diff --git a/perun-oidc-server-webapp/src/main/resources/logback.xml b/perun-oidc-server-webapp/src/main/resources/logback.xml
index fa230a84a..37d6367df 100644
--- a/perun-oidc-server-webapp/src/main/resources/logback.xml
+++ b/perun-oidc-server-webapp/src/main/resources/logback.xml
@@ -55,7 +55,7 @@
 <logger name="cz.muni.ics" level="${log.level}"/>
 <logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/>
 <logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/>
- <logger name="cz.muni.ics.openid.connect.web.EndSessionEndpoint" level="${log.level}"/>
+ <logger name="cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint" level="${log.level}"/>
 <logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
 </configuration>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml
index d5ef99ee5..a6a41b25c 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/application-context.xml
@@ -17,104 +17,16 @@
 limitations under the License.
 -->
 <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:tx="http://www.springframework.org/schema/tx"
 xmlns:context="http://www.springframework.org/schema/context"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
- xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
- http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
- http://www.springframework.org/schema/mvc
- http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-4.2.xsd
+ xsi:schemaLocation="
 http://www.springframework.org/schema/beans
 http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
- http://www.springframework.org/schema/tx
- http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
 http://www.springframework.org/schema/context
 http://www.springframework.org/schema/context/spring-context-4.3.xsd">
 <!-- Scan for components -->
- <context:component-scan annotation-config="true" base-package="cz.muni.ics" />
-
- <!-- Enables the Spring MVC @Controller programming model -->
- <tx:annotation-driven transaction-manager="transactionManager" />
- <mvc:annotation-driven ignore-default-model-on-redirect="true">
- <mvc:message-converters>
- <bean class="org.springframework.http.converter.StringHttpMessageConverter" />
- <bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
- </mvc:message-converters>
- </mvc:annotation-driven>
-
- <bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.UserInfoInterceptor" />
- <bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.ServerConfigInterceptor" />
- <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
- <property name="paramName" value="lang"/>
- </bean>
- <mvc:interceptors>
- <mvc:interceptor>
- <mvc:mapping path="/**"/>
- <ref bean="localeChangeInterceptor"/>
- </mvc:interceptor>
- <mvc:interceptor>
- <!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
- <mvc:mapping path="/**" />
- <mvc:exclude-mapping path="/token**"/>
- <mvc:exclude-mapping path="/resources/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
- <mvc:exclude-mapping path="/saml**" />
- <!-- Inject the UserInfo into the response -->
- <ref bean="userInfoInterceptor" />
- </mvc:interceptor>
- <mvc:interceptor>
- <!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
- <mvc:mapping path="/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
- <mvc:exclude-mapping path="/resources/**" />
- <mvc:exclude-mapping path="/token**"/>
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
- <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
- <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
- <!-- Inject the server configuration into the response -->
- <ref bean="serverConfigInterceptor"/>
- </mvc:interceptor>
- </mvc:interceptors>
-
- <mvc:default-servlet-handler />
+ <context:component-scan base-package="cz.muni.ics" />
 <!-- Bean to hold configuration properties -->
 <import resource="server-config.xml" />
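Review bot: Nothing in this patch shows where `tx:annotation-driven`, `mvc:annotation-driven` with its message converters, `mvc:default-servlet-handler` and the three interceptors with their exclude-mapping lists went once this hunk leaves only `<context:component-scan base-package="cz.muni.ics" />` behind; presumably they move to the `web-context.xml` that the last hunk of this file imports, but that file is not in the diff, so a reader of application-context.xml can no longer tell how MVC or transactions are wired. Dropping `annotation-config="true"` is harmless, since that is the default for component-scan. I would add a pointer next to the scan, e.g. `<!-- MVC, interceptors and transaction management are configured in web-context.xml -->` (adjusted to wherever they actually live).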
@@ -122,186 +34,6 @@
 <!-- Import the data context -->
 <import resource="data-context.xml" />
- <!-- SPEL processors -->
- <security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
- <!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
- <security:expression-handler ref="oauthExpressionHandler" />
- </security:global-method-security>
-
- <oauth:expression-handler id="oauthExpressionHandler" />
-
- <oauth:web-expression-handler id="oauthWebExpressionHandler" />
-
- <bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
-
- <!-- Spring Security configuration -->
-
- <oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
-
- <security:http pattern="/token"
- create-session="stateless"
- authentication-manager-ref="clientAuthenticationManager"
- entry-point-ref="oauthAuthenticationEntryPoint"
- use-expressions="true">
-
- <security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
- <security:intercept-url pattern="/token" access="isAuthenticated()" />
- <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
- <!-- include this only if you need to authenticate clients via request parameters -->
- <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
- <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:access-denied-handler ref="oauthAccessDeniedHandler" />
- <security:csrf disabled="true"/>
- </security:http>
-
- <!-- Allow open access to discovery endpoints -->
- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
- <security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:csrf disabled="true"/>
- </security:http>
- <security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
- <security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:csrf disabled="true"/>
- </security:http>
-
- <!-- Allow open access to all static resources -->
- <security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
- <security:intercept-url pattern="/resources/**" access="permitAll"/>
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:csrf disabled="true"/>
- </security:http>
-
- <!-- OAuth-protect API and other endpoints -->
- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:expression-handler ref="oauthWebExpressionHandler" />
- <security:intercept-url pattern="/register/**" access="permitAll"/>
- <security:csrf disabled="true"/>
- </security:http>
-
- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:expression-handler ref="oauthWebExpressionHandler" />
- <security:intercept-url pattern="/resource/**" access="permitAll"/>
- <security:csrf disabled="true"/>
- </security:http>
-
- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:expression-handler ref="oauthWebExpressionHandler" />
- <security:csrf disabled="true"/>
- </security:http>
-
- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:expression-handler ref="oauthWebExpressionHandler" />
- <security:csrf disabled="true"/>
- </security:http>
-
- <security:http pattern="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**"
- use-expressions="true"
- entry-point-ref="oauthAuthenticationEntryPoint"
- create-session="stateless"
- authentication-manager-ref="clientAuthenticationManager">
- <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
- <!-- include this only if you need to authenticate clients via request parameters -->
- <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
- <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:access-denied-handler ref="oauthAccessDeniedHandler" />
- <security:csrf disabled="true"/>
- </security:http>
-
- <security:http pattern="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**"
- use-expressions="true"
- entry-point-ref="oauthAuthenticationEntryPoint"
- create-session="stateless"
- authentication-manager-ref="clientAuthenticationManager">
- <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
- <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:csrf disabled="true"/>
- </security:http>
-
- <security:http pattern="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**"
- use-expressions="true"
- entry-point-ref="oauthAuthenticationEntryPoint"
- create-session="stateless"
- authentication-manager-ref="clientAuthenticationManager">
- <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
- <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
- <security:custom-filter ref="mdcFilter" before="FIRST"/>
- <security:csrf disabled="true"/>
- </security:http>
-
- <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
- <property name="realmName" value="openidconnect" />
- </bean>
-
- <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
-
- <!-- Additional endpoints for extensions (such as UMA) -->
-
- <import resource="endpoint-config.xml" />
-
- <!-- SECOAUTH Authorization Server -->
-
- <import resource="authz-config.xml" />
-
- <bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
-
- <bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
- <constructor-arg name="filterProcessesUrls">
- <set>
- <value>/introspect</value>
- <value>/revoke</value>
- <value>/token</value>
- </set>
- </constructor-arg>
- </bean>
-
- <bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
- <property name="authenticationManager" ref="clientAuthenticationManager" />
- <property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
- </bean>
-
- <bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
- <constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
- <property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
- </bean>
-
- <security:authentication-manager id="clientAuthenticationManager">
- <security:authentication-provider user-service-ref="clientUserDetailsService" />
- <security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
- </security:authentication-manager>
-
- <security:authentication-manager id="clientAssertionAuthenticationManager">
- <security:authentication-provider ref="clientAssertionAuthenticationProvider" />
- </security:authentication-manager>
-
- <bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
-
 <!-- Configure locale information -->
 <import resource="locale-config.xml" />
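Review bot: No replacement is visible anywhere in this patch for the `<security:global-method-security pre-post-annotations="enabled" ...>` element and the per-endpoint `security:http` chains (token, JWKS, discovery, resources, register, resource, userinfo, API, device, introspect, revoke) and client authentication managers that this hunk removes. If method security is not re-enabled in whatever replaces this file, `@PreAuthorize` annotations on the controllers silently become no-ops, and if the chains are not recreated the token, introspection and revocation endpoints lose their http-basic and client-assertion authentication while `<security:csrf disabled="true"/>` is no longer confined to stateless, client-authenticated chains. Presumably all of this moves to the newly imported `web-context.xml` or to a `@Configuration` class, but that cannot be verified from the diff; I would check the replacement chain by chain, in particular that `mdcFilter` still runs before FIRST and `clientAssertionEndpointFilter` still precedes `clientCredentialsEndpointFilter`, and say so in the commit description. The same concern applies to the `security:http` chain removed from user-context.xml at the end of this diff, whose hunk is cut off by the page.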
@@ -311,49 +43,15 @@
 <!-- assertion processing -->
 <import resource="assertion-config.xml" />
- <!-- End Spring Security configuration -->
- <!-- JPA -->
- <import resource="jpa-config.xml" />
- <!-- End JPA -->
- <!-- Crypto -->
- <import resource="crypto-config.xml" />
-
- <!-- End Crypto -->
-
- <!-- View configuration -->
-
- <!-- Handles HTTP GET requests for /resources/** by efficiently serving
- up static resources in the ${webappRoot}/resources directory -->
- <mvc:resources mapping="/resources/**" location="/resources/" />
-
- <!-- Resolves views selected for rendering by @Controllers to .jsp resources
- in the /WEB-INF/views directory -->
- <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
- <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
- <property name="prefix" value="/WEB-INF/views/" />
- <property name="suffix" value=".jsp" />
- <property name="order" value="2" />
- </bean>
-
- <!-- Resolve views based on string names -->
- <bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
- <property name="order" value="1" />
- </bean>
-
- <!-- End view configuration -->
-
- <!--Import scheduled task configuration -->
- <import resource="task-config.xml" />
 <!-- Import configuration for front-end (JavaScript) UI components -->
 <import resource="ui-config.xml" />
- <!-- import application-local configuration information (such as bean definitions) -->
- <import resource="local-config.xml" />
+ <import resource="web-context.xml" />
 </beans>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
deleted file mode 100644
index 4ca0109b9..000000000
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/authz-config.xml
+++ /dev/null
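Review bot: The imports of `jpa-config.xml` and `crypto-config.xml` are dropped here, yet in the part of the diff shown only task-config.xml, local-config.xml, authz-config.xml and endpoint-config.xml are deleted, so unless the new `web-context.xml` imports those two files the JPA and crypto beans disappear from the context without any error in this file; the same goes for the two view resolvers and `mvc:resources`. Removing `local-config.xml`, which the deleted file itself describes as the hook a local deployment overrides, means a deployment that overlaid its own copy loses that configuration with no startup failure to flag it. I would either keep the `<import resource="local-config.xml" />` line (an empty file costs nothing) or name the new override mechanism in the commit description, and add a comment next to the new import such as `<!-- web-context.xml carries the MVC, security and JPA/crypto wiring formerly declared here -->` once that is confirmed.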
@@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Copyright 2018 The MIT Internet Trust Consortium
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
- xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
- http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
-
- <oauth:authorization-server
- client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
- authorization-request-manager-ref="connectOAuth2RequestFactory"
- token-services-ref="defaultOAuth2ProviderTokenService"
- user-approval-handler-ref="tofuUserApprovalHandler"
- request-validator-ref="oauthRequestValidator"
- redirect-resolver-ref="blacklistAwareRedirectResolver"
- authorization-endpoint-url="/authorize"
- token-endpoint-url="/token"
- error-page="/error">
-
- <oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
- <oauth:implicit/>
- <oauth:refresh-token/>
- <oauth:client-credentials/>
- <oauth:custom-grant token-granter-ref="chainedTokenGranter" />
- <oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
- <oauth:custom-grant token-granter-ref="deviceTokenGranter" />
-
- </oauth:authorization-server>
-
- <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
-
- <bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
-
- <!-- Error page handler. -->
- <mvc:view-controller path="/error" view-name="error" />
-
-</beans>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
deleted file mode 100644
index 44390d5de..000000000
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/endpoint-config.xml
+++ /dev/null
@@ -1,46 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Copyright 2018 The MIT Internet Trust Consortium
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
- xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
- http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
-
- <security:http pattern="/devicecodeMFA/**"
- use-expressions="true"
- entry-point-ref="oauthAuthenticationEntryPoint"
- create-session="stateless"
- authentication-manager-ref="clientAuthenticationManager">
- <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
- <!-- include this only if you need to authenticate clients via request parameters -->
- <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
- <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
- <security:access-denied-handler ref="oauthAccessDeniedHandler" />
- <security:csrf disabled="true"/>
- </security:http>
-
-</beans>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml
deleted file mode 100644
index 3e5fef8e8..000000000
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/local-config.xml
+++ /dev/null
@@ -1,36 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Copyright 2018 The MIT Internet Trust Consortium
-
- Portions copyright 2011-2013 The MITRE Corporation
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:mvc="http://www.springframework.org/schema/mvc"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:context="http://www.springframework.org/schema/context"
- xmlns:security="http://www.springframework.org/schema/security"
- xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
- xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
- http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
- http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
-
-
-<!-- Empty: Override this file in your local project to change configuration options. -->
-
-</beans>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml
deleted file mode 100644
index 4719b08e3..000000000
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/task-config.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- Copyright 2018 The MIT Internet Trust Consortium
-
- Portions copyright 2011-2013 The MITRE Corporation
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:task="http://www.springframework.org/schema/task"
- xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd
- http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
-
-</beans>
diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
index 0ef67be68..9441f224a 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/user-context.xml
@@ -73,8 +73,6 @@
 <prop key="saml.idp.defaultIdpEntityId"/>
 <prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
 <prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
- <prop key="saml.proxy.spEntityId"/>
- <prop key="saml.internalReferrers"/> <!-- comma separated list of URLs (which are matched as prefixes) -->
 <prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
 <prop key="saml.acrs.enableComparison">false</prop>
 <prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</prop>
@@ -474,295 +472,6 @@ <property name="testSpAttr" value="testSp" /> </bean> - <!-- authentication --> - - <!--suppress SpringXmlModelInspection --> - <security:http auto-config="false" - use-expressions="true" - entry-point-ref="samlEntryPoint" - create-session="always" - authentication-manager-ref="authenticationManager"> - <security:csrf disabled="true"/> - <security:intercept-url pattern="/saml/**" access="permitAll()"/> - <security:intercept-url pattern="/logout" access="permitAll()"/> - <security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" access="permitAll()"/> - <security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" access="permitAll()"/> - <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/> - <security:custom-filter ref="mdcMuFilter" before="FIRST"/> - <security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/> - <security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/> - <security:custom-filter ref="samlFilter" before="CSRF_FILTER"/> - <security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/> - <security:custom-filter ref="callPerunFiltersFilter" before="LAST"/> - <security:logout logout-url="/saml/logout"/> - </security:http> - - <security:authentication-manager id="authenticationManager"> - <security:authentication-provider ref="authenticationProvider"/> - </security:authentication-manager> - - <bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/> - - <!-- SAML --> - - <bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter"> - <constructor-arg name="oidcIssuer" value="${main.oidc.issuer.url}"/> - <constructor-arg name="idpEntityId" value="${saml.idp.defaultIdpEntityId}"/> - <constructor-arg name="proxySpEntityId" value="${saml.proxy.spEntityId}"/> - <constructor-arg name="internalReferrers" 
value="#{'${saml.internalReferrers}'.split('\s*,\s*')}"/> - <constructor-arg name="contextLogoutHandler" ref="logoutHandler"/> - </bean> - - <bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery"> - <property name="contextProvider" ref="samlContextProvider"/> - <property name="samlEntryPoint" ref="samlEntryPoint"/> - <property name="metadata" ref="metadata"/> - </bean> - - <bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler"> - <property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/> - </bean> - - <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> - <property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/> - <property name="useForward" value="true"/> - </bean> - - <bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler"> - <property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/> - <property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/> - </bean> - - <bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> - <property name="clearAuthentication" value="true"/> - <property name="invalidateHttpSession" value="true"/> - </bean> - - <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter"> - <constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/> - <constructor-arg name="handlers" ref="logoutHandler"/> - </bean> - - <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter"> - <constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/> - <constructor-arg name="localHandler" 
ref="logoutHandler"/> - <constructor-arg name="globalHandlers" ref="logoutHandler"/> - </bean> - - <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> - <constructor-arg name="storeFile"> - <bean class="org.springframework.core.io.FileSystemResource"> - <constructor-arg name="path" value="${saml.keystore.location}"/> - </bean> - </constructor-arg> - <constructor-arg name="storePass" value="${saml.keystore.password}"/> - <constructor-arg name="passwords"> - <map> - <entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/> - </map> - </constructor-arg> - <constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/> - </bean> - - <bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata"> - <property name="idpDiscoveryEnabled" value="false"/> - </bean> - - <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> - <constructor-arg name="generator"> - <bean class="org.springframework.security.saml.metadata.MetadataGenerator"> - <property name="includeDiscoveryExtension" value="false"/> - <property name="entityId" value="${saml.entityID}"/> - <property name="extendedMetadata" ref="extendedMetadata"/> - <property name="wantAssertionSigned" value="true"/> - <property name="requestSigned" value="true"/> - </bean> - </constructor-arg> - <property name="normalizeBaseUrl" value="true"/> - </bean> - - <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/> - - <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> - <property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/> - <property name="refreshCheckInterval" value="3600000"/> - <property name="refreshRequired" value="true"/> - <constructor-arg name="providers"> - <list> - <ref bean="idpMetadata"/> - </list> - </constructor-arg> - </bean> - - <bean id="parserPool" 
class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/> - - <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/> - - <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> - <constructor-arg name="bindings"> - <list> - <bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding"> - <constructor-arg name="parserPool" ref="parserPool"/> - <constructor-arg name="encoder"> - <bean class="cz.muni.ics.oidc.saml.PerunPostEncoder"> - <constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/> - <constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/> - </bean> - </constructor-arg> - <constructor-arg name="decoder"> - <bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder"> - <constructor-arg name="pool" ref="parserPool"/> - </bean> - </constructor-arg> - </bean> - <bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding"> - <constructor-arg name="encoder"> - <bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/> - </constructor-arg> - <constructor-arg name="decoder"> - <bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder"> - <constructor-arg name="pool" ref="parserPool"/> - </bean> - </constructor-arg> - </bean> - </list> - </constructor-arg> - </bean> - - <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter"> - <property name="authenticationManager" ref="authenticationManager"/> - <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> - <property name="authenticationFailureHandler" ref="authenticationFailureHandler"/> - </bean> - - <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> - <constructor-arg name="filterChains"> - <list> - <bean 
class="org.springframework.security.web.DefaultSecurityFilterChain"> - <constructor-arg name="requestMatcher"> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" - value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/> - </bean> - </constructor-arg> - <constructor-arg name="filters"> - <list> - <ref bean="metadataDisplayFilter"/> - </list> - </constructor-arg> - </bean> - <bean class="org.springframework.security.web.DefaultSecurityFilterChain"> - <constructor-arg name="requestMatcher"> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" - value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/> - </bean> - </constructor-arg> - <constructor-arg name="filters"> - <list> - <ref bean="samlWebSSOProcessingFilter"/> - </list> - </constructor-arg> - </bean> - <bean class="org.springframework.security.web.DefaultSecurityFilterChain"> - <constructor-arg name="requestMatcher"> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" - value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/> - </bean> - </constructor-arg> - <constructor-arg name="filters"> - <list> - <ref bean="samlDiscovery"/> - </list> - </constructor-arg> - </bean> - <bean class="org.springframework.security.web.DefaultSecurityFilterChain"> - <constructor-arg name="requestMatcher"> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" - value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/> - </bean> - </constructor-arg> - <constructor-arg name="filters"> - <list> - <ref bean="samlEntryPoint"/> - </list> - </constructor-arg> - </bean> - <bean class="org.springframework.security.web.DefaultSecurityFilterChain"> - <constructor-arg 
name="requestMatcher"> - <bean class="org.springframework.security.web.util.matcher.OrRequestMatcher"> - <constructor-arg name="requestMatchers"> - <list> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" - value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/> - </bean> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" value="/logout"/> - </bean> - </list> - </constructor-arg> - </bean> - </constructor-arg> - <constructor-arg name="filters"> - <list> - <ref bean="samlLogoutFilter"/> - </list> - </constructor-arg> - </bean> - <bean class="org.springframework.security.web.DefaultSecurityFilterChain"> - <constructor-arg name="requestMatcher"> - <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"> - <constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/> - </bean> - </constructor-arg> - <constructor-arg name="filters"> - <list> - <ref bean="samlLogoutProcessingFilter"/> - </list> - </constructor-arg> - </bean> - </list> - </constructor-arg> - </bean> - - <bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions"> - <property name="includeScoping" value="false"/> - </bean> - - <bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint"> - <property name="defaultProfileOptions" ref="webSSOProfileOptions"/> - </bean> - - <bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/> - - <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"> - <property name="logMessagesOnException" value="true"/> - <property name="logErrors" value="true"/> - </bean> - - <bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/> - - <bean 
id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl"> - <property name="enableComparison" value="${saml.acrs.enableComparison}"/> - <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/> - <property name="maxAuthenticationAge" value="360"/> - </bean> - - <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/> - - <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> - - <bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/> - - <bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider"> - <constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/> - </bean> - - <bean class="org.springframework.security.saml.SAMLBootstrap"/> - <!-- END SAML --> <bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/> @@ -778,7 +487,7 @@ <bean id="oidcTokenService" class="cz.muni.ics.oidc.server.PerunOIDCTokenService" primary="true"/> - <bean id="callPerunFiltersFilter" class="cz.muni.ics.oidc.server.filters.CallPerunFiltersFilter"/> + <bean id="authProcFilters" class="cz.muni.ics.oidc.server.filters.AuthProcFiltersContainer"/> <bean id="htmlClasses" class="cz.muni.ics.oidc.web.WebHtmlClasses"> <constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp index 32e2a3dba..9c6a74347 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approve.jsp 
@@ -37,7 +37,7 @@ </h1> <form name="confirmationForm" - action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }authorize" method="post"> + action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post"> <div class="row"> <div class="span5 offset1 well-small" style="text-align: left"> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp index 4a5462ba5..dbcdc1108 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/approveDevice.jsp @@ -37,7 +37,7 @@ </h1> <form name="confirmationForm" - action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approved" method="post"> + action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post"> <div class="row"> <div class="span5 offset1 well-small" style="text-align: left"> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp index df4dd18e2..94d1eaae7 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/requestUserCode.jsp @@ -39,7 +39,7 @@ </c:if> - <form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/code" method="POST"> + <form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device" method="POST"> <div class="row-fluid"> <div class="span12"> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp index 8aead87e5..1ba620d71 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp 
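Review bot: The consent form in approve.jsp now POSTs to `auth/authorize`, yet no CSRF token field is visible in the hunk and the catch-all `security:http` chain added in web-context.xml (the one guarded by `hasRole('ROLE_USER')`) carries `<security:csrf disabled="true"/>`, so nothing in the filter chain rejects a cross-site POST of this approval. If the rest of the page relies on a `${_csrf}` hidden input, that request attribute is not populated once the CSRF filter is disabled, so the field would be emitted empty. Presumably the authorize endpoint itself binds the submitted approval to the pending authorization request held in the HTTP session; if that is the only protection, state it above the form, e.g. `<%-- CSRF filter is disabled on this chain; approval is bound to the session-scoped authorization request --%>`, otherwise re-enable CSRF for this chain or add an explicit token to the form. The `<form>` element continues outside the hunk.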
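Review bot: The device-approval form action in approveDevice.jsp hard-codes the path `auth/device/approved` while web-context.xml addresses the same endpoint through `T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).DEVICE_APPROVED_URL`, so the view and the security mapping can drift apart silently — exactly the kind of move (`device/approved` to `auth/device/approved`) this commit had to make by hand. Consider exposing the constant to the view instead, e.g. `action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }${ deviceApprovedUrl }"` with the controller placing `DeviceEndpoint.DEVICE_APPROVED_URL` into the model (judging from the mapping patterns that put no `/` before it, the constant presumably already carries a leading slash that would need trimming). The same applies to the `auth/authorize` and `auth/device` literals changed in the sibling JSPs.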
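Review bot: The user-code form in requestUserCode.jsp now POSTs to `auth/device`, while web-context.xml registers a separate stateless, client-authenticated chain for `#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**` with a trailing `**`; if `ENDPOINT_URL` resolves to that same `/auth/device` prefix, the client-credentials chain (HTTP Basic / client assertion, no SAML session) would capture this browser POST and `auth/device/approved` before the session-based catch-all chain sees them. I cannot confirm the constant's value from the diff, so please verify that `ENDPOINT_URL` is distinct from `REQUEST_USER_CODE_URL` and `DEVICE_APPROVED_URL`, or narrow that chain to the exact path, e.g. `pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}"`. A comment on the form naming the constant the literal mirrors would also help future moves, e.g. `<%-- must match DeviceEndpoint.REQUEST_USER_CODE_URL --%>`.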
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApprove.jsp @@ -30,7 +30,7 @@ <div id="content"> <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" /> <form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ? - pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}authorize"> + pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize"> <p> <c:if test="${not empty client.policyUri}"> <spring:message code="consent_privacy_policy"/>${" "} diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp index 80b75a830..329c74fb6 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedApproveDevice.jsp @@ -33,7 +33,7 @@ <div id="content"> <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" /> <form name="confirmationForm" - action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approved" method="post"> + action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post"> <p> <c:if test="${not empty client.policyUri}"> <spring:message code="device_approve_privacy"/>${" "}<a target='_blank' href='${fn:escapeXml(client.policyUri)}'><em>${fn:escapeXml(client.clientName)}</em></a> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp index b3130f9f8..9b3ab9611 100644 --- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/views/themedRequestUserCode.jsp 
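Review bot: themedApprove.jsp builds the consent form action from `pageContext.request.contextPath` whereas themedApproveDevice.jsp, touched in the same commit, builds the equivalent action from `config.issuer`; the two only resolve to the same origin when the configured issuer matches the servlet context as the browser sees it, and a reverse proxy or non-root context path can break one consent form but not the other. Pick one base for all consent/approval forms — the issuer-based form is what approve.jsp and both device pages use — e.g. `action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize"`. If the difference is intentional, record the reason in a comment above the form so the next path move does not "fix" it.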
@@ -52,7 +52,7 @@ </c:choose> <form name="confirmationForm" class="mt-2" method="POST" - action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/code"> + action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device"> <div class="row-fluid"> <div class="span12"> <div> diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml new file mode 100644 index 000000000..1c8371d42 --- /dev/null +++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml 
@@ -0,0 +1,634 @@ +<beans xmlns="http://www.springframework.org/schema/beans" + xmlns:mvc="http://www.springframework.org/schema/mvc" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:tx="http://www.springframework.org/schema/tx" + xmlns:security="http://www.springframework.org/schema/security" + xmlns:oauth="http://www.springframework.org/schema/security/oauth2" + xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 + http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd + http://www.springframework.org/schema/mvc + http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd + http://www.springframework.org/schema/security + http://www.springframework.org/schema/security/spring-security-4.2.xsd + http://www.springframework.org/schema/beans + http://www.springframework.org/schema/beans/spring-beans-4.3.xsd + http://www.springframework.org/schema/tx + http://www.springframework.org/schema/tx/spring-tx-4.3.xsd"> + + <bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.UserInfoInterceptor" /> + <bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.ServerConfigInterceptor" /> + <bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor"> + <property name="paramName" value="lang"/> + </bean> + + <!-- Enables the Spring MVC @Controller programming model --> + <tx:annotation-driven /> + + <bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/> + + <!-- MVC --> + + <!-- Error page handler. 
--> + <mvc:view-controller path="/error" view-name="error" /> + + <mvc:annotation-driven ignore-default-model-on-redirect="true"> + <mvc:message-converters> + <bean class="org.springframework.http.converter.StringHttpMessageConverter" /> + <bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" /> + </mvc:message-converters> + </mvc:annotation-driven> + + <mvc:interceptors> + <mvc:interceptor> + <mvc:mapping path="/**"/> + <ref bean="localeChangeInterceptor"/> + </mvc:interceptor> + <mvc:interceptor> + <!-- Exclude APIs and other machine-facing endpoints from these interceptors --> + <mvc:mapping path="/**" /> + <mvc:exclude-mapping path="/token**"/> + <mvc:exclude-mapping path="/resources/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_URL}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_INIT_URL}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).DEVICE_APPROVED_URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" /> + <mvc:exclude-mapping 
path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" /> + 
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" /> + <mvc:exclude-mapping path="/saml**" /> + <!-- Inject the UserInfo into the response --> + <ref bean="userInfoInterceptor" /> + </mvc:interceptor> + <mvc:interceptor> + <!-- Exclude APIs and other machine-facing endpoints from these interceptors --> + <mvc:mapping path="/**" /> + <mvc:exclude-mapping path="/token**"/> + <mvc:exclude-mapping path="/resources/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" /> + <mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" /> + <mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" /> + <!-- Inject the server configuration into the response --> + <ref bean="serverConfigInterceptor"/> + </mvc:interceptor> + </mvc:interceptors> + + <!-- Handles HTTP GET requests for /resources/** by efficiently serving + up static resources in the ${webappRoot}/resources directory --> + <mvc:resources mapping="/resources/**" location="/resources/" /> + + <mvc:default-servlet-handler /> + + <!-- SECURITY --> + + <!-- SPEL processor --> + 
<security:global-method-security pre-post-annotations="enabled" + proxy-target-class="true" + authentication-manager-ref="authenticationManager"> + <security:expression-handler ref="oauthExpressionHandler" /> + </security:global-method-security> + + <!-- Token endpoint --> + <security:http pattern="/token" + create-session="stateless" + authentication-manager-ref="clientAuthenticationManager" + entry-point-ref="oauthAuthenticationEntryPoint" + use-expressions="true"> + <security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff --> + <security:intercept-url pattern="/token" access="isAuthenticated()" /> + <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" /> + <!-- include this only if you need to authenticate clients via request parameters --> + <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first --> + <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" /> + <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> + <security:custom-filter ref="mdcFilter" before="FIRST"/> + <security:access-denied-handler ref="oauthAccessDeniedHandler" /> + <security:csrf disabled="true"/> + </security:http> + + <!-- Userinfo endpoint --> + <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" + use-expressions="true" + entry-point-ref="oauthAuthenticationEntryPoint" + create-session="stateless"> + <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> + <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> + <security:custom-filter ref="mdcFilter" before="FIRST"/> + <security:expression-handler ref="oauthWebExpressionHandler" /> + <security:csrf disabled="true"/> + </security:http> + + <!-- Introspection endpoint --> + <security:http 
pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" + use-expressions="true" + entry-point-ref="oauthAuthenticationEntryPoint" + create-session="stateless" + authentication-manager-ref="clientAuthenticationManager"> + <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" /> + <security:custom-filter ref="mdcFilter" before="FIRST"/> + <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> + <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first --> + <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> + <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" /> + <security:csrf disabled="true"/> + </security:http> + + <!-- Revocation endpoint --> + <security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" + use-expressions="true" + entry-point-ref="oauthAuthenticationEntryPoint" + create-session="stateless" + authentication-manager-ref="clientAuthenticationManager"> + <security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" /> + <security:custom-filter ref="mdcFilter" before="FIRST"/> + <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> + <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first --> + <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> + <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" /> + <security:csrf disabled="true"/> + </security:http> + + <!-- Device endpoint --> + <security:http pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" + use-expressions="true" + entry-point-ref="oauthAuthenticationEntryPoint" + create-session="stateless" + authentication-manager-ref="clientAuthenticationManager"> + <security:http-basic 
entry-point-ref="oauthAuthenticationEntryPoint" />
+ <!-- include this only if you need to authenticate clients via request parameters -->
+ <security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
+ <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+ <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+ <security:custom-filter ref="mdcFilter" before="FIRST"/>
+ <security:access-denied-handler ref="oauthAccessDeniedHandler" />
+ <security:csrf disabled="true"/>
+ </security:http>
+
+ <!-- JWK endpoint -->
+ <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**"
+ use-expressions="true"
+ entry-point-ref="http403EntryPoint"
+ create-session="stateless">
+ <security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
+ <security:custom-filter ref="mdcFilter" before="FIRST"/>
+ <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+ <security:csrf disabled="true"/>
+ </security:http>
+
+ <!-- Well-known -->
+ <security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**"
+ use-expressions="true"
+ entry-point-ref="http403EntryPoint"
+ create-session="stateless">
+ <security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
+ <security:custom-filter ref="mdcFilter" before="FIRST"/>
+ <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+ <security:csrf disabled="true"/>
+ </security:http>
+
+ <!--Static resources -->
+ <security:http pattern="/resources/**"
+ use-expressions="true"
+ entry-point-ref="http403EntryPoint"
+ create-session="stateless">
+ <security:intercept-url pattern="/resources/**" access="permitAll"/>
+ <security:custom-filter ref="mdcFilter" before="FIRST"/>
+ <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+ <security:csrf disabled="true"/>
+ </security:http>
+
+ <!-- GUI -->
+ <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**"
+ use-expressions="true"
+ entry-point-ref="oauthAuthenticationEntryPoint"
+ create-session="never">
+ <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+ <security:custom-filter ref="mdcFilter" before="FIRST"/>
+ <security:expression-handler ref="oauthWebExpressionHandler" />
+ <security:csrf disabled="true"/>
+ </security:http>
+
+ <security:http auto-config="false"
+ use-expressions="true"
+ entry-point-ref="samlEntryPoint"
+ create-session="always"
+ authentication-manager-ref="authenticationManager">
+ <security:csrf disabled="true"/>
+ <security:intercept-url pattern="#{T(cz.muni.ics.oauth2.web.endpoint.AuthorizationEndpoint).ENDPOINT_INIT_URL}"
+ access="permitAll()"/>
+ <security:intercept-url pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_INIT_URL}"
+ access="permitAll()"/>
+ <security:intercept-url pattern="/saml/**" access="permitAll()"/>
+ <security:intercept-url pattern="/logout" access="permitAll()"/>
+ <security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"
+ access="permitAll()"/>
+ <security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"
+ access="permitAll()"/>
+ <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
+ <security:custom-filter ref="mdcMuFilter" before="FIRST"/>
+ <security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
+ <security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
+ <security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
+ <security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
+ <security:custom-filter ref="authProcFilters" before="LAST"/>
+ <security:logout logout-url="/saml/logout"/>
+ </security:http>
+
+ <security:authentication-manager id="clientAuthenticationManager">
+ <security:authentication-provider user-service-ref="clientUserDetailsService" />
+ <security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
+ </security:authentication-manager>
+
+ <security:authentication-manager id="clientAssertionAuthenticationManager">
+ <security:authentication-provider ref="clientAssertionAuthenticationProvider" />
+ </security:authentication-manager>
+
+ <security:authentication-manager id="authenticationManager">
+ <security:authentication-provider ref="authenticationProvider"/>
+ </security:authentication-manager>
+
+ <!-- Dynamic registration endpoint -->
+<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
+<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
+<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
+<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
+<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
+<!-- <security:intercept-url pattern="/register/**" access="permitAll"/>-->
+<!-- <security:csrf disabled="true"/>-->
+<!-- </security:http>-->
+
+<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
+<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
+<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
+<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
+<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
+<!-- <security:intercept-url pattern="/resource/**" access="permitAll"/>-->
+<!-- <security:csrf disabled="true"/>-->
+<!-- </security:http>-->
+
+ <bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
+ <property name="realmName" value="openidconnect" />
+ </bean>
+
+ <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
+
+ <bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
+
+ <bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
+ <constructor-arg name="filterProcessesUrls">
+ <set>
+ <value>/introspect</value>
+ <value>/revoke</value>
+ <value>/token</value>
+ </set>
+ </constructor-arg>
+ </bean>
+
+ <bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
+ <property name="authenticationManager" ref="clientAuthenticationManager" />
+ <property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
+ </bean>
+
+ <bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
+ <constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
+ <property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
+ </bean>
+
+ <bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
+
+ <!-- Resolves views selected for rendering by @Controllers to .jsp resources
+ in the /WEB-INF/views directory -->
+ <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+ <property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
+ <property name="prefix" value="/WEB-INF/views/" />
+ <property name="suffix" value=".jsp" />
+ <property name="order" value="2" />
+ </bean>
+
+ <!-- Resolve views based on string names -->
+ <bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
+ <property name="order" value="1" />
+ </bean>
+
+ <bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
+
+ <!-- SAML -->
+ <bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
+ <constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
+ </bean>
+
+ <bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
+ <property name="contextProvider" ref="samlContextProvider"/>
+ <property name="samlEntryPoint" ref="samlEntryPoint"/>
+ <property name="metadata" ref="metadata"/>
+ </bean>
+
+ <bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
+ <property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
+ </bean>
+
+ <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
+ <property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
+ <property name="useForward" value="true"/>
+ </bean>
+
+ <bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
+ <property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
+ <property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
+ </bean>
+
+ <bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
+ <property name="clearAuthentication" value="true"/>
+ <property name="invalidateHttpSession" value="true"/>
+ </bean>
+
+ <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
+ <constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
+ <constructor-arg name="handlers" ref="logoutHandler"/>
+ </bean>
+
+ <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
+ <constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
+ <constructor-arg name="localHandler" ref="logoutHandler"/>
+ <constructor-arg name="globalHandlers" ref="logoutHandler"/>
+ </bean>
+
+ <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
+ <constructor-arg name="storeFile">
+ <bean class="org.springframework.core.io.FileSystemResource">
+ <constructor-arg name="path" value="${saml.keystore.location}"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="storePass" value="${saml.keystore.password}"/>
+ <constructor-arg name="passwords">
+ <map>
+ <entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
+ </map>
+ </constructor-arg>
+ <constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
+ </bean>
+
+ <bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
+ <property name="idpDiscoveryEnabled" value="false"/>
+ </bean>
+
+ <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
+ <constructor-arg name="generator">
+ <bean class="org.springframework.security.saml.metadata.MetadataGenerator">
+ <property name="includeDiscoveryExtension" value="false"/>
+ <property name="entityId" value="${saml.entityID}"/>
+ <property name="extendedMetadata" ref="extendedMetadata"/>
+ <property name="wantAssertionSigned" value="true"/>
+ <property name="requestSigned" value="true"/>
+ </bean>
+ </constructor-arg>
+ <property name="normalizeBaseUrl" value="true"/>
+ </bean>
+
+ <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
+
+ <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
+ <property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
+ <property name="refreshCheckInterval" value="3600000"/>
+ <property name="refreshRequired" value="true"/>
+ <constructor-arg name="providers">
+ <list>
+ <ref bean="idpMetadata"/>
+ </list>
+ </constructor-arg>
+ </bean>
+
+ <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
+
+ <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
+
+ <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
+ <constructor-arg name="bindings">
+ <list>
+ <bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
+ <constructor-arg name="parserPool" ref="parserPool"/>
+ <constructor-arg name="encoder">
+ <bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
+ <constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
+ <constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="decoder">
+ <bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
+ <constructor-arg name="pool" ref="parserPool"/>
+ </bean>
+ </constructor-arg>
+ </bean>
+ <bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
+ <constructor-arg name="encoder">
+ <bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
+ </constructor-arg>
+ <constructor-arg name="decoder">
+ <bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
+ <constructor-arg name="pool" ref="parserPool"/>
+ </bean>
+ </constructor-arg>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+
+ <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
+ <property name="authenticationManager" ref="authenticationManager"/>
+ <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
+ <property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
+ </bean>
+
+ <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
+ <constructor-arg name="filterChains">
+ <list>
+ <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+ <constructor-arg name="requestMatcher">
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern"
+ value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="filters">
+ <list>
+ <ref bean="metadataDisplayFilter"/>
+ </list>
+ </constructor-arg>
+ </bean>
+ <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+ <constructor-arg name="requestMatcher">
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern"
+ value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="filters">
+ <list>
+ <ref bean="samlWebSSOProcessingFilter"/>
+ </list>
+ </constructor-arg>
+ </bean>
+ <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+ <constructor-arg name="requestMatcher">
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern"
+ value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="filters">
+ <list>
+ <ref bean="samlDiscovery"/>
+ </list>
+ </constructor-arg>
+ </bean>
+ <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+ <constructor-arg name="requestMatcher">
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern"
+ value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="filters">
+ <list>
+ <ref bean="samlEntryPoint"/>
+ </list>
+ </constructor-arg>
+ </bean>
+ <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+ <constructor-arg name="requestMatcher">
+ <bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
+ <constructor-arg name="requestMatchers">
+ <list>
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern"
+ value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
+ </bean>
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern" value="/logout"/>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="filters">
+ <list>
+ <ref bean="samlLogoutFilter"/>
+ </list>
+ </constructor-arg>
+ </bean>
+ <bean class="org.springframework.security.web.DefaultSecurityFilterChain">
+ <constructor-arg name="requestMatcher">
+ <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
+ <constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="filters">
+ <list>
+ <ref bean="samlLogoutProcessingFilter"/>
+ </list>
+ </constructor-arg>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+
+ <bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
+ <property name="includeScoping" value="false"/>
+ </bean>
+
+ <bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
+ <property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
+ </bean>
+
+ <bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
+
+ <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
+ <property name="logMessagesOnException" value="true"/>
+ <property name="logErrors" value="true"/>
+ </bean>
+
+ <bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
+
+ <bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
+ <property name="enableComparison" value="${saml.acrs.enableComparison}"/>
+ <property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
+ <property name="maxAuthenticationAge" value="360"/>
+ </bean>
+
+ <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
+
+ <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
+
+ <bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
+
+ <bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
+ <constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
+ </bean>
+
+ <bean class="org.springframework.security.saml.SAMLBootstrap"/>
+
+ <!-- END SAML -->
+
+ <!-- OAuth -->
+
+ <oauth:authorization-server
+ client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
+ authorization-request-manager-ref="connectOAuth2RequestFactory"
+ token-services-ref="defaultOAuth2ProviderTokenService"
+ user-approval-handler-ref="tofuUserApprovalHandler"
+ request-validator-ref="oauthRequestValidator"
+ redirect-resolver-ref="blacklistAwareRedirectResolver"
+ authorization-endpoint-url="/auth/authorize"
+ token-endpoint-url="/token"
+ error-page="/error">
+
+ <oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
+ <oauth:implicit/>
+ <oauth:refresh-token/>
+ <oauth:client-credentials/>
+ <oauth:custom-grant token-granter-ref="chainedTokenGranter" />
+ <oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
+ <oauth:custom-grant token-granter-ref="deviceTokenGranter" />
+
+ </oauth:authorization-server>
+
+ <oauth:resource-server id="resourceServerFilter"
+ token-services-ref="defaultOAuth2ProviderTokenService"
+ stateless="false" />
+
+ <oauth:expression-handler id="oauthExpressionHandler" />
+
+ <oauth:web-expression-handler id="oauthWebExpressionHandler" />
+
+ <bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
+
+ <bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
+
+</beans>
\ No newline at end of file
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java
index fd7bca2e7..8b3e417d1 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/discovery/web/DiscoveryEndpoint.java
@@ -28,18 +28,18 @@ import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
 import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
 import cz.muni.ics.oauth2.model.PKCEAlgorithm;
 import cz.muni.ics.oauth2.service.SystemScopeService;
-import cz.muni.ics.oauth2.web.DeviceEndpoint;
-import cz.muni.ics.oauth2.web.IntrospectionEndpoint;
-import cz.muni.ics.oauth2.web.RevocationEndpoint;
+import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
+import cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint;
+import cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint;
 import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
 import cz.muni.ics.openid.connect.model.UserInfo;
 import cz.muni.ics.openid.connect.service.UserInfoService;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
-import cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint;
-import cz.muni.ics.openid.connect.web.EndSessionEndpoint;
-import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint;
-import cz.muni.ics.openid.connect.web.UserInfoEndpoint;
+import cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint;
+import cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint;
+import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
+import cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java
index c2175afe7..660c1371d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/DeviceTokenGranter.java
@@ -20,7 +20,7 @@ import cz.muni.ics.oauth2.exception.AuthorizationPendingException;
 import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException;
 import cz.muni.ics.oauth2.model.DeviceCode;
 import cz.muni.ics.oauth2.service.DeviceCodeService;
-import cz.muni.ics.oauth2.web.DeviceEndpoint;
+import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
 import java.util.Date;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/ScopeAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/ScopeAPI.java
similarity index 97%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/ScopeAPI.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/ScopeAPI.java
index 8feb60797..700469ade 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/ScopeAPI.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/ScopeAPI.java
@@ -18,7 +18,7 @@
 /**
  *
  */
-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.api;

 import com.google.gson.Gson;
 import cz.muni.ics.oauth2.model.SystemScope;
@@ -26,7 +26,7 @@ import cz.muni.ics.oauth2.service.SystemScopeService;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
-import cz.muni.ics.openid.connect.web.RootController;
+import cz.muni.ics.openid.connect.web.controller.GuiController;
 import java.util.Set;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -50,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 @Slf4j
 public class ScopeAPI {

- public static final String URL = RootController.API_URL + "/scopes";
+ public static final String URL = GuiController.API_URL + "/scopes";

 @Autowired
 private SystemScopeService scopeService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/TokenAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/TokenAPI.java
similarity index 98%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/TokenAPI.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/TokenAPI.java
index 4bd657a6a..e9dae6a0a 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/TokenAPI.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/api/TokenAPI.java
@@ -15,7 +15,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *******************************************************************************/
-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.api;

 import cz.muni.ics.oauth2.model.ClientDetailsEntity;
 import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
@@ -27,7 +27,7 @@ import cz.muni.ics.openid.connect.service.OIDCTokenService;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
-import cz.muni.ics.openid.connect.web.RootController;
+import cz.muni.ics.openid.connect.web.controller.GuiController;
 import java.security.Principal;
 import java.util.List;
 import java.util.Set;
@@ -53,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 @Slf4j
 public class TokenAPI {

- public static final String URL = RootController.API_URL + "/tokens";
+ public static final String URL = GuiController.API_URL + "/tokens";

 @Autowired
 private OAuth2TokenEntityService tokenService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/OAuthConfirmationController.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
similarity index 99%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/OAuthConfirmationController.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
index 2ebfb4b63..68243c78b 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/OAuthConfirmationController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/controller/OAuthConfirmationController.java
@@ -18,7 +18,7 @@
 /**
  *
  */
-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.controller;

 import com.google.common.base.Joiner;
 import com.google.common.base.Splitter;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java
new file mode 100644
index 000000000..339a5caf0
--- /dev/null
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java
@@ -0,0 +1,25 @@
+package cz.muni.ics.oauth2.web.endpoint;
+
+import javax.servlet.http.HttpServletRequest;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.view.RedirectView;
+
+@Controller
+@Slf4j
+public class AuthorizationEndpoint {
+
+ public static final String ENDPOINT_INIT_URL = "/authorize";
+ public static final String ENDPOINT_URL = "/auth/authorize";
+
+ @RequestMapping(value = ENDPOINT_INIT_URL)
+ public RedirectView authorize(HttpServletRequest req) {
+ String redirect = ENDPOINT_URL + '?' + req.getQueryString();
+ RedirectView view = new RedirectView(redirect);
+ view.setContextRelative(true);
+ log.debug("Authorization endpoint - {}: user is being redirected to to: {}", ENDPOINT_INIT_URL, redirect);
+ return view;
+ }
+
+}
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
similarity index 94%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
index 76655760b..967163287 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/DeviceEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/DeviceEndpoint.java
@@ -14,7 +14,7 @@
  * limitations under the License.
  *******************************************************************************/

-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.endpoint;

 import cz.muni.ics.oauth2.exception.DeviceCodeCreationException;
 import cz.muni.ics.oauth2.model.ClientDetailsEntity;
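Review bot: `authorize` builds the target with `ENDPOINT_URL + '?' + req.getQueryString()` and `HttpServletRequest.getQueryString()` returns null when there is no query, so a bare request to `/authorize` is redirected to `/auth/authorize?null`; the sibling redirector this commit adds to DeviceEndpoint guards the query with `StringUtils.hasText`, and this one should behave the same, e.g. `String qs = req.getQueryString();` then `String redirect = ENDPOINT_URL + (qs == null ? "" : '?' + qs);`. Because only the query string is carried across the (presumably 302) redirect, a POST authorization request would lose its form body silently; restricting the mapping to `@GetMapping(value = ENDPOINT_INIT_URL)` makes that contract explicit, and the same applies to `DeviceEndpoint.authorize` later in this diff. The log message in both methods reads "redirected to to". This mapping is `permitAll()` in application-context.xml, which is consistent with it being the first hop of the authorization flow, and a one-line class comment saying so (`/** Unauthenticated entry URL; redirects to ENDPOINT_URL, which is the real authorization endpoint. */`) would save the next reader a trip to the XML.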
@@ -35,7 +35,6 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
 import java.net.URISyntaxException;
-import java.security.Principal;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashMap;
@@ -57,13 +56,14 @@ import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
-import org.springframework.security.saml.SAMLCredential;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.ModelMap;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.servlet.view.RedirectView;

 /**
  * Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow
@@ -120,9 +120,10 @@ public class DeviceEndpoint {
 // other
 public static final String DEFAULT = "default";
 public static final String ENDPOINT_URL = "/devicecode";
- public static final String REQUEST_USER_CODE_URL = "/device/code";
- public static final String CHECK_USER_CODE_URL = "/device/checkcode";
- public static final String DEVICE_APPROVED_URL = "/device/approved";
+ public static final String REQUEST_USER_CODE_INIT_URL = "/device";
+ public static final String REQUEST_USER_CODE_URL = "/auth/device";
+ public static final String CHECK_USER_CODE_URL = "/auth/device/authorize";
+ public static final String DEVICE_APPROVED_URL = "/auth/device/approved";

 private final ClientDetailsEntityService clientService;
 private final SystemScopeService scopeService;
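Review bot: The new URL constants are defined here, but the same paths are repeated as string literals elsewhere in this commit: the rewritten `MATCHER` in SamlInvalidateSessionFilter (last hunk of the diff) uses `new AntPathRequestMatcher("/authorize")` and `new AntPathRequestMatcher("/device")` rather than `AuthorizationEndpoint.ENDPOINT_INIT_URL` and `DeviceEndpoint.REQUEST_USER_CODE_INIT_URL`, while application-context.xml does reference the constants for its `permitAll()` rules. If either entry URL is renamed again the session-invalidation matcher and the access rules will drift apart without a compile error, so the filter should reference the constants. A short comment on the new constant would also document the split, e.g. `// unauthenticated entry URL; redirects to REQUEST_USER_CODE_URL, which requires ROLE_USER`.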
@@ -184,7 +185,7 @@ public class DeviceEndpoint {
 if (StringUtils.hasText(acrValues)) {
 uriParams.put(ACR_VALUES, acrValues);
 }
- String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_URL;
+ String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_INIT_URL;
 response.put(VERIFICATION_URI, constructVerificationURI(uriBase, uriParams));

 if (perunOidcConfig.getConfigBean().isAllowCompleteDeviceCodeUri()) {
@@ -210,6 +211,16 @@ public class DeviceEndpoint {
 }
 }

+ @RequestMapping(value = REQUEST_USER_CODE_INIT_URL)
+ public RedirectView authorize(HttpServletRequest req) {
+ String redirect = REQUEST_USER_CODE_URL +
+ (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : "");
+ RedirectView view = new RedirectView(redirect);
+ view.setContextRelative(true);
+ log.debug("User device endpoint - {}: user is being redirected to to: {}", REQUEST_USER_CODE_INIT_URL, redirect);
+ return view;
+ }
+
 @PreAuthorize("hasRole('ROLE_USER')")
 @GetMapping(value = REQUEST_USER_CODE_URL)
 public String requestUserCode(@RequestParam(value = USER_CODE, required = false) String userCode,
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/IntrospectionEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/IntrospectionEndpoint.java
similarity index 98%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/IntrospectionEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/IntrospectionEndpoint.java
index 45ec000ae..9de0221ad 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/IntrospectionEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/IntrospectionEndpoint.java
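Review bot: `authorize` in this hunk and `AuthorizationEndpoint.authorize` (new file earlier in this diff) are the same context-relative redirect of the incoming query string written twice, and the two copies already disagree on how a missing query string is handled; a small shared helper such as `static RedirectView redirectWithQuery(String target, HttpServletRequest req)` in a common class would keep the two entry URLs behaving alike. The method signature uses `HttpServletRequest`, but none of this commit's import hunks for DeviceEndpoint adds `javax.servlet.http.HttpServletRequest`, so it is presumably already imported further up the file — worth confirming before merge. The first hunk now points the `verification_uri` at `REQUEST_USER_CODE_INIT_URL`, which is the unauthenticated redirector; a comment there, `// point devices at the permitAll() entry URL, not the ROLE_USER-protected page`, would explain why the constant was swapped. `requestUserCode` continues outside the hunk.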
@@ -15,7 +15,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *******************************************************************************/
-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.endpoint;

 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
@@ -26,6 +26,7 @@ import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
 import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
 import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
 import cz.muni.ics.oauth2.service.SystemScopeService;
+import cz.muni.ics.oauth2.web.AuthenticationUtilities;
 import cz.muni.ics.openid.connect.model.UserInfo;
 import cz.muni.ics.openid.connect.service.UserInfoService;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/RevocationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/RevocationEndpoint.java
similarity index 99%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/RevocationEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/RevocationEndpoint.java
index 58584a35d..cd2a366a1 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/RevocationEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/endpoint/RevocationEndpoint.java
@@ -15,7 +15,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *******************************************************************************/
-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.endpoint;

 import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/CorsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/filter/CorsFilter.java
similarity index 98%
rename from perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/CorsFilter.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/filter/CorsFilter.java
index 041ec9c74..5f93ee1e5 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/CorsFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/web/filter/CorsFilter.java
@@ -18,7 +18,7 @@
 /**
  *
  */
-package cz.muni.ics.oauth2.web;
+package cz.muni.ics.oauth2.web.filter;

 import java.io.IOException;
 import javax.servlet.FilterChain;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java
index 584e67bc4..483e317aa 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/saml/SamlInvalidateSessionFilter.java
@@ -1,14 +1,6 @@
 package cz.muni.ics.oidc.saml;

-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
-import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
-import static org.springframework.http.HttpHeaders.REFERER;
-
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.stream.Collectors;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
@@ -20,45 +12,20 @@ import org.springframework.security.web.authentication.logout.SecurityContextLog import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; -import org.springframework.util.StringUtils; import org.springframework.web.filter.GenericFilterBean; @Slf4j public class SamlInvalidateSessionFilter extends GenericFilterBean { - private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); - private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); - private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN); - private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**"); private static final RequestMatcher MATCHER = new OrRequestMatcher( - Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); + new AntPathRequestMatcher("/authorize"), + new AntPathRequestMatcher("/device") + ); private final SecurityContextLogoutHandler contextLogoutHandler; - private final List<String> internalReferrers = new ArrayList<>(); - public SamlInvalidateSessionFilter(String idpEntityId, - String oidcIssuer, - String proxySpEntityId, - SecurityContextLogoutHandler contextLogoutHandler, - String[] internalReferrers) - { - if (StringUtils.hasText(idpEntityId)) { - this.internalReferrers.add(idpEntityId); - } - if (StringUtils.hasText(oidcIssuer)) { - this.internalReferrers.add(oidcIssuer); - } - if (StringUtils.hasText(proxySpEntityId)) { - this.internalReferrers.add(proxySpEntityId); - } + public SamlInvalidateSessionFilter(SecurityContextLogoutHandler contextLogoutHandler) { this.contextLogoutHandler = contextLogoutHandler; - if (internalReferrers != null && 
internalReferrers.length > 0) { - List<String> referrers = Arrays.asList(internalReferrers); - referrers = referrers.stream().filter(StringUtils::hasText).collect(Collectors.toList()); - if (!referrers.isEmpty()) { - this.internalReferrers.addAll(referrers); - } - } } @Override @@ -68,25 +35,10 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res = (HttpServletResponse) response; if (MATCHER.matches(req)) { - String referer = req.getHeader(REFERER); - if (!isInternalReferer(referer)) { - log.debug("Got external referer, clear session to reauthenticate"); - contextLogoutHandler.logout(req, res, null); - } + log.debug("Invalidate session to enable SAML IdP re-authentication"); + contextLogoutHandler.logout(req, res, null); } chain.doFilter(req, res); } - private boolean isInternalReferer(String referer) { - if (!StringUtils.hasText(referer)) { - return false; - } - for (String internal : internalReferrers) { - if (referer.startsWith(internal)) { - return true; - } - } - return false; - } - } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java similarity index 65% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java index 3d5503c97..d736dc4f8 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilter.java 
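Review bot: The new MATCHER hard-codes `"/authorize"` and `"/device"` while the same commit changes `PerunFilterConstants.AUTHORIZE_REQ_PATTERN` to `/auth/authorize` and `DEVICE_APPROVE_REQ_PATTERN` to `/auth/device/authorize` (the PerunFilterConstants hunk), which AuthProcFiltersContainer uses for its own matcher; AntPathRequestMatcher compares against the servlet path, so only one of the two spellings can match the real request path and either the forced re-authentication or the auth-proc filters silently never runs. Reusing the constants here keeps both filters on the same paths: `new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN), new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN)`. The `/**` variants were dropped as well, so sub-paths are no longer covered; if that is intended, a comment on MATCHER saying so would help the next reader. Dropping the referer check also means every matched request calls `contextLogoutHandler.logout`; if that handler invalidates the HTTP session, the attributes the auth-proc filters rely on (the APPLIED markers, APPROVED, RETURN_URL) are lost on the return trip from the AUP or registration pages, which could loop, so that interaction deserves a test.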
@@ -1,20 +1,14 @@ package cz.muni.ics.oidc.server.filters; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN; - import java.io.IOException; +import java.security.Principal; import java.util.Arrays; import java.util.HashSet; import java.util.Set; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import lombok.extern.slf4j.Slf4j; -import org.springframework.security.web.util.matcher.AntPathRequestMatcher; -import org.springframework.security.web.util.matcher.OrRequestMatcher; -import org.springframework.security.web.util.matcher.RequestMatcher; /** * Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this. @@ -39,7 +33,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher; * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ @Slf4j -public abstract class PerunRequestFilter { +public abstract class AuthProcFilter { private static final String DELIMITER = ","; private static final String CLIENT_IDS = "clientIds"; @@ -49,7 +43,7 @@ public abstract class PerunRequestFilter { private Set<String> clientIds = new HashSet<>(); private Set<String> subs = new HashSet<>(); - public PerunRequestFilter(PerunRequestFilterParams params) { + public AuthProcFilter(AuthProcFilterParams params) { filterName = params.getFilterName(); if (params.hasProperty(CLIENT_IDS)) { @@ -65,6 +59,8 @@ public abstract class PerunRequestFilter { log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds); } + protected abstract String getSessionAppliedParamName(); + /** * In this method is done whole logic of filer * 
@@ -73,31 +69,51 @@ public abstract class PerunRequestFilter { * @return boolean if filter was successfully done * @throws IOException this exception could be thrown because of failed or interrupted I/O operation */ - protected abstract boolean process(ServletRequest request, ServletResponse response, FilterParams params) + protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params) throws IOException; - public boolean doFilter(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - if (!skip(request)) { + public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { + if (!skip(req)) { log.trace("{} - executing filter", filterName); - return this.process(req, res, params); + return process(req, res, params); } else { return true; } } private boolean skip(HttpServletRequest request) { - String sub = (request.getUserPrincipal() != null) ? request.getUserPrincipal().getName() : null; - String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID); + if (hasBeenApplied(request.getSession(true))) { + return true; + } + log.debug("{} - marking filter as applied", filterName); + request.getSession(true).setAttribute(getSessionAppliedParamName(), true); + return skipForSub(request.getUserPrincipal()) + || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID)); + } + private boolean hasBeenApplied(HttpSession sess) { + String sessionParamName = getSessionAppliedParamName(); + if (sess.getAttribute(sessionParamName) != null) { + log.debug("{} - skip filter execution: filter has been already applied", filterName); + return true; + } + return false; + } + + private boolean skipForSub(Principal p) { + String sub = (p != null) ? 
p.getName() : null; if (sub != null && subs.contains(sub)) { log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub); return true; - } else if (clientId != null && clientIds.contains(clientId)){ + } + return false; + } + + private boolean skipForClientId(String clientId) { + if (clientId != null && clientIds.contains(clientId)){ log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId); return true; } - return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilterParams.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java similarity index 87% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilterParams.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java index 5c370fc0d..749fce772 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunRequestFilterParams.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFilterParams.java @@ -8,7 +8,7 @@ import java.util.Properties; * * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ -public class PerunRequestFilterParams { +public class AuthProcFilterParams { private final String filterName; @@ -16,7 +16,7 @@ public class PerunRequestFilterParams { private final Properties properties; private final BeanUtil beanUtil; - public PerunRequestFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) { + public AuthProcFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) { this.filterName = filterName; this.propertyPrefix = propertyPrefix; this.properties = properties; 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java similarity index 75% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java index a4ce091d9..26a6d071d 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/CallPerunFiltersFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContainer.java @@ -1,7 +1,7 @@ package cz.muni.ics.oidc.server.filters; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN; -import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN; +import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN; import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.service.ClientDetailsEntityService; @@ -20,6 +20,7 @@ import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; 
@@ -36,12 +37,12 @@ import org.springframework.web.filter.GenericFilterBean; * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ @Slf4j -public class CallPerunFiltersFilter extends GenericFilterBean { +public class AuthProcFiltersContainer extends GenericFilterBean { private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); - private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN); - private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN + "/**"); + private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN); + private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**"); private static final RequestMatcher MATCHER = new OrRequestMatcher( Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); 
@@ -63,24 +64,25 @@ public class CallPerunFiltersFilter extends GenericFilterBean { @Autowired private SamlProperties samlProperties; - private PerunFiltersContext perunFiltersContext; + private AuthProcFiltersContext perunFiltersContext; @PostConstruct public void postConstruct() { - this.perunFiltersContext = new PerunFiltersContext(coreProperties, beanUtil); + this.perunFiltersContext = new AuthProcFiltersContext(coreProperties, beanUtil); } @Override public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { - HttpServletRequest request = (HttpServletRequest) servletRequest; - if (!MATCHER.matches(request)) { - log.debug("Custom filters have been skipped, did not match '/authorize' nor '/device/code' request"); + HttpServletRequest req = (HttpServletRequest) servletRequest; + HttpServletResponse res = (HttpServletResponse) servletResponse; + if (!MATCHER.matches(req)) { + log.debug("AuthProc filters have been skipped, did not match authorization nor device req URL"); } else { - List<PerunRequestFilter> filters = perunFiltersContext.getFilters(); + List<AuthProcFilter> filters = perunFiltersContext.getFilters(); if (filters != null && !filters.isEmpty()) { - ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(request, authRequestFactory, + ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory, clientDetailsEntityService); Facility facility = null; if (client != null && StringUtils.hasText(client.getClientId())) { 
@@ -88,20 +90,20 @@ public class CallPerunFiltersFilter extends GenericFilterBean { facility = perunAdapter.getFacilityByClientId(client.getClientId()); } catch (Exception e) { log.warn("{} - could not fetch facility for client_id '{}'", - CallPerunFiltersFilter.class.getSimpleName(), client.getClientId(), e); + AuthProcFiltersContainer.class.getSimpleName(), client.getClientId(), e); } } - PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, + PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute()); FilterParams params = new FilterParams(client, facility, user); - for (PerunRequestFilter filter : filters) { - if (!filter.doFilter(servletRequest, servletResponse, params)) { + for (AuthProcFilter filter : filters) { + if (!filter.doFilter(req, res, params)) { return; } } } } - filterChain.doFilter(servletRequest, servletResponse); + filterChain.doFilter(req, res); } } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java similarity index 74% rename from perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java rename to perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java index 411b1ec97..c6f324a2b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFiltersContext.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/AuthProcFiltersContext.java 
@@ -16,22 +16,22 @@ import org.springframework.util.StringUtils; * Filters are configured from configuration file in following way: * filter.names=filterName1,filterName2,... * - * @see PerunRequestFilter for configuration of filter + * @see AuthProcFilter for configuration of filter * * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ @Slf4j -public class PerunFiltersContext { +public class AuthProcFiltersContext { private static final String FILTER_NAMES = "filter.names"; private static final String FILTER_CLASS = ".class"; private static final String PREFIX = "filter."; - private final List<PerunRequestFilter> filters; + private final List<AuthProcFilter> filters; private final Properties properties; private final BeanUtil beanUtil; - public PerunFiltersContext(Properties properties, BeanUtil beanUtil) { + public AuthProcFiltersContext(Properties properties, BeanUtil beanUtil) { this.properties = properties; this.beanUtil = beanUtil; this.filters = new LinkedList<>(); @@ -41,18 +41,18 @@ public class PerunFiltersContext { log.debug("--------------------------------"); for (String filterName: filterNames.split(",")) { - PerunRequestFilter requestFilter = loadFilter(filterName); + AuthProcFilter requestFilter = loadFilter(filterName); filters.add(requestFilter); log.debug("--------------------------------"); } } - public List<PerunRequestFilter> getFilters() { + public List<AuthProcFilter> getFilters() { return filters; } - private PerunRequestFilter loadFilter(String filterName) { - String propPrefix = PerunFiltersContext.PREFIX + filterName; + private AuthProcFilter loadFilter(String filterName) { + String propPrefix = AuthProcFiltersContext.PREFIX + filterName; String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null); if (!StringUtils.hasText(filterClass)) { log.warn("{} - failed to initialized filter: no class has ben configured", filterName); 
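Review bot: `loadFilter` returns null for a misconfigured or unknown filter class (see the `@@ -62,15 +62,15 @@` hunk of this file), and `filters.add(requestFilter)` stores that null, so AuthProcFiltersContainer later calls `filter.doFilter` on it and every matched request fails with a NullPointerException; the commit only renames the types here. Since these filters enforce authorization and AUP policy, a configuration error should stop startup rather than be logged at warn and added as a null entry: `if (requestFilter == null) { throw new IllegalStateException("failed to initialize filter " + filterName); }` before `filters.add(requestFilter)`. If warn-and-continue is deliberate, skip the add instead and say so in the constructor's comment.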
@@ -62,15 +62,15 @@ public class PerunFiltersContext { try { Class<?> rawClazz = Class.forName(filterClass); - if (!PerunRequestFilter.class.isAssignableFrom(rawClazz)) { - log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter", + if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) { + log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter", filterName, filterClass); return null; } - @SuppressWarnings("unchecked") Class<PerunRequestFilter> clazz = (Class<PerunRequestFilter>) rawClazz; - Constructor<PerunRequestFilter> constructor = clazz.getConstructor(PerunRequestFilterParams.class); - PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil); + @SuppressWarnings("unchecked") Class<AuthProcFilter> clazz = (Class<AuthProcFilter>) rawClazz; + Constructor<AuthProcFilter> constructor = clazz.getConstructor(AuthProcFilterParams.class); + AuthProcFilterParams params = new AuthProcFilterParams(filterName, propPrefix, properties, beanUtil); return constructor.newInstance(params); } catch (ClassNotFoundException e) { log.warn("{} - failed to initialize filter: class '{}' was not found", filterName, filterClass); diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java index 43964205d..2da01950b 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/FiltersUtils.java 
@@ -1,6 +1,6 @@ package cz.muni.ics.oidc.server.filters; -import static cz.muni.ics.oauth2.web.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE; +import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN; import cz.muni.ics.oauth2.model.ClientDetailsEntity; @@ -278,7 +278,7 @@ public class FiltersUtils { public static String fillStringMandatoryProperty(String propertyName, String filterName, - PerunRequestFilterParams params) { + AuthProcFilterParams params) { String filled = params.getProperty(propertyName); if (!StringUtils.hasText(filled)) { diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java index 23a1f7426..d623a97ee 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/PerunFilterConstants.java @@ -11,9 +11,8 @@ import java.util.Map; */ public class PerunFilterConstants { - public static final String AUTHORIZE_REQ_PATTERN = "/authorize"; - public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code"; - public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode"; + public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize"; + public static final String DEVICE_APPROVE_REQ_PATTERN = "/auth/device/authorize"; public static final String PARAM_CLIENT_ID = "client_id"; public static final String PARAM_SCOPE = "scope"; diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java index f5679b096..4ef27d2c0 100644 
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java @@ -9,12 +9,10 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import java.util.Map; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; @@ -31,14 +29,16 @@ import lombok.extern.slf4j.Slf4j; * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ @Slf4j -public class PerunAuthorizationFilter extends PerunRequestFilter { +public class PerunAuthorizationFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName(); private final PerunAdapter perunAdapter; private final FacilityAttrsConfig facilityAttrsConfig; private final String filterName; private final PerunOidcConfig config; - public PerunAuthorizationFilter(PerunRequestFilterParams params) { + public PerunAuthorizationFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.perunAdapter = beanUtil.getBean(PerunAdapter.class); 
@@ -48,10 +48,12 @@ public class PerunAuthorizationFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip filter execution: no facility provided", filterName); @@ -64,7 +66,7 @@ public class PerunAuthorizationFilter extends PerunRequestFilter { return true; } - return this.decideAccess(facility, user, request, response, params.getClientIdentifier(), + return this.decideAccess(facility, user, req, res, params.getClientIdentifier(), perunAdapter, facilityAttrsConfig); } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java index e3467b0ef..cb736dabe 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunEnsureVoMember.java 
@@ -7,20 +7,15 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import cz.muni.ics.oidc.web.controllers.RegistrationController; -import java.io.IOException; import java.util.Arrays; -import java.util.Collections; import java.util.HashMap; -import java.util.HashSet; import java.util.Map; -import java.util.Set; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; import org.apache.http.HttpHeaders; @@ -39,7 +34,9 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ @Slf4j -public class PerunEnsureVoMember extends PerunRequestFilter { +public class PerunEnsureVoMember extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName(); private static final String TRIGGER_ATTR = "triggerAttr"; private static final String VO_DEFS_ATTR = "voDefsAttr"; @@ -52,7 +49,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter { private final String filterName; private final PerunOidcConfig perunOidcConfig; - public PerunEnsureVoMember(PerunRequestFilterParams params) { + public PerunEnsureVoMember(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); 
@@ -68,9 +65,12 @@ public class PerunEnsureVoMember extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) { Facility facility = params.getFacility(); if (facility == null || facility.getId() == null) { log.debug("{} - skip execution: no facility provided", filterName); @@ -100,7 +100,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter { log.debug("{} - user allowed to continue", filterName); return true; } else { - redirect(response, getLoginUrl(facility.getId()), voShortName); + redirect(res, getLoginUrl(facility.getId()), voShortName); return false; } } @@ -133,17 +133,6 @@ public class PerunEnsureVoMember extends PerunRequestFilter { return attrValue; } - private boolean canAccess(PerunAttributeValue attrValue, Set<String> memberShortNames) { - if (attrValue.valueAsJson().isArray()) { - Set<String> val = attrValue.valueAsList() == null ? - Collections.emptySet() : new HashSet<>(attrValue.valueAsList()); - return !Collections.disjoint(val, memberShortNames); - } else { - String val = attrValue.valueAsString(); - return memberShortNames.contains(val); - } - } - @Override public String toString() { return "PerunEnsureVoMember{" + diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java index 25d630e81..1f738aa93 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunForceAupFilter.java 
@@ -14,8 +14,8 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FiltersUtils; -import cz.muni.ics.oidc.server.filters.PerunRequestFilter; -import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; +import cz.muni.ics.oidc.server.filters.AuthProcFilter; +import cz.muni.ics.oidc.server.filters.AuthProcFilterParams; import cz.muni.ics.oidc.web.controllers.AupController; import java.io.IOException; import java.text.ParseException; @@ -27,8 +27,6 @@ import java.util.HashMap; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import lombok.extern.slf4j.Slf4j; @@ -52,7 +50,9 @@ import org.springframework.util.StringUtils; * @author Dominik Frantisek Bucik <bucik@ics.muni.cz> */ @Slf4j -public class PerunForceAupFilter extends PerunRequestFilter { +public class PerunForceAupFilter extends AuthProcFilter { + + public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName(); private static final String DATE_FORMAT = "yyyy-MM-dd"; @@ -77,7 +77,7 @@ public class PerunForceAupFilter extends PerunRequestFilter { private final SamlProperties samlProperties; private final String filterName; - public PerunForceAupFilter(PerunRequestFilterParams params) { + public PerunForceAupFilter(AuthProcFilterParams params) { super(params); BeanUtil beanUtil = params.getBeanUtil(); this.perunAdapter = beanUtil.getBean(PerunAdapter.class); 
@@ -93,18 +93,20 @@ public class PerunForceAupFilter extends PerunRequestFilter { } @Override - protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { - HttpServletRequest request = (HttpServletRequest) req; - HttpServletResponse response = (HttpServletResponse) res; + protected String getSessionAppliedParamName() { + return APPLIED; + } - if (request.getSession() != null && request.getSession().getAttribute(APPROVED) != null) { - request.getSession().removeAttribute(APPROVED); + @Override + protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException { + if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) { + req.getSession().removeAttribute(APPROVED); log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" + " to a delayed propagation to LDAP", filterName); return true; } - PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, samlProperties.getUserIdentifierAttribute()); + PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute()); if (user == null || user.getId() == null) { log.debug("{} - skip filter execution: no user provider", filterName); return true; 
@@ -147,13 +149,13 @@ public class PerunForceAupFilter extends PerunRequestFilter { log.trace("{} - AUPS to be approved: '{}'", filterName, newAups); String newAupsString = mapper.writeValueAsString(newAups); - request.getSession().setAttribute(AupController.RETURN_URL, request.getRequestURI() - .replace(request.getContextPath(), "") + '?' + request.getQueryString()); - request.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); - request.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); + req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI() + .replace(req.getContextPath(), "") + '?' + req.getQueryString()); + req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); + req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user); - response.sendRedirect(request.getContextPath() + '/' + AupController.URL); + res.sendRedirect(req.getContextPath() + '/' + AupController.URL); return false; } diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java index a51236965..50a41686e 100644 --- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java +++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsCesnetEligibleFilter.java 
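Review bot: The return URL stored in the session, `req.getRequestURI().replace(req.getContextPath(), "") + '?' + req.getQueryString()`, ends in a literal `?null` when the request carries no query string, and `String.replace` removes every occurrence of the context path rather than only the leading one; the commit only renames the variable on these lines. Guarding the query string keeps the redirect target well-formed: `String qs = req.getQueryString(); String returnUrl = req.getRequestURI().substring(req.getContextPath().length()) + (qs != null ? '?' + qs : "");` and then `req.getSession().setAttribute(AupController.RETURN_URL, returnUrl);`. The body of `process` starts outside this hunk.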
@@ -14,9 +14,8 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
 import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
 import cz.muni.ics.oidc.server.filters.FilterParams;
 import cz.muni.ics.oidc.server.filters.FiltersUtils;
-import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilter;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
 import cz.muni.ics.oidc.web.controllers.ControllerUtils;
 import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
 import java.time.LocalDateTime;
@@ -25,8 +24,6 @@ import java.time.format.DateTimeParseException;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
@@ -46,7 +43,9 @@ import org.apache.http.HttpHeaders;
 * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
 */
 @Slf4j
-public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
+public class PerunIsCesnetEligibleFilter extends AuthProcFilter {
+
+ public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName();
 
 /* CONFIGURATION PROPERTIES */
 private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr";
@@ -63,7 +62,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
 private final PerunAdapter perunAdapter;
 private final String filterName;
 
- public PerunIsCesnetEligibleFilter(PerunRequestFilterParams params) {
+ public PerunIsCesnetEligibleFilter(AuthProcFilterParams params) {
 super(params);
 BeanUtil beanUtil = params.getBeanUtil();
 this.config = beanUtil.getBean(PerunOidcConfig.class);
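Review bot: The new public constant `APPLIED` in the hunk at `@@ -46,7 +43,9 @@` has no documentation, and the same constant is added in the same form to PerunIsTestSpFilter, ProxyStatisticsFilter and ValidUserFilter in the hunks below. A one-line Javadoc on each would do, e.g. `/** Session attribute name handed to the base filter via getSessionAppliedParamName(); derived from the class name so that each filter class gets its own marker. */`. Because the value is built from `getSimpleName()` rather than from `filterName`, all instances of one filter class share a single session attribute; if the same class can be configured more than once under different filter names (these classes do carry a `filterName` field), the instances would mask each other's marker, which is worth confirming against AuthProcFilter, which is not part of this diff.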
@@ -84,11 +83,13 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
 }
 
 @Override
- protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
- HttpServletRequest request = (HttpServletRequest) req;
- HttpServletResponse response = (HttpServletResponse) res;
+ protected String getSessionAppliedParamName() {
+ return APPLIED;
+ }
 
- if (!FiltersUtils.isScopePresent(request.getParameter(PARAM_SCOPE), triggerScope)) {
+ @Override
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
+ if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) {
 log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope);
 return true;
 }
@@ -124,7 +125,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
 }
 
 log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue);
- this.redirect(request, response, reason);
+ this.redirect(req, res, reason);
 return false;
 }
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java
index d027eed43..06fc36676 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunIsTestSpFilter.java
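Review bot: The new `getSessionAppliedParamName()` override supplies a session-scoped marker, while the scope check on the first line of the new `process` body is evaluated per request; if AuthProcFilter uses that marker to skip `process` once it has run in a session (the name suggests so, but AuthProcFilter is not part of this diff), a later authorization request in the same session that does carry `triggerScope` would pass unchecked. The same interaction applies to the `process` overrides of PerunIsTestSpFilter, ProxyStatisticsFilter and ValidUserFilter in the hunks below, and ValidUserFilter's membership checks are the most consequential case. Confirm the intended lifetime of the marker and state it in a Javadoc on the override, e.g. `/** Session attribute under which AuthProcFilter records that this filter has already run; see AuthProcFilter for when it is reset. */`. The body of `process` continues beyond the hunk.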
@@ -10,16 +10,13 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
 import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
 import cz.muni.ics.oidc.server.filters.FilterParams;
 import cz.muni.ics.oidc.server.filters.FiltersUtils;
-import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilter;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
 import cz.muni.ics.oidc.web.controllers.ControllerUtils;
 import cz.muni.ics.oidc.web.controllers.IsTestSpController;
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
@@ -37,7 +34,9 @@ import org.apache.http.HttpHeaders;
 * @author Pavol Pluta <500348@mail.muni.cz>
 */
 @Slf4j
-public class PerunIsTestSpFilter extends PerunRequestFilter {
+public class PerunIsTestSpFilter extends AuthProcFilter {
+
+ public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName();
 
 private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr";
 
@@ -46,7 +45,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
 private final String filterName;
 private final PerunOidcConfig config;
 
- public PerunIsTestSpFilter(PerunRequestFilterParams params) {
+ public PerunIsTestSpFilter(AuthProcFilterParams params) {
 super(params);
 BeanUtil beanUtil = params.getBeanUtil();
 this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
@@ -56,14 +55,17 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
 }
 
 @Override
- protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
- HttpServletRequest request = (HttpServletRequest) req;
- HttpServletResponse response = (HttpServletResponse) res;
+ protected String getSessionAppliedParamName() {
+ return APPLIED;
+ }
+
+ @Override
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
 Facility facility = params.getFacility();
 if (facility == null || facility.getId() == null) {
 log.debug("{} - skip execution: no facility provided", filterName);
 return true;
- } else if (testSpWarningApproved(request)){
+ } else if (testSpWarningApproved(req)){
 log.debug("{} - skip execution: warning already approved", filterName);
 return true;
 }
@@ -74,7 +76,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
 return true;
 } else if (attrValue.valueAsBoolean()) {
 log.debug("{} - redirecting user to test SP warning page", filterName);
- this.redirect(request, response);
+ this.redirect(req, res);
 return false;
 }
 log.debug("{} - service is not testing, let user access it", filterName);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java
index 6a9f90326..19fc1f3d0 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ProxyStatisticsFilter.java
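Review bot: The rewritten branch `} else if (testSpWarningApproved(req)){` keeps the missing space before the opening brace, unlike the `if (...) {` lines around it; since the line is touched anyway, `} else if (testSpWarningApproved(req)) {` would bring it in line with the rest of the file. The body of `process` continues beyond the hunk.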
@@ -8,8 +8,8 @@ import cz.muni.ics.oidc.BeanUtil;
 import cz.muni.ics.oidc.saml.SamlProperties;
 import cz.muni.ics.oidc.server.filters.FilterParams;
 import cz.muni.ics.oidc.server.filters.FiltersUtils;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilter;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
 import java.sql.Connection;
 import java.sql.Date;
 import java.sql.PreparedStatement;
@@ -17,10 +17,8 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.time.LocalDate;
 import java.util.Objects;
-import java.util.Properties;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import javax.sql.DataSource;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.saml.SAMLCredential;
@@ -51,7 +49,9 @@ import org.springframework.util.StringUtils;
 */
 @SuppressWarnings("SqlResolve")
 @Slf4j
-public class ProxyStatisticsFilter extends PerunRequestFilter {
+public class ProxyStatisticsFilter extends AuthProcFilter {
+
+ public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName();
 
 /* CONFIGURATION OPTIONS */
 private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName";
@@ -77,7 +77,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
 private final String filterName;
 private final SamlProperties samlProperties;
 
- public ProxyStatisticsFilter(PerunRequestFilterParams params) {
+ public ProxyStatisticsFilter(AuthProcFilterParams params) {
 super(params);
 BeanUtil beanUtil = params.getBeanUtil();
 this.mitreIdStats = beanUtil.getBean("mitreIdStats", DataSource.class);
@@ -97,9 +97,12 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
 }
 
 @Override
- protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
- HttpServletRequest request = (HttpServletRequest) req;
+ protected String getSessionAppliedParamName() {
+ return APPLIED;
+ }
 
+ @Override
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
 ClientDetailsEntity client = params.getClient();
 if (client == null) {
 log.warn("{} - skip execution: no client provided", filterName);
@@ -112,7 +115,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
 return true;
 }
 
- SAMLCredential samlCredential = FiltersUtils.getSamlCredential(request);
+ SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req);
 if (samlCredential == null) {
 log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier",
 filterName);
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java
index bf05d8c69..e3d4d2cf9 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/ValidUserFilter.java
@@ -9,14 +9,12 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
 import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
 import cz.muni.ics.oidc.server.filters.FilterParams;
 import cz.muni.ics.oidc.server.filters.FiltersUtils;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
-import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
+import cz.muni.ics.oidc.server.filters.AuthProcFilter;
+import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
 import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
@@ -46,7 +44,9 @@ import org.springframework.util.StringUtils;
 */
 @SuppressWarnings("SqlResolve")
 @Slf4j
-public class ValidUserFilter extends PerunRequestFilter {
+public class ValidUserFilter extends AuthProcFilter {
+
+ public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName();
 
 /* CONFIGURATION OPTIONS */
 private static final String ALL_ENV_GROUPS = "allEnvGroups";
@@ -69,7 +69,7 @@ public class ValidUserFilter extends PerunRequestFilter {
 private final String filterName;
 private final PerunOidcConfig config;
 
- public ValidUserFilter(PerunRequestFilterParams params) {
+ public ValidUserFilter(AuthProcFilterParams params) {
 super(params);
 BeanUtil beanUtil = params.getBeanUtil();
 this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
@@ -86,10 +86,12 @@ public class ValidUserFilter extends PerunRequestFilter {
 }
 
 @Override
- protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
- HttpServletRequest request = (HttpServletRequest) req;
- HttpServletResponse response = (HttpServletResponse) res;
+ protected String getSessionAppliedParamName() {
+ return APPLIED;
+ }
 
+ @Override
+ protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
 Set<Long> additionalVos = new HashSet<>();
 Set<Long> additionalGroups = new HashSet<>();
 
@@ -106,7 +108,7 @@ public class ValidUserFilter extends PerunRequestFilter {
 return true;
 }
 
- if (!checkMemberValidInGroupsAndVos(user, facility, response, params, allEnvVos, allEnvGroups,
+ if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups,
 PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) {
 return false;
 }
@@ -121,7 +123,7 @@ public class ValidUserFilter extends PerunRequestFilter {
 additionalVos.addAll(testEnvVos);
 additionalGroups.addAll(testEnvGroups);
 
- if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos,
+ if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
 additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) {
 return false;
 }
@@ -129,7 +131,7 @@ public class ValidUserFilter extends PerunRequestFilter {
 additionalVos.addAll(prodEnvVos);
 additionalGroups.addAll(prodEnvGroups);
 
- if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos,
+ if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
 additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) {
 return false;
 }
@@ -139,7 +141,7 @@ public class ValidUserFilter extends PerunRequestFilter {
 return true;
 }
 
- private Set<Long> getIdsFromParam(PerunRequestFilterParams params, String propKey) {
+ private Set<Long> getIdsFromParam(AuthProcFilterParams params, String propKey) {
 Set<Long> result = new HashSet<>();
 String prop = params.getProperty(propKey);
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java
index 13307dc79..839aa3a1a 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/ga4gh/Ga4ghPassportAndVisaClaimSource.java
@@ -16,7 +16,7 @@ import cz.muni.ics.oidc.server.claims.ClaimSource;
 import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
 import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
 import cz.muni.ics.oidc.server.connectors.Affiliation;
-import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint;
+import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java
index b288789c9..91982cec2 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/web/controllers/ControllerUtils.java
@@ -1,7 +1,7 @@
 package cz.muni.ics.oidc.web.controllers;
 
-import static cz.muni.ics.oauth2.web.OAuthConfirmationController.CLAIMS;
-import static cz.muni.ics.oauth2.web.OAuthConfirmationController.SCOPES;
+import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.CLAIMS;
+import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.SCOPES;
 
 import com.google.common.base.Strings;
 import com.google.common.collect.Sets;
@@ -29,7 +29,6 @@ import java.util.Set;
 import java.util.stream.Collectors;
 import javax.servlet.http.HttpServletRequest;
 
-import cz.muni.ics.openid.connect.service.ScopeClaimTranslationService;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.utils.URIBuilder;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java
index 844f6648d..e7b969ade 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/filter/AuthorizationRequestFilter.java
@@ -78,7 +78,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
 @Autowired(required = false)
 private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP();
 
- private RequestMatcher requestMatcher = new AntPathRequestMatcher("/authorize");
+ private RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/authorize");
 
 /**
 *
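Review bot: The matcher in the AuthorizationRequestFilter hunk is now hard-coded as `new AntPathRequestMatcher("/auth/authorize")`, and nothing in this diff ties it to the mapping of the authorization endpoint it is meant to guard; if that endpoint is mounted at a different path, the filter simply never matches and its handling of authorization requests is skipped without any error. Either derive the pattern from the same constant the endpoint mapping uses, or at least record the coupling on the field: `// must stay in sync with the authorization endpoint mapping; a mismatch disables this filter silently`. The enclosing class continues beyond the hunk.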
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ApprovedSiteAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ApprovedSiteAPI.java
similarity index 96%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ApprovedSiteAPI.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ApprovedSiteAPI.java
index c95d49bee..2b61b1b97 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ApprovedSiteAPI.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ApprovedSiteAPI.java
@@ -18,7 +18,7 @@
 /**
 *
 */
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.api;
 
 import cz.muni.ics.openid.connect.model.ApprovedSite;
 import cz.muni.ics.openid.connect.service.ApprovedSiteService;
@@ -26,6 +26,7 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonApprovedSiteView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
+import cz.muni.ics.openid.connect.web.controller.GuiController;
 import java.security.Principal;
 import java.util.Collection;
 import lombok.extern.slf4j.Slf4j;
@@ -49,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 @Slf4j
 public class ApprovedSiteAPI {
 
- public static final String URL = RootController.API_URL + "/approved";
+ public static final String URL = GuiController.API_URL + "/approved";
 
 @Autowired
 private ApprovedSiteService approvedSiteService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/BlacklistAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/BlacklistAPI.java
similarity index 97%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/BlacklistAPI.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/BlacklistAPI.java
index d443b1adc..716d8d56e 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/BlacklistAPI.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/BlacklistAPI.java
@@ -18,7 +18,7 @@
 /**
 *
 */
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.api;
 
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
@@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.BlacklistedSiteService;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
+import cz.muni.ics.openid.connect.web.controller.GuiController;
 import java.security.Principal;
 import java.util.Collection;
 import lombok.extern.slf4j.Slf4j;
@@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 @Slf4j
 public class BlacklistAPI {
 
- public static final String URL = RootController.API_URL + "/blacklist";
+ public static final String URL = GuiController.API_URL + "/blacklist";
 
 @Autowired
 private BlacklistedSiteService blacklistService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ClientAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ClientAPI.java
similarity index 99%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ClientAPI.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ClientAPI.java
index fe402b3b8..262e32abe 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ClientAPI.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/ClientAPI.java
@@ -15,7 +15,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.api;
 
 import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
 import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;
@@ -88,6 +88,7 @@ import cz.muni.ics.openid.connect.view.ClientEntityViewForUsers;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
+import cz.muni.ics.openid.connect.web.controller.GuiController;
 import java.lang.reflect.Type;
 import java.sql.SQLIntegrityConstraintViolationException;
 import java.text.ParseException;
@@ -120,7 +121,7 @@ import org.springframework.web.servlet.ModelAndView;
 @Slf4j
 public class ClientAPI {
 
- public static final String URL = RootController.API_URL + "/clients";
+ public static final String URL = GuiController.API_URL + "/clients";
 
 @Autowired
 private ClientDetailsEntityService clientService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/WhitelistAPI.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/WhitelistAPI.java
similarity index 97%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/WhitelistAPI.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/WhitelistAPI.java
index 7d4e6bf15..a548525fc 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/WhitelistAPI.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/api/WhitelistAPI.java
@@ -18,7 +18,7 @@
 /**
 *
 */
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.api;
 
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
@@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.WhitelistedSiteService;
 import cz.muni.ics.openid.connect.view.HttpCodeView;
 import cz.muni.ics.openid.connect.view.JsonEntityView;
 import cz.muni.ics.openid.connect.view.JsonErrorView;
+import cz.muni.ics.openid.connect.web.controller.GuiController;
 import java.security.Principal;
 import java.util.Collection;
 import lombok.extern.slf4j.Slf4j;
@@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 @Slf4j
 public class WhitelistAPI {
 
- public static final String URL = RootController.API_URL + "/whitelist";
+ public static final String URL = GuiController.API_URL + "/whitelist";
 
 @Autowired
 private WhitelistedSiteService whitelistService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/RootController.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/controller/GuiController.java
similarity index 95%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/RootController.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/controller/GuiController.java
index 0d5475c22..1670e62f0 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/RootController.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/controller/GuiController.java
@@ -15,7 +15,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.controller;
 
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
@@ -27,7 +27,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 
 */
 @Controller
-public class RootController {
+public class GuiController {
 
 public static final String API_URL = "api";
 
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/DynamicClientRegistrationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/DynamicClientRegistrationEndpoint.java
similarity index 99%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/DynamicClientRegistrationEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/DynamicClientRegistrationEndpoint.java
index dfc335213..2d0579479 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/DynamicClientRegistrationEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/DynamicClientRegistrationEndpoint.java
@@ -15,7 +15,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.endpoint;
 
 import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
 import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/EndSessionEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
similarity index 99%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/EndSessionEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
index 569f73c08..7432e11b0 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/EndSessionEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/EndSessionEndpoint.java
@@ -14,7 +14,7 @@
 * limitations under the License.
 *******************************************************************************/
 
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.endpoint;
 
 import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
 import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/JWKSetPublishingEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/JWKSetPublishingEndpoint.java
similarity index 97%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/JWKSetPublishingEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/JWKSetPublishingEndpoint.java
index fdf3c9bfa..455bcf66d 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/JWKSetPublishingEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/JWKSetPublishingEndpoint.java
@@ -15,7 +15,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.endpoint;
 
 import com.nimbusds.jose.jwk.JWK;
 import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ProtectedResourceRegistrationEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/ProtectedResourceRegistrationEndpoint.java
similarity index 99%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/ProtectedResourceRegistrationEndpoint.java
index 9b10f06b9..1194d00ff 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ProtectedResourceRegistrationEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/ProtectedResourceRegistrationEndpoint.java
@@ -13,7 +13,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.endpoint;
 
 import com.google.common.base.Strings;
 import com.google.gson.JsonSyntaxException;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoEndpoint.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserInfoEndpoint.java
similarity index 98%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoEndpoint.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserInfoEndpoint.java
index ccdfaa7f2..b00079233 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoEndpoint.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/endpoint/UserInfoEndpoint.java
@@ -15,11 +15,10 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *******************************************************************************/
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.endpoint;
 
 import com.google.common.base.Strings;
 import cz.muni.ics.oauth2.model.ClientDetailsEntity;
-import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
 import cz.muni.ics.oauth2.model.SavedUserAuthentication;
 import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
 import cz.muni.ics.oauth2.service.SystemScopeService;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ServerConfigInterceptor.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/ServerConfigInterceptor.java
similarity index 97%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ServerConfigInterceptor.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/ServerConfigInterceptor.java
index eb5dd49f9..b19e3e9e8 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/ServerConfigInterceptor.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/ServerConfigInterceptor.java
@@ -18,7 +18,7 @@
 /**
 *
 */
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.interceptor;
 
 import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
 import cz.muni.ics.openid.connect.config.UIConfiguration;
diff --git a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoInterceptor.java b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/UserInfoInterceptor.java
similarity index 98%
rename from perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoInterceptor.java
rename to perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/UserInfoInterceptor.java
index 9a83505bd..9cfc4a88c 100644
--- a/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/UserInfoInterceptor.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/openid/connect/web/interceptor/UserInfoInterceptor.java
@@ -18,7 +18,7 @@
 /**
 *
 */
-package cz.muni.ics.openid.connect.web;
+package cz.muni.ics.openid.connect.web.interceptor;
 
 import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID;
 import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE;