extracted controller URLs to constants, closes #769
parent
617d485478
commit
1735dbca11
|
@ -32,7 +32,7 @@ import com.google.common.collect.Sets;
|
|||
public interface SystemScopeService {
|
||||
|
||||
public static final String OFFLINE_ACCESS = "offline_access";
|
||||
public static final Object OPENID_SCOPE = "openid";
|
||||
public static final String OPENID_SCOPE = "openid";
|
||||
public static final String ID_TOKEN_SCOPE = "id-token";
|
||||
public static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
|
||||
public static final String RESOURCE_TOKEN_SCOPE = "resource-token";
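Review bot: The type change of `OPENID_SCOPE` from `Object` to `String` at line L21 is load-bearing, not cosmetic, and nothing in the hunk says so: later in this commit the value is spliced into an annotation (`@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('" + SystemScopeService.OPENID_SCOPE + "')")` in UserInfoEndpoint), which only compiles while the field is a compile-time `String` constant. Suggest recording that on the field so a future edit does not quietly break the SpEL: `/** Scope that gates the UserInfo endpoint. Must remain a compile-time String constant (no quotes): it is concatenated into @PreAuthorize SpEL expressions. */`. As a point of style, `public static final` on interface fields is redundant (interface members are implicitly public static final), though that matches the surrounding declarations.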
|
||||
|
|
|
@ -86,13 +86,13 @@
|
|||
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
||||
</security:http>
|
||||
|
||||
<!-- Allow open access to required endpoints -->
|
||||
<security:http pattern="/jwk**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/jwk**" access="permitAll"/>
|
||||
<!-- Allow open access to discovery endpoints -->
|
||||
<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
</security:http>
|
||||
<security:http pattern="/.well-known/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/.well-known/**" access="permitAll"/>
|
||||
<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
</security:http>
|
||||
|
||||
|
@ -103,32 +103,32 @@
|
|||
</security:http>
|
||||
|
||||
<!-- OAuth-protect API and other endpoints -->
|
||||
<security:http pattern="/register/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:intercept-url pattern="/register/**" access="permitAll"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/resource/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:intercept-url pattern="/resource/**" access="permitAll"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/userinfo**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/api/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
|
||||
<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/introspect**"
|
||||
<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
|
@ -140,7 +140,7 @@
|
|||
<security:custom-filter ref="clientCredentialsIntrospectionEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/revoke**"
|
||||
<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
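Review bot: The `<security:intercept-url>` rules at lines L118 (`/register/**`) and L141 (`/resource/**`) were left as literals while the enclosing `<security:http pattern=...>` elements at L106 and L129 now read the constants via `#{T(...).URL}`; the chain and its access rule can therefore drift apart if either `URL` constant changes. Make them match: `<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" access="permitAll"/>` and `<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" access="permitAll"/>`. Both of those filter chains also rely on `resourceServerFilter` for the actual token check, so the `permitAll` is presumably intentional and unaffected by this fix. The introspection `<security:http>` element opened at L189 closes outside the hunk.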
|
||||
|
|
|
@ -24,11 +24,16 @@ import org.mitre.discovery.util.WebfingerURLNormalizer;
|
|||
import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
|
||||
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
|
||||
import org.mitre.oauth2.service.SystemScopeService;
|
||||
import org.mitre.oauth2.web.IntrospectionEndpoint;
|
||||
import org.mitre.oauth2.web.RevocationEndpoint;
|
||||
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
|
||||
import org.mitre.openid.connect.model.UserInfo;
|
||||
import org.mitre.openid.connect.service.UserInfoService;
|
||||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
import org.mitre.openid.connect.view.JsonEntityView;
|
||||
import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint;
|
||||
import org.mitre.openid.connect.web.JWKSetPublishingEndpoint;
|
||||
import org.mitre.openid.connect.web.UserInfoEndpoint;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
@ -58,6 +63,10 @@ import com.nimbusds.jose.JWSAlgorithm;
|
|||
@Controller
|
||||
public class DiscoveryEndpoint {
|
||||
|
||||
public static final String WELL_KNOWN_URL = ".well-known";
|
||||
public static final String OPENID_CONFIGURATION_URL = WELL_KNOWN_URL + "/openid-configuration";
|
||||
public static final String WEBFINGER_URL = WELL_KNOWN_URL + "/webfinger";
|
||||
|
||||
/**
|
||||
* Logger for this class
|
||||
*/
|
||||
|
@ -91,7 +100,7 @@ public class DiscoveryEndpoint {
|
|||
}
|
||||
};
|
||||
|
||||
@RequestMapping(value={"/.well-known/webfinger"},
|
||||
@RequestMapping(value={"/" + WEBFINGER_URL},
|
||||
params={"resource", "rel=http://openid.net/specs/connect/1.0/issuer"}, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
public String webfinger(@RequestParam("resource") String resource, Model model) {
|
||||
|
||||
|
@ -135,7 +144,7 @@ public class DiscoveryEndpoint {
|
|||
return "webfingerView";
|
||||
}
|
||||
|
||||
@RequestMapping("/.well-known/openid-configuration")
|
||||
@RequestMapping("/" + OPENID_CONFIGURATION_URL)
|
||||
public String providerConfiguration(Model model) {
|
||||
|
||||
/*
|
||||
|
@ -273,11 +282,11 @@ public class DiscoveryEndpoint {
|
|||
m.put("issuer", config.getIssuer());
|
||||
m.put("authorization_endpoint", baseUrl + "authorize");
|
||||
m.put("token_endpoint", baseUrl + "token");
|
||||
m.put("userinfo_endpoint", baseUrl + "userinfo");
|
||||
m.put("userinfo_endpoint", baseUrl + UserInfoEndpoint.URL);
|
||||
//check_session_iframe
|
||||
//end_session_endpoint
|
||||
m.put("jwks_uri", baseUrl + "jwk");
|
||||
m.put("registration_endpoint", baseUrl + "register");
|
||||
m.put("jwks_uri", baseUrl + JWKSetPublishingEndpoint.URL);
|
||||
m.put("registration_endpoint", baseUrl + DynamicClientRegistrationEndpoint.URL);
|
||||
m.put("scopes_supported", scopeService.toStrings(scopeService.getUnrestricted())); // these are the scopes that you can dynamically register for, which is what matters for discovery
|
||||
m.put("response_types_supported", Lists.newArrayList("code", "token")); // we don't support these yet: , "id_token", "id_token token"));
|
||||
m.put("grant_types_supported", Lists.newArrayList("authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate"));
|
||||
|
@ -328,8 +337,8 @@ public class DiscoveryEndpoint {
|
|||
m.put("op_policy_uri", baseUrl + "about");
|
||||
m.put("op_tos_uri", baseUrl + "about");
|
||||
|
||||
m.put("introspection_endpoint", baseUrl + "introspect"); // token introspection endpoint for verifying tokens
|
||||
m.put("revocation_endpoint", baseUrl + "revoke"); // token revocation endpoint
|
||||
m.put("introspection_endpoint", baseUrl + IntrospectionEndpoint.URL); // token introspection endpoint for verifying tokens
|
||||
m.put("revocation_endpoint", baseUrl + RevocationEndpoint.URL); // token revocation endpoint
|
||||
|
||||
model.addAttribute("entity", m);
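Review bot: The new constants `WELL_KNOWN_URL`, `OPENID_CONFIGURATION_URL` and `WEBFINGER_URL` (lines L294-L300) carry no Javadoc, and the leading-slash convention (none stored, `"/" +` added at each `@RequestMapping`) is only discoverable by reading the usages at L329 and L355 and the security XML. Suggest on `WELL_KNOWN_URL`: `/** Discovery path prefix, relative to the servlet root (no leading slash); also referenced from the security XML via #{T(DiscoveryEndpoint).WELL_KNOWN_URL}. */`. In the discovery document, `authorization_endpoint` and `token_endpoint` at L373/L376 are still built from the literals `"authorize"` and `"token"` while the neighbouring entries now use constants; presumably those two are served by framework endpoints rather than by a controller in this project, in which case a short comment such as `// authorize/token are framework endpoints; no project constant to reference` would stop the next reader from treating them as leftovers. The `providerConfiguration` method that builds this map starts outside the hunk.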
|
||||
|
||||
|
|
|
@ -52,6 +52,11 @@ import com.google.common.collect.ImmutableMap;
|
|||
@Controller
|
||||
public class IntrospectionEndpoint {
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public static final String URL = "introspect";
|
||||
|
||||
@Autowired
|
||||
private OAuth2TokenEntityService tokenServices;
|
||||
|
||||
|
@ -84,7 +89,7 @@ public class IntrospectionEndpoint {
|
|||
}
|
||||
|
||||
@PreAuthorize("hasRole('ROLE_CLIENT')")
|
||||
@RequestMapping("/introspect")
|
||||
@RequestMapping("/" + URL)
|
||||
public String verify(@RequestParam("token") String tokenValue,
|
||||
@RequestParam(value = "resource_id", required = false) String resourceId,
|
||||
@RequestParam(value = "token_type_hint", required = false) String tokenType,
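Review bot: The Javadoc added above `URL` at lines L457-L463 is empty, which is worse than no comment because tooling will render a blank description for the constant; the same empty block appears on `ProtectedResourceRegistrationEndpoint.URL` at L948-L954, and `RevocationEndpoint.URL` at L520 has no Javadoc at all. Suggest, here: `/** Path of the token introspection endpoint, relative to the servlet root (no leading slash). Referenced by the security XML filter chain and advertised as introspection_endpoint in the discovery document. */`, and the analogous sentence on the other two. The `verify` method whose signature begins at L497 continues past the hunk.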
|
||||
|
|
|
@ -45,8 +45,10 @@ public class RevocationEndpoint {
|
|||
*/
|
||||
private static final Logger logger = LoggerFactory.getLogger(RevocationEndpoint.class);
|
||||
|
||||
public static final String URL = "revoke";
|
||||
|
||||
@PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')")
|
||||
@RequestMapping("/revoke")
|
||||
@RequestMapping("/" + URL)
|
||||
public String revoke(@RequestParam("token") String tokenValue, @RequestParam(value = "token_type_hint", required = false) String tokenType, Principal principal, Model model) {
|
||||
|
||||
// This is the token as passed in from OAuth (in case we need it some day)
|
||||
|
|
|
@ -26,6 +26,7 @@ import org.mitre.oauth2.service.SystemScopeService;
|
|||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
import org.mitre.openid.connect.view.JsonEntityView;
|
||||
import org.mitre.openid.connect.view.JsonErrorView;
|
||||
import org.mitre.openid.connect.web.RootController;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
@ -50,10 +51,12 @@ import com.google.gson.Gson;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/api/scopes")
|
||||
@RequestMapping("/" + ScopeAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
public class ScopeAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/scopes";
|
||||
|
||||
@Autowired
|
||||
private SystemScopeService scopeService;
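Review bot: `ScopeAPI.URL` at line L596 is undocumented, and the same applies to the identical constants added in TokenAPI (L663), ApprovedSiteAPI (L705), BlacklistAPI (L747), ClientAPI (L788), DataAPI (L830), StatsAPI (L1105) and WhitelistAPI (L1241). The prefix is not a cosmetic choice: the security XML in this commit protects `/#{T(RootController).API_URL}/**` with `resourceServerFilter` and `oauthAuthenticationEntryPoint`, so a controller whose `URL` stopped starting with `RootController.API_URL` would, as far as the XML hunk shows, drop out of that filter chain and keep only its `@PreAuthorize` check. Suggest stating the invariant once per constant: `/** Base path of this API. Must stay under {@link RootController#API_URL} so the OAuth-protected /api/** security chain applies. */`.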
|
||||
|
||||
|
|
|
@ -29,6 +29,7 @@ import org.mitre.oauth2.view.TokenApiView;
|
|||
import org.mitre.openid.connect.service.OIDCTokenService;
|
||||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
import org.mitre.openid.connect.view.JsonErrorView;
|
||||
import org.mitre.openid.connect.web.RootController;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
@ -51,10 +52,12 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/api/tokens")
|
||||
@RequestMapping("/" + TokenAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
public class TokenAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/tokens";
|
||||
|
||||
@Autowired
|
||||
private OAuth2TokenEntityService tokenService;
|
||||
|
||||
|
|
|
@ -49,10 +49,12 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/api/approved")
|
||||
@RequestMapping("/" + ApprovedSiteAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
public class ApprovedSiteAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/approved";
|
||||
|
||||
@Autowired
|
||||
private ApprovedSiteService approvedSiteService;
|
||||
|
||||
|
|
|
@ -54,10 +54,12 @@ import com.google.gson.JsonSyntaxException;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/api/blacklist")
|
||||
@RequestMapping("/" + BlacklistAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_ADMIN')")
|
||||
public class BlacklistAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/blacklist";
|
||||
|
||||
@Autowired
|
||||
private BlacklistedSiteService blacklistService;
|
||||
|
||||
|
|
|
@ -66,10 +66,12 @@ import com.google.gson.JsonSyntaxException;
|
|||
*/
|
||||
|
||||
@Controller
|
||||
@RequestMapping("/api/clients")
|
||||
@RequestMapping("/" + ClientAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
public class ClientAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/clients";
|
||||
|
||||
@Autowired
|
||||
private ClientDetailsEntityService clientService;
|
||||
|
||||
|
|
|
@ -54,10 +54,12 @@ import com.google.gson.stream.JsonWriter;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/api/data")
|
||||
@RequestMapping("/" + DataAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_ADMIN')") // you need to be an admin to even think about this -- this is a potentially dangerous API!!
|
||||
public class DataAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/data";
|
||||
|
||||
/**
|
||||
* Logger for this class
|
||||
*/
|
||||
|
|
|
@ -66,9 +66,11 @@ import com.google.common.collect.Sets;
|
|||
import com.google.gson.JsonSyntaxException;
|
||||
|
||||
@Controller
|
||||
@RequestMapping(value = "register")
|
||||
@RequestMapping(value = DynamicClientRegistrationEndpoint.URL)
|
||||
public class DynamicClientRegistrationEndpoint {
|
||||
|
||||
public static final String URL = "register";
|
||||
|
||||
@Autowired
|
||||
private ClientDetailsEntityService clientService;
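Review bot: The class-level mapping at line L861, `@RequestMapping(value = DynamicClientRegistrationEndpoint.URL)`, has no leading slash, whereas every other controller in this commit maps `"/" + X.URL` (for example L585, L652, L1157); `ProtectedResourceRegistrationEndpoint` at L940 has the same inconsistency. Spring MVC presumably normalises the missing slash, so this is a point of style rather than a behaviour change, but a uniform convention makes the XML patterns (`/#{T(...).URL}/**`) and the Java mappings easy to cross-check. Suggest `@RequestMapping(value = "/" + DynamicClientRegistrationEndpoint.URL)` and the same form at L940. The `URL` constant at L869 would also benefit from the one-line Javadoc the other endpoints are getting.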
|
||||
|
||||
|
|
|
@ -31,10 +31,12 @@ import com.nimbusds.jose.jwk.JWK;
|
|||
@Controller
|
||||
public class JWKSetPublishingEndpoint {
|
||||
|
||||
public static final String URL = "jwk";
|
||||
|
||||
@Autowired
|
||||
private JWTSigningAndValidationService jwtService;
|
||||
|
||||
@RequestMapping(value = "/jwk", produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
@RequestMapping(value = "/" + URL, produces = MediaType.APPLICATION_JSON_VALUE)
|
||||
public String getJwk(Model m) {
|
||||
|
||||
// map from key id to key
|
||||
|
|
|
@ -63,9 +63,14 @@ import com.google.common.base.Strings;
|
|||
import com.google.gson.JsonSyntaxException;
|
||||
|
||||
@Controller
|
||||
@RequestMapping(value = "resource")
|
||||
@RequestMapping(value = ProtectedResourceRegistrationEndpoint.URL)
|
||||
public class ProtectedResourceRegistrationEndpoint {
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public static final String URL = "resource";
|
||||
|
||||
@Autowired
|
||||
private ClientDetailsEntityService clientService;
|
||||
|
||||
|
|
|
@ -30,29 +30,25 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
|||
*/
|
||||
|
||||
@Controller
|
||||
public class ManagerController {
|
||||
public class RootController {
|
||||
|
||||
public static final String API_URL = "api";
|
||||
|
||||
@Autowired
|
||||
private StatsService statsService;
|
||||
|
||||
@RequestMapping({"", "home", "index"})
|
||||
public String showHomePage(ModelMap m) {
|
||||
|
||||
//Map<String, Integer> summary = statsService.getSummaryStats();
|
||||
|
||||
//m.put("statsSummary", summary);
|
||||
return "home";
|
||||
}
|
||||
|
||||
@RequestMapping({"about", "about/"})
|
||||
public String showAboutPage(ModelMap m) {
|
||||
|
||||
return "about";
|
||||
}
|
||||
|
||||
@RequestMapping({"stats", "stats/"})
|
||||
public String showStatsPage(ModelMap m) {
|
||||
|
||||
Map<String, Integer> summary = statsService.getSummaryStats();
|
||||
|
||||
m.put("statsSummary", summary);
|
||||
|
@ -61,7 +57,6 @@ public class ManagerController {
|
|||
|
||||
@RequestMapping({"contact", "contact/"})
|
||||
public String showContactPage(ModelMap m) {
|
||||
|
||||
return "contact";
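Review bot: `RootController.API_URL` at line L992 is the single value that every `*API` controller and the `/api/**` security chain in this commit are keyed on, yet it has no comment and sits in a class whose own handlers (`showHomePage`, `showAboutPage`, ...) have nothing to do with the API. Suggest documenting why it lives here and what depends on it: `/** Root path segment of the OAuth-protected management API; the *API controllers build their URL from it and the security XML protects /#{T(RootController).API_URL}/**. */`. The rename from `ManagerController` to `RootController` (L984/L987) is otherwise mechanical, and the second hunk of this section removes a line that is not visible in the rendered view.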
|
||||
}
|
||||
|
|
@ -35,8 +35,11 @@ import org.springframework.web.bind.annotation.PathVariable;
|
|||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
|
||||
@Controller
|
||||
@RequestMapping("/api/stats")
|
||||
@RequestMapping("/" + StatsAPI.URL)
|
||||
public class StatsAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/stats";
|
||||
|
||||
// Logger for this class
|
||||
private static final Logger logger = LoggerFactory.getLogger(StatsAPI.class);
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ import java.util.List;
|
|||
|
||||
import org.mitre.oauth2.model.ClientDetailsEntity;
|
||||
import org.mitre.oauth2.service.ClientDetailsEntityService;
|
||||
import org.mitre.oauth2.service.SystemScopeService;
|
||||
import org.mitre.openid.connect.model.UserInfo;
|
||||
import org.mitre.openid.connect.service.UserInfoService;
|
||||
import org.mitre.openid.connect.view.HttpCodeView;
|
||||
|
@ -52,8 +53,11 @@ import com.google.common.base.Strings;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/" + UserInfoEndpoint.URL)
|
||||
public class UserInfoEndpoint {
|
||||
|
||||
public static final String URL = "userinfo";
|
||||
|
||||
@Autowired
|
||||
private UserInfoService userInfoService;
|
||||
|
||||
|
@ -74,8 +78,8 @@ public class UserInfoEndpoint {
|
|||
/**
|
||||
* Get information about the user as specified in the accessToken included in this request
|
||||
*/
|
||||
@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('openid')")
|
||||
@RequestMapping(value="/userinfo", method= {RequestMethod.GET, RequestMethod.POST}, produces = {MediaType.APPLICATION_JSON_VALUE, JOSE_MEDIA_TYPE_VALUE})
|
||||
@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('" + SystemScopeService.OPENID_SCOPE + "')")
|
||||
@RequestMapping(method= {RequestMethod.GET, RequestMethod.POST}, produces = {MediaType.APPLICATION_JSON_VALUE, JOSE_MEDIA_TYPE_VALUE})
|
||||
public String getInfo(@RequestParam(value="claims", required=false) String claimsRequestJsonString,
|
||||
@RequestHeader(value="Accept", required=false) String acceptHeader,
|
||||
OAuth2Authentication auth, Model model) {
|
||||
|
|
|
@ -54,10 +54,12 @@ import com.google.gson.JsonParser;
|
|||
*
|
||||
*/
|
||||
@Controller
|
||||
@RequestMapping("/api/whitelist")
|
||||
@RequestMapping("/" + WhitelistAPI.URL)
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
public class WhitelistAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/whitelist";
|
||||
|
||||
@Autowired
|
||||
private WhitelistedSiteService whitelistService;
|
||||
|
||||
|
|