github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

cleaned up UMA server overlay

pull/1192/merge
Justin Richer 2017-02-16 18:23:32 -05:00
parent 52d2298f99
commit 3acb71763a
7 changed files with 183 additions and 345 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml
View File

@ -144,7 +144,7 @@
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
@ -157,7 +157,7 @@
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
@ -170,6 +170,10 @@
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<!-- Additional endpoints for extensions (such as UMA) -->
<import resource="endpoint-config.xml" />
<!-- SECOAUTH Authorization Server -->
<import resource="authz-config.xml" />

35
openid-connect-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml Normal file
View File

@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2017 The MITRE Corporation
and the MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- This file allows you to define additional endpoints, it's normally empty in the OIDC server and has entries in the UMA server -->
</beans>

22
uma-server-webapp/src/main/resources/db/hsql/scopes.sql
View File

@ -10,25 +10,25 @@ START TRANSACTION;
-- Insert scope information into the temporary tables.
--
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
('openid', 'log in using your identity', 'user', false, true, false, null),
('profile', 'basic profile information', 'list-alt', false, true, false, null),
('email', 'email address', 'envelope', false, true, false, null),
('address', 'physical address', 'home', false, true, false, null),
('phone', 'telephone number', 'bell', false, true, false, null),
('offline_access', 'offline access', 'time', false, false, false, null),
('uma_protection', 'manage protected resources', 'briefcase', false, false, false, null),
('uma_authorization', 'request access to protected resources', 'share', false, false, false, null);
INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope) VALUES
('openid', 'log in using your identity', 'user', false, true),
('profile', 'basic profile information', 'list-alt', false, true),
('email', 'email address', 'envelope', false, true),
('address', 'physical address', 'home', false, true),
('phone', 'telephone number', 'bell', false, true),
('offline_access', 'offline access', 'time', false, false),
('uma_protection', 'manage protected resources', 'briefcase', false, false),
('uma_authorization', 'request access to protected resources', 'share', false, false);
--
-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
--
MERGE INTO system_scope
USING (SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope, structured, structured_param_description)
USING (SELECT scope, description, icon, restricted, default_scope FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope)
ON vals.scope = system_scope.scope
WHEN NOT MATCHED THEN
INSERT (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope, vals.structured, vals.structured_param_description);
INSERT (scope, description, icon, restricted, default_scope) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope);
COMMIT;

282
uma-server-webapp/src/main/webapp/WEB-INF/application-context.xml
View File

@ -1,282 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2017 The MITRE Corporation
and the MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- Scan for components -->
<context:component-scan annotation-config="true" base-package="org.mitre" />
<!-- Enables the Spring MVC @Controller programming model -->
<tx:annotation-driven transaction-manager="transactionManager" />
<mvc:annotation-driven ignore-default-model-on-redirect="true">
<mvc:message-converters>
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
</mvc:message-converters>
</mvc:annotation-driven>
<mvc:interceptors>
<!-- Inject the UserInfo into the response -->
<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
<!-- Inject the server configuration into the response -->
<bean id="serverConfigInterceptor" class="org.mitre.openid.connect.web.ServerConfigInterceptor" />
</mvc:interceptors>
<mvc:default-servlet-handler />
<!-- Bean to hold configuration properties -->
<import resource="server-config.xml" />
<!-- Import the data context -->
<import resource="data-context.xml" />
<!-- SPEL processors -->
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<!-- Spring Security configuration -->
<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" />
<security:http pattern="/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
use-expressions="true">
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
<security:intercept-url pattern="/token" access="isAuthenticated()" />
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Allow open access to discovery endpoints -->
<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Allow open access to all static resources -->
<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- OAuth-protect API and other endpoints -->
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:intercept-url pattern="/register/**" access="permitAll"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:intercept-url pattern="/resource/**" access="permitAll"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.uma.web.ResourceSetRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.uma.web.PermissionRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.uma.web.AuthorizationRequestEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- <security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" /> -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- <security:custom-filter ref="resourceServerFilter" after="CHANNEL_FILTER" /> -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="openidconnect" />
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<!-- SECOAUTH Authorization Server -->
<import resource="authz-config.xml" />
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
<bean id="clientAuthMatcher" class="org.mitre.openid.connect.filter.MultiUrlRequestMatcher">
<constructor-arg name="filterProcessesUrls">
<set>
<value>/introspect</value>
<value>/revoke</value>
<value>/token</value>
</set>
</constructor-arg>
</bean>
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
</bean>
<bean id="clientAssertionEndpointFilter" class="org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
</bean>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientUserDetailsService" />
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
</security:authentication-manager>
<security:authentication-manager id="clientAssertionAuthenticationManager">
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
</security:authentication-manager>
<bean id="clientAssertionAuthenticationProvider" class="org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider" />
<!-- Configure locale information -->
<import resource="locale-config.xml" />
<!-- user services -->
<import resource="user-context.xml" />
<!-- assertion processing -->
<import resource="assertion-config.xml" />
<!-- End Spring Security configuration -->
<!-- JPA -->
<import resource="jpa-config.xml" />
<!-- End JPA -->
<!-- Crypto -->
<import resource="crypto-config.xml" />
<!-- End Crypto -->
<!-- View configuration -->
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
<property name="order" value="2" />
</bean>
<!-- Resolve views based on string names -->
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
<property name="order" value="1" />
</bean>
<!-- End view configuration -->
<!--Import scheduled task configuration -->
<import resource="task-config.xml" />
<!-- import application-local configuration information (such as bean definitions) -->
<import resource="local-config.xml" />
</beans>

54
uma-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml Normal file
View File

