refactor: 💡 Refactor session invalidating

pull/1580/head
Dominik Frantisek Bucik 2022-01-27 10:27:13 +01:00
parent 50b6051c19
commit cc4add710d
No known key found for this signature in database
GPG Key ID: 25014C8DB2E7E62D
38 changed files with 730 additions and 814 deletions


@ -55,7 +55,7 @@
<logger name="cz.muni.ics" level="${log.level}"/> <logger name="cz.muni.ics" level="${log.level}"/>
<logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/> <logger name="cz.muni.ics.oidc.aop.WebLoggingAspect" level="debug"/>
<logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/> <logger name="cz.muni.ics.oidc.aop.ExecutionTimeLoggingAspect" level="trace"/>
<logger name="cz.muni.ics.openid.connect.web.EndSessionEndpoint" level="${log.level}"/> <logger name="cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint" level="${log.level}"/>
<logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/> <logger name="cz.muni.ics.openid.connect.config.JsonMessageSource" level="warn"/>
</configuration> </configuration>


@ -17,104 +17,16 @@
limitations under the License. limitations under the License.
--> -->
<beans xmlns="http://www.springframework.org/schema/beans" <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context" xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security" xsi:schemaLocation="
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-4.3.xsd"> http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- Scan for components --> <!-- Scan for components -->
<context:component-scan annotation-config="true" base-package="cz.muni.ics" /> <context:component-scan base-package="cz.muni.ics" />
<!-- Enables the Spring MVC @Controller programming model -->
<tx:annotation-driven transaction-manager="transactionManager" />
<mvc:annotation-driven ignore-default-model-on-redirect="true">
<mvc:message-converters>
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
</mvc:message-converters>
</mvc:annotation-driven>
<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.UserInfoInterceptor" />
<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.ServerConfigInterceptor" />
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"/>
</bean>
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<ref bean="localeChangeInterceptor"/>
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
<mvc:exclude-mapping path="/saml**" />
<!-- Inject the UserInfo into the response -->
<ref bean="userInfoInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**" />
<!-- Inject the server configuration into the response -->
<ref bean="serverConfigInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
<mvc:default-servlet-handler />
<!-- Bean to hold configuration properties --> <!-- Bean to hold configuration properties -->
<import resource="server-config.xml" /> <import resource="server-config.xml" />
@ -122,186 +34,6 @@
<!-- Import the data context --> <!-- Import the data context -->
<import resource="data-context.xml" /> <import resource="data-context.xml" />
<!-- SPEL processors -->
<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
<!-- Spring Security configuration -->
<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />
<security:http pattern="/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
use-expressions="true">
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
<security:intercept-url pattern="/token" access="isAuthenticated()" />
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Allow open access to discovery endpoints -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<!-- Allow open access to all static resources -->
<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<!-- OAuth-protect API and other endpoints -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:intercept-url pattern="/register/**" access="permitAll"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:intercept-url pattern="/resource/**" access="permitAll"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="#{T(cz.muni.ics.oauth2.web.DeviceEndpoint).ENDPOINT_URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.IntrospectionEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.RevocationEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:csrf disabled="true"/>
</security:http>
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="openidconnect" />
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<!-- Additional endpoints for extensions (such as UMA) -->
<import resource="endpoint-config.xml" />
<!-- SECOAUTH Authorization Server -->
<import resource="authz-config.xml" />
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
<constructor-arg name="filterProcessesUrls">
<set>
<value>/introspect</value>
<value>/revoke</value>
<value>/token</value>
</set>
</constructor-arg>
</bean>
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
</bean>
<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
</bean>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientUserDetailsService" />
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
</security:authentication-manager>
<security:authentication-manager id="clientAssertionAuthenticationManager">
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
</security:authentication-manager>
<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
<!-- Configure locale information --> <!-- Configure locale information -->
<import resource="locale-config.xml" /> <import resource="locale-config.xml" />
@ -311,49 +43,15 @@
<!-- assertion processing --> <!-- assertion processing -->
<import resource="assertion-config.xml" /> <import resource="assertion-config.xml" />
<!-- End Spring Security configuration -->
<!-- JPA --> <!-- JPA -->
<import resource="jpa-config.xml" /> <import resource="jpa-config.xml" />
<!-- End JPA -->
<!-- Crypto --> <!-- Crypto -->
<import resource="crypto-config.xml" /> <import resource="crypto-config.xml" />
<!-- End Crypto -->
<!-- View configuration -->
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
<property name="order" value="2" />
</bean>
<!-- Resolve views based on string names -->
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
<property name="order" value="1" />
</bean>
<!-- End view configuration -->
<!--Import scheduled task configuration -->
<import resource="task-config.xml" />
<!-- Import configuration for front-end (JavaScript) UI components --> <!-- Import configuration for front-end (JavaScript) UI components -->
<import resource="ui-config.xml" /> <import resource="ui-config.xml" />
<!-- import application-local configuration information (such as bean definitions) --> <import resource="web-context.xml" />
<import resource="local-config.xml" />
</beans> </beans>
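Review bot: The removal of the `<security:http pattern="/token" ...>` chain and its siblings for the device, introspection and revocation endpoints takes out the only place in view that declared `create-session="stateless"`, `<security:csrf disabled="true"/>`, the `resourceServerFilter` guarding userinfo, register and API paths, and the client-authentication filter order (`clientAssertionEndpointFilter` after PRE_AUTH_FILTER, then `clientCredentialsEndpointFilter` after BASIC_AUTH_FILTER, which the old comment "this one has to go first" depended on). The new side only adds `<import resource="web-context.xml" />`, which is not part of this diff, so a reviewer cannot confirm from these hunks that the same chains, filter order and entry points are re-established there; presumably they moved to Java configuration along with the deleted authz-config.xml (whose `redirect-resolver-ref="blacklistAwareRedirectResolver"` and `request-validator-ref="oauthRequestValidator"` also disappear), but that should be stated. Please add a pointer next to the new import, e.g. `<!-- Security filter chains (token/introspect/revoke client auth, resource-server protection of userinfo/register/API, CSRF and session policy) are now defined in web-context.xml -->`, and make sure the commit description lists where the authorization-server and SAML chains ended up. The dropping of `annotation-config="true"` on `<context:component-scan>` is harmless, since component-scan enables annotation config by default.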


@ -1,60 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
<!-- Error page handler. -->
<mvc:view-controller path="/error" view-name="error" />
</beans>


@ -1,46 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<security:http pattern="/devicecodeMFA/**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
</beans>


@ -1,36 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
<!-- Empty: Override this file in your local project to change configuration options. -->
</beans>


@ -1,25 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright 2018 The MIT Internet Trust Consortium
Portions copyright 2011-2013 The MITRE Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:task="http://www.springframework.org/schema/task"
xsi:schemaLocation="http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-4.3.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd">
</beans>


@ -474,295 +474,6 @@
<property name="testSpAttr" value="testSp" /> <property name="testSpAttr" value="testSp" />
</bean> </bean>
<!-- authentication -->
<!--suppress SpringXmlModelInspection -->
<security:http auto-config="false"
use-expressions="true"
entry-point-ref="samlEntryPoint"
create-session="always"
authentication-manager-ref="authenticationManager">
<security:csrf disabled="true"/>
<security:intercept-url pattern="/saml/**" access="permitAll()"/>
<security:intercept-url pattern="/logout" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" access="permitAll()"/>
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>
<security:logout logout-url="/saml/logout"/>
</security:http>
<security:authentication-manager id="authenticationManager">
<security:authentication-provider ref="authenticationProvider"/>
</security:authentication-manager>
<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
<!-- SAML -->
<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
<constructor-arg name="oidcIssuer" value="${main.oidc.issuer.url}"/>
<constructor-arg name="idpEntityId" value="${saml.idp.defaultIdpEntityId}"/>
<constructor-arg name="proxySpEntityId" value="${saml.proxy.spEntityId}"/>
<constructor-arg name="internalReferrers" value="#{'${saml.internalReferrers}'.split('\s*,\s*')}"/>
<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
</bean>
<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="contextProvider" ref="samlContextProvider"/>
<property name="samlEntryPoint" ref="samlEntryPoint"/>
<property name="metadata" ref="metadata"/>
</bean>
<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
<property name="useForward" value="true"/>
</bean>
<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
</bean>
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="clearAuthentication" value="true"/>
<property name="invalidateHttpSession" value="true"/>
</bean>
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="handlers" ref="logoutHandler"/>
</bean>
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="localHandler" ref="logoutHandler"/>
<constructor-arg name="globalHandlers" ref="logoutHandler"/>
</bean>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg name="storeFile">
<bean class="org.springframework.core.io.FileSystemResource">
<constructor-arg name="path" value="${saml.keystore.location}"/>
</bean>
</constructor-arg>
<constructor-arg name="storePass" value="${saml.keystore.password}"/>
<constructor-arg name="passwords">
<map>
<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
</map>
</constructor-arg>
<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
</bean>
<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg name="generator">
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="includeDiscoveryExtension" value="false"/>
<property name="entityId" value="${saml.entityID}"/>
<property name="extendedMetadata" ref="extendedMetadata"/>
<property name="wantAssertionSigned" value="true"/>
<property name="requestSigned" value="true"/>
</bean>
</constructor-arg>
<property name="normalizeBaseUrl" value="true"/>
</bean>
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
<property name="refreshCheckInterval" value="3600000"/>
<property name="refreshRequired" value="true"/>
<constructor-arg name="providers">
<list>
<ref bean="idpMetadata"/>
</list>
</constructor-arg>
</bean>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg name="bindings">
<list>
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg name="parserPool" ref="parserPool"/>
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
<constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
<constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
</bean>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
</bean>
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg name="filterChains">
<list>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="metadataDisplayFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlWebSSOProcessingFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlDiscovery"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlEntryPoint"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
<constructor-arg name="requestMatchers">
<list>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
</bean>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/logout"/>
</bean>
</list>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutProcessingFilter"/>
</list>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
</bean>
<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
<property name="logMessagesOnException" value="true"/>
<property name="logErrors" value="true"/>
</bean>
<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
<property name="maxAuthenticationAge" value="360"/>
</bean>
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
</bean>
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- END SAML --> <!-- END SAML -->
<bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/> <bean id="accessTokenClaimsModifier" class="${accessTokenClaimsModifier}"/>


@ -37,7 +37,7 @@
</h1> </h1>
<form name="confirmationForm" <form name="confirmationForm"
action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }authorize" method="post"> action="${ config.issuer }${ config.issuer.endsWith('/') ? '' : '/' }auth/authorize" method="post">
<div class="row"> <div class="row">
<div class="span5 offset1 well-small" style="text-align: left"> <div class="span5 offset1 well-small" style="text-align: left">
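Review bot: The consent form's action now posts to `auth/authorize` instead of `authorize`, and neither the JSP nor the commit description says why the authorization endpoint moved, so a reader has to reverse-engineer it from the new security configuration. A one-line JSP comment next to the form would do, e.g. `<%-- the consent POST goes to auth/authorize, not /authorize; see the security configuration for the split --%>`. It is also worth stating in the description that the new security config grants `permitAll()` to the `/authorize` pattern only, so `auth/authorize` falls under the `/**` → `hasRole('ROLE_USER')` rule and the consent POST still requires an authenticated session — presumably intended, since the user has just authenticated, but if the `permitAll()` on `/authorize` was meant to cover this path it does not match it. The second JSP hunk below makes the same change and the same note applies.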


@ -30,7 +30,7 @@
<div id="content"> <div id="content">
<c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" /> <c:remove scope="session" var="SPRING_SECURITY_LAST_EXCEPTION" />
<form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ? <form name="confirmationForm" method="post" action="${pageContext.request.contextPath.endsWith('/') ?
pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}authorize"> pageContext.request.contextPath : pageContext.request.contextPath.concat('/')}auth/authorize">
<p> <p>
<c:if test="${not empty client.policyUri}"> <c:if test="${not empty client.policyUri}">
<spring:message code="consent_privacy_policy"/>${" "} <spring:message code="consent_privacy_policy"/>${" "}


@ -0,0 +1,632 @@
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-4.3.xsd">
<bean id="userInfoInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.UserInfoInterceptor" />
<bean id="serverConfigInterceptor" class="cz.muni.ics.openid.connect.web.interceptor.ServerConfigInterceptor" />
<bean id="localeChangeInterceptor" class="org.springframework.web.servlet.i18n.LocaleChangeInterceptor">
<property name="paramName" value="lang"/>
</bean>
<!-- Enables the Spring MVC @Controller programming model -->
<tx:annotation-driven />
<bean id="mdcFilter" class="cz.muni.ics.mdc.MultiMDCFilter"/>
<!-- MVC -->
<!-- Error page handler. -->
<mvc:view-controller path="/error" view-name="error" />
<mvc:annotation-driven ignore-default-model-on-redirect="true">
<mvc:message-converters>
<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
</mvc:message-converters>
</mvc:annotation-driven>
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/**"/>
<ref bean="localeChangeInterceptor"/>
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).REQUEST_USER_CODE_URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).DEVICE_APPROVED_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.IsTestSpController).MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.AupController).URL}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_AUTHORIZATION}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_ENSURE_VO_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_IS_CESNET_ELIGIBLE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_MANDATORY_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_PROD_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_IN_TEST_VOS_GROUPS}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_NOT_LOGGED_IN}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedController).UNAPPROVED_SPECIFIC_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_CONTINUE_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.PerunUnapprovedRegistrationController).REGISTRATION_FORM_SUBMIT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.RegistrationController).CONTINUE_DIRECT_MAPPING}**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" />
<mvc:exclude-mapping path="/saml**" />
<!-- Inject the UserInfo into the response -->
<ref bean="userInfoInterceptor" />
</mvc:interceptor>
<mvc:interceptor>
<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
<mvc:mapping path="/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
<mvc:exclude-mapping path="/resources/**" />
<mvc:exclude-mapping path="/token**"/>
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**" />
<mvc:exclude-mapping path="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**" />
<mvc:exclude-mapping path="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**" />
<!-- Inject the server configuration into the response -->
<ref bean="serverConfigInterceptor"/>
</mvc:interceptor>
</mvc:interceptors>
<!-- Handles HTTP GET requests for /resources/** by efficiently serving
up static resources in the ${webappRoot}/resources directory -->
<mvc:resources mapping="/resources/**" location="/resources/" />
<mvc:default-servlet-handler />
<!-- SECURITY -->
<!-- SPEL processor -->
<security:global-method-security pre-post-annotations="enabled"
proxy-target-class="true"
authentication-manager-ref="authenticationManager">
<security:expression-handler ref="oauthExpressionHandler" />
</security:global-method-security>
<!-- Token endpoint -->
<security:http pattern="/token"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
use-expressions="true">
<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
<security:intercept-url pattern="/token" access="isAuthenticated()" />
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Userinfo endpoint -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- Introspection endpoint -->
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Revocation endpoint -->
<security:http pattern="/#{T(cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint).URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Device endpoint -->
<security:http pattern="#{T(cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint).ENDPOINT_URL}**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="stateless"
authentication-manager-ref="clientAuthenticationManager">
<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
<!-- include this only if you need to authenticate clients via request parameters -->
<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/>
</security:http>
<!-- JWK endpoint -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**"
use-expressions="true"
entry-point-ref="http403EntryPoint"
create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- Well-known -->
<security:http pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**"
use-expressions="true"
entry-point-ref="http403EntryPoint"
create-session="stateless">
<security:intercept-url pattern="/#{T(cz.muni.ics.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!--Static resources -->
<security:http pattern="/resources/**"
use-expressions="true"
entry-point-ref="http403EntryPoint"
create-session="stateless">
<security:intercept-url pattern="/resources/**" access="permitAll"/>
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/>
</security:http>
<!-- GUI -->
<security:http pattern="/#{T(cz.muni.ics.openid.connect.web.controller.GuiController).API_URL}/**"
use-expressions="true"
entry-point-ref="oauthAuthenticationEntryPoint"
create-session="never">
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/>
</security:http>
<security:http auto-config="false"
use-expressions="true"
entry-point-ref="samlEntryPoint"
create-session="always"
authentication-manager-ref="authenticationManager">
<security:csrf disabled="true"/>
<security:intercept-url pattern="/authorize" access="permitAll()"/>
<security:intercept-url pattern="/saml/**" access="permitAll()"/>
<security:intercept-url pattern="/logout" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}" access="permitAll()"/>
<security:intercept-url pattern="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}" access="permitAll()"/>
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<security:custom-filter ref="mdcMuFilter" before="FIRST"/>
<security:custom-filter ref="metadataGeneratorFilter" before="CHANNEL_FILTER"/>
<security:custom-filter ref="clearSessionFilter" after="CHANNEL_FILTER"/>
<security:custom-filter ref="samlFilter" before="CSRF_FILTER"/>
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="callPerunFiltersFilter" before="LAST"/>
<security:logout logout-url="/saml/logout"/>
</security:http>
<security:authentication-manager id="clientAuthenticationManager">
<security:authentication-provider user-service-ref="clientUserDetailsService" />
<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
</security:authentication-manager>
<security:authentication-manager id="clientAssertionAuthenticationManager">
<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
</security:authentication-manager>
<security:authentication-manager id="authenticationManager">
<security:authentication-provider ref="authenticationProvider"/>
</security:authentication-manager>
<!-- Dynamic registration endpoint -->
<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
<!-- <security:intercept-url pattern="/register/**" access="permitAll"/>-->
<!-- <security:csrf disabled="true"/>-->
<!-- </security:http>-->
<!-- <security:http pattern="/#{T(cz.muni.ics.openid.connect.web.endpoint.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">-->
<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />-->
<!-- <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />-->
<!-- <security:custom-filter ref="mdcFilter" before="FIRST"/>-->
<!-- <security:expression-handler ref="oauthWebExpressionHandler" />-->
<!-- <security:intercept-url pattern="/resource/**" access="permitAll"/>-->
<!-- <security:csrf disabled="true"/>-->
<!-- </security:http>-->
<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="openidconnect" />
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
<bean id="clientAuthMatcher" class="cz.muni.ics.openid.connect.filter.MultiUrlRequestMatcher">
<constructor-arg name="filterProcessesUrls">
<set>
<value>/introspect</value>
<value>/revoke</value>
<value>/token</value>
</set>
</constructor-arg>
</bean>
<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
<property name="authenticationManager" ref="clientAuthenticationManager" />
<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
</bean>
<bean id="clientAssertionEndpointFilter" class="cz.muni.ics.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
</bean>
<bean id="clientAssertionAuthenticationProvider" class="cz.muni.ics.openid.connect.assertion.JWTBearerAuthenticationProvider" />
<!-- Resolves views selected for rendering by @Controllers to .jsp resources
in the /WEB-INF/views directory -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
<property name="prefix" value="/WEB-INF/views/" />
<property name="suffix" value=".jsp" />
<property name="order" value="2" />
</bean>
<!-- Resolve views based on string names -->
<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
<property name="order" value="1" />
</bean>
<bean id="mdcMuFilter" class="cz.muni.ics.oidc.server.filters.impl.MultiMDCFilter"/>
<!-- SAML -->
<bean id="clearSessionFilter" class="cz.muni.ics.oidc.saml.SamlInvalidateSessionFilter">
<!-- <constructor-arg name="oidcIssuer" value="${main.oidc.issuer.url}"/>-->
<!-- <constructor-arg name="idpEntityId" value="${saml.idp.defaultIdpEntityId}"/>-->
<!-- <constructor-arg name="proxySpEntityId" value="${saml.proxy.spEntityId}"/>-->
<!-- <constructor-arg name="internalReferrers" value="#{'${saml.internalReferrers}'.split('\s*,\s*')}"/>-->
<constructor-arg name="contextLogoutHandler" ref="logoutHandler"/>
</bean>
<bean id="samlDiscovery" class="org.springframework.security.saml.SAMLDiscovery">
<property name="contextProvider" ref="samlContextProvider"/>
<property name="samlEntryPoint" ref="samlEntryPoint"/>
<property name="metadata" ref="metadata"/>
</bean>
<bean id="successRedirectHandler" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_SUCCESS}"/>
</bean>
<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LoginController).MAPPING_FAILURE}"/>
<property name="useForward" value="true"/>
</bean>
<bean id="successLogoutHandler" class="cz.muni.ics.oidc.saml.PerunOidcLogoutSuccessHandler">
<property name="defaultTargetUrl" value="#{T(cz.muni.ics.oidc.web.controllers.LogoutController).MAPPING_SUCCESS}"/>
<property name="targetUrlParameter" value="#{T(cz.muni.ics.oidc.server.filters.PerunFilterConstants).PARAM_TARGET}"/>
</bean>
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
<property name="clearAuthentication" value="true"/>
<property name="invalidateHttpSession" value="true"/>
</bean>
<bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="handlers" ref="logoutHandler"/>
</bean>
<bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter">
<constructor-arg name="logoutSuccessHandler" ref="successLogoutHandler"/>
<constructor-arg name="localHandler" ref="logoutHandler"/>
<constructor-arg name="globalHandlers" ref="logoutHandler"/>
</bean>
<bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager">
<constructor-arg name="storeFile">
<bean class="org.springframework.core.io.FileSystemResource">
<constructor-arg name="path" value="${saml.keystore.location}"/>
</bean>
</constructor-arg>
<constructor-arg name="storePass" value="${saml.keystore.password}"/>
<constructor-arg name="passwords">
<map>
<entry key="${saml.keystore.defaultKey}" value="${saml.keystore.defaultKeyPass}"/>
</map>
</constructor-arg>
<constructor-arg name="defaultKey" value="${saml.keystore.defaultKey}"/>
</bean>
<bean id="extendedMetadata" class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg name="generator">
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="includeDiscoveryExtension" value="false"/>
<property name="entityId" value="${saml.entityID}"/>
<property name="extendedMetadata" ref="extendedMetadata"/>
<property name="wantAssertionSigned" value="true"/>
<property name="requestSigned" value="true"/>
</bean>
</constructor-arg>
<property name="normalizeBaseUrl" value="true"/>
</bean>
<bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/>
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<property name="defaultIDP" value="${saml.idp.defaultIdpEntityId}"/>
<property name="refreshCheckInterval" value="3600000"/>
<property name="refreshRequired" value="true"/>
<constructor-arg name="providers">
<list>
<ref bean="idpMetadata"/>
</list>
</constructor-arg>
</bean>
<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"/>
<bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/>
<bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl">
<constructor-arg name="bindings">
<list>
<bean id="httpPostBinding" class="org.springframework.security.saml.processor.HTTPPostBinding">
<constructor-arg name="parserPool" ref="parserPool"/>
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunPostEncoder">
<constructor-arg name="engine" value="#{T(org.springframework.security.saml.util.VelocityFactory).getEngine()}"/>
<constructor-arg name="templateId" value="/templates/saml2-post-binding.vm"/>
</bean>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPPostDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
<bean id="httpRedirectDeflateBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding">
<constructor-arg name="encoder">
<bean class="cz.muni.ics.oidc.saml.PerunHTTPRedirectDeflateEncoder"/>
</constructor-arg>
<constructor-arg name="decoder">
<bean class="org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder">
<constructor-arg name="pool" ref="parserPool"/>
</bean>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
<property name="authenticationFailureHandler" ref="authenticationFailureHandler"/>
</bean>
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg name="filterChains">
<list>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.metadata.MetadataDisplayFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="metadataDisplayFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLProcessingFilter).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlWebSSOProcessingFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLDiscovery).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlDiscovery"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLEntryPoint).FILTER_URL}"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlEntryPoint"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.OrRequestMatcher">
<constructor-arg name="requestMatchers">
<list>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern"
value="#{T(org.springframework.security.saml.SAMLLogoutFilter).FILTER_URL}"/>
</bean>
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="/logout"/>
</bean>
</list>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutFilter"/>
</list>
</constructor-arg>
</bean>
<bean class="org.springframework.security.web.DefaultSecurityFilterChain">
<constructor-arg name="requestMatcher">
<bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher">
<constructor-arg name="pattern" value="#{T(org.springframework.security.saml.SAMLLogoutProcessingFilter).FILTER_URL}/**"/>
</bean>
</constructor-arg>
<constructor-arg name="filters">
<list>
<ref bean="samlLogoutProcessingFilter"/>
</list>
</constructor-arg>
</bean>
</list>
</constructor-arg>
</bean>
<bean id="webSSOProfileOptions" class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
</bean>
<bean id="samlEntryPoint" class="cz.muni.ics.oidc.saml.PerunSamlEntryPoint">
<property name="defaultProfileOptions" ref="webSSOProfileOptions"/>
</bean>
<bean id="samlContextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/>
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger">
<property name="logMessagesOnException" value="true"/>
<property name="logErrors" value="true"/>
</bean>
<bean id="singleLogoutProfile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"/>
<bean id="webSSOprofileConsumer" class="cz.muni.ics.oidc.saml.PerunWebSSOProfileConsumerImpl">
<property name="enableComparison" value="${saml.acrs.enableComparison}"/>
<property name="reservedPrefixes" value="#{'${saml.acrs.reserverdPrefixes}'.split('\s*,\s*')}"/>
<property name="maxAuthenticationAge" value="360"/>
</bean>
<bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/>
<bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/>
<bean id="samlUserDetailsService" class="cz.muni.ics.oidc.saml.PerunSamlUserDetailsService"/>
<bean id="authenticationProvider" class="cz.muni.ics.oidc.saml.PerunSamlAuthenticationProvider">
<constructor-arg name="adminIds" value="#{'${admins}'.split('\s*,\s*')}"/>
</bean>
<bean class="org.springframework.security.saml.SAMLBootstrap"/>
<!-- END SAML -->
<!-- OAuth -->
<oauth:authorization-server
client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
authorization-request-manager-ref="connectOAuth2RequestFactory"
token-services-ref="defaultOAuth2ProviderTokenService"
user-approval-handler-ref="tofuUserApprovalHandler"
request-validator-ref="oauthRequestValidator"
redirect-resolver-ref="blacklistAwareRedirectResolver"
authorization-endpoint-url="/auth/authorize"
token-endpoint-url="/token"
error-page="/error">
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
<oauth:custom-grant token-granter-ref="jwtAssertionTokenGranter" />
<oauth:custom-grant token-granter-ref="deviceTokenGranter" />
</oauth:authorization-server>
<oauth:resource-server id="resourceServerFilter"
token-services-ref="defaultOAuth2ProviderTokenService"
stateless="false" />
<oauth:expression-handler id="oauthExpressionHandler" />
<oauth:web-expression-handler id="oauthWebExpressionHandler" />
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
<bean id="oauthRequestValidator" class="cz.muni.ics.oauth2.token.ScopeServiceAwareOAuth2RequestValidator" />
</beans>


@ -28,18 +28,18 @@ import cz.muni.ics.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService; import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;
import cz.muni.ics.oauth2.model.PKCEAlgorithm; import cz.muni.ics.oauth2.model.PKCEAlgorithm;
import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint; import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
import cz.muni.ics.oauth2.web.IntrospectionEndpoint; import cz.muni.ics.oauth2.web.endpoint.IntrospectionEndpoint;
import cz.muni.ics.oauth2.web.RevocationEndpoint; import cz.muni.ics.oauth2.web.endpoint.RevocationEndpoint;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.model.UserInfo; import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService; import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.web.DynamicClientRegistrationEndpoint; import cz.muni.ics.openid.connect.web.endpoint.DynamicClientRegistrationEndpoint;
import cz.muni.ics.openid.connect.web.EndSessionEndpoint; import cz.muni.ics.openid.connect.web.endpoint.EndSessionEndpoint;
import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint; import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
import cz.muni.ics.openid.connect.web.UserInfoEndpoint; import cz.muni.ics.openid.connect.web.endpoint.UserInfoEndpoint;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;


@ -20,7 +20,7 @@ import cz.muni.ics.oauth2.exception.AuthorizationPendingException;
import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException; import cz.muni.ics.oauth2.exception.DeviceCodeExpiredException;
import cz.muni.ics.oauth2.model.DeviceCode; import cz.muni.ics.oauth2.model.DeviceCode;
import cz.muni.ics.oauth2.service.DeviceCodeService; import cz.muni.ics.oauth2.service.DeviceCodeService;
import cz.muni.ics.oauth2.web.DeviceEndpoint; import cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint;
import java.util.Date; import java.util.Date;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.api;
import com.google.gson.Gson; import com.google.gson.Gson;
import cz.muni.ics.oauth2.model.SystemScope; import cz.muni.ics.oauth2.model.SystemScope;
@ -26,7 +26,7 @@ import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.RootController; import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.util.Set; import java.util.Set;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -50,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class ScopeAPI { public class ScopeAPI {
public static final String URL = RootController.API_URL + "/scopes"; public static final String URL = GuiController.API_URL + "/scopes";
@Autowired @Autowired
private SystemScopeService scopeService; private SystemScopeService scopeService;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.api;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity; import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
@ -27,7 +27,7 @@ import cz.muni.ics.openid.connect.service.OIDCTokenService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.RootController; import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
@ -53,7 +53,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class TokenAPI { public class TokenAPI {
public static final String URL = RootController.API_URL + "/tokens"; public static final String URL = GuiController.API_URL + "/tokens";
@Autowired @Autowired
private OAuth2TokenEntityService tokenService; private OAuth2TokenEntityService tokenService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.controller;
import com.google.common.base.Joiner; import com.google.common.base.Joiner;
import com.google.common.base.Splitter; import com.google.common.base.Splitter;


@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.endpoint;
import cz.muni.ics.oauth2.exception.DeviceCodeCreationException; import cz.muni.ics.oauth2.exception.DeviceCodeCreationException;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.endpoint;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap; import com.google.common.collect.ImmutableMap;
@ -26,6 +26,7 @@ import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.IntrospectionResultAssembler; import cz.muni.ics.oauth2.service.IntrospectionResultAssembler;
import cz.muni.ics.oauth2.service.OAuth2TokenEntityService; import cz.muni.ics.oauth2.service.OAuth2TokenEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.oauth2.service.SystemScopeService;
import cz.muni.ics.oauth2.web.AuthenticationUtilities;
import cz.muni.ics.openid.connect.model.UserInfo; import cz.muni.ics.openid.connect.model.UserInfo;
import cz.muni.ics.openid.connect.service.UserInfoService; import cz.muni.ics.openid.connect.service.UserInfoService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.endpoint;
import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope; import static cz.muni.ics.oauth2.web.AuthenticationUtilities.ensureOAuthScope;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.oauth2.web; package cz.muni.ics.oauth2.web.filter;
import java.io.IOException; import java.io.IOException;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;


@ -33,9 +33,15 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean {
private static final RequestMatcher MATCHER = new OrRequestMatcher( private static final RequestMatcher MATCHER = new OrRequestMatcher(
Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER)); Arrays.asList(AUTHORIZE_MATCHER, AUTHORIZE_ALL_MATCHER, DEVICE_CODE_MATCHER, DEVICE_CODE_ALL_MATCHER));
public static final RequestMatcher MATCH = new AntPathRequestMatcher("/authorize");
private final SecurityContextLogoutHandler contextLogoutHandler; private final SecurityContextLogoutHandler contextLogoutHandler;
private final List<String> internalReferrers = new ArrayList<>(); private final List<String> internalReferrers = new ArrayList<>();
public SamlInvalidateSessionFilter(SecurityContextLogoutHandler contextLogoutHandler) {
this.contextLogoutHandler = contextLogoutHandler;
}
public SamlInvalidateSessionFilter(String idpEntityId, public SamlInvalidateSessionFilter(String idpEntityId,
String oidcIssuer, String oidcIssuer,
String proxySpEntityId, String proxySpEntityId,
@ -67,14 +73,24 @@ public class SamlInvalidateSessionFilter extends GenericFilterBean {
{ {
HttpServletRequest req = (HttpServletRequest) request; HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response; HttpServletResponse res = (HttpServletResponse) response;
if (MATCHER.matches(req)) { if (MATCH.matches(req)) {
String referer = req.getHeader(REFERER); log.debug("INV_SESS - invalidate");
if (!isInternalReferer(referer)) {
log.debug("Got external referer, clear session to reauthenticate");
contextLogoutHandler.logout(req, res, null); contextLogoutHandler.logout(req, res, null);
} } else {
log.debug("INV_SESS - skipping");
} }
chain.doFilter(req, res); chain.doFilter(req, res);
// HttpServletRequest req = (HttpServletRequest) request;
// HttpServletResponse res = (HttpServletResponse) response;
// if (MATCHER.matches(req)) {
// String referer = req.getHeader(REFERER);
// if (!isInternalReferer(referer)) {
// log.debug("Got external referer, clear session to reauthenticate");
// contextLogoutHandler.logout(req, res, null);
// }
// }
// chain.doFilter(req, res);
} }
private boolean isInternalReferer(String referer) { private boolean isInternalReferer(String referer) {
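Review bot: The new `MATCH = new AntPathRequestMatcher("/authorize")` hard-codes a path that this same commit moves elsewhere — `PerunFilterConstants.AUTHORIZE_REQ_PATTERN` and the `AuthorizationRequestFilter` matcher both become `"/auth/authorize"`, and the authorization-server endpoint in the Spring XML is `authorization-endpoint-url="/auth/authorize"` — so unless "/authorize" is still served and forwarded to the new path (not visible in this diff), the filter never fires and the forced re-authentication it exists for is silently lost. If "/authorize" is intended as the public entry that redirects into "/auth/authorize", say so in a comment on `MATCH` and build the other matchers from the constant rather than duplicated literals so the two cannot drift apart again. With the referer check gone, every matching request now runs `contextLogoutHandler.logout(req, res, null)`, which with `invalidateHttpSession=true` also drops anything else stored in the session (saved requests, device-flow attributes); a comment such as `// every hit on this path ends the local session — nothing may rely on session state across it` would make that an explicit contract, and the placeholder messages `"INV_SESS - invalidate"` / `"INV_SESS - skipping"` should say what is being invalidated and why. The now-unreachable `isInternalReferer`, the `internalReferrers` list, the old constructor parameters and the commented-out previous body (`// HttpServletRequest req ...` through `// chain.doFilter(req, res);`) should be deleted rather than kept as dead code. The enclosing `doFilter` begins before this hunk and `isInternalReferer` continues past it.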


@ -1,6 +1,6 @@
package cz.muni.ics.oidc.server.filters; package cz.muni.ics.oidc.server.filters;
import static cz.muni.ics.oauth2.web.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE; import static cz.muni.ics.oauth2.web.endpoint.DeviceEndpoint.DEVICE_CODE_SESSION_ATTRIBUTE;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_FORCE_AUTHN;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;


@ -11,7 +11,7 @@ import java.util.Map;
*/ */
public class PerunFilterConstants { public class PerunFilterConstants {
public static final String AUTHORIZE_REQ_PATTERN = "/authorize"; public static final String AUTHORIZE_REQ_PATTERN = "/auth/authorize";
public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code"; public static final String DEVICE_APPROVE_REQ_PATTERN = "/device/code";
public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode"; public static final String DEVICE_CHECK_CODE_REQ_PATTERN = "/device/checkcode";


@ -16,7 +16,7 @@ import cz.muni.ics.oidc.server.claims.ClaimSource;
import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext; import cz.muni.ics.oidc.server.claims.ClaimSourceInitContext;
import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext; import cz.muni.ics.oidc.server.claims.ClaimSourceProduceContext;
import cz.muni.ics.oidc.server.connectors.Affiliation; import cz.muni.ics.oidc.server.connectors.Affiliation;
import cz.muni.ics.openid.connect.web.JWKSetPublishingEndpoint; import cz.muni.ics.openid.connect.web.endpoint.JWKSetPublishingEndpoint;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;


@ -1,7 +1,7 @@
package cz.muni.ics.oidc.web.controllers; package cz.muni.ics.oidc.web.controllers;
import static cz.muni.ics.oauth2.web.OAuthConfirmationController.CLAIMS; import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.CLAIMS;
import static cz.muni.ics.oauth2.web.OAuthConfirmationController.SCOPES; import static cz.muni.ics.oauth2.web.controller.OAuthConfirmationController.SCOPES;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.Sets; import com.google.common.collect.Sets;
@ -29,7 +29,6 @@ import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import cz.muni.ics.openid.connect.service.ScopeClaimTranslationService;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.http.NameValuePair; import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URIBuilder; import org.apache.http.client.utils.URIBuilder;


@ -78,7 +78,7 @@ public class AuthorizationRequestFilter extends GenericFilterBean {
@Autowired(required = false) @Autowired(required = false)
private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP(); private LoginHintExtracter loginHintExtracter = new RemoveLoginHintsWithHTTP();
private RequestMatcher requestMatcher = new AntPathRequestMatcher("/authorize"); private RequestMatcher requestMatcher = new AntPathRequestMatcher("/auth/authorize");
/** /**
* *
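Review bot: `new AntPathRequestMatcher("/auth/authorize")` repeats the literal that this commit also sets in `PerunFilterConstants.AUTHORIZE_REQ_PATTERN`; if that constant is reachable from this class, `private final RequestMatcher requestMatcher = new AntPathRequestMatcher(PerunFilterConstants.AUTHORIZE_REQ_PATTERN);` keeps the request-gating path defined in one place, and `final` is appropriate unless a setter outside this hunk reassigns it. The same duplicated-literal pattern appears in the `SamlInvalidateSessionFilter` hunk, where the literal is still the old "/authorize".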


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import cz.muni.ics.openid.connect.model.ApprovedSite; import cz.muni.ics.openid.connect.model.ApprovedSite;
import cz.muni.ics.openid.connect.service.ApprovedSiteService; import cz.muni.ics.openid.connect.service.ApprovedSiteService;
@ -26,6 +26,7 @@ import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonApprovedSiteView; import cz.muni.ics.openid.connect.view.JsonApprovedSiteView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -49,7 +50,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class ApprovedSiteAPI { public class ApprovedSiteAPI {
public static final String URL = RootController.API_URL + "/approved"; public static final String URL = GuiController.API_URL + "/approved";
@Autowired @Autowired
private ApprovedSiteService approvedSiteService; private ApprovedSiteService approvedSiteService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import com.google.gson.Gson; import com.google.gson.Gson;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.BlacklistedSiteService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class BlacklistAPI { public class BlacklistAPI {
public static final String URL = RootController.API_URL + "/blacklist"; public static final String URL = GuiController.API_URL + "/blacklist";
@Autowired @Autowired
private BlacklistedSiteService blacklistService; private BlacklistedSiteService blacklistService;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE; import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS; import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;
@ -88,6 +88,7 @@ import cz.muni.ics.openid.connect.view.ClientEntityViewForUsers;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.lang.reflect.Type; import java.lang.reflect.Type;
import java.sql.SQLIntegrityConstraintViolationException; import java.sql.SQLIntegrityConstraintViolationException;
import java.text.ParseException; import java.text.ParseException;
@ -120,7 +121,7 @@ import org.springframework.web.servlet.ModelAndView;
@Slf4j @Slf4j
public class ClientAPI { public class ClientAPI {
public static final String URL = RootController.API_URL + "/clients"; public static final String URL = GuiController.API_URL + "/clients";
@Autowired @Autowired
private ClientDetailsEntityService clientService; private ClientDetailsEntityService clientService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.api;
import com.google.gson.Gson; import com.google.gson.Gson;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
@ -29,6 +29,7 @@ import cz.muni.ics.openid.connect.service.WhitelistedSiteService;
import cz.muni.ics.openid.connect.view.HttpCodeView; import cz.muni.ics.openid.connect.view.HttpCodeView;
import cz.muni.ics.openid.connect.view.JsonEntityView; import cz.muni.ics.openid.connect.view.JsonEntityView;
import cz.muni.ics.openid.connect.view.JsonErrorView; import cz.muni.ics.openid.connect.view.JsonErrorView;
import cz.muni.ics.openid.connect.web.controller.GuiController;
import java.security.Principal; import java.security.Principal;
import java.util.Collection; import java.util.Collection;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
@ -53,7 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
@Slf4j @Slf4j
public class WhitelistAPI { public class WhitelistAPI {
public static final String URL = RootController.API_URL + "/whitelist"; public static final String URL = GuiController.API_URL + "/whitelist";
@Autowired @Autowired
private WhitelistedSiteService whitelistService; private WhitelistedSiteService whitelistService;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.controller;
import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller; import org.springframework.stereotype.Controller;
@ -27,7 +27,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
*/ */
@Controller @Controller
public class RootController { public class GuiController {
public static final String API_URL = "api"; public static final String API_URL = "api";


@ -0,0 +1,23 @@
package cz.muni.ics.openid.connect.web.endpoint;
import javax.servlet.http.HttpServletRequest;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.view.RedirectView;
@Controller
@Slf4j
public class AuthorizationEndpoint {
@RequestMapping(value = "/authorize")
public RedirectView authorize(HttpServletRequest req) {
log.debug("Handling authorize in endpoint");
RedirectView view = new RedirectView("/auth/authorize?" + req.getQueryString());
view.setContextRelative(true);
view.setAttributesMap(req.getParameterMap());
log.debug("AUTH_ENDPOINT: Redirecting to: {}", view);
return view;
}
}
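Review bot: `req.getQueryString()` on the `new RedirectView(...)` line is null for any request without a query string (including a POST authorize, which `@RequestMapping(value = "/authorize")` also matches because it names no method), so the redirect target becomes the literal `/auth/authorize?null` and the body parameters are lost. The following `view.setAttributesMap(req.getParameterMap())` appears to make the raw concatenation redundant anyway: Spring's `RedirectView` exposes model attributes as query parameters by default, so parameters sent via the query string most likely arrive at `/auth/authorize` twice. The second `log.debug` prints the view's `toString()`, which includes the full target URL and therefore every authorization parameter (state, nonce, hints, request objects); logging only the path keeps those values out of the log. Building the target from the parameter map alone fixes the null case, the duplication and the POST case together.
```java
    @RequestMapping(value = "/authorize")
    public RedirectView authorize(HttpServletRequest req) {
        log.debug("Handling authorize in endpoint");
        // Forward the original parameters exactly once: RedirectView appends the model
        // attributes as (URL-encoded) query parameters, so the raw query string must not
        // be concatenated as well. This also covers POST requests, where getQueryString()
        // is null and the parameters live in the body.
        RedirectView view = new RedirectView("/auth/authorize");
        view.setContextRelative(true);
        view.setAttributesMap(req.getParameterMap());
        // Log the target path only; the parameters carry request-specific values.
        log.debug("AUTH_ENDPOINT: Redirecting to: {}", view.getUrl());
        return view;
    }
```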


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE; import static cz.muni.ics.oauth2.model.RegisteredClientFields.APPLICATION_TYPE;
import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS; import static cz.muni.ics.oauth2.model.RegisteredClientFields.CLAIMS_REDIRECT_URIS;


@ -14,7 +14,7 @@
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_POST_LOGOUT_REDIRECT_URI;
import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE; import static cz.muni.ics.oidc.server.filters.PerunFilterConstants.PARAM_STATE;


@ -15,7 +15,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import com.nimbusds.jose.jwk.JWK; import com.nimbusds.jose.jwk.JWK;
import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService; import cz.muni.ics.jwt.signer.service.JWTSigningAndValidationService;


@ -13,7 +13,7 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.gson.JsonSyntaxException; import com.google.gson.JsonSyntaxException;


@ -15,11 +15,10 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*******************************************************************************/ *******************************************************************************/
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.endpoint;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import cz.muni.ics.oauth2.model.ClientDetailsEntity; import cz.muni.ics.oauth2.model.ClientDetailsEntity;
import cz.muni.ics.oauth2.model.OAuth2AccessTokenEntity;
import cz.muni.ics.oauth2.model.SavedUserAuthentication; import cz.muni.ics.oauth2.model.SavedUserAuthentication;
import cz.muni.ics.oauth2.service.ClientDetailsEntityService; import cz.muni.ics.oauth2.service.ClientDetailsEntityService;
import cz.muni.ics.oauth2.service.SystemScopeService; import cz.muni.ics.oauth2.service.SystemScopeService;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.interceptor;
import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean; import cz.muni.ics.openid.connect.config.ConfigurationPropertiesBean;
import cz.muni.ics.openid.connect.config.UIConfiguration; import cz.muni.ics.openid.connect.config.UIConfiguration;


@ -18,7 +18,7 @@
/** /**
* *
*/ */
package cz.muni.ics.openid.connect.web; package cz.muni.ics.openid.connect.web.interceptor;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID; import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.CLIENT_ID;
import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE; import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.SCOPE;