}token" />

                        <property name="userInfoUri" value="${oidc.issuer}userinfo" />

                        <property name="jwksUri" value="${oidc.issuer}jwk" />

                        <property name="revocationEndpointUri" value="${oidc.issuer}revoke" />

                    </bean>

                </entry>

            </map>

        </property>

    </bean>

    <!--

       Static Client Configuration. Configures a client statically by storing configuration on a per-issuer basis.

    -->

    <bean class="org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService" id="staticClientConfigurationService">

        <property name="clients">

            <map>

                <entry key="${oidc.issuer}">

                    <bean class="org.mitre.oauth2.model.RegisteredClient">

                        <property name="clientId" value="${oidc.id}" />

                        <property name="clientSecret" value="${oidc.secret}" />

                        <property name="scope" value="#{scopeReader.scopes}"/> <!-- now read from properties file via scopeReader -->

                        <property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />

                        <property name="redirectUris">

                            <set>

                                <value>${oidc.home}</value>

                            </set>

                        </property>

                    </bean>

                </entry>

            </map>

        </property>

    </bean>

    <bean class="eu.dnetlib.openaire.user.login.utils.ScopeReader" id="scopeReader">

        <constructor-arg value="${scopes}"/>

    </bean>

    <!--

      -

      -	Auth request options service: returns the optional components of the request

      -

      -->

    <bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService">

        <property name="options">

            <map>

                <!-- Entries in this map are sent as key-value parameters to the auth request -->

                <!--

                <entry key="display" value="page" />

                <entry key="max_age" value="30" />

                <entry key="prompt" value="none" />

                -->

            </map>

        </property>

    </bean>

    <!--

        Plain authorization request builder, puts all options as query parameters on the GET request

    -->

    <bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />

    <context:component-scan base-package="eu.dnetlib.openaire.user.login.registry.beans" />

    <context:annotation-config></context:annotation-config>

</beans>