@ -0,0 +1,54 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2017 The MITRE Corporation
and the MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<security:http pattern="/#{T(org.mitre.uma.web.ResourceSetRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.uma.web.PermissionRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(org.mitre.uma.web.AuthorizationRequestEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
</beans>

10
uma-server-webapp/src/main/webapp/WEB-INF/server-config.xml
View File

@ -43,7 +43,7 @@
<!-- This property sets the lifetime of registration access tokens, in seconds. Leave it unset (null) for no rotation. -->
<!-- <property name="regTokenLifeTime" value="172800" /> -->
<!-- This property forces the issuer value to start with "https" -->
<!-- This property forces the issuer value to start with "https", recommended on production servers -->
<!-- <property name="forceHttps" value="true" /> -->
<!-- This property sets the locale for server text -->
@ -56,6 +56,14 @@
<value>messages</value>
</list>
</property>
<!-- This property indicates if a dynamically registered client supports dual flows, such as client_credentials
at the same time with authorization_code or implicit -->
<!-- <property name="dualClient" value="true" /> -->
<!-- This property turns on HEART compliance mode -->
<!-- <property name="heartMode" value="true" /> -->
</bean>
</beans>

117
uma-server-webapp/src/main/webapp/resources/js/admin.js
View File

@ -94,22 +94,7 @@ var ListWidgetChildView = Backbone.View.extend({
this.model.destroy({
dataType: false, processData: false,
error:function (error, response) {
console.log("An error occurred when deleting from a list widget");
//Pull out the response text.
var responseJson = JSON.parse(response.responseText);
//Display an alert with an error message
$('#modalAlert div.modal-header').html(responseJson.error);
$('#modalAlert div.modal-body').html(responseJson.error_description);
$("#modalAlert").modal({ // wire up the actual modal functionality and show the dialog
"backdrop" : "static",
"keyboard" : true,
"show" : true // ensure the modal is shown immediately
});
}
error:app.errorHandlerView.handleError()
});
},
@ -390,14 +375,14 @@ var ErrorHandlerView = Backbone.View.extend({
message = {};
}
if (message.log) {
console.log(message.log);
}
var _self = this;
return function(model, response, options) {
if (message.log) {
console.log(message.log);
}
_self.showErrorMessage(
_self.headerTemplate({message: message, model: model, response: response, options: options}),
_self.template({message: message, model: model, response: response, options: options})
@ -406,8 +391,8 @@ var ErrorHandlerView = Backbone.View.extend({
$('#modalAlert .modal-body .page-reload').on('click', _self.reloadPage);
}
},
},
showErrorMessage:function(header, message) {
// hide the sheet if it's visible
$('#loadingbox').sheet('hide');
@ -554,21 +539,42 @@ var AppRouter = Backbone.Router.extend({
contacts.push(userInfo.email);
}
client.set({
tokenEndpointAuthMethod: "SECRET_BASIC",
generateClientSecret:true,
displayClientSecret:false,
requireAuthTime:true,
defaultMaxAge:60000,
scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
accessTokenValiditySeconds:3600,
idTokenValiditySeconds:600,
grantTypes: ["authorization_code"],
responseTypes: ["code"],
subjectType: "PUBLIC",
jwksType: "URI",
contacts: contacts
}, { silent: true });
// use a different set of defaults based on heart mode flag
if (heartMode) {
client.set({
tokenEndpointAuthMethod: "PRIVATE_KEY",
generateClientSecret:false,
displayClientSecret:false,
requireAuthTime:true,
defaultMaxAge:60000,
scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
accessTokenValiditySeconds:3600,
refreshTokenValiditySeconds:24*3600,
idTokenValiditySeconds:300,
grantTypes: ["authorization_code"],
responseTypes: ["code"],
subjectType: "PUBLIC",
jwksType: "URI",
contacts: contacts
}, { silent: true });
} else {
// set up this new client to require a secret and have us autogenerate one
client.set({
tokenEndpointAuthMethod: "SECRET_BASIC",
generateClientSecret:true,
displayClientSecret:false,
requireAuthTime:true,
defaultMaxAge:60000,
scope: _.uniq(_.flatten(app.systemScopeList.defaultScopes().pluck("value"))),
accessTokenValiditySeconds:3600,
idTokenValiditySeconds:600,
grantTypes: ["authorization_code"],
responseTypes: ["code"],
subjectType: "PUBLIC",
jwksType: "URI",
contacts: contacts
}, { silent: true });
}
$('#content').html(view.render().el);
@ -921,17 +927,30 @@ var AppRouter = Backbone.Router.extend({
contacts.push(userInfo.email);
}
client.set({
require_auth_time:true,
default_max_age:60000,
scope: _.uniq(_.flatten(app.systemScopeList.defaultUnrestrictedScopes().pluck("value"))).join(" "),
token_endpoint_auth_method: 'client_secret_basic',
grant_types: ["authorization_code"],
response_types: ["code"],
subject_type: "public",
contacts: contacts
}, { silent: true });
if (heartMode) {
client.set({
require_auth_time:true,
default_max_age:60000,
scope: _.uniq(_.flatten(app.systemScopeList.defaultUnrestrictedScopes().pluck("value"))).join(" "),
token_endpoint_auth_method: 'private_key_jwt',
grant_types: ["authorization_code"],
response_types: ["code"],
subject_type: "public",
contacts: contacts
}, { silent: true });
} else {
client.set({
require_auth_time:true,
default_max_age:60000,
scope: _.uniq(_.flatten(app.systemScopeList.defaultUnrestrictedScopes().pluck("value"))).join(" "),
token_endpoint_auth_method: 'client_secret_basic',
grant_types: ["authorization_code"],
response_types: ["code"],
subject_type: "public",
contacts: contacts
}, { silent: true });
}
$('#content').html(view.render().el);
view.delegateEvents();
setPageTitle($.t('dynreg.new-client'));