extracted controller URLs to constants, closes #769

openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java

@@ -32,7 +32,7 @@ import com.google.common.collect.Sets;
 public interface SystemScopeService {
 
 	public static final String OFFLINE_ACCESS = "offline_access";
-	public static final Object OPENID_SCOPE = "openid";
+	public static final String OPENID_SCOPE = "openid";
 	public static final String ID_TOKEN_SCOPE = "id-token";
 	public static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
 	public static final String RESOURCE_TOKEN_SCOPE = "resource-token";

openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml

@@ -86,13 +86,13 @@
 		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
 	</security:http>
 
-	<!-- Allow open access to required endpoints -->
+	<!-- Allow open access to discovery endpoints -->
-	<security:http pattern="/jwk**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/jwk**" access="permitAll"/>
+		<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 	</security:http>
-	<security:http pattern="/.well-known/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
-		<security:intercept-url pattern="/.well-known/**" access="permitAll"/>
+		<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 	</security:http>
 
@@ -103,32 +103,32 @@
 	</security:http>
 	
 	<!-- OAuth-protect API and other endpoints -->
-	<security:http pattern="/register/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:intercept-url pattern="/register/**" access="permitAll"/>
 	</security:http>
 
-	<security:http pattern="/resource/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 		<security:intercept-url pattern="/resource/**" access="permitAll"/>
 	</security:http>
 
-	<security:http pattern="/userinfo**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+	<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>
 
- 	<security:http pattern="/api/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+ 	<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
 		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
 		<security:expression-handler ref="oauthWebExpressionHandler" />
 	</security:http>
 	
-	<security:http pattern="/introspect**" 
+	<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" 
 			use-expressions="true" 
 			entry-point-ref="oauthAuthenticationEntryPoint" 
 			create-session="stateless"
@@ -140,7 +140,7 @@
 		<security:custom-filter ref="clientCredentialsIntrospectionEndpointFilter" after="BASIC_AUTH_FILTER" />
 	</security:http>
 
-	<security:http pattern="/revoke**"
+	<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
 			use-expressions="true" 
 			entry-point-ref="oauthAuthenticationEntryPoint" 
 			create-session="stateless"

openid-connect-server/src/main/java/org/mitre/discovery/web/DiscoveryEndpoint.java

@@ -24,11 +24,16 @@ import org.mitre.discovery.util.WebfingerURLNormalizer;
 import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
 import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
 import org.mitre.oauth2.service.SystemScopeService;
+import org.mitre.oauth2.web.IntrospectionEndpoint;
+import org.mitre.oauth2.web.RevocationEndpoint;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
 import org.mitre.openid.connect.view.HttpCodeView;
 import org.mitre.openid.connect.view.JsonEntityView;
+import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint;
+import org.mitre.openid.connect.web.JWKSetPublishingEndpoint;
+import org.mitre.openid.connect.web.UserInfoEndpoint;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -58,6 +63,10 @@ import com.nimbusds.jose.JWSAlgorithm;
 @Controller
 public class DiscoveryEndpoint {
 
+	public static final String WELL_KNOWN_URL = ".well-known";
+	public static final String OPENID_CONFIGURATION_URL = WELL_KNOWN_URL + "/openid-configuration";
+	public static final String WEBFINGER_URL = WELL_KNOWN_URL + "/webfinger";
+
 	/**
 	 * Logger for this class
 	 */
@@ -91,7 +100,7 @@ public class DiscoveryEndpoint {
 		}
 	};
 
-	@RequestMapping(value={"/.well-known/webfinger"},
+	@RequestMapping(value={"/" + WEBFINGER_URL},
 			params={"resource", "rel=http://openid.net/specs/connect/1.0/issuer"}, produces = MediaType.APPLICATION_JSON_VALUE)
 	public String webfinger(@RequestParam("resource") String resource, Model model) {
 
@@ -135,7 +144,7 @@ public class DiscoveryEndpoint {
 		return "webfingerView";
 	}
 
-	@RequestMapping("/.well-known/openid-configuration")
+	@RequestMapping("/" + OPENID_CONFIGURATION_URL)
 	public String providerConfiguration(Model model) {
 
