|
|
@ -100,6 +100,8 @@
|
|
|
|
|
|
|
|
|
|
|
|
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
|
|
|
|
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<bean id="mdcFilter" class="org.mitre.mdc.MultiMDCFilter"/>
|
|
|
|
|
|
|
|
|
|
|
|
<!-- Spring Security configuration -->
|
|
|
|
<!-- Spring Security configuration -->
|
|
|
|
|
|
|
|
|
|
|
|
<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
|
|
|
|
<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
|
|
|
@ -117,6 +119,7 @@
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
|
|
|
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
@ -125,11 +128,13 @@
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
|
|
|
<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
|
|
|
|
<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
|
<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
|
|
|
<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
|
|
|
<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
|
|
|
|
<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
|
|
|
|
|
|
|
|
@ -137,6 +142,7 @@
|
|
|
|
<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
|
|
|
<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
|
|
|
|
<security:intercept-url pattern="/resources/**" access="permitAll"/>
|
|
|
|
<security:intercept-url pattern="/resources/**" access="permitAll"/>
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
|
|
|
|
|
|
|
|
@ -144,6 +150,7 @@
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:intercept-url pattern="/register/**" access="permitAll"/>
|
|
|
|
<security:intercept-url pattern="/register/**" access="permitAll"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
@ -152,6 +159,7 @@
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:intercept-url pattern="/resource/**" access="permitAll"/>
|
|
|
|
<security:intercept-url pattern="/resource/**" access="permitAll"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
@ -160,12 +168,14 @@
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
|
|
|
|
|
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
|
|
|
|
<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:expression-handler ref="oauthWebExpressionHandler" />
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
@ -180,6 +190,7 @@
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
|
|
|
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
@ -194,6 +205,7 @@
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
|
|
|
|
|
|
|
|
@ -207,6 +219,7 @@
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
|
|
|
|
|
|
|
|
<security:custom-filter ref="mdcFilter" before="FIRST"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
<security:csrf disabled="true"/>
|
|
|
|
</security:http>
|
|
|
|
</security:http>
|
|
|
|
|
|
|
|
|
|
|
|
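Review bot: The new `mdcFilter` bean (`org.mitre.mdc.MultiMDCFilter`, first hunk) is wired by hand with `<security:custom-filter ref="mdcFilter" before="FIRST"/>` into each `<security:http>` chain these hunks touch, so any chain outside the hunks, or one added later, will log without MDC context and nothing flags the omission. If every request is meant to carry the context, registering the filter once ahead of the Spring Security filter chain (for example through a `DelegatingFilterProxy` mapping in the servlet configuration) would replace the repeated lines; otherwise put a comment on the bean such as `<!-- add before="FIRST" to every security:http chain -->`. The filter class is not on this page, so confirm that it clears the MDC in a `finally` block after `chain.doFilter`, because MDC state is thread-local and would otherwise carry one request's identifiers into the next request served by the same pooled thread. Any request-derived value it stores should also have CR/LF stripped before it reaches the log pattern, so that log lines used for audit cannot be forged.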