commit
700d603645
|
@ -55,7 +55,7 @@
|
|||
<logger name="cz.muni.ics" level="${log.level}"/>
|
||||
<logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/>
|
||||
<logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/>
|
||||
<logger name="cz.muni.ics.openid.connect.web.EndSessionEndpoint" level="${log.level}"/>
|
||||
<logger name="cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint" level="${log.level}"/>
|
||||
<logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
|
||||
|
||||
</configuration>
|
||||
@ -17,104 +17,16 @@
|
|||
limitations under the License.
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:mvc="http://www.springframework.org/schema/mvc"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:tx="http://www.springframework.org/schema/tx"
|
||||
xmlns:context="http://www.springframework.org/schema/context"
|
||||
xmlns:security="http://www.springframework.org/schema/security"
|
||||
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
|
||||
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
|
||||
http://www.springframework.org/schema/mvc
|
||||
http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
|
||||
http://www.springframework.org/schema/security
|
||||
http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
||||
xsi:schemaLocation="
|
||||
http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
|
||||
http://www.springframework.org/schema/tx
|
||||
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
|
||||
http://www.springframework.org/schema/context
|
||||
http://www.springframework.org/schema/context/spring-context-4.3.xsd">
|
||||
|
||||
<!-- Scan for components -->
|
||||
<context:component-scan annotation-config="true" base-package="cz.muni.ics" />
|
||||
|
||||
<!-- Enables the Spring MVC @Controller programming model -->
|
||||
<tx:annotation-driven transaction-manager="transactionManager" />
|
||||
<mvc:annotation-driven ignore-default-model-on-redirect="true">
|
||||
<mvc:message-converters>
|
||||
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
|
||||
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
|
||||
</mvc:message-converters>
|
||||
</mvc:annotation-driven>
|
||||
|
||||
<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.UserInfoInterceptor" />
|
||||
<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.ServerConfigInterceptor" />
|
||||
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
|
||||
<property name="paramName" value="lang"/>
|
||||
</bean>
|
||||
<mvc:interceptors>
|
||||
<mvc:interceptor>
|
||||
<mvc:mapping path="/**"/>
|
||||
<ref bean="localeChangeInterceptor"/>
|
||||
</mvc:interceptor>
|
||||
<mvc:interceptor>
|
||||
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
|
||||
<mvc:mapping path="/**" />
|
||||
<mvc:exclude-mapping path="/token**"/>
|
||||
<mvc:exclude-mapping path="/resources/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
|
||||
<mvc:exclude-mapping path="/saml**" />
|
||||
<!-- Inject the UserInfo into the response -->
|
||||
<ref bean="userInfoInterceptor" />
|
||||
</mvc:interceptor>
|
||||
<mvc:interceptor>
|
||||
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
|
||||
<mvc:mapping path="/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
|
||||
<mvc:exclude-mapping path="/resources/**" />
|
||||
<mvc:exclude-mapping path="/token**"/>
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
|
||||
<!-- Inject the server configuration into the response -->
|
||||
<ref bean="serverConfigInterceptor"/>
|
||||
</mvc:interceptor>
|
||||
</mvc:interceptors>
|
||||
|
||||
<mvc:default-servlet-handler />
|
||||
<context:component-scan base-package="cz.muni.ics" />
|
||||
|
||||
<!-- Bean to hold configuration properties -->
|
||||
<import resource="server-config.xml" />
|
||||
|
@ -122,186 +34,6 @@
|
|||
<!-- Import the data context -->
|
||||
<import resource="data-context.xml" />
|
||||
|
||||
<!-- SPEL processors -->
|
||||
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
|
||||
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
|
||||
<security:expression-handler ref="oauthExpressionHandler" />
|
||||
</security:global-method-security>
|
||||
|
||||
<oauth:expression-handler id="oauthExpressionHandler" />
|
||||
|
||||
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
|
||||
|
||||
<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
|
||||
|
||||
<!-- Spring Security configuration -->
|
||||
|
||||
<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
|
||||
|
||||
<security:http pattern="/token"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
use-expressions="true">
|
||||
|
||||
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
|
||||
<security:intercept-url pattern="/token" access="isAuthenticated()" />
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<!-- include this only if you need to authenticate clients via request parameters -->
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Allow open access to discovery endpoints -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Allow open access to all static resources -->
|
||||
<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
||||
<security:intercept-url pattern="/resources/**" access="permitAll"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- OAuth-protect API and other endpoints -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:intercept-url pattern="/register/**" access="permitAll"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:intercept-url pattern="/resource/**" access="permitAll"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<!-- include this only if you need to authenticate clients via request parameters -->
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
|
||||
<property name="realmName" value="openidconnect" />
|
||||
</bean>
|
||||
|
||||
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
|
||||
|
||||
<!-- Additional endpoints for extensions (such as UMA) -->
|
||||
|
||||
<import resource="endpoint-config.xml" />
|
||||
|
||||
<!-- SECOAUTH Authorization Server -->
|
||||
|
||||
<import resource="authz-config.xml" />
|
||||
|
||||
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
|
||||
|
||||
<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
|
||||
<constructor-arg name="filterProcessesUrls">
|
||||
<set>
|
||||
<value>/introspect</value>
|
||||
<value>/revoke</value>
|
||||
<value>/token</value>
|
||||
</set>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
|
||||
<property name="authenticationManager" ref="clientAuthenticationManager" />
|
||||
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
|
||||
</bean>
|
||||
|
||||
<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
|
||||
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
|
||||
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
|
||||
</bean>
|
||||
|
||||
<security:authentication-manager id="clientAuthenticationManager">
|
||||
<security:authentication-provider user-service-ref="clientUserDetailsService" />
|
||||
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
|
||||
</security:authentication-manager>
|
||||
|
||||
<security:authentication-manager id="clientAssertionAuthenticationManager">
|
||||
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
|
||||
</security:authentication-manager>
|
||||
|
||||
<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
|
||||
|
||||
<!-- Configure locale information -->
|
||||
<import resource="locale-config.xml" />
|
||||
|
||||
|
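Review bot: The `<security:http>` chains for `/token`, the introspection, revocation and device endpoints (with `http-basic`, `clientAssertionEndpointFilter`, `clientCredentialsEndpointFilter` and `csrf disabled`) and the `clientAuthenticationManager` / `clientAssertionAuthenticationManager` definitions disappear in this hunk, but their replacement is not part of this diff, and on this rendered page the six surviving lines cannot be told apart from the removed ones. Whatever configuration takes over should be checked for parity on the properties this XML pinned down: `create-session="stateless"` on the machine-facing endpoints, `permitAll` limited to `method="OPTIONS"` on `/token`, `resourceServerFilter` placed before `PRE_AUTH_FILTER` on the registration, userinfo and API chains, and `clientAuthMatcher` still covering `/introspect`, `/revoke` and `/token`. The same applies to the preceding hunk, which drops the `mvc:exclude-mapping` lists that kept `userInfoInterceptor` and `serverConfigInterceptor` off the token, JWKS, discovery and device paths, and to the following one with the view resolvers and `mvc:resources`. A short comment next to the remaining `<import>` lines pointing readers to the new location of the security filter chains would help, e.g. `<!-- Spring Security filter chains are now configured in <REPLACEMENT-CONFIG-LOCATION> -->`.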
@ -311,49 +43,15 @@
|
|||
<!-- assertion processing -->
|
||||
<import resource="assertion-config.xml" />
|
||||
|
||||
<!-- End Spring Security configuration -->
|
||||
|
||||
<!-- JPA -->
|
||||
|
||||
<import resource="jpa-config.xml" />
|
||||
|
||||
<!-- End JPA -->
|
||||
|
||||
<!-- Crypto -->
|
||||
|
||||
<import resource="crypto-config.xml" />
|
||||
|
||||
<!-- End Crypto -->
|
||||
|
||||
<!-- View configuration -->
|
||||
|
||||
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
|
||||
up static resources in the ${webappRoot}/resources directory -->
|
||||
<mvc:resources mapping="/resources/**" location="/resources/" />
|
||||
|
||||
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
|
||||
in the /WEB-INF/views directory -->
|
||||
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
|
||||
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
|
||||
<property name="prefix" value="/WEB-INF/views/" />
|
||||
<property name="suffix" value=".jsp" />
|
||||
<property name="order" value="2" />
|
||||
</bean>
|
||||
|
||||
<!-- Resolve views based on string names -->
|
||||
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
|
||||
<property name="order" value="1" />
|
||||
</bean>
|
||||
|
||||
<!-- End view configuration -->
|
||||
|
||||
<!--Import scheduled task configuration -->
|
||||
<import resource="task-config.xml" />
|
||||
|
||||
<!-- Import configuration for front-end (JavaScript) UI components -->
|
||||
<import resource="ui-config.xml" />
|
||||
|
||||
<!-- import application-local configuration information (such as bean definitions) -->
|
||||
<import resource="local-config.xml" />
|
||||
<import resource="web-context.xml" />
|
||||
|
||||
</beans>
|
||||
@ -1,60 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
Copyright 2018 The MIT Internet Trust Consortium
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:mvc="http://www.springframework.org/schema/mvc"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:tx="http://www.springframework.org/schema/tx"
|
||||
xmlns:context="http://www.springframework.org/schema/context"
|
||||
xmlns:security="http://www.springframework.org/schema/security"
|
||||
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
|
||||
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
||||
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
|
||||
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
|
||||
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
|
||||
|
||||
|
||||
<oauth:authorization-server
|
||||
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
|
||||
authorization-request-manager-ref="connectOAuth2RequestFactory"
|
||||
token-services-ref="defaultOAuth2ProviderTokenService"
|
||||
user-approval-handler-ref="tofuUserApprovalHandler"
|
||||
request-validator-ref="oauthRequestValidator"
|
||||
redirect-resolver-ref="blacklistAwareRedirectResolver"
|
||||
authorization-endpoint-url="/authorize"
|
||||
token-endpoint-url="/token"
|
||||
error-page="/error">
|
||||
|
||||
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
|
||||
<oauth:implicit/>
|
||||
<oauth:refresh-token/>
|
||||
<oauth:client-credentials/>
|
||||
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
|
||||
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
|
||||
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
|
||||
|
||||
</oauth:authorization-server>
|
||||
|
||||
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
|
||||
|
||||
<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
|
||||
|
||||
<!-- Error page handler. -->
|
||||
<mvc:view-controller path="/error" view-name="error" />
|
||||
|
||||
</beans>
|
|
@ -1,46 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
Copyright 2018 The MIT Internet Trust Consortium
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:mvc="http://www.springframework.org/schema/mvc"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:tx="http://www.springframework.org/schema/tx"
|
||||
xmlns:context="http://www.springframework.org/schema/context"
|
||||
xmlns:security="http://www.springframework.org/schema/security"
|
||||
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
|
||||
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
||||
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
|
||||
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
|
||||
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
|
||||
|
||||
|
||||
<security:http pattern="/devicecodeMFA/**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<!-- include this only if you need to authenticate clients via request parameters -->
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
</beans>
|
|
@ -1,36 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
Copyright 2018 The MIT Internet Trust Consortium
|
||||
|
||||
Portions copyright 2011-2013 The MITRE Corporation
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:mvc="http://www.springframework.org/schema/mvc"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:tx="http://www.springframework.org/schema/tx"
|
||||
xmlns:context="http://www.springframework.org/schema/context"
|
||||
xmlns:security="http://www.springframework.org/schema/security"
|
||||
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
|
||||
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
|
||||
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
||||
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
|
||||
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
|
||||
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
|
||||
|
||||
|
||||
<!-- Empty: Override this file in your local project to change configuration options. -->
|
||||
|
||||
</beans>
|
|
@ -1,25 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
Copyright 2018 The MIT Internet Trust Consortium
|
||||
|
||||
Portions copyright 2011-2013 The MITRE Corporation
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:task="http://www.springframework.org/schema/task"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd
|
||||
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
|
||||
|
||||
</beans>
|
|
@ -73,8 +73,6 @@
|
|||
<prop key="saml.idp.defaultIdpEntityId"/>
|
||||
<prop key="saml.idp.metadataLocation"/> <!-- i.e. /etc/perun/login-cesnet-metadata.xml -->
|
||||
<prop key="saml.idp.metadataUrl"/> <!-- i.e. https://login.cesnet.cz/proxy/module.php/metadata -->
|
||||
<prop key="saml.proxy.spEntityId"/>
|
||||
<prop key="saml.internalReferrers"/> <!-- comma separated list of URLs (which are matched as prefixes) -->
|
||||
<prop key="saml.acrs.reserverdPrefixes">urn:cesnet:</prop>
|
||||
<prop key="saml.acrs.enableComparison">false</prop>
|
||||
<prop key="saml.acrs.onlyreserved.append">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</prop>
|
||||
|
@ -474,295 +472,6 @@
|
|||
<property name="testSpAttr" value="testSp" />
|
||||
</bean>
|
||||
|
||||
<!-- authentication -->
|
||||
|
||||
<!--suppress SpringXmlModelInspection -->
|
||||
<security:http auto-config="false"
|
||||
use-expressions="true"
|
||||
entry-point-ref="samlEntryPoint"
|
||||
create-session="always"
|
||||
authentication-manager-ref="authenticationManager">
|
||||
<security:csrf disabled="true"/>
|
||||
<security:intercept-url pattern="/saml/**" access="permitAll()"/>
|
||||
<security:intercept-url pattern="/logout" access="permitAll()"/>
|
||||
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" access="permitAll()"/>
|
||||
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" access="permitAll()"/>
|
||||
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
|
||||
<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
|
||||
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
|
||||
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
|
||||
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
|
||||
<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>
|
||||
<security:logout logout-url="/saml/logout"/>
|
||||
</security:http>
|
||||
|
||||
<security:authentication-manager id="authenticationManager">
|
||||
<security:authentication-provider ref="authenticationProvider"/>
|
||||
</security:authentication-manager>
|
||||
|
||||
<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
|
||||
|
||||
<!-- SAML -->
|
||||
|
||||
<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
|
||||
<constructor-arg name="oidcIssuer" value="${main.oidc.issuer.url}"/>
|
||||
<constructor-arg name="idpEntityId" value="${saml.idp.defaultIdpEntityId}"/>
|
||||
<constructor-arg name="proxySpEntityId" value="${saml.proxy.spEntityId}"/>
|
||||
<constructor-arg name="internalReferrers" value="#{'${saml.internalReferrers}'.split('\s*,\s*')}"/>
|
||||
<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
|
||||
<property name="contextProvider" ref="samlContextProvider"/>
|
||||
<property name="samlEntryPoint" ref="samlEntryPoint"/>
|
||||
<property name="metadata" ref="metadata"/>
|
||||
</bean>
|
||||
|
||||
<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
|
||||
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
|
||||
<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
|
||||
<property name="useForward" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
|
||||
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
|
||||
<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
|
||||
</bean>
|
||||
|
||||
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
|
||||
<property name="clearAuthentication" value="true"/>
|
||||
<property name="invalidateHttpSession" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
|
||||
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
|
||||
<constructor-arg name="handlers" ref="logoutHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
|
||||
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
|
||||
<constructor-arg name="localHandler" ref="logoutHandler"/>
|
||||
<constructor-arg name="globalHandlers" ref="logoutHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
|
||||
<constructor-arg name="storeFile">
|
||||
<bean class="org.springframework.core.io.FileSystemResource">
|
||||
<constructor-arg name="path" value="${saml.keystore.location}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="storePass" value="${saml.keystore.password}"/>
|
||||
<constructor-arg name="passwords">
|
||||
<map>
|
||||
<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
|
||||
</map>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
|
||||
</bean>
|
||||
|
||||
<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
|
||||
<property name="idpDiscoveryEnabled" value="false"/>
|
||||
</bean>
|
||||
|
||||
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
|
||||
<constructor-arg name="generator">
|
||||
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
|
||||
<property name="includeDiscoveryExtension" value="false"/>
|
||||
<property name="entityId" value="${saml.entityID}"/>
|
||||
<property name="extendedMetadata" ref="extendedMetadata"/>
|
||||
<property name="wantAssertionSigned" value="true"/>
|
||||
<property name="requestSigned" value="true"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<property name="normalizeBaseUrl" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
|
||||
|
||||
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
|
||||
<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
|
||||
<property name="refreshCheckInterval" value="3600000"/>
|
||||
<property name="refreshRequired" value="true"/>
|
||||
<constructor-arg name="providers">
|
||||
<list>
|
||||
<ref bean="idpMetadata"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
|
||||
|
||||
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
|
||||
|
||||
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
|
||||
<constructor-arg name="bindings">
|
||||
<list>
|
||||
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
|
||||
<constructor-arg name="parserPool" ref="parserPool"/>
|
||||
<constructor-arg name="encoder">
|
||||
<bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
|
||||
<constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
|
||||
<constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="decoder">
|
||||
<bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
|
||||
<constructor-arg name="pool" ref="parserPool"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
|
||||
<constructor-arg name="encoder">
|
||||
<bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="decoder">
|
||||
<bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
|
||||
<constructor-arg name="pool" ref="parserPool"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
|
||||
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
|
||||
<constructor-arg name="filterChains">
|
||||
<list>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="metadataDisplayFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlWebSSOProcessingFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlDiscovery"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlEntryPoint"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
|
||||
<constructor-arg name="requestMatchers">
|
||||
<list>
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern" value="/logout"/>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlLogoutFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlLogoutProcessingFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
|
||||
<property name="includeScoping" value="false"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
|
||||
<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
|
||||
|
||||
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
|
||||
<property name="logMessagesOnException" value="true"/>
|
||||
<property name="logErrors" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
|
||||
|
||||
<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
|
||||
<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
|
||||
<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
|
||||
<property name="maxAuthenticationAge" value="360"/>
|
||||
</bean>
|
||||
|
||||
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
|
||||
|
||||
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
|
||||
|
||||
<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
|
||||
|
||||
<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
|
||||
<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
|
||||
</bean>
|
||||
|
||||
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
|
||||
|
||||
<!-- END SAML -->
|
||||
|
||||
<bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/>
|
||||
|
@ -778,7 +487,7 @@
|
|||
|
||||
<bean id="oidcTokenService" class="cz.muni.ics.oidc.server.PerunOIDCTokenService" primary="true"/>
|
||||
|
||||
<bean id="callPerunFiltersFilter" class="cz.muni.ics.oidc.server.filters.CallPerunFiltersFilter"/>
|
||||
<bean id="authProcFilters" class="cz.muni.ics.oidc.server.filters.AuthProcFiltersContainer"/>
|
||||
|
||||
<bean id="htmlClasses" class="cz.muni.ics.oidc.web.WebHtmlClasses">
|
||||
<constructor-arg name="perunOidcConfig" ref="perunOidcConfig"/>
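Review bot: The `callPerunFiltersFilter` bean is dropped and `authProcFilters` (`AuthProcFiltersContainer`) added in its place, judging by the old/new print order, yet nothing visible in this commit wires the new bean into a filter chain. The security chain removed from this file earlier registered the old bean with `<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>`, which is where the per-request Perun authorization checks ran after SAML authentication. The `/**` chain in the added security file references `mdcMuFilter`, `metadataGeneratorFilter` and `clearSessionFilter`, but its remainder is outside this view, so please confirm the Perun auth-proc filters are still inserted on that chain (or are invoked by the authorization endpoint directly); otherwise `hasRole('ROLE_USER')` is the only gate left on `/**`. A comment on the bean naming where it is consumed, e.g. `<!-- Perun auth-proc filters; invoked from <consumer - confirm> -->`, would make the cross-file dependency explicit.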
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
</h1>
|
||||
|
||||
<form name="confirmationForm"
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }authorize" method="post">
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post">
|
||||
|
||||
<div class="row">
|
||||
<div class="span5 offset1 well-small" style="text-align: left">
|
||||
|
|
|
@ -37,7 +37,7 @@
|
|||
</h1>
|
||||
|
||||
<form name="confirmationForm"
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approved" method="post">
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
|
||||
|
||||
<div class="row">
|
||||
<div class="span5 offset1 well-small" style="text-align: left">
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
</c:if>
|
||||
|
||||
|
||||
<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/code" method="POST">
|
||||
<form action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device" method="POST">
|
||||
|
||||
<div class="row-fluid">
|
||||
<div class="span12">
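Review bot: The user-code form now posts to `${ config.issuer }/auth/device`, which is also the literal the later hunk (the `mt-2` form) switches to, and it reads like the base path of the device authorization endpoint rather than a user-code submission path. In the added security configuration, `#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**` is served by a stateless chain with `clientAuthenticationManager` and HTTP Basic, while only `REQUEST_USER_CODE_INIT_URL` is `permitAll()` on the browser-facing chain. If `ENDPOINT_URL` resolves to `/auth/device`, this browser POST would be matched by the client-authenticated chain and fail the HTTP Basic challenge instead of reaching the user-code handler; the constant's value is not visible from here, so please confirm. Deriving the action from the same constant the security pattern uses (exposed to the view through `config`, as the issuer already is) would prevent the two from drifting.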
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
<div id="content">
|
||||
<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
|
||||
<form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ?
|
||||
pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}authorize">
|
||||
pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize">
|
||||
<p>
|
||||
<c:if test="${not empty client.policyUri}">
|
||||
<spring:message code="consent_privacy_policy"/>${" "}
|
||||
|
|
|
@ -33,7 +33,7 @@
|
|||
<div id="content">
|
||||
<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
|
||||
<form name="confirmationForm"
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/approved" method="post">
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device/approved" method="post">
|
||||
<p>
|
||||
<c:if test="${not empty client.policyUri}">
|
||||
<spring:message code="device_approve_privacy"/>${" "}<a target='_blank' href='${fn:escapeXml(client.policyUri)}'><em>${fn:escapeXml(client.clientName)}</em></a>
|
||||
|
|
|
@ -52,7 +52,7 @@
|
|||
</c:choose>
|
||||
|
||||
<form name="confirmationForm" class="mt-2" method="POST"
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }device/code">
|
||||
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/device">
|
||||
<div class="row-fluid">
|
||||
<div class="span12">
|
||||
<div>
|
||||
|
|
|
@ -0,0 +1,634 @@
|
|||
<beans xmlns="http://www.springframework.org/schema/beans"
|
||||
xmlns:mvc="http://www.springframework.org/schema/mvc"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns:tx="http://www.springframework.org/schema/tx"
|
||||
xmlns:security="http://www.springframework.org/schema/security"
|
||||
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
|
||||
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
|
||||
http://www.springframework.org/schema/mvc
|
||||
http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
|
||||
http://www.springframework.org/schema/security
|
||||
http://www.springframework.org/schema/security/spring-security-4.2.xsd
|
||||
http://www.springframework.org/schema/beans
|
||||
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
|
||||
http://www.springframework.org/schema/tx
|
||||
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd">
|
||||
|
||||
<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.UserInfoInterceptor" />
|
||||
<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.ServerConfigInterceptor" />
|
||||
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
|
||||
<property name="paramName" value="lang"/>
|
||||
</bean>
|
||||
|
||||
<!-- Enables the Spring MVC @Controller programming model -->
|
||||
<tx:annotation-driven />
|
||||
|
||||
<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
|
||||
|
||||
<!-- MVC -->
|
||||
|
||||
<!-- Error page handler. -->
|
||||
<mvc:view-controller path="/error" view-name="error" />
|
||||
|
||||
<mvc:annotation-driven ignore-default-model-on-redirect="true">
|
||||
<mvc:message-converters>
|
||||
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
|
||||
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
|
||||
</mvc:message-converters>
|
||||
</mvc:annotation-driven>
|
||||
|
||||
<mvc:interceptors>
|
||||
<mvc:interceptor>
|
||||
<mvc:mapping path="/**"/>
|
||||
<ref bean="localeChangeInterceptor"/>
|
||||
</mvc:interceptor>
|
||||
<mvc:interceptor>
|
||||
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
|
||||
<mvc:mapping path="/**" />
|
||||
<mvc:exclude-mapping path="/token**"/>
|
||||
<mvc:exclude-mapping path="/resources/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_INIT_URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
|
||||
<mvc:exclude-mapping path="/saml**" />
|
||||
<!-- Inject the UserInfo into the response -->
|
||||
<ref bean="userInfoInterceptor" />
|
||||
</mvc:interceptor>
|
||||
<mvc:interceptor>
|
||||
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
|
||||
<mvc:mapping path="/**" />
|
||||
<mvc:exclude-mapping path="/token**"/>
|
||||
<mvc:exclude-mapping path="/resources/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" />
|
||||
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" />
|
||||
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" />
|
||||
<!-- Inject the server configuration into the response -->
|
||||
<ref bean="serverConfigInterceptor"/>
|
||||
</mvc:interceptor>
|
||||
</mvc:interceptors>
|
||||
|
||||
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
|
||||
up static resources in the ${webappRoot}/resources directory -->
|
||||
<mvc:resources mapping="/resources/**" location="/resources/" />
|
||||
|
||||
<mvc:default-servlet-handler />
|
||||
|
||||
<!-- SECURITY -->
|
||||
|
||||
<!-- SPEL processor -->
|
||||
<security:global-method-security pre-post-annotations="enabled"
|
||||
proxy-target-class="true"
|
||||
authentication-manager-ref="authenticationManager">
|
||||
<security:expression-handler ref="oauthExpressionHandler" />
|
||||
</security:global-method-security>
|
||||
|
||||
<!-- Token endpoint -->
|
||||
<security:http pattern="/token"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
use-expressions="true">
|
||||
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
|
||||
<security:intercept-url pattern="/token" access="isAuthenticated()" />
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<!-- include this only if you need to authenticate clients via request parameters -->
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Userinfo endpoint -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Introspection endpoint -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Revocation endpoint -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Device endpoint -->
|
||||
<security:http pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="stateless"
|
||||
authentication-manager-ref="clientAuthenticationManager">
|
||||
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
|
||||
<!-- include this only if you need to authenticate clients via request parameters -->
|
||||
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
||||
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- JWK endpoint -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="http403EntryPoint"
|
||||
create-session="stateless">
|
||||
<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- Well-known -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="http403EntryPoint"
|
||||
create-session="stateless">
|
||||
<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!--Static resources -->
|
||||
<security:http pattern="/resources/**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="http403EntryPoint"
|
||||
create-session="stateless">
|
||||
<security:intercept-url pattern="/resources/**" access="permitAll"/>
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<!-- GUI -->
|
||||
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**"
|
||||
use-expressions="true"
|
||||
entry-point-ref="oauthAuthenticationEntryPoint"
|
||||
create-session="never">
|
||||
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
||||
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
||||
<security:expression-handler ref="oauthWebExpressionHandler" />
|
||||
<security:csrf disabled="true"/>
|
||||
</security:http>
|
||||
|
||||
<security:http auto-config="false"
|
||||
use-expressions="true"
|
||||
entry-point-ref="samlEntryPoint"
|
||||
create-session="always"
|
||||
authentication-manager-ref="authenticationManager">
|
||||
<security:csrf disabled="true"/>
|
||||
<security:intercept-url pattern="#{T(cz.muni.ics.oauth2.web.endpoint.AuthorizationEndpoint).ENDPOINT_INIT_URL}"
|
||||
access="permitAll()"/>
|
||||
<security:intercept-url pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_INIT_URL}"
|
||||
access="permitAll()"/>
|
||||
<security:intercept-url pattern="/saml/**" access="permitAll()"/>
|
||||
<security:intercept-url pattern="/logout" access="permitAll()"/>
|
||||
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"
|
||||
access="permitAll()"/>
|
||||
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"
|
||||
access="permitAll()"/>
|
||||
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
|
||||
<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
|
||||
<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
|
||||
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
|
||||
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
|
||||
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
|
||||
<security:custom-filter ref="authProcFilters" before="LAST"/>
|
||||
<security:logout logout-url="/saml/logout"/>
|
||||
</security:http>
|
||||
|
||||
<security:authentication-manager id="clientAuthenticationManager">
|
||||
<security:authentication-provider user-service-ref="clientUserDetailsService" />
|
||||
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
|
||||
</security:authentication-manager>
|
||||
|
||||
<security:authentication-manager id="clientAssertionAuthenticationManager">
|
||||
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
|
||||
</security:authentication-manager>
|
||||
|
||||
<security:authentication-manager id="authenticationManager">
|
||||
<security:authentication-provider ref="authenticationProvider"/>
|
||||
</security:authentication-manager>
|
||||
|
||||
<!-- Dynamic registration endpoint -->
|
||||
<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
|
||||
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
|
||||
<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
|
||||
<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
|
||||
<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
|
||||
<!-- <security:intercept-url pattern="/register/**" access="permitAll"/>-->
|
||||
<!-- <security:csrf disabled="true"/>-->
|
||||
<!-- </security:http>-->
|
||||
|
||||
<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
|
||||
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
|
||||
<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
|
||||
<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
|
||||
<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
|
||||
<!-- <security:intercept-url pattern="/resource/**" access="permitAll"/>-->
|
||||
<!-- <security:csrf disabled="true"/>-->
|
||||
<!-- </security:http>-->
|
||||
|
||||
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
|
||||
<property name="realmName" value="openidconnect" />
|
||||
</bean>
|
||||
|
||||
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
|
||||
|
||||
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
|
||||
|
||||
<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
|
||||
<constructor-arg name="filterProcessesUrls">
|
||||
<set>
|
||||
<value>/introspect</value>
|
||||
<value>/revoke</value>
|
||||
<value>/token</value>
|
||||
</set>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
|
||||
<property name="authenticationManager" ref="clientAuthenticationManager" />
|
||||
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
|
||||
</bean>
|
||||
|
||||
<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
|
||||
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
|
||||
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
|
||||
</bean>
|
||||
|
||||
<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
|
||||
|
||||
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
|
||||
in the /WEB-INF/views directory -->
|
||||
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
|
||||
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
|
||||
<property name="prefix" value="/WEB-INF/views/" />
|
||||
<property name="suffix" value=".jsp" />
|
||||
<property name="order" value="2" />
|
||||
</bean>
|
||||
|
||||
<!-- Resolve views based on string names -->
|
||||
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
|
||||
<property name="order" value="1" />
|
||||
</bean>
|
||||
|
||||
<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
|
||||
|
||||
<!-- SAML -->
|
||||
<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
|
||||
<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
|
||||
<property name="contextProvider" ref="samlContextProvider"/>
|
||||
<property name="samlEntryPoint" ref="samlEntryPoint"/>
|
||||
<property name="metadata" ref="metadata"/>
|
||||
</bean>
|
||||
|
||||
<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
|
||||
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
|
||||
<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
|
||||
<property name="useForward" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
|
||||
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
|
||||
<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
|
||||
</bean>
|
||||
|
||||
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
|
||||
<property name="clearAuthentication" value="true"/>
|
||||
<property name="invalidateHttpSession" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
|
||||
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
|
||||
<constructor-arg name="handlers" ref="logoutHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
|
||||
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
|
||||
<constructor-arg name="localHandler" ref="logoutHandler"/>
|
||||
<constructor-arg name="globalHandlers" ref="logoutHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
|
||||
<constructor-arg name="storeFile">
|
||||
<bean class="org.springframework.core.io.FileSystemResource">
|
||||
<constructor-arg name="path" value="${saml.keystore.location}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="storePass" value="${saml.keystore.password}"/>
|
||||
<constructor-arg name="passwords">
|
||||
<map>
|
||||
<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
|
||||
</map>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
|
||||
</bean>
|
||||
|
||||
<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
|
||||
<property name="idpDiscoveryEnabled" value="false"/>
|
||||
</bean>
|
||||
|
||||
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
|
||||
<constructor-arg name="generator">
|
||||
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
|
||||
<property name="includeDiscoveryExtension" value="false"/>
|
||||
<property name="entityId" value="${saml.entityID}"/>
|
||||
<property name="extendedMetadata" ref="extendedMetadata"/>
|
||||
<property name="wantAssertionSigned" value="true"/>
|
||||
<property name="requestSigned" value="true"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<property name="normalizeBaseUrl" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
|
||||
|
||||
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
|
||||
<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
|
||||
<property name="refreshCheckInterval" value="3600000"/>
|
||||
<property name="refreshRequired" value="true"/>
|
||||
<constructor-arg name="providers">
|
||||
<list>
|
||||
<ref bean="idpMetadata"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
|
||||
|
||||
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
|
||||
|
||||
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
|
||||
<constructor-arg name="bindings">
|
||||
<list>
|
||||
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
|
||||
<constructor-arg name="parserPool" ref="parserPool"/>
|
||||
<constructor-arg name="encoder">
|
||||
<bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
|
||||
<constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
|
||||
<constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="decoder">
|
||||
<bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
|
||||
<constructor-arg name="pool" ref="parserPool"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
|
||||
<constructor-arg name="encoder">
|
||||
<bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="decoder">
|
||||
<bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
|
||||
<constructor-arg name="pool" ref="parserPool"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
|
||||
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
|
||||
<constructor-arg name="filterChains">
|
||||
<list>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="metadataDisplayFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlWebSSOProcessingFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlDiscovery"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlEntryPoint"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
|
||||
<constructor-arg name="requestMatchers">
|
||||
<list>
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern"
|
||||
value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern" value="/logout"/>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlLogoutFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
|
||||
<constructor-arg name="requestMatcher">
|
||||
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
|
||||
<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg name="filters">
|
||||
<list>
|
||||
<ref bean="samlLogoutProcessingFilter"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
|
||||
<property name="includeScoping" value="false"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
|
||||
<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
|
||||
</bean>
|
||||
|
||||
<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
|
||||
|
||||
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
|
||||
<property name="logMessagesOnException" value="true"/>
|
||||
<property name="logErrors" value="true"/>
|
||||
</bean>
|
||||
|
||||
<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
|
||||
|
||||
<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
|
||||
<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
|
||||
<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
|
||||
<property name="maxAuthenticationAge" value="360"/>
|
||||
</bean>
|
||||
|
||||
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
|
||||
|
||||
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
|
||||
|
||||
<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
|
||||
|
||||
<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
|
||||
<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
|
||||
</bean>
|
||||
|
||||
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
|
||||
|
||||
<!-- END SAML -->
|
||||
|
||||
<!-- OAuth -->
|
||||
|
||||
<oauth:authorization-server
|
||||
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
|
||||
authorization-request-manager-ref="connectOAuth2RequestFactory"
|
||||
token-services-ref="defaultOAuth2ProviderTokenService"
|
||||
user-approval-handler-ref="tofuUserApprovalHandler"
|
||||
request-validator-ref="oauthRequestValidator"
|
||||
redirect-resolver-ref="blacklistAwareRedirectResolver"
|
||||
authorization-endpoint-url="/auth/authorize"
|
||||
token-endpoint-url="/token"
|
||||
error-page="/error">
|
||||
|
||||
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
|
||||
<oauth:implicit/>
|
||||
<oauth:refresh-token/>
|
||||
<oauth:client-credentials/>
|
||||
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
|
||||
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
|
||||
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
|
||||
|
||||
</oauth:authorization-server>
|
||||
|
||||
<oauth:resource-server id="resourceServerFilter"
|
||||
token-services-ref="defaultOAuth2ProviderTokenService"
|
||||
stateless="false" />
|
||||
|
||||
<oauth:expression-handler id="oauthExpressionHandler" />
|
||||
|
||||
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
|
||||
|
||||
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
|
||||
|
||||
<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
|
||||
|
||||
</beans>
|
|
@ -28,18 +28,18 @@ import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
|
|||
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
|
||||
import cz.muni.ics.oauth2.model.PKCEAlgorithm;
|
||||
import cz.muni.ics.oauth2.service.SystemScopeService;
|
||||
import cz.muni.ics.oauth2.web.DeviceEndpoint;
|
||||
import cz.muni.ics.oauth2.web.IntrospectionEndpoint;
|
||||
import cz.muni.ics.oauth2.web.RevocationEndpoint;
|
||||
import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
|
||||
import cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint;
|
||||
import cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint;
|
||||
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
|
||||
import cz.muni.ics.openid.connect.model.UserInfo;
|
||||
import cz.muni.ics.openid.connect.service.UserInfoService;
|
||||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.EndSessionEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.UserInfoEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
|
|
|
@ -20,7 +20,7 @@ import cz.muni.ics.oauth2.exception.AuthorizationPendingException;
|
|||
import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException;
|
||||
import cz.muni.ics.oauth2.model.DeviceCode;
|
||||
import cz.muni.ics.oauth2.service.DeviceCodeService;
|
||||
import cz.muni.ics.oauth2.web.DeviceEndpoint;
|
||||
import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
|
||||
import java.util.Date;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.api;
|
||||
|
||||
import com.google.gson.Gson;
|
||||
import cz.muni.ics.oauth2.model.SystemScope;
|
||||
|
@ -26,7 +26,7 @@ import cz.muni.ics.oauth2.service.SystemScopeService;
|
|||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import cz.muni.ics.openid.connect.web.RootController;
|
||||
import cz.muni.ics.openid.connect.web.controller.GuiController;
|
||||
import java.util.Set;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
@ -50,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
@Slf4j
|
||||
public class ScopeAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/scopes";
|
||||
public static final String URL = GuiController.API_URL + "/scopes";
|
||||
|
||||
@Autowired
|
||||
private SystemScopeService scopeService;
|
|
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.api;
|
||||
|
||||
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
|
||||
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
|
||||
|
@ -27,7 +27,7 @@ import cz.muni.ics.openid.connect.service.OIDCTokenService;
|
|||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import cz.muni.ics.openid.connect.web.RootController;
|
||||
import cz.muni.ics.openid.connect.web.controller.GuiController;
|
||||
import java.security.Principal;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
@ -53,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
@Slf4j
|
||||
public class TokenAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/tokens";
|
||||
public static final String URL = GuiController.API_URL + "/tokens";
|
||||
|
||||
@Autowired
|
||||
private OAuth2TokenEntityService tokenService;
|
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.controller;
|
||||
|
||||
import com.google.common.base.Joiner;
|
||||
import com.google.common.base.Splitter;
|
|
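--- /dev/null
+++ b/cz/muni/ics/oauth2/web/endpoint/AuthorizationEndpoint.java
@@ -0,0 +1,25 @@
+package cz.muni.ics.oauth2.web.endpoint;
+
+import javax.servlet.http.HttpServletRequest;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.servlet.view.RedirectView;
+
+@Controller
+@Slf4j
+public class AuthorizationEndpoint {
+
+public static final String ENDPOINT_INIT_URL = "/authorize";
+public static final String ENDPOINT_URL = "/auth/authorize";
+
+@RequestMapping(value = ENDPOINT_INIT_URL)
+public RedirectView authorize(HttpServletRequest req) {
+String redirect = ENDPOINT_URL + '?' + req.getQueryString();
+RedirectView view = new RedirectView(redirect);
+view.setContextRelative(true);
+log.debug("Authorization endpoint - {}: user is being redirected to to: {}", ENDPOINT_INIT_URL, redirect);
+return view;
+}
+
+}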
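Review bot: `authorize` builds the redirect as `ENDPOINT_URL + '?' + req.getQueryString()`, and `HttpServletRequest.getQueryString()` returns null when the request has no query string, so a bare `GET /authorize` is redirected to the literal `/auth/authorize?null`; the sibling redirect added to `DeviceEndpoint.authorize` in this same commit already guards this with `StringUtils.hasText`, so the two should agree — here without adding an import: `String qs = req.getQueryString();` / `String redirect = ENDPOINT_URL + ((qs != null && !qs.isEmpty()) ? '?' + qs : "");`. `@RequestMapping(value = ENDPOINT_INIT_URL)` carries no `method`, so any verb is accepted and turned into a GET of the real endpoint via the 302; if only GET is intended, `@RequestMapping(value = ENDPOINT_INIT_URL, method = RequestMethod.GET)` makes that explicit. The debug line writes the full query string (which for an authorization request typically carries `state`, `nonce` and possibly `login_hint`) into the log; consider logging only `ENDPOINT_INIT_URL` and the target path, and fix the doubled word in the message (`"redirected to to:"`). A one-line Javadoc on the class stating that it only forwards the legacy `/authorize` path to `/auth/authorize` would also help, since the class otherwise reads as the authorization endpoint itself.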
@ -14,7 +14,7 @@
|
|||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.endpoint;
|
||||
|
||||
import cz.muni.ics.oauth2.exception.DeviceCodeCreationException;
|
||||
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
|
||||
|
@ -35,7 +35,6 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
|
|||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import java.net.URISyntaxException;
|
||||
import java.security.Principal;
|
||||
import java.util.Collection;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
|
@ -57,13 +56,14 @@ import org.springframework.security.oauth2.provider.AuthorizationRequest;
|
|||
import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
||||
import org.springframework.security.oauth2.provider.OAuth2Request;
|
||||
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
|
||||
import org.springframework.security.saml.SAMLCredential;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.ui.ModelMap;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
import org.springframework.web.servlet.view.RedirectView;
|
||||
|
||||
/**
|
||||
* Implements https://tools.ietf.org/html/draft-ietf-oauth-device-flow
|
||||
|
@ -120,9 +120,10 @@ public class DeviceEndpoint {
|
|||
// other
|
||||
public static final String DEFAULT = "default";
|
||||
public static final String ENDPOINT_URL = "/devicecode";
|
||||
public static final String REQUEST_USER_CODE_URL = "/device/code";
|
||||
public static final String CHECK_USER_CODE_URL = "/device/checkcode";
|
||||
public static final String DEVICE_APPROVED_URL = "/device/approved";
|
||||
public static final String REQUEST_USER_CODE_INIT_URL = "/device";
|
||||
public static final String REQUEST_USER_CODE_URL = "/auth/device";
|
||||
public static final String CHECK_USER_CODE_URL = "/auth/device/authorize";
|
||||
public static final String DEVICE_APPROVED_URL = "/auth/device/approved";
|
||||
|
||||
private final ClientDetailsEntityService clientService;
|
||||
private final SystemScopeService scopeService;
|
||||
|
@ -184,7 +185,7 @@ public class DeviceEndpoint {
|
|||
if (StringUtils.hasText(acrValues)) {
|
||||
uriParams.put(ACR_VALUES, acrValues);
|
||||
}
|
||||
String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_URL;
|
||||
String uriBase = perunOidcConfig.getConfigBean().getIssuer(false) + REQUEST_USER_CODE_INIT_URL;
|
||||
response.put(VERIFICATION_URI, constructVerificationURI(uriBase, uriParams));
|
||||
|
||||
if (perunOidcConfig.getConfigBean().isAllowCompleteDeviceCodeUri()) {
|
||||
|
@ -210,6 +211,16 @@ public class DeviceEndpoint {
|
|||
}
|
||||
}
|
||||
|
||||
@RequestMapping(value = REQUEST_USER_CODE_INIT_URL)
|
||||
public RedirectView authorize(HttpServletRequest req) {
|
||||
String redirect = REQUEST_USER_CODE_URL
|
||||
+ (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : "");
|
||||
RedirectView view = new RedirectView(redirect);
|
||||
view.setContextRelative(true);
|
||||
log.debug("User device endpoint - {}: user is being redirected to to: {}", REQUEST_USER_CODE_INIT_URL, redirect);
|
||||
return view;
|
||||
}
|
||||
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
@GetMapping(value = REQUEST_USER_CODE_URL)
|
||||
public String requestUserCode(@RequestParam(value = USER_CODE, required = false) String userCode,
|
|
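Review bot: The new `authorize` redirect at `@RequestMapping(value = REQUEST_USER_CODE_INIT_URL)` has no `method` restriction while its target `requestUserCode` is a `@GetMapping`, so non-GET requests to `/device` are silently converted into a GET by the 302; since `GetMapping` is already imported in this file, `@GetMapping(value = REQUEST_USER_CODE_INIT_URL)` would make the contract explicit. The message in `log.debug("User device endpoint - {}: user is being redirected to to: {}", …)` has a doubled "to", and it echoes the whole query string of an unauthenticated request into the log. The earlier hunk in this section moves `REQUEST_USER_CODE_URL`, `CHECK_USER_CODE_URL` and `DEVICE_APPROVED_URL` under `/auth/…`; anything that matches on the old paths by a separate constant — `SamlInvalidateSessionFilter` still references `PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN` on its old side further down this page — presumably has to follow, but whether that constant was updated is not visible here. The `DeviceEndpoint` class body continues outside the hunks shown.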
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.endpoint;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.common.collect.ImmutableMap;
|
||||
|
@ -26,6 +26,7 @@ import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
|
|||
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
|
||||
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
|
||||
import cz.muni.ics.oauth2.service.SystemScopeService;
|
||||
import cz.muni.ics.oauth2.web.AuthenticationUtilities;
|
||||
import cz.muni.ics.openid.connect.model.UserInfo;
|
||||
import cz.muni.ics.openid.connect.service.UserInfoService;
|
||||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
|
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.endpoint;
|
||||
|
||||
import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope;
|
||||
|
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.oauth2.web;
|
||||
package cz.muni.ics.oauth2.web.filter;
|
||||
|
||||
import java.io.IOException;
|
||||
import javax.servlet.FilterChain;
@ -1,14 +1,6 @@
|
|||
package cz.muni.ics.oidc.saml;
|
||||
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
|
||||
import static org.springframework.http.HttpHeaders.REFERER;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.stream.Collectors;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.ServletRequest;
|
||||
|
@ -20,45 +12,20 @@ import org.springframework.security.web.authentication.logout.SecurityContextLog
|
|||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.web.filter.GenericFilterBean;
|
||||
|
||||
@Slf4j
|
||||
public class SamlInvalidateSessionFilter extends GenericFilterBean {
|
||||
|
||||
private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN);
|
||||
private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**");
|
||||
private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN);
|
||||
private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**");
|
||||
private static final RequestMatcher MATCHER = new OrRequestMatcher(
|
||||
Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER));
|
||||
new AntPathRequestMatcher("/authorize"),
|
||||
new AntPathRequestMatcher("/device")
|
||||
);
|
||||
|
||||
private final SecurityContextLogoutHandler contextLogoutHandler;
|
||||
private final List<String> internalReferrers = new ArrayList<>();
|
||||
|
||||
public SamlInvalidateSessionFilter(String idpEntityId,
|
||||
String oidcIssuer,
|
||||
String proxySpEntityId,
|
||||
SecurityContextLogoutHandler contextLogoutHandler,
|
||||
String[] internalReferrers)
|
||||
{
|
||||
if (StringUtils.hasText(idpEntityId)) {
|
||||
this.internalReferrers.add(idpEntityId);
|
||||
}
|
||||
if (StringUtils.hasText(oidcIssuer)) {
|
||||
this.internalReferrers.add(oidcIssuer);
|
||||
}
|
||||
if (StringUtils.hasText(proxySpEntityId)) {
|
||||
this.internalReferrers.add(proxySpEntityId);
|
||||
}
|
||||
public SamlInvalidateSessionFilter(SecurityContextLogoutHandler contextLogoutHandler) {
|
||||
this.contextLogoutHandler = contextLogoutHandler;
|
||||
if (internalReferrers != null && internalReferrers.length > 0) {
|
||||
List<String> referrers = Arrays.asList(internalReferrers);
|
||||
referrers = referrers.stream().filter(StringUtils::hasText).collect(Collectors.toList());
|
||||
if (!referrers.isEmpty()) {
|
||||
this.internalReferrers.addAll(referrers);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -68,25 +35,10 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean {
|
|||
HttpServletRequest req = (HttpServletRequest) request;
|
||||
HttpServletResponse res = (HttpServletResponse) response;
|
||||
if (MATCHER.matches(req)) {
|
||||
String referer = req.getHeader(REFERER);
|
||||
if (!isInternalReferer(referer)) {
|
||||
log.debug("Got external referer, clear session to reauthenticate");
|
||||
contextLogoutHandler.logout(req, res, null);
|
||||
}
|
||||
log.debug("Invalidate session to enable SAML IdP re-authentication");
|
||||
contextLogoutHandler.logout(req, res, null);
|
||||
}
|
||||
chain.doFilter(req, res);
|
||||
}
|
||||
|
||||
private boolean isInternalReferer(String referer) {
|
||||
if (!StringUtils.hasText(referer)) {
|
||||
return false;
|
||||
}
|
||||
for (String internal : internalReferrers) {
|
||||
if (referer.startsWith(internal)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
}
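Review bot: The new MATCHER at the top of SamlInvalidateSessionFilter hard-codes `/authorize` and `/device`, while PerunFilterConstants in this same commit moves AUTHORIZE_REQ_PATTERN to `/auth/authorize` and DEVICE_APPROVE_REQ_PATTERN to `/auth/device/authorize` and the former `/**` sub-path matchers are dropped; unless this filter is registered under a servlet mapping that strips `/auth` (not visible here), it stops matching and the session invalidation that enables SAML re-authentication silently no longer happens. Reuse the constants so the two cannot drift: `new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN),` and `new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN)`. With the referer exemption removed, every matching request now runs `contextLogoutHandler.logout(req, res, null)`, which is a deliberate tightening but deserves a class-level comment such as `/* Drops any existing authenticated session on authorization/device requests so the SAML IdP is always consulted again. */`. The `doFilter` signature itself starts outside this hunk.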
@ -1,20 +1,14 @@
|
|||
package cz.muni.ics.oidc.server.filters;
|
||||
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.security.Principal;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.OrRequestMatcher;
|
||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
|
||||
/**
|
||||
* Abstract class for Perun filters. All filters called in CallPerunFiltersFilter has to extend this.
|
||||
|
@ -39,7 +33,7 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public abstract class PerunRequestFilter {
|
||||
public abstract class AuthProcFilter {
|
||||
|
||||
private static final String DELIMITER = ",";
|
||||
private static final String CLIENT_IDS = "clientIds";
|
||||
|
@ -49,7 +43,7 @@ public abstract class PerunRequestFilter {
|
|||
private Set<String> clientIds = new HashSet<>();
|
||||
private Set<String> subs = new HashSet<>();
|
||||
|
||||
public PerunRequestFilter(PerunRequestFilterParams params) {
|
||||
public AuthProcFilter(AuthProcFilterParams params) {
|
||||
filterName = params.getFilterName();
|
||||
|
||||
if (params.hasProperty(CLIENT_IDS)) {
|
||||
|
@ -65,6 +59,8 @@ public abstract class PerunRequestFilter {
|
|||
log.debug("{} - skip execution for clients with CLIENT_ID in: {}", filterName, clientIds);
|
||||
}
|
||||
|
||||
protected abstract String getSessionAppliedParamName();
|
||||
|
||||
/**
|
||||
* In this method is done whole logic of filer
|
||||
*
|
||||
|
@ -73,31 +69,51 @@ public abstract class PerunRequestFilter {
|
|||
* @return boolean if filter was successfully done
|
||||
* @throws IOException this exception could be thrown because of failed or interrupted I/O operation
|
||||
*/
|
||||
protected abstract boolean process(ServletRequest request, ServletResponse response, FilterParams params)
|
||||
protected abstract boolean process(HttpServletRequest request, HttpServletResponse response, FilterParams params)
|
||||
throws IOException;
|
||||
|
||||
public boolean doFilter(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
if (!skip(request)) {
|
||||
public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
|
||||
if (!skip(req)) {
|
||||
log.trace("{} - executing filter", filterName);
|
||||
return this.process(req, res, params);
|
||||
return process(req, res, params);
|
||||
} else {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
private boolean skip(HttpServletRequest request) {
|
||||
String sub = (request.getUserPrincipal() != null) ? request.getUserPrincipal().getName() : null;
|
||||
String clientId = request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID);
|
||||
if (hasBeenApplied(request.getSession(true))) {
|
||||
return true;
|
||||
}
|
||||
log.debug("{} - marking filter as applied", filterName);
|
||||
request.getSession(true).setAttribute(getSessionAppliedParamName(), true);
|
||||
return skipForSub(request.getUserPrincipal())
|
||||
|| skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
|
||||
}
|
||||
|
||||
private boolean hasBeenApplied(HttpSession sess) {
|
||||
String sessionParamName = getSessionAppliedParamName();
|
||||
if (sess.getAttribute(sessionParamName) != null) {
|
||||
log.debug("{} - skip filter execution: filter has been already applied", filterName);
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean skipForSub(Principal p) {
|
||||
String sub = (p != null) ? p.getName() : null;
|
||||
if (sub != null && subs.contains(sub)) {
|
||||
log.debug("{} - skip filter execution: matched one of the ignored SUBS ({})", filterName, sub);
|
||||
return true;
|
||||
} else if (clientId != null && clientIds.contains(clientId)){
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private boolean skipForClientId(String clientId) {
|
||||
if (clientId != null && clientIds.contains(clientId)){
|
||||
log.debug("{} - skip filter execution: matched one of the ignored CLIENT_IDS ({})", filterName, clientId);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
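Review bot: In `skip(HttpServletRequest)` the applied marker is written to the session before `process` has run and before the sub/client_id exemptions are evaluated, so a filter whose `process` returns false (for example after redirecting to a registration or unapproved page) is reported as already applied when the same session comes back to the authorization endpoint and is not evaluated a second time; for PerunAuthorizationFilter that means the access decision is made once per session regardless of its outcome. Whether this is mitigated depends on SamlInvalidateSessionFilter dropping the session before this container runs, which is filter ordering not visible in the diff. The marker should be set in `doFilter` only after `process` returned true, and `request.getSession(true)` needs to be fetched only once. The abstract `process` declaration above is the last context line of this hunk; the remaining helpers are unchanged.
```java
public boolean doFilter(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
    if (skip(req)) {
        return true;
    }
    log.trace("{} - executing filter", filterName);
    boolean passed = process(req, res, params);
    if (passed) {
        // only a filter that let the request through counts as applied for this session
        log.debug("{} - marking filter as applied", filterName);
        req.getSession(true).setAttribute(getSessionAppliedParamName(), true);
    }
    return passed;
}

private boolean skip(HttpServletRequest request) {
    if (hasBeenApplied(request.getSession(true))) {
        return true;
    }
    return skipForSub(request.getUserPrincipal())
            || skipForClientId(request.getParameter(PerunFilterConstants.PARAM_CLIENT_ID));
}
// … unchanged: hasBeenApplied, skipForSub, skipForClientId …
```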
@ -8,7 +8,7 @@ import java.util.Properties;
|
|||
*
|
||||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
public class PerunRequestFilterParams {
|
||||
public class AuthProcFilterParams {
|
||||
|
||||
private final String filterName;
|
||||
|
||||
|
@ -16,7 +16,7 @@ public class PerunRequestFilterParams {
|
|||
private final Properties properties;
|
||||
private final BeanUtil beanUtil;
|
||||
|
||||
public PerunRequestFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) {
|
||||
public AuthProcFilterParams(String filterName, String propertyPrefix, Properties properties, BeanUtil beanUtil) {
|
||||
this.filterName = filterName;
|
||||
this.propertyPrefix = propertyPrefix;
|
||||
this.properties = properties;
@ -1,7 +1,7 @@
|
|||
package cz.muni.ics.oidc.server.filters;
|
||||
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.AUTHORIZE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_CHECK_CODE_REQ_PATTERN;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.DEVICE_APPROVE_REQ_PATTERN;
|
||||
|
||||
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
|
||||
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
|
||||
|
@ -20,6 +20,7 @@ import javax.servlet.ServletException;
|
|||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
|
||||
|
@ -36,12 +37,12 @@ import org.springframework.web.filter.GenericFilterBean;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class CallPerunFiltersFilter extends GenericFilterBean {
|
||||
public class AuthProcFiltersContainer extends GenericFilterBean {
|
||||
|
||||
private static final RequestMatcher AUTHORIZE_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN);
|
||||
private static final RequestMatcher AUTHORIZE_ALL_MATCHER = new AntPathRequestMatcher(AUTHORIZE_REQ_PATTERN + "/**");
|
||||
private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN);
|
||||
private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_CHECK_CODE_REQ_PATTERN + "/**");
|
||||
private static final RequestMatcher DEVICE_CODE_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN);
|
||||
private static final RequestMatcher DEVICE_CODE_ALL_MATCHER = new AntPathRequestMatcher(DEVICE_APPROVE_REQ_PATTERN + "/**");
|
||||
private static final RequestMatcher MATCHER = new OrRequestMatcher(
|
||||
Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER));
|
||||
|
||||
|
@ -63,24 +64,25 @@ public class CallPerunFiltersFilter extends GenericFilterBean {
|
|||
@Autowired
|
||||
private SamlProperties samlProperties;
|
||||
|
||||
private PerunFiltersContext perunFiltersContext;
|
||||
private AuthProcFiltersContext perunFiltersContext;
|
||||
|
||||
@PostConstruct
|
||||
public void postConstruct() {
|
||||
this.perunFiltersContext = new PerunFiltersContext(coreProperties, beanUtil);
|
||||
this.perunFiltersContext = new AuthProcFiltersContext(coreProperties, beanUtil);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
|
||||
throws IOException, ServletException
|
||||
{
|
||||
HttpServletRequest request = (HttpServletRequest) servletRequest;
|
||||
if (!MATCHER.matches(request)) {
|
||||
log.debug("Custom filters have been skipped, did not match '/authorize' nor '/device/code' request");
|
||||
HttpServletRequest req = (HttpServletRequest) servletRequest;
|
||||
HttpServletResponse res = (HttpServletResponse) servletResponse;
|
||||
if (!MATCHER.matches(req)) {
|
||||
log.debug("AuthProc filters have been skipped, did not match authorization nor device req URL");
|
||||
} else {
|
||||
List<PerunRequestFilter> filters = perunFiltersContext.getFilters();
|
||||
List<AuthProcFilter> filters = perunFiltersContext.getFilters();
|
||||
if (filters != null && !filters.isEmpty()) {
|
||||
ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(request, authRequestFactory,
|
||||
ClientDetailsEntity client = FiltersUtils.extractClientFromRequest(req, authRequestFactory,
|
||||
clientDetailsEntityService);
|
||||
Facility facility = null;
|
||||
if (client != null && StringUtils.hasText(client.getClientId())) {
|
||||
|
@ -88,20 +90,20 @@ public class CallPerunFiltersFilter extends GenericFilterBean {
|
|||
facility = perunAdapter.getFacilityByClientId(client.getClientId());
|
||||
} catch (Exception e) {
|
||||
log.warn("{} - could not fetch facility for client_id '{}'",
|
||||
CallPerunFiltersFilter.class.getSimpleName(), client.getClientId(), e);
|
||||
AuthProcFiltersContainer.class.getSimpleName(), client.getClientId(), e);
|
||||
}
|
||||
}
|
||||
PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter,
|
||||
PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter,
|
||||
samlProperties.getUserIdentifierAttribute());
|
||||
FilterParams params = new FilterParams(client, facility, user);
|
||||
for (PerunRequestFilter filter : filters) {
|
||||
if (!filter.doFilter(servletRequest, servletResponse, params)) {
|
||||
for (AuthProcFilter filter : filters) {
|
||||
if (!filter.doFilter(req, res, params)) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
filterChain.doFilter(req, res);
|
||||
}
|
||||
|
||||
}
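Review bot: In `doFilter` the `catch (Exception e)` around `perunAdapter.getFacilityByClientId` only logs and leaves `facility` null, and PerunAuthorizationFilter's `process` further down in this commit treats a null facility as "skip filter execution", which appears to let the request through; a transient Perun backend failure therefore turns the authorization check into a pass rather than a refusal. The behaviour predates the rename, but the fail-open path should be made explicit now that the container is being reworked, e.g. keep the warn and then `throw new ServletException("could not fetch facility for client " + client.getClientId(), e);`, which `doFilter` already declares. The `try` that this catch closes opens in context lines outside the second hunk.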
@ -16,22 +16,22 @@ import org.springframework.util.StringUtils;
|
|||
* Filters are configured from configuration file in following way:
|
||||
* filter.names=filterName1,filterName2,...
|
||||
*
|
||||
* @see PerunRequestFilter for configuration of filter
|
||||
* @see AuthProcFilter for configuration of filter
|
||||
*
|
||||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunFiltersContext {
|
||||
public class AuthProcFiltersContext {
|
||||
|
||||
private static final String FILTER_NAMES = "filter.names";
|
||||
private static final String FILTER_CLASS = ".class";
|
||||
private static final String PREFIX = "filter.";
|
||||
|
||||
private final List<PerunRequestFilter> filters;
|
||||
private final List<AuthProcFilter> filters;
|
||||
private final Properties properties;
|
||||
private final BeanUtil beanUtil;
|
||||
|
||||
public PerunFiltersContext(Properties properties, BeanUtil beanUtil) {
|
||||
public AuthProcFiltersContext(Properties properties, BeanUtil beanUtil) {
|
||||
this.properties = properties;
|
||||
this.beanUtil = beanUtil;
|
||||
this.filters = new LinkedList<>();
|
||||
|
@ -41,18 +41,18 @@ public class PerunFiltersContext {
|
|||
|
||||
log.debug("--------------------------------");
|
||||
for (String filterName: filterNames.split(",")) {
|
||||
PerunRequestFilter requestFilter = loadFilter(filterName);
|
||||
AuthProcFilter requestFilter = loadFilter(filterName);
|
||||
filters.add(requestFilter);
|
||||
log.debug("--------------------------------");
|
||||
}
|
||||
}
|
||||
|
||||
public List<PerunRequestFilter> getFilters() {
|
||||
public List<AuthProcFilter> getFilters() {
|
||||
return filters;
|
||||
}
|
||||
|
||||
private PerunRequestFilter loadFilter(String filterName) {
|
||||
String propPrefix = PerunFiltersContext.PREFIX + filterName;
|
||||
private AuthProcFilter loadFilter(String filterName) {
|
||||
String propPrefix = AuthProcFiltersContext.PREFIX + filterName;
|
||||
String filterClass = properties.getProperty(propPrefix + FILTER_CLASS, null);
|
||||
if (!StringUtils.hasText(filterClass)) {
|
||||
log.warn("{} - failed to initialized filter: no class has ben configured", filterName);
|
||||
|
@ -62,15 +62,15 @@ public class PerunFiltersContext {
|
|||
|
||||
try {
|
||||
Class<?> rawClazz = Class.forName(filterClass);
|
||||
if (!PerunRequestFilter.class.isAssignableFrom(rawClazz)) {
|
||||
log.warn("{} - failed to initialized filter: class '{}' does not extend PerunRequestFilter",
|
||||
if (!AuthProcFilter.class.isAssignableFrom(rawClazz)) {
|
||||
log.warn("{} - failed to initialized filter: class '{}' does not extend AuthProcFilter",
|
||||
filterName, filterClass);
|
||||
return null;
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked") Class<PerunRequestFilter> clazz = (Class<PerunRequestFilter>) rawClazz;
|
||||
Constructor<PerunRequestFilter> constructor = clazz.getConstructor(PerunRequestFilterParams.class);
|
||||
PerunRequestFilterParams params = new PerunRequestFilterParams(filterName, propPrefix, properties, beanUtil);
|
||||
@SuppressWarnings("unchecked") Class<AuthProcFilter> clazz = (Class<AuthProcFilter>) rawClazz;
|
||||
Constructor<AuthProcFilter> constructor = clazz.getConstructor(AuthProcFilterParams.class);
|
||||
AuthProcFilterParams params = new AuthProcFilterParams(filterName, propPrefix, properties, beanUtil);
|
||||
return constructor.newInstance(params);
|
||||
} catch (ClassNotFoundException e) {
|
||||
log.warn("{} - failed to initialize filter: class '{}' was not found", filterName, filterClass);
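Review bot: `loadFilter` returns null when the configured class is missing, does not extend AuthProcFilter, or cannot be constructed, and the constructor loop stores that result with `filters.add(requestFilter)` unchecked, so the first authorization request fails with a NullPointerException in AuthProcFiltersContainer rather than the deployment failing at startup. A misconfigured filter in an authorization chain should be a hard startup error: `if (requestFilter == null) { throw new IllegalStateException("AuthProc filter '" + filterName + "' could not be initialized"); }` right after the `loadFilter` call. The remaining catch clauses of `loadFilter` continue outside this hunk.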
@ -1,6 +1,6 @@
|
|||
package cz.muni.ics.oidc.server.filters;
|
||||
|
||||
import static cz.muni.ics.oauth2.web.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE;
|
||||
import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
|
||||
|
||||
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
|
||||
|
@ -278,7 +278,7 @@ public class FiltersUtils {
|
|||
|
||||
public static String fillStringMandatoryProperty(String propertyName,
|
||||
String filterName,
|
||||
PerunRequestFilterParams params) {
|
||||
AuthProcFilterParams params) {
|
||||
String filled = params.getProperty(propertyName);
|
||||
|
||||
if (!StringUtils.hasText(filled)) {
@ -11,9 +11,8 @@ import java.util.Map;
|
|||
*/
|
||||
public class PerunFilterConstants {
|
||||
|
||||
public static final String AUTHORIZE_REQ_PATTERN = "/authorize";
|
||||
public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code";
|
||||
public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode";
|
||||
public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize";
|
||||
public static final String DEVICE_APPROVE_REQ_PATTERN = "/auth/device/authorize";
|
||||
|
||||
public static final String PARAM_CLIENT_ID = "client_id";
|
||||
public static final String PARAM_SCOPE = "scope";
@ -9,12 +9,10 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
import java.util.Map;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -31,14 +29,16 @@ import lombok.extern.slf4j.Slf4j;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunAuthorizationFilter extends PerunRequestFilter {
|
||||
public class PerunAuthorizationFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunAuthorizationFilter.class.getSimpleName();
|
||||
|
||||
private final PerunAdapter perunAdapter;
|
||||
private final FacilityAttrsConfig facilityAttrsConfig;
|
||||
private final String filterName;
|
||||
private final PerunOidcConfig config;
|
||||
|
||||
public PerunAuthorizationFilter(PerunRequestFilterParams params) {
|
||||
public PerunAuthorizationFilter(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
|
||||
|
@ -48,10 +48,12 @@ public class PerunAuthorizationFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
Facility facility = params.getFacility();
|
||||
if (facility == null || facility.getId() == null) {
|
||||
log.debug("{} - skip filter execution: no facility provided", filterName);
|
||||
|
@ -64,7 +66,7 @@ public class PerunAuthorizationFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
return this.decideAccess(facility, user, request, response, params.getClientIdentifier(),
|
||||
return this.decideAccess(facility, user, req, res, params.getClientIdentifier(),
|
||||
perunAdapter, facilityAttrsConfig);
|
||||
}
@ -7,20 +7,15 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
import cz.muni.ics.oidc.web.controllers.RegistrationController;
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.http.HttpHeaders;
|
||||
|
@ -39,7 +34,9 @@ import org.springframework.util.StringUtils;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunEnsureVoMember extends PerunRequestFilter {
|
||||
public class PerunEnsureVoMember extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunEnsureVoMember.class.getSimpleName();
|
||||
|
||||
private static final String TRIGGER_ATTR = "triggerAttr";
|
||||
private static final String VO_DEFS_ATTR = "voDefsAttr";
|
||||
|
@ -52,7 +49,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
|
|||
private final String filterName;
|
||||
private final PerunOidcConfig perunOidcConfig;
|
||||
|
||||
public PerunEnsureVoMember(PerunRequestFilterParams params) {
|
||||
public PerunEnsureVoMember(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
|
||||
|
@ -68,9 +65,12 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
Facility facility = params.getFacility();
|
||||
if (facility == null || facility.getId() == null) {
|
||||
log.debug("{} - skip execution: no facility provided", filterName);
|
||||
|
@ -100,7 +100,7 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
|
|||
log.debug("{} - user allowed to continue", filterName);
|
||||
return true;
|
||||
} else {
|
||||
redirect(response, getLoginUrl(facility.getId()), voShortName);
|
||||
redirect(res, getLoginUrl(facility.getId()), voShortName);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -133,17 +133,6 @@ public class PerunEnsureVoMember extends PerunRequestFilter {
|
|||
return attrValue;
|
||||
}
|
||||
|
||||
private boolean canAccess(PerunAttributeValue attrValue, Set<String> memberShortNames) {
|
||||
if (attrValue.valueAsJson().isArray()) {
|
||||
Set<String> val = attrValue.valueAsList() == null ?
|
||||
Collections.emptySet() : new HashSet<>(attrValue.valueAsList());
|
||||
return !Collections.disjoint(val, memberShortNames);
|
||||
} else {
|
||||
String val = attrValue.valueAsString();
|
||||
return memberShortNames.contains(val);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "PerunEnsureVoMember{" +
@ -14,8 +14,8 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.AupController;
|
||||
import java.io.IOException;
|
||||
import java.text.ParseException;
|
||||
|
@ -27,8 +27,6 @@ import java.util.HashMap;
|
|||
import java.util.LinkedHashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -52,7 +50,9 @@ import org.springframework.util.StringUtils;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunForceAupFilter extends PerunRequestFilter {
|
||||
public class PerunForceAupFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunForceAupFilter.class.getSimpleName();
|
||||
|
||||
private static final String DATE_FORMAT = "yyyy-MM-dd";
|
||||
|
||||
|
@ -77,7 +77,7 @@ public class PerunForceAupFilter extends PerunRequestFilter {
|
|||
private final SamlProperties samlProperties;
|
||||
private final String filterName;
|
||||
|
||||
public PerunForceAupFilter(PerunRequestFilterParams params) {
|
||||
public PerunForceAupFilter(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
|
||||
|
@ -93,18 +93,20 @@ public class PerunForceAupFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
if (request.getSession() != null && request.getSession().getAttribute(APPROVED) != null) {
|
||||
request.getSession().removeAttribute(APPROVED);
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
|
||||
if (req.getSession() != null && req.getSession().getAttribute(APPROVED) != null) {
|
||||
req.getSession().removeAttribute(APPROVED);
|
||||
log.debug("{} - skip filter execution: aups are already approved, check at next access to the service due" +
|
||||
" to a delayed propagation to LDAP", filterName);
|
||||
return true;
|
||||
}
|
||||
|
||||
PerunUser user = FiltersUtils.getPerunUser(request, perunAdapter, samlProperties.getUserIdentifierAttribute());
|
||||
PerunUser user = FiltersUtils.getPerunUser(req, perunAdapter, samlProperties.getUserIdentifierAttribute());
|
||||
if (user == null || user.getId() == null) {
|
||||
log.debug("{} - skip filter execution: no user provider", filterName);
|
||||
return true;
|
||||
|
@ -147,13 +149,13 @@ public class PerunForceAupFilter extends PerunRequestFilter {
|
|||
log.trace("{} - AUPS to be approved: '{}'", filterName, newAups);
|
||||
String newAupsString = mapper.writeValueAsString(newAups);
|
||||
|
||||
request.getSession().setAttribute(AupController.RETURN_URL, request.getRequestURI()
|
||||
.replace(request.getContextPath(), "") + '?' + request.getQueryString());
|
||||
request.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
|
||||
request.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
|
||||
req.getSession().setAttribute(AupController.RETURN_URL, req.getRequestURI()
|
||||
.replace(req.getContextPath(), "") + '?' + req.getQueryString());
|
||||
req.getSession().setAttribute(AupController.NEW_AUPS, newAupsString);
|
||||
req.getSession().setAttribute(AupController.USER_ATTR, perunUserAupsAttrName);
|
||||
|
||||
log.debug("{} - redirecting user '{}' to AUPs approval page", filterName, user);
|
||||
response.sendRedirect(request.getContextPath() + '/' + AupController.URL);
|
||||
res.sendRedirect(req.getContextPath() + '/' + AupController.URL);
|
||||
return false;
|
||||
}
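Review bot: The RETURN_URL written to the session is built as `req.getRequestURI().replace(req.getContextPath(), "") + '?' + req.getQueryString()`, and `getQueryString()` returns null for a request without a query, producing a return URL ending in `?null`; DeviceEndpoint in this same commit already guards the identical construction. Use the same form here, `+ (StringUtils.hasText(req.getQueryString()) ? '?' + req.getQueryString() : "")` — StringUtils is already imported in this file. `String.replace` also rewrites every occurrence of the context path, not only the leading one; `req.getRequestURI().substring(req.getContextPath().length())` is the precise form. `process` starts in the previous hunk of this section.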
@ -14,9 +14,8 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
import java.time.LocalDateTime;
|
||||
|
@ -25,8 +24,6 @@ import java.time.format.DateTimeParseException;
|
|||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -46,7 +43,9 @@ import org.apache.http.HttpHeaders;
|
|||
* @author Dominik Frantisek Bucik <bucik@ics.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
||||
public class PerunIsCesnetEligibleFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunIsCesnetEligibleFilter.class.getSimpleName();
|
||||
|
||||
/* CONFIGURATION PROPERTIES */
|
||||
private static final String IS_CESNET_ELIGIBLE_ATTR_NAME = "isCesnetEligibleAttr";
|
||||
|
@ -63,7 +62,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
|||
private final PerunAdapter perunAdapter;
|
||||
private final String filterName;
|
||||
|
||||
public PerunIsCesnetEligibleFilter(PerunRequestFilterParams params) {
|
||||
public PerunIsCesnetEligibleFilter(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
this.config = beanUtil.getBean(PerunOidcConfig.class);
|
||||
|
@ -84,11 +83,13 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
if (!FiltersUtils.isScopePresent(request.getParameter(PARAM_SCOPE), triggerScope)) {
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope)) {
|
||||
log.debug("{} - skip execution: scope '{}' is not present in request", filterName, triggerScope);
|
||||
return true;
|
||||
}
|
||||
|
@ -124,7 +125,7 @@ public class PerunIsCesnetEligibleFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
log.debug("{} - attribute '{}' value is invalid, stop user at this point", filterName, attrValue);
|
||||
this.redirect(request, response, reason);
|
||||
this.redirect(req, res, reason);
|
||||
return false;
|
||||
}
|
||||
|
||||
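Review bot: The gate at `if (!FiltersUtils.isScopePresent(req.getParameter(PARAM_SCOPE), triggerScope))` is skipped whenever the request does not carry `triggerScope`, and that value comes straight from a request parameter, so a client can avoid this filter entirely by not asking for the scope. If the design is that only clients requesting that scope are subject to the eligibility check, that is worth a comment on the guard (e.g. `// Eligibility is enforced only for clients that request the trigger scope; omitting it is a deliberate opt-out.`); if the filter is meant to protect a facility regardless of requested scopes, the trigger should come from facility configuration rather than the request. `getSessionAppliedParamName()` also lacks documentation; what the base class does with the returned key is not visible here, so something like `/** Session attribute under which the base filter records that this filter already ran for the session. */` is as much as can be stated. `process` continues past the end of this section.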
@ -10,16 +10,13 @@ import cz.muni.ics.oidc.server.adapters.PerunAdapter;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunFilterConstants;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.ControllerUtils;
|
||||
import cz.muni.ics.oidc.web.controllers.IsTestSpController;
|
||||
import java.io.IOException;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -37,7 +34,9 @@ import org.apache.http.HttpHeaders;
|
|||
* @author Pavol Pluta <500348@mail.muni.cz>
|
||||
*/
|
||||
@Slf4j
|
||||
public class PerunIsTestSpFilter extends PerunRequestFilter {
|
||||
public class PerunIsTestSpFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName();
|
||||
|
||||
private static final String IS_TEST_SP_ATTR_NAME = "isTestSpAttr";
|
||||
|
||||
|
@ -46,7 +45,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
|
|||
private final String filterName;
|
||||
private final PerunOidcConfig config;
|
||||
|
||||
public PerunIsTestSpFilter(PerunRequestFilterParams params) {
|
||||
public PerunIsTestSpFilter(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
|
||||
|
@ -56,14 +55,17 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) throws IOException {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) throws IOException {
|
||||
Facility facility = params.getFacility();
|
||||
if (facility == null || facility.getId() == null) {
|
||||
log.debug("{} - skip execution: no facility provided", filterName);
|
||||
return true;
|
||||
} else if (testSpWarningApproved(request)){
|
||||
} else if (testSpWarningApproved(req)){
|
||||
log.debug("{} - skip execution: warning already approved", filterName);
|
||||
return true;
|
||||
}
|
||||
|
@ -74,7 +76,7 @@ public class PerunIsTestSpFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
} else if (attrValue.valueAsBoolean()) {
|
||||
log.debug("{} - redirecting user to test SP warning page", filterName);
|
||||
this.redirect(request, response);
|
||||
this.redirect(req, res);
|
||||
return false;
|
||||
}
|
||||
log.debug("{} - service is not testing, let user access it", filterName);
|
||||
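Review bot: `public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getSimpleName();` builds the session key from the simple class name, so two filters with the same simple name in different packages would share one session marker and the second would be treated as already applied. Using `getName()` costs nothing and removes that ambiguity: `public static final String APPLIED = "APPLIED_" + PerunIsTestSpFilter.class.getName();`. The same pattern appears in the sibling filters of this commit. `process` continues past the end of this section.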
@ -8,8 +8,8 @@ import cz.muni.ics.oidc.BeanUtil;
|
|||
import cz.muni.ics.oidc.saml.SamlProperties;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import java.sql.Connection;
|
||||
import java.sql.Date;
|
||||
import java.sql.PreparedStatement;
|
||||
|
@ -17,10 +17,8 @@ import java.sql.ResultSet;
|
|||
import java.sql.SQLException;
|
||||
import java.time.LocalDate;
|
||||
import java.util.Objects;
|
||||
import java.util.Properties;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.sql.DataSource;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.springframework.security.saml.SAMLCredential;
|
||||
|
@ -51,7 +49,9 @@ import org.springframework.util.StringUtils;
|
|||
*/
|
||||
@SuppressWarnings("SqlResolve")
|
||||
@Slf4j
|
||||
public class ProxyStatisticsFilter extends PerunRequestFilter {
|
||||
public class ProxyStatisticsFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + ProxyStatisticsFilter.class.getSimpleName();
|
||||
|
||||
/* CONFIGURATION OPTIONS */
|
||||
private static final String IDP_NAME_ATTRIBUTE_NAME = "idpNameAttributeName";
|
||||
|
@ -77,7 +77,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
|
|||
private final String filterName;
|
||||
private final SamlProperties samlProperties;
|
||||
|
||||
public ProxyStatisticsFilter(PerunRequestFilterParams params) {
|
||||
public ProxyStatisticsFilter(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
this.mitreIdStats = beanUtil.getBean("mitreIdStats", DataSource.class);
|
||||
|
@ -97,9 +97,12 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
ClientDetailsEntity client = params.getClient();
|
||||
if (client == null) {
|
||||
log.warn("{} - skip execution: no client provided", filterName);
|
||||
|
@ -112,7 +115,7 @@ public class ProxyStatisticsFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(request);
|
||||
SAMLCredential samlCredential = FiltersUtils.getSamlCredential(req);
|
||||
if (samlCredential == null) {
|
||||
log.warn("{} - skip execution: no authN object available, cannot extract user identifier and idp identifier",
|
||||
filterName);
|
||||
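Review bot: If `AuthProcFilter` uses the key returned by `getSessionAppliedParamName()` to run a filter at most once per session, as the `APPLIED_` prefix suggests (the base class is not in this section), then this statistics filter records only the first authorization of a session and misses later authorizations to other clients made through the same SSO session. Whether once-per-session counting is intended should be stated on the method, e.g. `/** Session key the base filter uses to mark this filter as applied; statistics are therefore written at most once per session. */`, and if it is not intended the filter needs a way to opt out of that short-circuit. `process` continues past the end of this section.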
@ -9,14 +9,12 @@ import cz.muni.ics.oidc.server.configurations.FacilityAttrsConfig;
|
|||
import cz.muni.ics.oidc.server.configurations.PerunOidcConfig;
|
||||
import cz.muni.ics.oidc.server.filters.FilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.FiltersUtils;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilter;
|
||||
import cz.muni.ics.oidc.server.filters.PerunRequestFilterParams;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilter;
|
||||
import cz.muni.ics.oidc.server.filters.AuthProcFilterParams;
|
||||
import cz.muni.ics.oidc.web.controllers.PerunUnapprovedController;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import javax.servlet.ServletRequest;
|
||||
import javax.servlet.ServletResponse;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -46,7 +44,9 @@ import org.springframework.util.StringUtils;
|
|||
*/
|
||||
@SuppressWarnings("SqlResolve")
|
||||
@Slf4j
|
||||
public class ValidUserFilter extends PerunRequestFilter {
|
||||
public class ValidUserFilter extends AuthProcFilter {
|
||||
|
||||
public static final String APPLIED = "APPLIED_" + ValidUserFilter.class.getSimpleName();
|
||||
|
||||
/* CONFIGURATION OPTIONS */
|
||||
private static final String ALL_ENV_GROUPS = "allEnvGroups";
|
||||
|
@ -69,7 +69,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
private final String filterName;
|
||||
private final PerunOidcConfig config;
|
||||
|
||||
public ValidUserFilter(PerunRequestFilterParams params) {
|
||||
public ValidUserFilter(AuthProcFilterParams params) {
|
||||
super(params);
|
||||
BeanUtil beanUtil = params.getBeanUtil();
|
||||
this.perunAdapter = beanUtil.getBean(PerunAdapter.class);
|
||||
|
@ -86,10 +86,12 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(ServletRequest req, ServletResponse res, FilterParams params) {
|
||||
HttpServletRequest request = (HttpServletRequest) req;
|
||||
HttpServletResponse response = (HttpServletResponse) res;
|
||||
protected String getSessionAppliedParamName() {
|
||||
return APPLIED;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean process(HttpServletRequest req, HttpServletResponse res, FilterParams params) {
|
||||
Set<Long> additionalVos = new HashSet<>();
|
||||
Set<Long> additionalGroups = new HashSet<>();
|
||||
|
||||
|
@ -106,7 +108,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, allEnvVos, allEnvGroups,
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, res, params, allEnvVos, allEnvGroups,
|
||||
PerunUnapprovedController.UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS)) {
|
||||
return false;
|
||||
}
|
||||
|
@ -121,7 +123,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
additionalVos.addAll(testEnvVos);
|
||||
additionalGroups.addAll(testEnvGroups);
|
||||
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos,
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
|
||||
additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_TEST_VOS_GROUPS)) {
|
||||
return false;
|
||||
}
|
||||
|
@ -129,7 +131,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
additionalVos.addAll(prodEnvVos);
|
||||
additionalGroups.addAll(prodEnvGroups);
|
||||
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, response, params, additionalVos,
|
||||
if (!checkMemberValidInGroupsAndVos(user, facility, res, params, additionalVos,
|
||||
additionalGroups, PerunUnapprovedController.UNAPPROVED_NOT_IN_PROD_VOS_GROUPS)) {
|
||||
return false;
|
||||
}
|
||||
|
@ -139,7 +141,7 @@ public class ValidUserFilter extends PerunRequestFilter {
|
|||
return true;
|
||||
}
|
||||
|
||||
private Set<Long> getIdsFromParam(PerunRequestFilterParams params, String propKey) {
|
||||
private Set<Long> getIdsFromParam(AuthProcFilterParams params, String propKey) {
|
||||
Set<Long> result = new HashSet<>();
|
||||
|
||||
String prop = params.getProperty(propKey);
|
||||
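Review bot: If the `APPLIED` marker returned by `getSessionAppliedParamName()` makes `AuthProcFilter` skip this filter for the rest of the session (inferred from the name; the base class is outside this section), VO and group membership is verified only once per session and a user removed from a mandatory VO keeps access until the session expires. That may be acceptable for an SSO flow, but it should be recorded on the method, e.g. `/** Session key under which the base filter records that membership was already verified; membership is not re-checked for the remainder of the session. */`. Separately, `@SuppressWarnings("SqlResolve")` above `public class ValidUserFilter extends AuthProcFilter` suppresses an IDE SQL inspection in a class that issues no SQL and should be dropped. `process` and `getIdsFromParam` continue past the end of this section.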
@ -16,7 +16,7 @@ import cz.muni.ics.oidc.server.claims.ClaimSource;
|
|||
import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
|
||||
import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
|
||||
import cz.muni.ics.oidc.server.connectors.Affiliation;
|
||||
import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint;
|
||||
import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
|
||||
import java.io.IOException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
package cz.muni.ics.oidc.web.controllers;
|
||||
|
||||
import static cz.muni.ics.oauth2.web.OAuthConfirmationController.CLAIMS;
|
||||
import static cz.muni.ics.oauth2.web.OAuthConfirmationController.SCOPES;
|
||||
import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.CLAIMS;
|
||||
import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.SCOPES;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.common.collect.Sets;
|
||||
|
@ -29,7 +29,6 @@ import java.util.Set;
|
|||
import java.util.stream.Collectors;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import cz.muni.ics.openid.connect.service.ScopeClaimTranslationService;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.apache.http.NameValuePair;
|
||||
import org.apache.http.client.utils.URIBuilder;
|
||||
@ -78,7 +78,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
|
|||
@Autowired(required = false)
|
||||
private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP();
|
||||
|
||||
private RequestMatcher requestMatcher = new AntPathRequestMatcher("/authorize");
|
||||
private RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/authorize");
|
||||
|
||||
/**
|
||||
*
|
||||
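Review bot: `private RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/authorize");` hard-codes the authorization endpoint path a second time, and if this matcher and the endpoint mapping ever drift apart (as this change itself shows can happen) the filter silently stops running on authorization requests, which is fail-open for whatever it enforces. Prefer building the matcher from the same constant the endpoint controller uses for its mapping, and add a comment such as `// Must match the authorization endpoint mapping exactly; a mismatch disables this filter without any error.` It is also not visible here whether `/auth` is part of the servlet path that `AntPathRequestMatcher` compares against or a context path that it ignores, so this deserves a test that a request to the real authorize URL is matched. The enclosing class continues past the end of this section.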
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.api;
|
||||
|
||||
import cz.muni.ics.openid.connect.model.ApprovedSite;
|
||||
import cz.muni.ics.openid.connect.service.ApprovedSiteService;
|
||||
|
@ -26,6 +26,7 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
|
|||
import cz.muni.ics.openid.connect.view.JsonApprovedSiteView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import cz.muni.ics.openid.connect.web.controller.GuiController;
|
||||
import java.security.Principal;
|
||||
import java.util.Collection;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -49,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
@Slf4j
|
||||
public class ApprovedSiteAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/approved";
|
||||
public static final String URL = GuiController.API_URL + "/approved";
|
||||
|
||||
@Autowired
|
||||
private ApprovedSiteService approvedSiteService;
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.api;
|
||||
|
||||
import com.google.gson.Gson;
|
||||
import com.google.gson.JsonObject;
|
||||
|
@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.BlacklistedSiteService;
|
|||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import cz.muni.ics.openid.connect.web.controller.GuiController;
|
||||
import java.security.Principal;
|
||||
import java.util.Collection;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
@Slf4j
|
||||
public class BlacklistAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/blacklist";
|
||||
public static final String URL = GuiController.API_URL + "/blacklist";
|
||||
|
||||
@Autowired
|
||||
private BlacklistedSiteService blacklistService;
|
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.api;
|
||||
|
||||
import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
|
||||
import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;
|
||||
|
@ -88,6 +88,7 @@ import cz.muni.ics.openid.connect.view.ClientEntityViewForUsers;
|
|||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import cz.muni.ics.openid.connect.web.controller.GuiController;
|
||||
import java.lang.reflect.Type;
|
||||
import java.sql.SQLIntegrityConstraintViolationException;
|
||||
import java.text.ParseException;
|
||||
|
@ -120,7 +121,7 @@ import org.springframework.web.servlet.ModelAndView;
|
|||
@Slf4j
|
||||
public class ClientAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/clients";
|
||||
public static final String URL = GuiController.API_URL + "/clients";
|
||||
|
||||
@Autowired
|
||||
private ClientDetailsEntityService clientService;
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.api;
|
||||
|
||||
import com.google.gson.Gson;
|
||||
import com.google.gson.JsonObject;
|
||||
|
@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.WhitelistedSiteService;
|
|||
import cz.muni.ics.openid.connect.view.HttpCodeView;
|
||||
import cz.muni.ics.openid.connect.view.JsonEntityView;
|
||||
import cz.muni.ics.openid.connect.view.JsonErrorView;
|
||||
import cz.muni.ics.openid.connect.web.controller.GuiController;
|
||||
import java.security.Principal;
|
||||
import java.util.Collection;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
|
@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
|||
@Slf4j
|
||||
public class WhitelistAPI {
|
||||
|
||||
public static final String URL = RootController.API_URL + "/whitelist";
|
||||
public static final String URL = GuiController.API_URL + "/whitelist";
|
||||
|
||||
@Autowired
|
||||
private WhitelistedSiteService whitelistService;
|
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.controller;
|
||||
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.stereotype.Controller;
|
||||
|
@ -27,7 +27,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
|||
*/
|
||||
|
||||
@Controller
|
||||
public class RootController {
|
||||
public class GuiController {
|
||||
|
||||
public static final String API_URL = "api";
|
||||
|
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.endpoint;
|
||||
|
||||
import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
|
||||
import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;
|
@ -14,7 +14,7 @@
|
|||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.endpoint;
|
||||
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
|
||||
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;
|
@ -15,7 +15,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.endpoint;
|
||||
|
||||
import com.nimbusds.jose.jwk.JWK;
|
||||
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
|
@ -13,7 +13,7 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.endpoint;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import com.google.gson.JsonSyntaxException;
|
@ -15,11 +15,10 @@
|
|||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*******************************************************************************/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.endpoint;
|
||||
|
||||
import com.google.common.base.Strings;
|
||||
import cz.muni.ics.oauth2.model.ClientDetailsEntity;
|
||||
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
|
||||
import cz.muni.ics.oauth2.model.SavedUserAuthentication;
|
||||
import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
|
||||
import cz.muni.ics.oauth2.service.SystemScopeService;
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.interceptor;
|
||||
|
||||
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
|
||||
import cz.muni.ics.openid.connect.config.UIConfiguration;
|
@ -18,7 +18,7 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package cz.muni.ics.openid.connect.web;
|
||||
package cz.muni.ics.openid.connect.web.interceptor;
|
||||
|
||||
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID;
|
||||
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE;
|