 		/*
@@ -273,11 +282,11 @@ public class DiscoveryEndpoint {
 		m.put("issuer", config.getIssuer());
 		m.put("authorization_endpoint", baseUrl + "authorize");
 		m.put("token_endpoint", baseUrl + "token");
-		m.put("userinfo_endpoint", baseUrl + "userinfo");
+		m.put("userinfo_endpoint", baseUrl + UserInfoEndpoint.URL);
 		//check_session_iframe
 		//end_session_endpoint
-		m.put("jwks_uri", baseUrl + "jwk");
+		m.put("jwks_uri", baseUrl + JWKSetPublishingEndpoint.URL);
-		m.put("registration_endpoint", baseUrl + "register");
+		m.put("registration_endpoint", baseUrl + DynamicClientRegistrationEndpoint.URL);
 		m.put("scopes_supported", scopeService.toStrings(scopeService.getUnrestricted())); // these are the scopes that you can dynamically register for, which is what matters for discovery
 		m.put("response_types_supported", Lists.newArrayList("code", "token")); // we don't support these yet: , "id_token", "id_token token"));
 		m.put("grant_types_supported", Lists.newArrayList("authorization_code", "implicit", "urn:ietf:params:oauth:grant-type:jwt-bearer", "client_credentials", "urn:ietf:params:oauth:grant_type:redelegate"));
@@ -328,8 +337,8 @@ public class DiscoveryEndpoint {
 		m.put("op_policy_uri", baseUrl + "about");
 		m.put("op_tos_uri", baseUrl + "about");
 
-		m.put("introspection_endpoint", baseUrl + "introspect"); // token introspection endpoint for verifying tokens
+		m.put("introspection_endpoint", baseUrl + IntrospectionEndpoint.URL); // token introspection endpoint for verifying tokens
-		m.put("revocation_endpoint", baseUrl + "revoke"); // token revocation endpoint
+		m.put("revocation_endpoint", baseUrl + RevocationEndpoint.URL); // token revocation endpoint
 
 		model.addAttribute("entity", m);
 

openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java

@@ -52,6 +52,11 @@ import com.google.common.collect.ImmutableMap;
 @Controller
 public class IntrospectionEndpoint {
 
+	/**
+	 * 
+	 */
+	public static final String URL = "introspect";
+
 	@Autowired
 	private OAuth2TokenEntityService tokenServices;
 
@@ -84,7 +89,7 @@ public class IntrospectionEndpoint {
 	}
 
 	@PreAuthorize("hasRole('ROLE_CLIENT')")
-	@RequestMapping("/introspect")
+	@RequestMapping("/" + URL)
 	public String verify(@RequestParam("token") String tokenValue,
 			@RequestParam(value = "resource_id", required = false) String resourceId,
 			@RequestParam(value = "token_type_hint", required = false) String tokenType,

openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java

@@ -45,8 +45,10 @@ public class RevocationEndpoint {
 	 */
 	private static final Logger logger = LoggerFactory.getLogger(RevocationEndpoint.class);
 
+	public static final String URL = "revoke";
+
 	@PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')")
-	@RequestMapping("/revoke")
+	@RequestMapping("/" + URL)
 	public String revoke(@RequestParam("token") String tokenValue, @RequestParam(value = "token_type_hint", required = false) String tokenType, Principal principal, Model model) {
 
 		// This is the token as passed in from OAuth (in case we need it some day)

openid-connect-server/src/main/java/org/mitre/oauth2/web/ScopeAPI.java

@@ -26,6 +26,7 @@ import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.view.HttpCodeView;
 import org.mitre.openid.connect.view.JsonEntityView;
 import org.mitre.openid.connect.view.JsonErrorView;
+import org.mitre.openid.connect.web.RootController;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -50,10 +51,12 @@ import com.google.gson.Gson;
  *
  */
 @Controller
-@RequestMapping("/api/scopes")
+@RequestMapping("/" + ScopeAPI.URL)
 @PreAuthorize("hasRole('ROLE_USER')")
 public class ScopeAPI {
 
+	public static final String URL = RootController.API_URL + "/scopes";
+	
 	@Autowired
 	private SystemScopeService scopeService;
 

openid-connect-server/src/main/java/org/mitre/oauth2/web/TokenAPI.java

@@ -29,6 +29,7 @@ import org.mitre.oauth2.view.TokenApiView;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.mitre.openid.connect.view.HttpCodeView;
 import org.mitre.openid.connect.view.JsonErrorView;
+import org.mitre.openid.connect.web.RootController;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -51,10 +52,12 @@ import org.springframework.web.bind.annotation.RequestMethod;
  *
  */
 @Controller
-@RequestMapping("/api/tokens")
+@RequestMapping("/" + TokenAPI.URL)
 @PreAuthorize("hasRole('ROLE_USER')")
 public class TokenAPI {
 
+	public static final String URL = RootController.API_URL + "/tokens";
+
 	@Autowired
 	private OAuth2TokenEntityService tokenService;
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ApprovedSiteAPI.java

@@ -49,10 +49,12 @@ import org.springframework.web.bind.annotation.RequestMethod;
  *
  */
 @Controller
-@RequestMapping("/api/approved")
+@RequestMapping("/" + ApprovedSiteAPI.URL)
 @PreAuthorize("hasRole('ROLE_USER')")
 public class ApprovedSiteAPI {
 
+	public static final String URL = RootController.API_URL + "/approved";
+
 	@Autowired
 	private ApprovedSiteService approvedSiteService;
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/BlacklistAPI.java

@@ -54,10 +54,12 @@ import com.google.gson.JsonSyntaxException;
  *
  */
 @Controller
-@RequestMapping("/api/blacklist")
+@RequestMapping("/" + BlacklistAPI.URL)
 @PreAuthorize("hasRole('ROLE_ADMIN')")
 public class BlacklistAPI {
 
+	public static final String URL = RootController.API_URL + "/blacklist";
+
 	@Autowired
 	private BlacklistedSiteService blacklistService;
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java

@@ -66,10 +66,12 @@ import com.google.gson.JsonSyntaxException;
  */
 
 @Controller
-@RequestMapping("/api/clients")
+@RequestMapping("/" + ClientAPI.URL)
 @PreAuthorize("hasRole('ROLE_USER')")
 public class ClientAPI {
 
+	public static final String URL = RootController.API_URL + "/clients";
+
 	@Autowired
 	private ClientDetailsEntityService clientService;
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/DataAPI.java

@@ -54,10 +54,12 @@ import com.google.gson.stream.JsonWriter;
  * 
  */
 @Controller
-@RequestMapping("/api/data")
+@RequestMapping("/" + DataAPI.URL)
 @PreAuthorize("hasRole('ROLE_ADMIN')") // you need to be an admin to even think about this -- this is a potentially dangerous API!!
 public class DataAPI {
 
+	public static final String URL = RootController.API_URL + "/data";
+
 	/**
 	 * Logger for this class
 	 */

openid-connect-server/src/main/java/org/mitre/openid/connect/web/DynamicClientRegistrationEndpoint.java

@@ -66,9 +66,11 @@ import com.google.common.collect.Sets;
 import com.google.gson.JsonSyntaxException;
 
 @Controller
-@RequestMapping(value = "register")
+@RequestMapping(value = DynamicClientRegistrationEndpoint.URL)
 public class DynamicClientRegistrationEndpoint {
 
+	public static final String URL = "register";
+
 	@Autowired
 	private ClientDetailsEntityService clientService;
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/JWKSetPublishingEndpoint.java

@@ -31,10 +31,12 @@ import com.nimbusds.jose.jwk.JWK;
 @Controller
 public class JWKSetPublishingEndpoint {
 
+	public static final String URL = "jwk";
+	
 	@Autowired
 	private JWTSigningAndValidationService jwtService;
 
-	@RequestMapping(value = "/jwk", produces = MediaType.APPLICATION_JSON_VALUE)
+	@RequestMapping(value = "/" + URL, produces = MediaType.APPLICATION_JSON_VALUE)
 	public String getJwk(Model m) {
 
 		// map from key id to key

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java

@@ -63,9 +63,14 @@ import com.google.common.base.Strings;
 import com.google.gson.JsonSyntaxException;
 
 @Controller
-@RequestMapping(value = "resource")
+@RequestMapping(value = ProtectedResourceRegistrationEndpoint.URL)
 public class ProtectedResourceRegistrationEndpoint {
 
+	/**
+	 * 
+	 */
+	public static final String URL = "resource";
+
 	@Autowired
 	private ClientDetailsEntityService clientService;
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/RootController.java

@@ -30,29 +30,25 @@ import org.springframework.web.bind.annotation.RequestMapping;
  */
 
 @Controller
-public class ManagerController {
+public class RootController {
+	
+	public static final String API_URL = "api";
 
 	@Autowired
 	private StatsService statsService;
 
 	@RequestMapping({"", "home", "index"})
 	public String showHomePage(ModelMap m) {
-
-		//Map<String, Integer> summary = statsService.getSummaryStats();
-
-		//m.put("statsSummary", summary);
 		return "home";
 	}
 
 	@RequestMapping({"about", "about/"})
 	public String showAboutPage(ModelMap m) {
-
 		return "about";
 	}
 
 	@RequestMapping({"stats", "stats/"})
 	public String showStatsPage(ModelMap m) {
-
 		Map<String, Integer> summary = statsService.getSummaryStats();
 
 		m.put("statsSummary", summary);
@@ -61,7 +57,6 @@ public class ManagerController {
 
 	@RequestMapping({"contact", "contact/"})
 	public String showContactPage(ModelMap m) {
-
 		return "contact";
 	}
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/StatsAPI.java

@@ -35,8 +35,11 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 
 @Controller
-@RequestMapping("/api/stats")
+@RequestMapping("/" + StatsAPI.URL)
 public class StatsAPI {
+
+	public static final String URL = RootController.API_URL + "/stats";
+
 	// Logger for this class
 	private static final Logger logger = LoggerFactory.getLogger(StatsAPI.class);
 

openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java

@@ -20,6 +20,7 @@ import java.util.List;
 
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.UserInfo;
 import org.mitre.openid.connect.service.UserInfoService;
 import org.mitre.openid.connect.view.HttpCodeView;
@@ -52,8 +53,11 @@ import com.google.common.base.Strings;
  *
  */
 @Controller
+@RequestMapping("/" + UserInfoEndpoint.URL)
 public class UserInfoEndpoint {
 
+	public static final String URL = "userinfo";
+	
 	@Autowired
 	private UserInfoService userInfoService;
 
@@ -74,8 +78,8 @@ public class UserInfoEndpoint {
 	/**
 	 * Get information about the user as specified in the accessToken included in this request
 	 */
-	@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('openid')")
+	@PreAuthorize("hasRole('ROLE_USER') and #oauth2.hasScope('" + SystemScopeService.OPENID_SCOPE + "')")
-	@RequestMapping(value="/userinfo", method= {RequestMethod.GET, RequestMethod.POST}, produces = {MediaType.APPLICATION_JSON_VALUE, JOSE_MEDIA_TYPE_VALUE})
+	@RequestMapping(method= {RequestMethod.GET, RequestMethod.POST}, produces = {MediaType.APPLICATION_JSON_VALUE, JOSE_MEDIA_TYPE_VALUE})
 	public String getInfo(@RequestParam(value="claims", required=false) String claimsRequestJsonString,
 			@RequestHeader(value="Accept", required=false) String acceptHeader,
 			OAuth2Authentication auth, Model model) {

openid-connect-server/src/main/java/org/mitre/openid/connect/web/WhitelistAPI.java

@@ -54,10 +54,12 @@ import com.google.gson.JsonParser;
  *
  */
 @Controller
-@RequestMapping("/api/whitelist")
+@RequestMapping("/" + WhitelistAPI.URL)
 @PreAuthorize("hasRole('ROLE_USER')")
 public class WhitelistAPI {
 
+	public static final String URL = RootController.API_URL + "/whitelist";
+
 	@Autowired
 	private WhitelistedSiteService whitelistService;