Merge pull request #138 from dBucik/new_urls

New urls
pull/1580/head
Dominik František Bučík 2022-01-27 12:27:15 +01:00 committed by GitHub
commit 700d603645
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
53 changed files with 910 additions and 1027 deletions


@ -55,7 +55,7 @@
<logger name="cz.muni.ics" level="${log.level}"/> <logger name="cz.muni.ics" level="${log.level}"/>
<logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/> <logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/>
<logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/> <logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/>
<logger name="cz.muni.ics.openid.connect.web.EndSessionEndpoint" level="${log.level}"/> <logger name="cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint" level="${log.level}"/>
<logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/> <logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
</configuration> </configuration>


@ -17,104 +17,16 @@
limitations under the License. limitations under the License.
--> -->
<beans xmlns="http://www.springframework.org/schema/beans" <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd"> http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- Scan for components --> <!-- Scan for components -->
<context:component-scan annotation-config="true" base-package="cz.muni.ics" /> <context:component-scan base-package="cz.muni.ics" />
<!-- Enables the Spring MVC @Controller programming model -->
<tx:annotation-driven transaction-manager="transactionManager" />
<mvc:annotation-driven ignore-default-model-on-redirect="true">
<mvc:message-converters>
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
</mvc:message-converters>
</mvc:annotation-driven>
<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.UserInfoInterceptor" />
<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.ServerConfigInterceptor" />
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"/>
</bean>
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<ref bean="localeChangeInterceptor"/>
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
<mvc:exclude-mapping path="/saml**" />
<!-- Inject the UserInfo into the response -->
<ref bean="userInfoInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
<!-- Inject the server configuration into the response -->
<ref bean="serverConfigInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
<mvc:default-servlet-handler />
<!-- Bean to hold configuration properties --> <!-- Bean to hold configuration properties -->
<import resource="server-config.xml" /> <import resource="server-config.xml" />
@ -122,186 +34,6 @@
<!-- Import the data context --> <!-- Import the data context -->
<import resource="data-context.xml" /> <import resource="data-context.xml" />
<!-- SPEL processors -->
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
<!-- Spring Security configuration -->
<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
<security:http pattern="/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
use-expressions="true">
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
<security:intercept-url pattern="/token" access="isAuthenticated()" />
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Allow open access to discovery endpoints -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<!-- Allow open access to all static resources -->
<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<!-- OAuth-protect API and other endpoints -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:intercept-url pattern="/register/**" access="permitAll"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:intercept-url pattern="/resource/**" access="permitAll"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="openidconnect" />
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<!-- Additional endpoints for extensions (such as UMA) -->
<import resource="endpoint-config.xml" />
<!-- SECOAUTH Authorization Server -->
<import resource="authz-config.xml" />
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
<constructor-arg name="filterProcessesUrls">
<set>
<value>/introspect</value>
<value>/revoke</value>
<value>/token</value>
</set>
</constructor-arg>
</bean>
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
</bean>
<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
</bean>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientUserDetailsService" />
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
</security:authentication-manager>
<security:authentication-manager id="clientAssertionAuthenticationManager">
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
</security:authentication-manager>
<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
<!-- Configure locale information --> <!-- Configure locale information -->
<import resource="locale-config.xml" /> <import resource="locale-config.xml" />
@ -311,49 +43,15 @@
<!-- assertion processing --> <!-- assertion processing -->
<import resource="assertion-config.xml" /> <import resource="assertion-config.xml" />
<!-- End Spring Security configuration -->
<!-- JPA --> <!-- JPA -->
<import resource="jpa-config.xml" /> <import resource="jpa-config.xml" />
<!-- End JPA -->
<!-- Crypto --> <!-- Crypto -->
<import resource="crypto-config.xml" /> <import resource="crypto-config.xml" />
<!-- End Crypto -->
<!-- View configuration -->
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
<property name="order" value="2" />
</bean>
<!-- Resolve views based on string names -->
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
<property name="order" value="1" />
</bean>
<!-- End view configuration -->
<!--Import scheduled task configuration -->
<import resource="task-config.xml" />
<!-- Import configuration for front-end (JavaScript) UI components --> <!-- Import configuration for front-end (JavaScript) UI components -->
<import resource="ui-config.xml" /> <import resource="ui-config.xml" />
<!-- import application-local configuration information (such as bean definitions) --> <import resource="web-context.xml" />
<import resource="local-config.xml" />
</beans> </beans>
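Review bot: The last hunk drops `<import resource="local-config.xml" />` without a replacement, which removes the documented local-override hook (the deleted file's own comment says to override it in the local project), so a deployment that ships its own local-config.xml silently loses those bean definitions after this merge. If web-context.xml now takes over that role, a comment next to the new import should say so, e.g. `<!-- web-context.xml replaces local-config.xml; put deployment-local beans there -->`. The first two hunks also delete every `<security:http>` chain for the token, introspection, revocation, device and registration endpoints, together with the `clientAuthenticationManager` they referenced and the per-chain `csrf disabled` settings, and remove the `mvc:exclude-mapping` lists that kept userInfoInterceptor and serverConfigInterceptor off the machine-facing endpoints. Their replacement is presumably in web-context.xml, which this section does not show, so it is worth confirming that each of those endpoints still sits behind an equivalent filter chain and that the interceptor exclusions (in particular the /token and API paths) survived the move.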


@ -1,60 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
<!-- Error page handler. -->
<mvc:view-controller path="/error" view-name="error" />
</beans>


@ -1,46 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<security:http pattern="/devicecodeMFA/**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
</beans>


@ -1,36 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- Empty: Override this file in your local project to change configuration options. -->
</beans>


@ -1,25 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
</beans>


@ -73,8 +73,6 @@
<prop key="saml.idp.defaultIdpEntityId"/> <prop key="saml.idp.defaultIdpEntityId"/>
<prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml --> <prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
<prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata --> <prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
<prop key="saml.proxy.spEntityId"/>
<prop key="saml.internalReferrers"/> <!-- comma separated list of URLs (which are matched as prefixes) -->
<prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop> <prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
<prop key="saml.acrs.enableComparison">false</prop> <prop key="saml.acrs.enableComparison">false</prop>
<prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</prop> <prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</prop>
@ -474,295 +472,6 @@
<property name="testSpAttr" value="testSp" /> <property name="testSpAttr" value="testSp" />
</bean> </bean>
<!-- authentication -->
<!--suppress SpringXmlModelInspection -->
<security:http auto-config="false"
use-expressions="true"
entry-point-ref="samlEntryPoint"
create-session="always"
authentication-manager-ref="authenticationManager">
<security:csrf disabled="true"/>
<security:intercept-url pattern="/saml/**" access="permitAll()"/>
<security:intercept-url pattern="/logout" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" access="permitAll()"/>
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>
<security:logout logout-url="/saml/logout"/>
</security:http>
<security:authentication-manager id="authenticationManager">
<security:authentication-provider ref="authenticationProvider"/>
</security:authentication-manager>
<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
<!-- SAML -->
<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
<constructor-arg name="oidcIssuer" value="${main.oidc.issuer.url}"/>
<constructor-arg name="idpEntityId" value="${saml.idp.defaultIdpEntityId}"/>
<constructor-arg name="proxySpEntityId" value="${saml.proxy.spEntityId}"/>
<constructor-arg name="internalReferrers" value="#{'${saml.internalReferrers}'.split('\s*,\s*')}"/>
<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
</bean>
<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="contextProvider" ref="samlContextProvider"/>
<property name="samlEntryPoint" ref="samlEntryPoint"/>
<property name="metadata" ref="metadata"/>
</bean>
<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
<property name="useForward" value="true"/>
</bean>
<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
</bean>
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="clearAuthentication" value="true"/>
<property name="invalidateHttpSession" value="true"/>
</bean>
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="handlers" ref="logoutHandler"/>
</bean>
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="localHandler" ref="logoutHandler"/>
<constructor-arg name="globalHandlers" ref="logoutHandler"/>
</bean>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg name="storeFile">
<bean class="org.springframework.core.io.FileSystemResource">
<constructor-arg name="path" value="${saml.keystore.location}"/>
</bean>
</constructor-arg>
<constructor-arg name="storePass" value="${saml.keystore.password}"/>
<constructor-arg name="passwords">
<map>
<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
</map>
</constructor-arg>
<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
</bean>
<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg name="generator">
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="includeDiscoveryExtension" value="false"/>
<property name="entityId" value="${saml.entityID}"/>
<property name="extendedMetadata" ref="extendedMetadata"/>
<property name="wantAssertionSigned" value="true"/>
<property name="requestSigned" value="true"/>
</bean>
</constructor-arg>
<property name="normalizeBaseUrl" value="true"/>
</bean>
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
<property name="refreshCheckInterval" value="3600000"/>
<property name="refreshRequired" value="true"/>
<constructor-arg name="providers">
<list>
<ref bean="idpMetadata"/>
</list>
</constructor-arg>
</bean>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg name="bindings">
<list>
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg name="parserPool" ref="parserPool"/>
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
<constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
<constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
</bean>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
</bean>
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg name="filterChains">
<list>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="metadataDisplayFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlWebSSOProcessingFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlDiscovery"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlEntryPoint"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
<constructor-arg name="requestMatchers">
<list>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
</bean>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/logout"/>
</bean>
</list>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutProcessingFilter"/>
</list>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
</bean>
<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
<property name="logMessagesOnException" value="true"/>
<property name="logErrors" value="true"/>
</bean>
<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
<property name="maxAuthenticationAge" value="360"/>
</bean>
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
</bean>
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- END SAML --> <!-- END SAML -->
<bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/> <bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/>
@ -778,7 +487,7 @@
<bean id="oidcTokenService" class="cz.muni.ics.oidc.server.PerunOIDCTokenService" primary="true"/> <bean id="oidcTokenService" class="cz.muni.ics.oidc.server.PerunOIDCTokenService" primary="true"/>
<bean id="callPerunFiltersFilter" class="cz.muni.ics.oidc.server.filters.CallPerunFiltersFilter"/> <bean id="authProcFilters" class="cz.muni.ics.oidc.server.filters.AuthProcFiltersContainer"/>
<bean id="htmlClasses" class="cz.muni.ics.oidc.web.WebHtmlClasses"> <bean id="htmlClasses" class="cz.muni.ics.oidc.web.WebHtmlClasses">
<constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/> <constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/>
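Review bot: Hunk 1 removes the `saml.proxy.spEntityId` and `saml.internalReferrers` keys from the property list, but the `clearSessionFilter` bean deleted in hunk 2 was the consumer of `${saml.proxy.spEntityId}` and `${saml.internalReferrers}` through its `proxySpEntityId` and `internalReferrers` constructor-args, and the relocated SAML chain still wires that bean (`<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>`). If the bean definition was moved to another file without dropping those two arguments, the placeholders now have no declared key and the context will fail at startup; if a default was added instead, the set of referrers the filter treats as internal changes silently, which presumably affects when a session is invalidated. Please confirm the moved definition matches the trimmed key list, and add a one-line comment next to the remaining `saml.*` keys naming the beans that consume them. The `authProcFilters` bean introduced in hunk 3 replaces `callPerunFiltersFilter` with no note on its role; `<!-- custom-filter placed before LAST in the SAML http chain -->` beside it would make the rename easier to follow.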


@ -37,7 +37,7 @@
</h1> </h1>
<form name="confirmationForm" <form name="confirmationForm"
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }authorize" method="post"> action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post">
<div class="row"> <div class="row">
<div class="span5 offset1 well-small" style="text-align: left"> <div class="span5 offset1 well-small" style="text-align: left">


@ -37,7 +37,7 @@
</h1> </h1>
<form name="confirmationForm" <form name="confirmationForm"
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approved" method="post"> action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
<div class="row"> <div class="row">
<div class="span5 offset1 well-small" style="text-align: left"> <div class="span5 offset1 well-small" style="text-align: left">


@ -39,7 +39,7 @@
</c:if> </c:if>
<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/code" method="POST"> <form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device" method="POST">
<div class="row-fluid"> <div class="row-fluid">
<div class="span12"> <div class="span12">


@ -30,7 +30,7 @@
<div id="content"> <div id="content">
<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" /> <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
<form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ? <form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ?
pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}authorize"> pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize">
<p> <p>
<c:if test="${not empty client.policyUri}"> <c:if test="${not empty client.policyUri}">
<spring:message code="consent_privacy_policy"/>${" "} <spring:message code="consent_privacy_policy"/>${" "}


@ -33,7 +33,7 @@
<div id="content"> <div id="content">
<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" /> <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
<form name="confirmationForm" <form name="confirmationForm"
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approved" method="post"> action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
<p> <p>
<c:if test="${not empty client.policyUri}"> <c:if test="${not empty client.policyUri}">
<spring:message code="device_approve_privacy"/>${" "}<a target='_blank' href='${fn:escapeXml(client.policyUri)}'><em>${fn:escapeXml(client.clientName)}</em></a> <spring:message code="device_approve_privacy"/>${" "}<a target='_blank' href='${fn:escapeXml(client.policyUri)}'><em>${fn:escapeXml(client.clientName)}</em></a>


@ -52,7 +52,7 @@
</c:choose> </c:choose>
<form name="confirmationForm" class="mt-2" method="POST" <form name="confirmationForm" class="mt-2" method="POST"
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/code"> action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device">
<div class="row-fluid"> <div class="row-fluid">
<div class="span12"> <div class="span12">
<div> <div>


@ -0,0 +1,634 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd">
<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.UserInfoInterceptor" />
<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.ServerConfigInterceptor" />
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"/>
</bean>
<!-- Enables the Spring MVC @Controller programming model -->
<tx:annotation-driven />
<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
<!-- MVC -->
<!-- Error page handler. -->
<mvc:view-controller path="/error" view-name="error" />
<mvc:annotation-driven ignore-default-model-on-redirect="true">
<mvc:message-converters>
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
</mvc:message-converters>
</mvc:annotation-driven>
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<ref bean="localeChangeInterceptor"/>
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_INIT_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
<mvc:exclude-mapping path="/saml**" />
<!-- Inject the UserInfo into the response -->
<ref bean="userInfoInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" />
<!-- Inject the server configuration into the response -->
<ref bean="serverConfigInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:default-servlet-handler />
<!-- SECURITY -->
<!-- SPEL processor -->
<security:global-method-security pre-post-annotations="enabled"
proxy-target-class="true"
authentication-manager-ref="authenticationManager">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<!-- Token endpoint -->
<security:http pattern="/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
use-expressions="true">
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
<security:intercept-url pattern="/token" access="isAuthenticated()" />
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Userinfo endpoint -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Introspection endpoint -->
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Revocation endpoint -->
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Device endpoint -->
<security:http pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- JWK endpoint -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**"
use-expressions="true"
entry-point-ref="http403EntryPoint"
create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Well-known -->
<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**"
use-expressions="true"
entry-point-ref="http403EntryPoint"
create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!--Static resources -->
<security:http pattern="/resources/**"
use-expressions="true"
entry-point-ref="http403EntryPoint"
create-session="stateless">
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- GUI -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http auto-config="false"
use-expressions="true"
entry-point-ref="samlEntryPoint"
create-session="always"
authentication-manager-ref="authenticationManager">
<security:csrf disabled="true"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oauth2.web.endpoint.AuthorizationEndpoint).ENDPOINT_INIT_URL}"
access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_INIT_URL}"
access="permitAll()"/>
<security:intercept-url pattern="/saml/**" access="permitAll()"/>
<security:intercept-url pattern="/logout" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"
access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"
access="permitAll()"/>
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="authProcFilters" before="LAST"/>
<security:logout logout-url="/saml/logout"/>
</security:http>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientUserDetailsService" />
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
</security:authentication-manager>
<security:authentication-manager id="clientAssertionAuthenticationManager">
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
</security:authentication-manager>
<security:authentication-manager id="authenticationManager">
<security:authentication-provider ref="authenticationProvider"/>
</security:authentication-manager>
<!-- Dynamic registration endpoint -->
<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
<!-- <security:intercept-url pattern="/register/**" access="permitAll"/>-->
<!-- <security:csrf disabled="true"/>-->
<!-- </security:http>-->
<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
<!-- <security:intercept-url pattern="/resource/**" access="permitAll"/>-->
<!-- <security:csrf disabled="true"/>-->
<!-- </security:http>-->
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="openidconnect" />
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
<constructor-arg name="filterProcessesUrls">
<set>
<value>/introspect</value>
<value>/revoke</value>
<value>/token</value>
</set>
</constructor-arg>
</bean>
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
</bean>
<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
</bean>
<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
<property name="order" value="2" />
</bean>
<!-- Resolve views based on string names -->
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
<property name="order" value="1" />
</bean>
<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
<!-- SAML -->
<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
</bean>
<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="contextProvider" ref="samlContextProvider"/>
<property name="samlEntryPoint" ref="samlEntryPoint"/>
<property name="metadata" ref="metadata"/>
</bean>
<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
<property name="useForward" value="true"/>
</bean>
<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
</bean>
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="clearAuthentication" value="true"/>
<property name="invalidateHttpSession" value="true"/>
</bean>
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="handlers" ref="logoutHandler"/>
</bean>
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="localHandler" ref="logoutHandler"/>
<constructor-arg name="globalHandlers" ref="logoutHandler"/>
</bean>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg name="storeFile">
<bean class="org.springframework.core.io.FileSystemResource">
<constructor-arg name="path" value="${saml.keystore.location}"/>
</bean>
</constructor-arg>
<constructor-arg name="storePass" value="${saml.keystore.password}"/>
<constructor-arg name="passwords">
<map>
<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
</map>
</constructor-arg>
<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
</bean>
<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg name="generator">
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="includeDiscoveryExtension" value="false"/>
<property name="entityId" value="${saml.entityID}"/>
<property name="extendedMetadata" ref="extendedMetadata"/>
<property name="wantAssertionSigned" value="true"/>
<property name="requestSigned" value="true"/>
</bean>
</constructor-arg>
<property name="normalizeBaseUrl" value="true"/>
</bean>
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
<property name="refreshCheckInterval" value="3600000"/>
<property name="refreshRequired" value="true"/>
<constructor-arg name="providers">
<list>
<ref bean="idpMetadata"/>
</list>
</constructor-arg>
</bean>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg name="bindings">
<list>
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg name="parserPool" ref="parserPool"/>
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
<constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
<constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
</bean>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
</bean>
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg name="filterChains">
<list>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="metadataDisplayFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlWebSSOProcessingFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlDiscovery"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlEntryPoint"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
<constructor-arg name="requestMatchers">
<list>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
</bean>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/logout"/>
</bean>
</list>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutProcessingFilter"/>
</list>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
</bean>
<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
<property name="logMessagesOnException" value="true"/>
<property name="logErrors" value="true"/>
</bean>
<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
<property name="maxAuthenticationAge" value="360"/>
</bean>
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
</bean>
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- END SAML -->
<!-- OAuth -->
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/auth/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
token-services-ref="defaultOAuth2ProviderTokenService"
stateless="false" />
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
</beans>


@ -28,18 +28,18 @@ import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService; import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.oauth2.model.PKCEAlgorithm; import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint; import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
import cz.muni.ics.oauth2.web.IntrospectionEndpoint; import cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint;
import cz.muni.ics.oauth2.web.RevocationEndpoint; import cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.model.UserInfo; import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService; import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint; import cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint;
import cz.muni.ics.openid.connect.web.EndSessionEndpoint; import cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint;
import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint; import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
import cz.muni.ics.openid.connect.web.UserInfoEndpoint; import cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;


@ -20,7 +20,7 @@ import cz.muni.ics.oauth2.exception.AuthorizationPendingException;
import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException; import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException;
import cz.muni.ics.oauth2.model.DeviceCode; import cz.muni.ics.oauth2.model.DeviceCode;
import cz.muni.ics.oauth2.service.DeviceCodeService; import cz.muni.ics.oauth2.service.DeviceCodeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint; import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
import java.util.Date; import java.util.Date;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.api;
import com.google.gson.Gson; import com.google.gson.Gson;
import cz.muni.ics.oauth2.model.SystemScope; import cz.muni.ics.oauth2.model.SystemScope;
@ -26,7 +26,7 @@ import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.RootController; import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.util.Set; import java.util.Set;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -50,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class ScopeAPI { public class ScopeAPI {
public static final String URL = RootController.API_URL + "/scopes"; public static final String URL = GuiController.API_URL + "/scopes";
@Autowired @Autowired
private SystemScopeService scopeService; private SystemScopeService scopeService;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.api;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity; import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
@ -27,7 +27,7 @@ import cz.muni.ics.openid.connect.service.OIDCTokenService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.RootController; import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
@ -53,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class TokenAPI { public class TokenAPI {
public static final String URL = RootController.API_URL + "/tokens"; public static final String URL = GuiController.API_URL + "/tokens";
@Autowired @Autowired
private OAuth2TokenEntityService tokenService; private OAuth2TokenEntityService tokenService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.controller;
import com.google.common.base.Joiner; import com.google.common.base.Joiner;
import com.google.common.base.Splitter; import com.google.common.base.Splitter;


@ -0,0 +1,25 @@
package cz.muni.ics.oauth2.web.endpoint;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.view.RedirectView;
@Controller
@Slf4j
public class AuthorizationEndpoint {
public static final String ENDPOINT_INIT_URL = "/authorize";
public static final String ENDPOINT_URL = "/auth/authorize";
@RequestMapping(value = ENDPOINT_INIT_URL)
public RedirectView authorize(HttpServletRequest req) {
String redirect = ENDPOINT_URL + '?' + req.getQueryString();
RedirectView view = new RedirectView(redirect);
view.setContextRelative(true);
log.debug("Authorization endpoint - {}: user is being redirected to to: {}", ENDPOINT_INIT_URL, redirect);
return view;
}
}
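Review bot: `req.getQueryString()` returns null when the request carries no query string, so the redirect built by `String redirect = ENDPOINT_URL + '?' + req.getQueryString();` becomes `/auth/authorize?null` rather than a bare `/auth/authorize`; the sibling `DeviceEndpoint.authorize` added in this same PR guards that case with `StringUtils.hasText`. Since this file does not import StringUtils, a self-contained fix is `String qs = req.getQueryString();` followed by `String redirect = ENDPOINT_URL + (qs == null || qs.isEmpty() ? "" : '?' + qs);`. The mapping has no method restriction, so a POSTed authorization request would be redirected with only its query string and any form-body parameters silently dropped; if only GET is intended, `@RequestMapping(value = ENDPOINT_INIT_URL, method = RequestMethod.GET)` makes that explicit. The debug message also reads "redirected to to".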


@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.endpoint;
import cz.muni.ics.oauth2.exception.DeviceCodeCreationException; import cz.muni.ics.oauth2.exception.DeviceCodeCreationException;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
@ -35,7 +35,6 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
@ -57,13 +56,14 @@ import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request; import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory; import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap; import org.springframework.ui.ModelMap;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping; import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.view.RedirectView;
/** /**
* Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow * Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow
@ -120,9 +120,10 @@ public class DeviceEndpoint {
// other // other
public static final String DEFAULT = "default"; public static final String DEFAULT = "default";
public static final String ENDPOINT_URL = "/devicecode"; public static final String ENDPOINT_URL = "/devicecode";
public static final String REQUEST_USER_CODE_URL = "/device/code"; public static final String REQUEST_USER_CODE_INIT_URL = "/device";
public static final String CHECK_USER_CODE_URL = "/device/checkcode"; public static final String REQUEST_USER_CODE_URL = "/auth/device";
public static final String DEVICE_APPROVED_URL = "/device/approved"; public static final String CHECK_USER_CODE_URL = "/auth/device/authorize";
public static final String DEVICE_APPROVED_URL = "/auth/device/approved";
private final ClientDetailsEntityService clientService; private final ClientDetailsEntityService clientService;
private final SystemScopeService scopeService; private final SystemScopeService scopeService;
@ -184,7 +185,7 @@ public class DeviceEndpoint {
if (StringUtils.hasText(acrValues)) { if (StringUtils.hasText(acrValues)) {
uriParams.put(ACR_VALUES, acrValues); uriParams.put(ACR_VALUES, acrValues);
} }
String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_URL; String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_INIT_URL;
response.put(VERIFICATION_URI, constructVerificationURI(uriBase, uriParams)); response.put(VERIFICATION_URI, constructVerificationURI(uriBase, uriParams));
if (perunOidcConfig.getConfigBean().isAllowCompleteDeviceCodeUri()) { if (perunOidcConfig.getConfigBean().isAllowCompleteDeviceCodeUri()) {
@ -210,6 +211,16 @@ public class DeviceEndpoint {
} }
} }
@RequestMapping(value = REQUEST_USER_CODE_INIT_URL)
public RedirectView authorize(HttpServletRequest req) {
String redirect = REQUEST_USER_CODE_URL
+ (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : "");
RedirectView view = new RedirectView(redirect);
view.setContextRelative(true);
log.debug("User device endpoint - {}: user is being redirected to to: {}", REQUEST_USER_CODE_INIT_URL, redirect);
return view;
}
@PreAuthorize("hasRole('ROLE_USER')") @PreAuthorize("hasRole('ROLE_USER')")
@GetMapping(value = REQUEST_USER_CODE_URL) @GetMapping(value = REQUEST_USER_CODE_URL)
public String requestUserCode(@RequestParam(value = USER_CODE, required = false) String userCode, public String requestUserCode(@RequestParam(value = USER_CODE, required = false) String userCode,
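Review bot: The debug line `log.debug("User device endpoint - {}: user is being redirected to to: {}", REQUEST_USER_CODE_INIT_URL, redirect);` writes the full forwarded query string to the log, and on this path that string can carry the device `user_code` (the GET handler below reads it as a request parameter, and the complete verification URI built above presumably includes it when allowCompleteDeviceCodeUri is on); logging only the fixed target, e.g. `log.debug("User device endpoint - {}: redirecting to {}", REQUEST_USER_CODE_INIT_URL, REQUEST_USER_CODE_URL);`, keeps user codes out of debug logs and also fixes the "to to" typo. The same redirect logic now exists in both this method and the new `AuthorizationEndpoint.authorize`, with only this copy guarding a null query string; a shared helper would keep the two consistent. The `requestUserCode` method that follows continues outside the hunk.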


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.endpoint;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableMap;
@ -26,6 +26,7 @@ import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler; import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService; import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.web.AuthenticationUtilities;
import cz.muni.ics.openid.connect.model.UserInfo; import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService; import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.endpoint;
import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope; import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.filter;
import java.io.IOException; import java.io.IOException;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;


@ -1,14 +1,6 @@
package cz.muni.ics.oidc.saml; package cz.muni.ics.oidc.saml;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
import static org.springframework.http.HttpHeaders.REFERER;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.ServletRequest; import javax.servlet.ServletRequest;
@ -20,45 +12,20 @@ import org.springframework.security.web.authentication.logout.SecurityContextLog
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher; import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.GenericFilterBean; import org.springframework.web.filter.GenericFilterBean;
@Slf4j @Slf4j
public class SamlInvalidateSessionFilter extends GenericFilterBean { public class SamlInvalidateSessionFilter extends GenericFilterBean {
private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN);
private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**");
private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN);
private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**");
private static final RequestMatcher MATCHER = new OrRequestMatcher( private static final RequestMatcher MATCHER = new OrRequestMatcher(
Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); new AntPathRequestMatcher("/authorize"),
new AntPathRequestMatcher("/device")
);
private final SecurityContextLogoutHandler contextLogoutHandler; private final SecurityContextLogoutHandler contextLogoutHandler;
private final List<String> internalReferrers = new ArrayList<>();
public SamlInvalidateSessionFilter(String idpEntityId, public SamlInvalidateSessionFilter(SecurityContextLogoutHandler contextLogoutHandler) {
String oidcIssuer,
String proxySpEntityId,
SecurityContextLogoutHandler contextLogoutHandler,
String[] internalReferrers)
{
if (StringUtils.hasText(idpEntityId)) {
this.internalReferrers.add(idpEntityId);
}
if (StringUtils.hasText(oidcIssuer)) {
this.internalReferrers.add(oidcIssuer);
}
if (StringUtils.hasText(proxySpEntityId)) {
this.internalReferrers.add(proxySpEntityId);
}
this.contextLogoutHandler = contextLogoutHandler; this.contextLogoutHandler = contextLogoutHandler;
if (internalReferrers != null && internalReferrers.length > 0) {
List<String> referrers = Arrays.asList(internalReferrers);
referrers = referrers.stream().filter(StringUtils::hasText).collect(Collectors.toList());
if (!referrers.isEmpty()) {
this.internalReferrers.addAll(referrers);
}
}
} }
@Override @Override
@ -68,25 +35,10 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean {
HttpServletRequest req = (HttpServletRequest) request; HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response; HttpServletResponse res = (HttpServletResponse) response;
if (MATCHER.matches(req)) { if (MATCHER.matches(req)) {
String referer = req.getHeader(REFERER); log.debug("Invalidate session to enable SAML IdP re-authentication");
if (!isInternalReferer(referer)) {
log.debug("Got external referer, clear session to reauthenticate");
contextLogoutHandler.logout(req, res, null); contextLogoutHandler.logout(req, res, null);
} }
}
chain.doFilter(req, res); chain.doFilter(req, res);
} }
private boolean isInternalReferer(String referer) {
if (!StringUtils.hasText(referer)) {
return false;
}
for (String internal : internalReferrers) {
if (referer.startsWith(internal)) {
return true;
}
}
return false;
}
} }


@ -1,20 +1,14 @@
package cz.muni.ics.oidc.server.filters; package cz.muni.ics.oidc.server.filters;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN;
import java.io.IOException; import java.io.IOException;
import java.security.Principal;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
/** /**
* Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this. * Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this.
@ -39,7 +33,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public abstract class PerunRequestFilter { public abstract class AuthProcFilter {
private static final String DELIMITER = ","; private static final String DELIMITER = ",";
private static final String CLIENT_IDS = "clientIds"; private static final String CLIENT_IDS = "clientIds";
@ -49,7 +43,7 @@ public abstract class PerunRequestFilter {
private Set<String> clientIds = new HashSet<>(); private Set<String> clientIds = new HashSet<>();
private Set<String> subs = new HashSet<>(); private Set<String> subs = new HashSet<>();
public PerunRequestFilter(PerunRequestFilterParams params) { public AuthProcFilter(AuthProcFilterParams params) {
filterName = params.getFilterName(); filterName = params.getFilterName();
if (params.hasProperty(CLIENT_IDS)) { if (params.hasProperty(CLIENT_IDS)) {
@ -65,6 +59,8 @@ public abstract class PerunRequestFilter {
log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds); log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds);
} }
protected abstract String getSessionAppliedParamName();
/** /**
* In this method is done whole logic of filer * In this method is done whole logic of filer
* *
@ -73,31 +69,51 @@ public abstract class PerunRequestFilter {
* @return boolean if filter was successfully done * @return boolean if filter was successfully done
* @throws IOException this exception could be thrown because of failed or interrupted I/O operation * @throws IOException this exception could be thrown because of failed or interrupted I/O operation
*/ */
protected abstract boolean process(ServletRequest request, ServletResponse response, FilterParams params) protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params)
throws IOException; throws IOException;
public boolean doFilter(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
HttpServletRequest request = (HttpServletRequest) req; if (!skip(req)) {
if (!skip(request)) {
log.trace("{} - executing filter", filterName); log.trace("{} - executing filter", filterName);
return this.process(req, res, params); return process(req, res, params);
} else { } else {
return true; return true;
} }
} }
private boolean skip(HttpServletRequest request) { private boolean skip(HttpServletRequest request) {
String sub = (request.getUserPrincipal() != null) ? request.getUserPrincipal().getName() : null; if (hasBeenApplied(request.getSession(true))) {
String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID); return true;
}
log.debug("{} - marking filter as applied", filterName);
request.getSession(true).setAttribute(getSessionAppliedParamName(), true);
return skipForSub(request.getUserPrincipal())
|| skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
}
private boolean hasBeenApplied(HttpSession sess) {
String sessionParamName = getSessionAppliedParamName();
if (sess.getAttribute(sessionParamName) != null) {
log.debug("{} - skip filter execution: filter has been already applied", filterName);
return true;
}
return false;
}
private boolean skipForSub(Principal p) {
String sub = (p != null) ? p.getName() : null;
if (sub != null && subs.contains(sub)) { if (sub != null && subs.contains(sub)) {
log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub); log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub);
return true; return true;
} else if (clientId != null && clientIds.contains(clientId)){ }
return false;
}
private boolean skipForClientId(String clientId) {
if (clientId != null && clientIds.contains(clientId)){
log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId); log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId);
return true; return true;
} }
return false; return false;
} }


@ -8,7 +8,7 @@ import java.util.Properties;
* *
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
public class PerunRequestFilterParams { public class AuthProcFilterParams {
private final String filterName; private final String filterName;
@ -16,7 +16,7 @@ public class PerunRequestFilterParams {
private final Properties properties; private final Properties properties;
private final BeanUtil beanUtil; private final BeanUtil beanUtil;
public PerunRequestFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) { public AuthProcFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) {
this.filterName = filterName; this.filterName = filterName;
this.propertyPrefix = propertyPrefix; this.propertyPrefix = propertyPrefix;
this.properties = properties; this.properties = properties;


@ -1,7 +1,7 @@
package cz.muni.ics.oidc.server.filters; package cz.muni.ics.oidc.server.filters;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService; import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
@ -20,6 +20,7 @@ import javax.servlet.ServletException;
import javax.servlet.ServletRequest; import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory; import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
@ -36,12 +37,12 @@ import org.springframework.web.filter.GenericFilterBean;
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public class CallPerunFiltersFilter extends GenericFilterBean { public class AuthProcFiltersContainer extends GenericFilterBean {
private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN); private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN);
private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**"); private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**");
private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN); private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN);
private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN + "/**"); private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**");
private static final RequestMatcher MATCHER = new OrRequestMatcher( private static final RequestMatcher MATCHER = new OrRequestMatcher(
Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER));
@ -63,24 +64,25 @@ public class CallPerunFiltersFilter extends GenericFilterBean {
@Autowired @Autowired
private SamlProperties samlProperties; private SamlProperties samlProperties;
private PerunFiltersContext perunFiltersContext; private AuthProcFiltersContext perunFiltersContext;
@PostConstruct @PostConstruct
public void postConstruct() { public void postConstruct() {
this.perunFiltersContext = new PerunFiltersContext(coreProperties, beanUtil); this.perunFiltersContext = new AuthProcFiltersContext(coreProperties, beanUtil);
} }
@Override @Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException throws IOException, ServletException
{ {
HttpServletRequest request = (HttpServletRequest) servletRequest; HttpServletRequest req = (HttpServletRequest) servletRequest;
if (!MATCHER.matches(request)) { HttpServletResponse res = (HttpServletResponse) servletResponse;
log.debug("Custom filters have been skipped, did not match '/authorize' nor '/device/code' request"); if (!MATCHER.matches(req)) {
log.debug("AuthProc filters have been skipped, did not match authorization nor device req URL");
} else { } else {
List<PerunRequestFilter> filters = perunFiltersContext.getFilters(); List<AuthProcFilter> filters = perunFiltersContext.getFilters();
if (filters != null && !filters.isEmpty()) { if (filters != null && !filters.isEmpty()) {
ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(request, authRequestFactory, ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory,
clientDetailsEntityService); clientDetailsEntityService);
Facility facility = null; Facility facility = null;
if (client != null && StringUtils.hasText(client.getClientId())) { if (client != null && StringUtils.hasText(client.getClientId())) {
@ -88,20 +90,20 @@ public class CallPerunFiltersFilter extends GenericFilterBean {
facility = perunAdapter.getFacilityByClientId(client.getClientId()); facility = perunAdapter.getFacilityByClientId(client.getClientId());
} catch (Exception e) { } catch (Exception e) {
log.warn("{} - could not fetch facility for client_id '{}'", log.warn("{} - could not fetch facility for client_id '{}'",
CallPerunFiltersFilter.class.getSimpleName(), client.getClientId(), e); AuthProcFiltersContainer.class.getSimpleName(), client.getClientId(), e);
} }
} }
PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter,
samlProperties.getUserIdentifierAttribute()); samlProperties.getUserIdentifierAttribute());
FilterParams params = new FilterParams(client, facility, user); FilterParams params = new FilterParams(client, facility, user);
for (PerunRequestFilter filter : filters) { for (AuthProcFilter filter : filters) {
if (!filter.doFilter(servletRequest, servletResponse, params)) { if (!filter.doFilter(req, res, params)) {
return; return;
} }
} }
} }
} }
filterChain.doFilter(servletRequest, servletResponse); filterChain.doFilter(req, res);
} }
} }
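Review bot: The reworded debug message in `doFilter` still does not say which request was skipped, which makes it hard to tell from logs whether a path that should be protected by the auth-proc filters (after the `/auth/...` pattern change in PerunFilterConstants) is actually matched; `log.debug("AuthProc filters have been skipped, '{}' did not match authorization nor device req URL", req.getRequestURI());` gives operators that evidence at no cost. The surrounding `catch (Exception e)` around `getFacilityByClientId` predates this commit and is not re-raised here.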


@ -16,22 +16,22 @@ import org.springframework.util.StringUtils;
* Filters are configured from configuration file in following way: * Filters are configured from configuration file in following way:
* filter.names=filterName1,filterName2,... * filter.names=filterName1,filterName2,...
* *
* @see PerunRequestFilter for configuration of filter * @see AuthProcFilter for configuration of filter
* *
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public class PerunFiltersContext { public class AuthProcFiltersContext {
private static final String FILTER_NAMES = "filter.names"; private static final String FILTER_NAMES = "filter.names";
private static final String FILTER_CLASS = ".class"; private static final String FILTER_CLASS = ".class";
private static final String PREFIX = "filter."; private static final String PREFIX = "filter.";
private final List<PerunRequestFilter> filters; private final List<AuthProcFilter> filters;
private final Properties properties; private final Properties properties;
private final BeanUtil beanUtil; private final BeanUtil beanUtil;
public PerunFiltersContext(Properties properties, BeanUtil beanUtil) { public AuthProcFiltersContext(Properties properties, BeanUtil beanUtil) {
this.properties = properties; this.properties = properties;
this.beanUtil = beanUtil; this.beanUtil = beanUtil;
this.filters = new LinkedList<>(); this.filters = new LinkedList<>();
@ -41,18 +41,18 @@ public class PerunFiltersContext {
log.debug("--------------------------------"); log.debug("--------------------------------");
for (String filterName: filterNames.split(",")) { for (String filterName: filterNames.split(",")) {
PerunRequestFilter requestFilter = loadFilter(filterName); AuthProcFilter requestFilter = loadFilter(filterName);
filters.add(requestFilter); filters.add(requestFilter);
log.debug("--------------------------------"); log.debug("--------------------------------");
} }
} }
public List<PerunRequestFilter> getFilters() { public List<AuthProcFilter> getFilters() {
return filters; return filters;
} }
private PerunRequestFilter loadFilter(String filterName) { private AuthProcFilter loadFilter(String filterName) {
String propPrefix = PerunFiltersContext.PREFIX + filterName; String propPrefix = AuthProcFiltersContext.PREFIX + filterName;
String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null); String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null);
if (!StringUtils.hasText(filterClass)) { if (!StringUtils.hasText(filterClass)) {
log.warn("{} - failed to initialized filter: no class has ben configured", filterName); log.warn("{} - failed to initialized filter: no class has ben configured", filterName);
@ -62,15 +62,15 @@ public class PerunFiltersContext {
try { try {
Class<?> rawClazz = Class.forName(filterClass); Class<?> rawClazz = Class.forName(filterClass);
if (!PerunRequestFilter.class.isAssignableFrom(rawClazz)) { if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) {
log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter", log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter",
filterName, filterClass); filterName, filterClass);
return null; return null;
} }
@SuppressWarnings("unchecked") Class<PerunRequestFilter> clazz = (Class<PerunRequestFilter>) rawClazz; @SuppressWarnings("unchecked") Class<AuthProcFilter> clazz = (Class<AuthProcFilter>) rawClazz;
Constructor<PerunRequestFilter> constructor = clazz.getConstructor(PerunRequestFilterParams.class); Constructor<AuthProcFilter> constructor = clazz.getConstructor(AuthProcFilterParams.class);
PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil); AuthProcFilterParams params = new AuthProcFilterParams(filterName, propPrefix, properties, beanUtil);
return constructor.newInstance(params); return constructor.newInstance(params);
} catch (ClassNotFoundException e) { } catch (ClassNotFoundException e) {
log.warn("{} - failed to initialize filter: class '{}' was not found", filterName, filterClass); log.warn("{} - failed to initialize filter: class '{}' was not found", filterName, filterClass);


@ -1,6 +1,6 @@
package cz.muni.ics.oidc.server.filters; package cz.muni.ics.oidc.server.filters;
import static cz.muni.ics.oauth2.web.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE; import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
@ -278,7 +278,7 @@ public class FiltersUtils {
public static String fillStringMandatoryProperty(String propertyName, public static String fillStringMandatoryProperty(String propertyName,
String filterName, String filterName,
PerunRequestFilterParams params) { AuthProcFilterParams params) {
String filled = params.getProperty(propertyName); String filled = params.getProperty(propertyName);
if (!StringUtils.hasText(filled)) { if (!StringUtils.hasText(filled)) {


@ -11,9 +11,8 @@ import java.util.Map;
*/ */
public class PerunFilterConstants { public class PerunFilterConstants {
public static final String AUTHORIZE_REQ_PATTERN = "/authorize"; public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize";
public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code"; public static final String DEVICE_APPROVE_REQ_PATTERN = "/auth/device/authorize";
public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode";
public static final String PARAM_CLIENT_ID = "client_id"; public static final String PARAM_CLIENT_ID = "client_id";
public static final String PARAM_SCOPE = "scope"; public static final String PARAM_SCOPE = "scope";
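Review bot: The new values bake an `/auth` prefix into AUTHORIZE_REQ_PATTERN and DEVICE_APPROVE_REQ_PATTERN, which AuthProcFiltersContainer feeds to AntPathRequestMatcher; if that prefix is a servlet mapping rather than part of the handler path, the matcher compares against the servlet-relative path and these patterns would no longer match (not verifiable from this hunk). Meanwhile the rewritten SamlInvalidateSessionFilter earlier in this commit stops using these constants and hard-codes `"/authorize"` and `"/device"` without the prefix, so the two filters now guard different paths; keeping the literal in one place would prevent the drift. A one-line Javadoc on each constant would make the assumption explicit, e.g. `/** Request path, relative to the context root and including any servlet prefix, on which the auth-proc filters run. */`.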


@ -9,12 +9,10 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
import java.util.Map; import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -31,14 +29,16 @@ import lombok.extern.slf4j.Slf4j;
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public class PerunAuthorizationFilter extends PerunRequestFilter { public class PerunAuthorizationFilter extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName();
private final PerunAdapter perunAdapter; private final PerunAdapter perunAdapter;
private final FacilityAttrsConfig facilityAttrsConfig; private final FacilityAttrsConfig facilityAttrsConfig;
private final String filterName; private final String filterName;
private final PerunOidcConfig config; private final PerunOidcConfig config;
public PerunAuthorizationFilter(PerunRequestFilterParams params) { public PerunAuthorizationFilter(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
this.perunAdapter = beanUtil.getBean(PerunAdapter.class); this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
@ -48,10 +48,12 @@ public class PerunAuthorizationFilter extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { protected String getSessionAppliedParamName() {
HttpServletRequest request = (HttpServletRequest) req; return APPLIED;
HttpServletResponse response = (HttpServletResponse) res; }
@Override
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
Facility facility = params.getFacility(); Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) { if (facility == null || facility.getId() == null) {
log.debug("{} - skip filter execution: no facility provided", filterName); log.debug("{} - skip filter execution: no facility provided", filterName);
@ -64,7 +66,7 @@ public class PerunAuthorizationFilter extends PerunRequestFilter {
return true; return true;
} }
return this.decideAccess(facility, user, request, response, params.getClientIdentifier(), return this.decideAccess(facility, user, req, res, params.getClientIdentifier(),
perunAdapter, facilityAttrsConfig); perunAdapter, facilityAttrsConfig);
} }


@ -7,20 +7,15 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.ControllerUtils;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
import cz.muni.ics.oidc.web.controllers.RegistrationController; import cz.muni.ics.oidc.web.controllers.RegistrationController;
import java.io.IOException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import javax.servlet.http.HttpServletRequest;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.http.HttpHeaders; import org.apache.http.HttpHeaders;
@ -39,7 +34,9 @@ import org.springframework.util.StringUtils;
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public class PerunEnsureVoMember extends PerunRequestFilter { public class PerunEnsureVoMember extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName();
private static final String TRIGGER_ATTR = "triggerAttr"; private static final String TRIGGER_ATTR = "triggerAttr";
private static final String VO_DEFS_ATTR = "voDefsAttr"; private static final String VO_DEFS_ATTR = "voDefsAttr";
@ -52,7 +49,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
private final String filterName; private final String filterName;
private final PerunOidcConfig perunOidcConfig; private final PerunOidcConfig perunOidcConfig;
public PerunEnsureVoMember(PerunRequestFilterParams params) { public PerunEnsureVoMember(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
@ -68,9 +65,12 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { protected String getSessionAppliedParamName() {
HttpServletResponse response = (HttpServletResponse) res; return APPLIED;
}
@Override
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
Facility facility = params.getFacility(); Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) { if (facility == null || facility.getId() == null) {
log.debug("{} - skip execution: no facility provided", filterName); log.debug("{} - skip execution: no facility provided", filterName);
@ -100,7 +100,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
log.debug("{} - user allowed to continue", filterName); log.debug("{} - user allowed to continue", filterName);
return true; return true;
} else { } else {
redirect(response, getLoginUrl(facility.getId()), voShortName); redirect(res, getLoginUrl(facility.getId()), voShortName);
return false; return false;
} }
} }
@ -133,17 +133,6 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
return attrValue; return attrValue;
} }
private boolean canAccess(PerunAttributeValue attrValue, Set<String> memberShortNames) {
if (attrValue.valueAsJson().isArray()) {
Set<String> val = attrValue.valueAsList() == null ?
Collections.emptySet() : new HashSet<>(attrValue.valueAsList());
return !Collections.disjoint(val, memberShortNames);
} else {
String val = attrValue.valueAsString();
return memberShortNames.contains(val);
}
}
@Override @Override
public String toString() { public String toString() {
return "PerunEnsureVoMember{" + return "PerunEnsureVoMember{" +


@ -14,8 +14,8 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import cz.muni.ics.oidc.web.controllers.AupController; import cz.muni.ics.oidc.web.controllers.AupController;
import java.io.IOException; import java.io.IOException;
import java.text.ParseException; import java.text.ParseException;
@ -27,8 +27,6 @@ import java.util.HashMap;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -52,7 +50,9 @@ import org.springframework.util.StringUtils;
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public class PerunForceAupFilter extends PerunRequestFilter { public class PerunForceAupFilter extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName();
private static final String DATE_FORMAT = "yyyy-MM-dd"; private static final String DATE_FORMAT = "yyyy-MM-dd";
@ -77,7 +77,7 @@ public class PerunForceAupFilter extends PerunRequestFilter {
private final SamlProperties samlProperties; private final SamlProperties samlProperties;
private final String filterName; private final String filterName;
public PerunForceAupFilter(PerunRequestFilterParams params) { public PerunForceAupFilter(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
this.perunAdapter = beanUtil.getBean(PerunAdapter.class); this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
@ -93,18 +93,20 @@ public class PerunForceAupFilter extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { protected String getSessionAppliedParamName() {
HttpServletRequest request = (HttpServletRequest) req; return APPLIED;
HttpServletResponse response = (HttpServletResponse) res; }
if (request.getSession() != null && request.getSession().getAttribute(APPROVED) != null) { @Override
request.getSession().removeAttribute(APPROVED); protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) {
req.getSession().removeAttribute(APPROVED);
log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" + log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" +
" to a delayed propagation to LDAP", filterName); " to a delayed propagation to LDAP", filterName);
return true; return true;
} }
PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, samlProperties.getUserIdentifierAttribute()); PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute());
if (user == null || user.getId() == null) { if (user == null || user.getId() == null) {
log.debug("{} - skip filter execution: no user provider", filterName); log.debug("{} - skip filter execution: no user provider", filterName);
return true; return true;
@ -147,13 +149,13 @@ public class PerunForceAupFilter extends PerunRequestFilter {
log.trace("{} - AUPS to be approved: '{}'", filterName, newAups); log.trace("{} - AUPS to be approved: '{}'", filterName, newAups);
String newAupsString = mapper.writeValueAsString(newAups); String newAupsString = mapper.writeValueAsString(newAups);
request.getSession().setAttribute(AupController.RETURN_URL, request.getRequestURI() req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI()
.replace(request.getContextPath(), "") + '?' + request.getQueryString()); .replace(req.getContextPath(), "") + '?' + req.getQueryString());
request.getSession().setAttribute(AupController.NEW_AUPS, newAupsString); req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
request.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName); req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user); log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user);
response.sendRedirect(request.getContextPath() + '/' + AupController.URL); res.sendRedirect(req.getContextPath() + '/' + AupController.URL);
return false; return false;
} }


@ -14,9 +14,8 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunFilterConstants; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.ControllerUtils;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
import java.time.LocalDateTime; import java.time.LocalDateTime;
@ -25,8 +24,6 @@ import java.time.format.DateTimeParseException;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -46,7 +43,9 @@ import org.apache.http.HttpHeaders;
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz> * @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
*/ */
@Slf4j @Slf4j
public class PerunIsCesnetEligibleFilter extends PerunRequestFilter { public class PerunIsCesnetEligibleFilter extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName();
/* CONFIGURATION PROPERTIES */ /* CONFIGURATION PROPERTIES */
private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr"; private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr";
@ -63,7 +62,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
private final PerunAdapter perunAdapter; private final PerunAdapter perunAdapter;
private final String filterName; private final String filterName;
public PerunIsCesnetEligibleFilter(PerunRequestFilterParams params) { public PerunIsCesnetEligibleFilter(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
this.config = beanUtil.getBean(PerunOidcConfig.class); this.config = beanUtil.getBean(PerunOidcConfig.class);
@ -84,11 +83,13 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { protected String getSessionAppliedParamName() {
HttpServletRequest request = (HttpServletRequest) req; return APPLIED;
HttpServletResponse response = (HttpServletResponse) res; }
if (!FiltersUtils.isScopePresent(request.getParameter(PARAM_SCOPE), triggerScope)) { @Override
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) {
log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope); log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope);
return true; return true;
} }
@ -124,7 +125,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
} }
log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue); log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue);
this.redirect(request, response, reason); this.redirect(req, res, reason);
return false; return false;
} }
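Review bot: The new public `APPLIED` constant and the `getSessionAppliedParamName()` override (the `@ -46,7 +43,9` and `@ -84,11 +83,13` hunks) carry no documentation, although the constant's name and the override suggest it is the session attribute key by which the base class decides that this filter has already run for the current session. A Javadoc on the constant would make that contract explicit, e.g. `/** Session attribute key under which the base filter records that this filter has already been applied; once present, the check is presumably not re-evaluated for the rest of the session (see AuthProcFilter#getSessionAppliedParamName). */`, and since this filter's decision rests on a user attribute that can change, it is worth stating there that a later change is not seen until a new session. The same undocumented pair is added to PerunForceAupFilter, PerunIsTestSpFilter, ProxyStatisticsFilter and ValidUserFilter in this commit. AuthProcFilter itself is outside this view, so the exact skip semantics should be confirmed there before the comment is finalised.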


@ -10,16 +10,13 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunFilterConstants; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
import cz.muni.ics.oidc.web.controllers.ControllerUtils; import cz.muni.ics.oidc.web.controllers.ControllerUtils;
import cz.muni.ics.oidc.web.controllers.IsTestSpController; import cz.muni.ics.oidc.web.controllers.IsTestSpController;
import java.io.IOException; import java.io.IOException;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -37,7 +34,9 @@ import org.apache.http.HttpHeaders;
* @author Pavol Pluta <500348@mail.muni.cz> * @author Pavol Pluta <500348@mail.muni.cz>
*/ */
@Slf4j @Slf4j
public class PerunIsTestSpFilter extends PerunRequestFilter { public class PerunIsTestSpFilter extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName();
private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr"; private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr";
@ -46,7 +45,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
private final String filterName; private final String filterName;
private final PerunOidcConfig config; private final PerunOidcConfig config;
public PerunIsTestSpFilter(PerunRequestFilterParams params) { public PerunIsTestSpFilter(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
this.perunAdapter = beanUtil.getBean(PerunAdapter.class); this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
@ -56,14 +55,17 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException { protected String getSessionAppliedParamName() {
HttpServletRequest request = (HttpServletRequest) req; return APPLIED;
HttpServletResponse response = (HttpServletResponse) res; }
@Override
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
Facility facility = params.getFacility(); Facility facility = params.getFacility();
if (facility == null || facility.getId() == null) { if (facility == null || facility.getId() == null) {
log.debug("{} - skip execution: no facility provided", filterName); log.debug("{} - skip execution: no facility provided", filterName);
return true; return true;
} else if (testSpWarningApproved(request)){ } else if (testSpWarningApproved(req)){
log.debug("{} - skip execution: warning already approved", filterName); log.debug("{} - skip execution: warning already approved", filterName);
return true; return true;
} }
@ -74,7 +76,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
return true; return true;
} else if (attrValue.valueAsBoolean()) { } else if (attrValue.valueAsBoolean()) {
log.debug("{} - redirecting user to test SP warning page", filterName); log.debug("{} - redirecting user to test SP warning page", filterName);
this.redirect(request, response); this.redirect(req, res);
return false; return false;
} }
log.debug("{} - service is not testing, let user access it", filterName); log.debug("{} - service is not testing, let user access it", filterName);


@ -8,8 +8,8 @@ import cz.muni.ics.oidc.BeanUtil;
import cz.muni.ics.oidc.saml.SamlProperties; import cz.muni.ics.oidc.saml.SamlProperties;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import java.sql.Connection; import java.sql.Connection;
import java.sql.Date; import java.sql.Date;
import java.sql.PreparedStatement; import java.sql.PreparedStatement;
@ -17,10 +17,8 @@ import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.time.LocalDate; import java.time.LocalDate;
import java.util.Objects; import java.util.Objects;
import java.util.Properties;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource; import javax.sql.DataSource;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.security.saml.SAMLCredential; import org.springframework.security.saml.SAMLCredential;
@ -51,7 +49,9 @@ import org.springframework.util.StringUtils;
*/ */
@SuppressWarnings("SqlResolve") @SuppressWarnings("SqlResolve")
@Slf4j @Slf4j
public class ProxyStatisticsFilter extends PerunRequestFilter { public class ProxyStatisticsFilter extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName();
/* CONFIGURATION OPTIONS */ /* CONFIGURATION OPTIONS */
private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName"; private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName";
@ -77,7 +77,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
private final String filterName; private final String filterName;
private final SamlProperties samlProperties; private final SamlProperties samlProperties;
public ProxyStatisticsFilter(PerunRequestFilterParams params) { public ProxyStatisticsFilter(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
this.mitreIdStats = beanUtil.getBean("mitreIdStats", DataSource.class); this.mitreIdStats = beanUtil.getBean("mitreIdStats", DataSource.class);
@ -97,9 +97,12 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { protected String getSessionAppliedParamName() {
HttpServletRequest request = (HttpServletRequest) req; return APPLIED;
}
@Override
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
ClientDetailsEntity client = params.getClient(); ClientDetailsEntity client = params.getClient();
if (client == null) { if (client == null) {
log.warn("{} - skip execution: no client provided", filterName); log.warn("{} - skip execution: no client provided", filterName);
@ -112,7 +115,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
return true; return true;
} }
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(request); SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req);
if (samlCredential == null) { if (samlCredential == null) {
log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier", log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier",
filterName); filterName);


@ -9,14 +9,12 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig; import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
import cz.muni.ics.oidc.server.filters.FilterParams; import cz.muni.ics.oidc.server.filters.FilterParams;
import cz.muni.ics.oidc.server.filters.FiltersUtils; import cz.muni.ics.oidc.server.filters.FiltersUtils;
import cz.muni.ics.oidc.server.filters.PerunRequestFilter; import cz.muni.ics.oidc.server.filters.AuthProcFilter;
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams; import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController; import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
import java.util.HashSet; import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -46,7 +44,9 @@ import org.springframework.util.StringUtils;
*/ */
@SuppressWarnings("SqlResolve") @SuppressWarnings("SqlResolve")
@Slf4j @Slf4j
public class ValidUserFilter extends PerunRequestFilter { public class ValidUserFilter extends AuthProcFilter {
public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName();
/* CONFIGURATION OPTIONS */ /* CONFIGURATION OPTIONS */
private static final String ALL_ENV_GROUPS = "allEnvGroups"; private static final String ALL_ENV_GROUPS = "allEnvGroups";
@ -69,7 +69,7 @@ public class ValidUserFilter extends PerunRequestFilter {
private final String filterName; private final String filterName;
private final PerunOidcConfig config; private final PerunOidcConfig config;
public ValidUserFilter(PerunRequestFilterParams params) { public ValidUserFilter(AuthProcFilterParams params) {
super(params); super(params);
BeanUtil beanUtil = params.getBeanUtil(); BeanUtil beanUtil = params.getBeanUtil();
this.perunAdapter = beanUtil.getBean(PerunAdapter.class); this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
@ -86,10 +86,12 @@ public class ValidUserFilter extends PerunRequestFilter {
} }
@Override @Override
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) { protected String getSessionAppliedParamName() {
HttpServletRequest request = (HttpServletRequest) req; return APPLIED;
HttpServletResponse response = (HttpServletResponse) res; }
@Override
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
Set<Long> additionalVos = new HashSet<>(); Set<Long> additionalVos = new HashSet<>();
Set<Long> additionalGroups = new HashSet<>(); Set<Long> additionalGroups = new HashSet<>();
@ -106,7 +108,7 @@ public class ValidUserFilter extends PerunRequestFilter {
return true; return true;
} }
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, allEnvVos, allEnvGroups, if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups,
PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) { PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) {
return false; return false;
} }
@ -121,7 +123,7 @@ public class ValidUserFilter extends PerunRequestFilter {
additionalVos.addAll(testEnvVos); additionalVos.addAll(testEnvVos);
additionalGroups.addAll(testEnvGroups); additionalGroups.addAll(testEnvGroups);
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos, if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) { additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) {
return false; return false;
} }
@ -129,7 +131,7 @@ public class ValidUserFilter extends PerunRequestFilter {
additionalVos.addAll(prodEnvVos); additionalVos.addAll(prodEnvVos);
additionalGroups.addAll(prodEnvGroups); additionalGroups.addAll(prodEnvGroups);
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos, if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) { additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) {
return false; return false;
} }
@ -139,7 +141,7 @@ public class ValidUserFilter extends PerunRequestFilter {
return true; return true;
} }
private Set<Long> getIdsFromParam(PerunRequestFilterParams params, String propKey) { private Set<Long> getIdsFromParam(AuthProcFilterParams params, String propKey) {
Set<Long> result = new HashSet<>(); Set<Long> result = new HashSet<>();
String prop = params.getProperty(propKey); String prop = params.getProperty(propKey);


@ -16,7 +16,7 @@ import cz.muni.ics.oidc.server.claims.ClaimSource;
import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext; import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext; import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
import cz.muni.ics.oidc.server.connectors.Affiliation; import cz.muni.ics.oidc.server.connectors.Affiliation;
import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint; import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;


@ -1,7 +1,7 @@
package cz.muni.ics.oidc.web.controllers; package cz.muni.ics.oidc.web.controllers;
import static cz.muni.ics.oauth2.web.OAuthConfirmationController.CLAIMS; import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.CLAIMS;
import static cz.muni.ics.oauth2.web.OAuthConfirmationController.SCOPES; import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.SCOPES;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.Sets; import com.google.common.collect.Sets;
@ -29,7 +29,6 @@ import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import cz.muni.ics.openid.connect.service.ScopeClaimTranslationService;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.http.NameValuePair; import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder; import org.apache.http.client.utils.URIBuilder;


@ -78,7 +78,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
@Autowired(required = false) @Autowired(required = false)
private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP(); private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP();
private RequestMatcher requestMatcher = new AntPathRequestMatcher("/authorize"); private RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/authorize");
/** /**
* *
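Review bot: Narrowing the matcher to `/auth/authorize` means a request that still arrives on the old `/authorize` path no longer passes through this filter, so its checks are silently skipped there; the diff does not show whether the old mapping was removed or redirected in the same change. That should be confirmed against the authorization endpoint's request mapping, and if `/authorize` stays reachable for compatibility the matcher should cover both, e.g. `private RequestMatcher requestMatcher = new OrRequestMatcher(new AntPathRequestMatcher("/auth/authorize"), new AntPathRequestMatcher("/authorize"));` (with the matching import). A short comment would also guard the next URL move: `// must match the authorization endpoint's mapping; requests on any other path bypass this filter`. The enclosing class continues outside the hunk.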


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import cz.muni.ics.openid.connect.model.ApprovedSite; import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.openid.connect.service.ApprovedSiteService; import cz.muni.ics.openid.connect.service.ApprovedSiteService;
@ -26,6 +26,7 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonApprovedSiteView; import cz.muni.ics.openid.connect.view.JsonApprovedSiteView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -49,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class ApprovedSiteAPI { public class ApprovedSiteAPI {
public static final String URL = RootController.API_URL + "/approved"; public static final String URL = GuiController.API_URL + "/approved";
@Autowired @Autowired
private ApprovedSiteService approvedSiteService; private ApprovedSiteService approvedSiteService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import com.google.gson.Gson; import com.google.gson.Gson;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.BlacklistedSiteService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class BlacklistAPI { public class BlacklistAPI {
public static final String URL = RootController.API_URL + "/blacklist"; public static final String URL = GuiController.API_URL + "/blacklist";
@Autowired @Autowired
private BlacklistedSiteService blacklistService; private BlacklistedSiteService blacklistService;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE; import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS; import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;
@ -88,6 +88,7 @@ import cz.muni.ics.openid.connect.view.ClientEntityViewForUsers;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.lang.reflect.Type; import java.lang.reflect.Type;
import java.sql.SQLIntegrityConstraintViolationException; import java.sql.SQLIntegrityConstraintViolationException;
import java.text.ParseException; import java.text.ParseException;
@ -120,7 +121,7 @@ import org.springframework.web.servlet.ModelAndView;
@Slf4j @Slf4j
public class ClientAPI { public class ClientAPI {
public static final String URL = RootController.API_URL + "/clients"; public static final String URL = GuiController.API_URL + "/clients";
@Autowired @Autowired
private ClientDetailsEntityService clientService; private ClientDetailsEntityService clientService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import com.google.gson.Gson; import com.google.gson.Gson;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.WhitelistedSiteService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class WhitelistAPI { public class WhitelistAPI {
public static final String URL = RootController.API_URL + "/whitelist"; public static final String URL = GuiController.API_URL + "/whitelist";
@Autowired @Autowired
private WhitelistedSiteService whitelistService; private WhitelistedSiteService whitelistService;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.controller;
import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
@ -27,7 +27,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
*/ */
@Controller @Controller
public class RootController { public class GuiController {
public static final String API_URL = "api"; public static final String API_URL = "api";


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE; import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS; import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;


@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWK;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService; import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;


@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.gson.JsonSyntaxException; import com.google.gson.JsonSyntaxException;


@ -15,11 +15,10 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.SavedUserAuthentication; import cz.muni.ics.oauth2.model.SavedUserAuthentication;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService; import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.oauth2.service.SystemScopeService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.interceptor;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.config.UIConfiguration; import cz.muni.ics.openid.connect.config.UIConfiguration;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.interceptor;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID; import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE; import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE;