moved UMA-specific files to the UMA webapp package

pull/708/merge
Justin Richer 2015-05-12 17:39:17 -04:00
parent 1b4dba70f0
commit f077579b29
13 changed files with 2288 additions and 0 deletions


@ -127,5 +127,6 @@
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
</dependency>
</dependencies>
</project>

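--- /dev/null
+++ b/<path not shown on page: HSQL client seed script>
@@ -0,0 +1,77 @@
+--
+-- Turn off autocommit and start a transaction so that we can use the temp tables
+--
+SET AUTOCOMMIT FALSE;
+START TRANSACTION;
+--
+-- Insert client information into the temporary tables. To add clients to the HSQL database, edit things here.
+--
+INSERT INTO client_details_TEMP (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES
+('client', 'secret', 'Test Client', false, null, 3600, 600, true),
+('rs', 'secret', 'Test UMA RS', false, null, null, 600, false),
+('c', 'secret', 'Test UMA Client', false, null, null, 600, false);
+INSERT INTO client_scope_TEMP (owner_id, scope) VALUES
+('client', 'openid'),
+('client', 'profile'),
+('client', 'email'),
+('client', 'address'),
+('client', 'phone'),
+('client', 'offline_access'),
+('rs', 'uma_protection'),
+('c', 'uma_authorization');
+INSERT INTO client_redirect_uri_TEMP (owner_id, redirect_uri) VALUES
+('client', 'http://localhost/'),
+('client', 'http://localhost:8080/');
+INSERT INTO client_grant_type_TEMP (owner_id, grant_type) VALUES
+('client', 'authorization_code'),
+('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
+('client', 'implicit'),
+('client', 'refresh_token'),
+('rs', 'authorization_code'),
+('rs', 'implicit'),
+('c', 'authorization_code'),
+('c', 'implicit');
+--
+-- Merge the temporary clients safely into the database. This is a two-step process to keep clients from being created on every startup with a persistent store.
+--
+MERGE INTO client_details
+USING (SELECT client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection FROM client_details_TEMP) AS vals(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection)
+ON vals.client_id = client_details.client_id
+WHEN NOT MATCHED THEN
+INSERT (client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection) VALUES(client_id, client_secret, client_name, dynamically_registered, refresh_token_validity_seconds, access_token_validity_seconds, id_token_validity_seconds, allow_introspection);
+MERGE INTO client_scope
+USING (SELECT id, scope FROM client_scope_TEMP, client_details WHERE client_details.client_id = client_scope_TEMP.owner_id) AS vals(id, scope)
+ON vals.id = client_scope.owner_id AND vals.scope = client_scope.scope
+WHEN NOT MATCHED THEN
+INSERT (owner_id, scope) values (vals.id, vals.scope);
+MERGE INTO client_redirect_uri
+USING (SELECT id, redirect_uri FROM client_redirect_uri_TEMP, client_details WHERE client_details.client_id = client_redirect_uri_TEMP.owner_id) AS vals(id, redirect_uri)
+ON vals.id = client_redirect_uri.owner_id AND vals.redirect_uri = client_redirect_uri.redirect_uri
+WHEN NOT MATCHED THEN
+INSERT (owner_id, redirect_uri) values (vals.id, vals.redirect_uri);
+MERGE INTO client_grant_type
+USING (SELECT id, grant_type FROM client_grant_type_TEMP, client_details WHERE client_details.client_id = client_grant_type_TEMP.owner_id) AS vals(id, grant_type)
+ON vals.id = client_grant_type.owner_id AND vals.grant_type = client_grant_type.grant_type
+WHEN NOT MATCHED THEN
+INSERT (owner_id, grant_type) values (vals.id, vals.grant_type);
+--
+-- Close the transaction and turn autocommit back on
+--
+COMMIT;
+SET AUTOCOMMIT TRUE;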
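Review bot: The three seed rows in `client_details_TEMP` all carry the literal secret `'secret'`, and `rs` and `c` leave `access_token_validity_seconds` null, which — going by the "Access tokens do not time out" wording in this commit's locale file — presumably means their access tokens never expire; the MERGE into `client_details` has only a `WHEN NOT MATCHED` branch, so on a persistent store these rows are added once and never corrected afterwards. The comment above the insert should say this is development seed data, e.g. `-- Development seed data only: these client IDs and secrets are public in the source tree; replace or remove them before pointing this at a persistent database.` The USING subqueries of the scope, redirect-URI and grant-type MERGEs use implicit comma joins with the join condition in WHERE; `FROM client_scope_TEMP INNER JOIN client_details ON client_details.client_id = client_scope_TEMP.owner_id` (and likewise for the other two) states the intent. The first MERGE's INSERT also lists unqualified column names in its VALUES clause where the other three qualify them with `vals.`; qualifying them the same way avoids any ambiguity between target and source columns.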

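--- /dev/null
+++ b/<path not shown on page: HSQL scope seed script>
@@ -0,0 +1,35 @@
+--
+-- Turn off autocommit and start a transaction so that we can use the temp tables
+--
+SET AUTOCOMMIT FALSE;
+START TRANSACTION;
+--
+-- Insert scope information into the temporary tables.
+--
+INSERT INTO system_scope_TEMP (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES
+('openid', 'log in using your identity', 'user', false, true, false, null),
+('profile', 'basic profile information', 'list-alt', false, true, false, null),
+('email', 'email address', 'envelope', false, true, false, null),
+('address', 'physical address', 'home', false, true, false, null),
+('phone', 'telephone number', 'bell', false, true, false, null),
+('offline_access', 'offline access', 'time', false, false, false, null),
+('uma_protection', 'manage protected resources', 'briefcase', false, false, false, null),
+('uma_authorization', 'request access to protected resources', 'share', false, false, false, null);
+--
+-- Merge the temporary scopes safely into the database. This is a two-step process to keep scopes from being created on every startup with a persistent store.
+--
+MERGE INTO system_scope
+USING (SELECT scope, description, icon, restricted, default_scope, structured, structured_param_description FROM system_scope_TEMP) AS vals(scope, description, icon, restricted, default_scope, structured, structured_param_description)
+ON vals.scope = system_scope.scope
+WHEN NOT MATCHED THEN
+INSERT (scope, description, icon, restricted, default_scope, structured, structured_param_description) VALUES(vals.scope, vals.description, vals.icon, vals.restricted, vals.default_scope, vals.structured, vals.structured_param_description);
+COMMIT;
+SET AUTOCOMMIT TRUE;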
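Review bot: Every row in the `system_scope_TEMP` insert sets `restricted` to false, including `uma_protection` and `uma_authorization`; if that column gates which scopes a self-registered client may request (the column name suggests so, but this hunk does not show the consumer), these protocol scopes become obtainable by any dynamically registered client. Confirm whether that is intended and record the decision in the comment above the insert, e.g. `-- uma_protection / uma_authorization are deliberately unrestricted so that self-registered resource servers and clients can request them.` The script also omits the `-- Close the transaction and turn autocommit back on` comment that the companion client seed script places before its COMMIT; adding it keeps the two files parallel.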

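--- /dev/null
+++ b/<path not shown on page: Spring application-context XML>
@@ -0,0 +1,267 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright 2015 The MITRE Corporation
+and the MIT Kerberos and Internet Trust Consortium
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+xmlns:mvc="http://www.springframework.org/schema/mvc"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:tx="http://www.springframework.org/schema/tx"
+xmlns:context="http://www.springframework.org/schema/context"
+xmlns:security="http://www.springframework.org/schema/security"
+xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+xmlns:util="http://www.springframework.org/schema/util"
+xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
+http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
+http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
+http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
+<!-- Scan for components -->
+<context:component-scan annotation-config="true" base-package="org.mitre" />
+<!-- Enables the Spring MVC @Controller programming model -->
+<tx:annotation-driven transaction-manager="transactionManager" />
+<mvc:annotation-driven ignore-default-model-on-redirect="true">
+<mvc:message-converters>
+<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
+<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
+</mvc:message-converters>
+</mvc:annotation-driven>
+<mvc:interceptors>
+<!-- Inject the UserInfo into the response -->
+<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
+<!-- Inject the server configuration into the response -->
+<bean id="serverConfigInterceptor" class="org.mitre.openid.connect.web.ServerConfigInterceptor" />
+</mvc:interceptors>
+<mvc:default-servlet-handler />
+<!-- Bean to hold configuration properties -->
+<import resource="server-config.xml" />
+<!-- Import the data context -->
+<import resource="data-context.xml" />
+<!-- SPEL processors -->
+<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
+<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
+<security:expression-handler ref="oauthExpressionHandler" />
+</security:global-method-security>
+<oauth:expression-handler id="oauthExpressionHandler" />
+<oauth:web-expression-handler id="oauthWebExpressionHandler" />
+<!-- Spring Security configuration -->
+<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" />
+<security:http pattern="/token"
+create-session="stateless"
+authentication-manager-ref="clientAuthenticationManager"
+entry-point-ref="oauthAuthenticationEntryPoint"
+use-expressions="true">
+<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
+<security:intercept-url pattern="/token" access="isAuthenticated()" />
+<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
+<!-- include this only if you need to authenticate clients via request parameters -->
+<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
+<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:access-denied-handler ref="oauthAccessDeniedHandler" />
+</security:http>
+<!-- Allow open access to discovery endpoints -->
+<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+</security:http>
+<!-- Allow open access to all static resources -->
+<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
+<security:intercept-url pattern="/resources/**" access="permitAll"/>
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+</security:http>
+<!-- OAuth-protect API and other endpoints -->
+<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+<security:intercept-url pattern="/register/**" access="permitAll"/>
+</security:http>
+<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+<security:intercept-url pattern="/resource/**" access="permitAll"/>
+</security:http>
+<security:http pattern="/#{T(org.mitre.uma.web.ResourceSetRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.uma.web.PermissionRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.uma.web.AuthorizationRequestEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**"
+use-expressions="true"
+entry-point-ref="oauthAuthenticationEntryPoint"
+create-session="stateless"
+authentication-manager-ref="clientAuthenticationManager">
+<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
+<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+</security:http>
+<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
+use-expressions="true"
+entry-point-ref="oauthAuthenticationEntryPoint"
+create-session="stateless"
+authentication-manager-ref="clientAuthenticationManager">
+<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
+<!-- <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> -->
+<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
+<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
+</security:http>
+<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
+<property name="realmName" value="openidconnect" />
+</bean>
+<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
+<!-- SECOAUTH Authorization Server -->
+<import resource="authz-config.xml" />
+<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />
+<bean id="clientAuthMatcher" class="org.mitre.openid.connect.filter.MultiUrlRequestMatcher">
+<constructor-arg name="filterProcessesUrls">
+<set>
+<value>/introspect</value>
+<value>/revoke</value>
+<value>/token</value>
+</set>
+</constructor-arg>
+</bean>
+<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
+<property name="authenticationManager" ref="clientAuthenticationManager" />
+<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
+</bean>
+<bean id="clientAssertionEndpointFilter" class="org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
+<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
+<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
+</bean>
+<security:authentication-manager id="clientAuthenticationManager">
+<security:authentication-provider user-service-ref="clientUserDetailsService" />
+</security:authentication-manager>
+<security:authentication-manager id="clientAssertionAuthenticationManager">
+<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
+</security:authentication-manager>
+<bean id="clientAssertionAuthenticationProvider" class="org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider" />
+<!-- Configure locale information -->
+<bean id="messageSource" class="org.mitre.openid.connect.config.JsonMessageSource">
+<property name="baseDirectory" value="/resources/js/locale/" />
+</bean>
+<!-- user services -->
+<import resource="user-context.xml" />
+<!-- End Spring Security configuration -->
+<!-- JPA -->
+<import resource="jpa-config.xml" />
+<!-- End JPA -->
+<!-- Crypto -->
+<import resource="crypto-config.xml" />
+<!-- End Crypto -->
+<!-- View configuration -->
+<!-- Handles HTTP GET requests for /resources/** by efficiently serving
+up static resources in the ${webappRoot}/resources directory -->
+<mvc:resources mapping="/resources/**" location="/resources/" />
+<!-- Resolves views selected for rendering by @Controllers to .jsp resources
+in the /WEB-INF/views directory -->
+<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
+<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
+<property name="prefix" value="/WEB-INF/views/" />
+<property name="suffix" value=".jsp" />
+<property name="order" value="2" />
+</bean>
+<!-- Resolve views based on string names -->
+<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
+<property name="order" value="1" />
+</bean>
+<!-- End view configuration -->
+<!--Import scheduled task configuration -->
+<import resource="task-config.xml" />
+<!-- import application-local configuration information (such as bean definitions) -->
+<import resource="local-config.xml" />
+</beans>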
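Review bot: The three `security:http` blocks for the `org.mitre.uma.web` endpoints (ResourceSetRegistrationEndpoint, PermissionRegistrationEndpoint, AuthorizationRequestEndpoint) use `create-session="never"` while the registration, UserInfo, introspection and revocation blocks in the same file use `create-session="stateless"`. `never` still consults an existing HTTP session, so a logged-in browser session could satisfy these bearer-token endpoints in addition to a token; if they are meant to be token-only, changing each to `create-session="stateless"` closes that path and matches the rest of the file, and if the session is needed for the claims-gathering flow a comment saying so will keep the next reader from "fixing" it. The revocation block also carries a commented-out `resourceServerFilter` line; either delete it or replace it with a comment stating why that filter is intentionally not applied there.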

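--- /dev/null
+++ b/<path not shown on page: server-config XML>
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright 2015 The MITRE Corporation
+and the MIT Kerberos and Internet Trust Consortium
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+xmlns:mvc="http://www.springframework.org/schema/mvc"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:tx="http://www.springframework.org/schema/tx"
+xmlns:context="http://www.springframework.org/schema/context"
+xmlns:security="http://www.springframework.org/schema/security"
+xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
+http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
+http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
+<bean id="configBean" class="org.mitre.openid.connect.config.ConfigurationPropertiesBean">
+<!-- This property sets the root URL of the server, known as the issuer -->
+<property name="issuer" value="http://localhost:8080/uma-server-webapp/" />
+<!-- This property is a URL pointing to a logo image 24px high to be used in the top bar -->
+<property name="logoImageUrl" value="resources/images/openid_connect_small.png" />
+<!-- This property sets the display name of the server, displayed in the topbar and page title -->
+<property name="topbarTitle" value="UMA Server" />
+<!-- This property sets the lifetime of registration access tokens, in seconds. Leave it unset (null) for no rotation. -->
+<!-- <property name="regTokenLifeTime" value="172800" /> -->
+<!-- This property forces the issuer value to start with "https" -->
+<!-- <property name="forceHttps" value="true" /> -->
+<!-- This property sets the locale for server text -->
+<!-- <property name="locale" value="sv" /> -->
+</bean>
+</beans>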
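Review bot: The `issuer` property is a plain-http localhost URL and `forceHttps` is left commented out, which is fine for local development but nothing in the file says that is the only intended use. Extend the issuer comment to `<!-- This property sets the root URL of the server, known as the issuer. The http://localhost value is for local development only; a deployed server needs an https issuer and should enable forceHttps below. -->`. The trailing slash on the issuer value also carries meaning: the user-context file in this commit builds a redirect URI as `#{configBean.issuer + "openid_connect_login"}`, so dropping the slash would silently produce a malformed URI, which is worth a comment on the property.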

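--- /dev/null
+++ b/<path not shown on page: sidebar JSP tag>
@@ -0,0 +1,21 @@
+<%@ tag language="java" pageEncoding="UTF-8"%>
+<%@ taglib prefix="spring" uri="http://www.springframework.org/tags"%>
+<%@ taglib prefix="security"
+uri="http://www.springframework.org/security/tags"%>
+<security:authorize access="hasRole('ROLE_ADMIN')">
+<li class="nav-header"><spring:message code="sidebar.administrative.title"/></li>
+<li><a href="manage/#admin/clients" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.administrative.manage_clients"/></a></li>
+<li><a href="manage/#admin/whitelists" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.administrative.whitelisted_clients"/></a></li>
+<li><a href="manage/#admin/blacklist" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.administrative.blacklisted_clients"/></a></li>
+<li><a href="manage/#admin/scope" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.administrative.system_scopes"/></a></li>
+<li class="divider"></li>
+</security:authorize>
+<li class="nav-header"><spring:message code="sidebar.personal.title"/></li>
+<li><a href="manage/#user/approved" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.personal.approved_sites"/></a></li>
+<li><a href="manage/#user/tokens" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.personal.active_tokens"/></a></li>
+<li><a href="manage/#user/profile" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.personal.profile_information"/></a></li>
+<li><a href="manage/#user/policy" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.personal.resource_policies"/></a></li>
+<li class="divider"></li>
+<li class="nav-header"><spring:message code="sidebar.developer.title"/></li>
+<li><a href="manage/#dev/dynreg" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.developer.client_registration"/></a><li>
+<li><a href="manage/#dev/resource" data-toggle="collapse" data-target=".nav-collapse"><spring:message code="sidebar.developer.resource_registration"/></a><li>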
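Review bot: The last two list items, for `sidebar.developer.client_registration` and `sidebar.developer.resource_registration`, end with `<li>` instead of `</li>`, so each opens an extra empty list item and leaves the real one unclosed; both lines should end `</a></li>`. Every other item in the tag closes correctly, so this reads as a copy-paste slip. Lenient browsers will usually recover, but a stricter renderer or HTML validation will not, and the stray empty items can pick up list styling.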

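--- /dev/null
+++ b/<path not shown on page: footer JSP tag>
@@ -0,0 +1,38 @@
+<%@ attribute name="js" required="false"%>
+<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions"%>
+<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
+<%@ taglib prefix="o" tagdir="/WEB-INF/tags"%>
+<div id="push"></div>
+</div>
+<!-- end #wrap -->
+<div id="footer">
+<div class="container">
+<p class="muted credit">
+<o:copyright />
+</p>
+</div>
+</div>
+<!-- javascript
+================================================== -->
+<!-- Placed at the end of the document so the pages load faster -->
+<script type="text/javascript" src="resources/bootstrap2/js/bootstrap.js"></script>
+<script type="text/javascript" src="resources/js/lib/underscore.js"></script>
+<script type="text/javascript" src="resources/js/lib/backbone.js"></script>
+<script type="text/javascript" src="resources/js/lib/purl.js"></script>
+<script type="text/javascript" src="resources/js/lib/bootstrapx-clickover.js"></script>
+<script type="text/javascript" src="resources/js/lib/bootstrap-sheet.js"></script>
+<script type="text/javascript" src="resources/js/lib/bootpag.js"></script>
+<c:if test="${js != null && js != ''}">
+<script type="text/javascript" src="resources/js/client.js"></script>
+<script type="text/javascript" src="resources/js/grant.js"></script>
+<script type="text/javascript" src="resources/js/scope.js"></script>
+<script type="text/javascript" src="resources/js/whitelist.js"></script>
+<script type="text/javascript" src="resources/js/dynreg.js"></script>
+<script type="text/javascript" src="resources/js/rsreg.js"></script>
+<script type="text/javascript" src="resources/js/token.js"></script>
+<script type="text/javascript" src="resources/js/policy.js"></script>
+<script type="text/javascript" src="resources/js/admin.js"></script>
+</c:if>
+<script type="text/javascript" src="resources/js/lib/retina.js"></script>
+</body>
+</html>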
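Review bot: The `js` attribute declared at the top of the tag is undocumented, yet it is the only switch deciding whether the application scripts (client.js through admin.js) are emitted, and the test `${js != null && js != ''}` is the long form of `${not empty js}`. Add a line after the attribute directive such as `<%-- js: when non-empty, emit the application-level scripts; pages that only need the libraries leave it unset --%>` and simplify the condition to `<c:if test="${not empty js}">`. The tag closes a `#wrap` div and the `body`/`html` elements that are opened elsewhere, presumably in a header tag not included in this commit, so the two must stay in step.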

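--- /dev/null
+++ b/<path not shown on page: user-context XML>
@@ -0,0 +1,146 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Copyright 2015 The MITRE Corporation
+and the MIT Kerberos and Internet Trust Consortium
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+xmlns:mvc="http://www.springframework.org/schema/mvc"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xmlns:tx="http://www.springframework.org/schema/tx"
+xmlns:context="http://www.springframework.org/schema/context"
+xmlns:security="http://www.springframework.org/schema/security"
+xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
+http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.1.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
+http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.1.xsd
+http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.1.xsd">
+<!-- Support for external OIDC logins for claims gathering -->
+<mvc:view-controller path="/external_login" view-name="external_login" />
+<security:http pattern="/external_login**" use-expressions="true" entry-point-ref="http403EntryPoint">
+<security:intercept-url pattern="/external_login**" access="permitAll"/>
+</security:http>
+<security:http disable-url-rewriting="true" use-expressions="true"
+auto-config="false" entry-point-ref="externalAuthenticationEntryPoint"
+pattern="/#{T(org.mitre.uma.web.ClaimsCollectionEndpoint).URL}**">
+<security:logout logout-url="/logout" />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+<bean id="externalAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
+<property name="loginFormUrl" value="/openid_connect_login" />
+</bean>
+<security:authentication-manager id="externalAuthenticationManager">
+<security:authentication-provider ref="externalAuthenticationProvider" />
+</security:authentication-manager>
+<bean id="externalAuthenticationProvider" class="org.mitre.openid.connect.client.OIDCAuthenticationProvider">
+<property name="authoritiesMapper">
+<bean class="org.mitre.uma.util.ExternalLoginAuthoritiesMapper" />
+</property>
+</bean>
+<bean id="externalAuthenticationFilter" class="org.mitre.openid.connect.client.OIDCAuthenticationFilter">
+<property name="authenticationManager" ref="externalAuthenticationManager" />
+<property name="issuerService" ref="hybridIssuerService" />
+<property name="serverConfigurationService" ref="dynamicServerConfigurationService" />
+<property name="clientConfigurationService" ref="dynamicClientConfigurationService" />
+<property name="authRequestOptionsService" ref="staticAuthRequestOptionsService" />
+<property name="authRequestUrlBuilder" ref="plainAuthRequestUrlBuilder" />
+</bean>
+<bean class="org.mitre.openid.connect.client.service.impl.HybridIssuerService" id="hybridIssuerService">
+<property name="loginPageUrl" value="external_login" />
+</bean>
+<bean class="org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService" id="dynamicServerConfigurationService" />
+<bean class="org.mitre.openid.connect.client.service.impl.DynamicRegistrationClientConfigurationService" id="dynamicClientConfigurationService">
+<property name="template">
+<bean class="org.mitre.oauth2.model.RegisteredClient">
+<property name="clientName" value="HealthAuth Authorization Server" />
+<property name="scope">
+<set value-type="java.lang.String">
+<value>openid</value>
+<value>profile</value>
+<value>email</value>
+<value>phone</value>
+<value>address</value>
+</set>
+</property>
+<property name="tokenEndpointAuthMethod" value="SECRET_BASIC" />
+<property name="redirectUris">
+<set>
+<value>#{configBean.issuer + "openid_connect_login"}</value>
+</set>
+</property>
+</bean>
+</property>
+<!--
+Registered Client Service. Uncomment this to save dynamically registered clients out to a
+file on disk (indicated by the filename property) or replace this with another implementation
+of RegisteredClientService. This defaults to an in-memory implementation of RegisteredClientService
+which will forget and re-register all clients on restart.
+-->
+<!--
+<property name="registeredClientService">
+<bean class="org.mitre.openid.connect.client.service.impl.JsonFileRegisteredClientService">
+<constructor-arg name="filename" value="/tmp/simple-web-app-clients.json" />
+</bean>
+</property>
+-->
+</bean>
+<bean class="org.mitre.openid.connect.client.service.impl.StaticAuthRequestOptionsService" id="staticAuthRequestOptionsService" />
+<bean class="org.mitre.openid.connect.client.service.impl.PlainAuthRequestUrlBuilder" id="plainAuthRequestUrlBuilder" />
+<!-- Standard configuration -->
+<security:authentication-manager alias="authenticationManager">
+<security:authentication-provider>
+<security:jdbc-user-service data-source-ref="dataSource"/>
+</security:authentication-provider>
+</security:authentication-manager>
+<mvc:view-controller path="/login" view-name="login" />
+<security:http pattern="/login**" use-expressions="true" entry-point-ref="http403EntryPoint">
+<security:intercept-url pattern="/login**" access="permitAll"/>
+</security:http>
+<security:http disable-url-rewriting="true" use-expressions="true">
+<security:form-login login-page="/login" authentication-failure-url="/login?error=failure" authentication-success-handler-ref="authenticationTimeStamper" />
+<security:intercept-url pattern="/**" access="permitAll" />
+<security:custom-filter before="PRE_AUTH_FILTER" ref="externalAuthenticationFilter" />
+<security:custom-filter ref="authRequestFilter" after="SECURITY_CONTEXT_FILTER" />
+<security:logout logout-url="/logout" />
+<security:anonymous />
+<security:expression-handler ref="oauthWebExpressionHandler" />
+</security:http>
+</beans>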
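Review bot: No `security:http` block in this file declares `<security:csrf />`, and with the Spring Security 3.2 XML namespace referenced in the schemaLocation that leaves CSRF protection disabled for the `form-login` block and both `logout-url="/logout"` mappings, so the login form and logout URL are reachable from cross-site requests. If that is a known limitation inherited from the base webapp, document it next to the form-login block; otherwise add `<security:csrf />` to the session-backed blocks and confirm the login and logout views submit the token. The dynamically registered client template is named `HealthAuth Authorization Server`, which does not match the `UMA Server` title this commit configures and looks like a leftover from another deployment. The commented-out `JsonFileRegisteredClientService` example points at `/tmp/simple-web-app-clients.json`; if it is ever uncommented, that file holds client credentials and belongs in a directory with restricted permissions rather than a world-writable temp directory, which the surrounding comment should say.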



@ -0,0 +1,477 @@
{
"admin": {
"blacklist": "Blacklist",
"blacklist-form": {
"blacklisted-uris": "Blacklisted URIs"
},
"home": "Home",
"list-widget": {
"empty": "There are no items in this list.",
"tooltip": "Click to display full value."
},
"manage-blacklist": "Manage Blacklisted Clients",
"self-service-client": "Self-service Client Registration",
"self-service-resource": "Self-service Protected Resource Registration",
"user-profile": {
"claim": "Claim name:",
"show": "View User Profile",
"text": "Your user profile has the following information:",
"value": "Claim value:"
},
"policies": "Manage Protected Resource Policies"
},
"client": {
"client-form": {
"access": "Access",
"access-token-no-timeout": "Access tokens do not time out",
"access-token-timeout": "Access Token Timeout",
"access-token-timeout-help": "Enter this time in seconds, minutes, or hours.",
"acr-values": "Default ACR Values",
"acr-values-placeholder": "new ACR value",
"acr-values-help": "Default Authentication Context Reference to request for this client",
"allow-introspection": "Allow calls to the Introspection Endpoint?",
"authentication-method": "Token Endpoint Authentication Method",
"authorization-code": "authorization code",
"client-credentials": "client credentials",
"client-description": "Description",
"client-description-help": "Human-readable text description",
"client-description-placeholder": "Type a description",
"client-id": "Client ID",
"client-id-help": "Unique identifier. If you leave this blank it will be automatically generated.",
"client-id-placeholder": "Type something",
"client-name": "Client name",
"client-name-help": "Human-readable application name",
"client-name-placeholder": "Type something",
"client-secret": "Client Secret",
"client-secret-placeholder": "Type a secret",
"contacts": "Contacts",
"contacts-help": "List of contacts for administrators of this client.",
"contacts-placeholder": "new contact",
"credentials": "Credentials",
"crypto": {
"a128cbc-hs256": "Composite Authenticated Encryption algorithm using AES in Cipher Block Chaining (CBC) mode with PKCS #5 padding with an integrity calculation using HMAC SHA-256, using a 256 bit CMK (and 128 bit CEK)",
"a256cbc-hs512": "Composite Authenticated Encryption algorithm using AES in CBC mode with PKCS #5 padding with an integrity calculation using HMAC SHA-512, using a 512 bit CMK (and 256 bit CEK)",
"a128gcm": "AES GCM using 128 bit keys",
"a256gcm": "AES GCM using 256 bit keys",
"a128kw": "AES Key Wrap Algorithm using 128 bit keys",
"a256kw": "AES Key Wrap Algorithm using 256 bit keys",
"default": "Use server default",
"dir": "Direct use of a shared symmetric key as the Content Master Key (CMK) for the block encryption step",
"ecdh-es": "Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using the Concat KDF, with the agreed-upon key being used directly as the Content Master Key",
"ecdh-es-a128kw": "Elliptic Curve Diffie-Hellman Ephemeral Static key agreement per ECDH-ES and Section 4.7, but where the agreed-upon key is used to wrap the Content Master Key (CMK) with the A128KW function",
"ecdh-es-a256kw": "Elliptic Curve Diffie-Hellman Ephemeral Static key agreement per ECDH-ES and Section 4.7, but where the agreed-upon key is used to wrap the Content Master Key (CMK) with the A256KW function",
"none": "No encryption",
"rsa-oaep": "RSAES using Optimal Asymmetric Encryption Padding (OAEP)",
"rsa1-5": "RSAES-PKCS1-V1_5"
},
"cryptography": "Crypto",
"display-secret": "Display/edit client secret:",
"edit": "Edit Client",
"generate-new-secret": "Generate a new client secret?",
"generate-new-secret-help": "New secret will be generated when you click 'Save'",
"generate-on-save": "Generate on Save",
"grant-types": "Grant Types",
"home": "Home Page",
"home-help": "URL for the client's home page, will be displayed to the user",
"hours": "hours",
"id": "ID:",
"id-token-crypto-algorithm": "ID Token Encryption Algorithm",
"id-token-crypto-method": "ID Token Encryption Method",
"id-token-signing-algorithm": "ID Token Signing Algorithm",
"id-token-timeout": "ID Token Timeout",
"implicit": "implicit",
"initiate-login": "Initiate Login",
"initiate-login-help": "URL to initiate login on the client",
"introspection": "Introspection",
"jwk-set": "JWK Set",
"jwk-set-help": "URL for the client's JSON Web Key set",
"logo": "Logo",
"logo-help": "URL that points to a logo image, will be displayed on approval page",
"main": "Main",
"max-age": "Default Max Age",
"max-age-help": "Default maximum session age before re-prompting",
"minutes": "minutes",
"new": "New Client",
"other": "Other",
"pairwise": "Pairwise",
"password": "password",
"policy": "Policy Statement",
"policy-help": "URL for the Policy Statement of this client, will be displayed to the user",
"post-logout": "Post-Logout Redirect",
"post-logout-help": "URL to redirect the client to after a logout operation",
"public": "Public",
"redelegation": "redelegation",
"redirect-uris": "Redirect URI(s)",
"redirect-uris-help": "URIs that the client can be redirected to after the authorization page",
"refresh": "refresh",
"refresh-tokens": "Refresh Tokens",
"refresh-tokens-issued": "Refresh tokens are issued for this client",
"refresh-tokens-reused": "Refresh tokens for this client are re-used",
"refresh-tokens-no-expire": "Refresh tokens do not time out",
"registered": "Registered at",
"registration-token": "Registration Token:",
"registration-access-token": "Registration Access Token",
"registration-token-error": "There was a problem loading the registration access token for this client.",
"request-object-signing-algorithm": "Request Object Signing Algorithm",
"request-uri": "Request URIs",
"request-uri-help": "URIs containing request objects used by this client",
"require-auth-time": "Require Authentication Time",
"require-auth-time-label": "Always require that the auth_time claim be sent in the id token",
"response-types": "Response Types",
"rotate-registration-token": "Rotate registration token",
"rotate-registration-token-confirm": "Are you sure you want to rotate this client's registration token?",
"rotate-registration-token-error": "There was a problem rotating the registration access token for this client.",
"saved": {
"no-secret": "No client secret",
"saved": "Client Saved",
"secret": "Secret:",
"show-secret": "Show Secret",
"unchanged": "unchanged"
},
"scope-placeholder": "new scope",
"scope-help": "OAuth scopes this client is allowed to request",
"seconds": "seconds",
"secret-asymmetric-jwt": "Asymmetrically-signed JWT assertion",
"secret-http": "Client Secret over HTTP Basic",
"secret-none": "No authentication",
"secret-post": "Client Secret over HTTP POST",
"secret-symmetric-jwt": "Client Secret via symmetrically-signed JWT assertion",
"sector-identifier": "Sector Identifier URI",
"signing": {
"any": "Any allowed",
"default": "Use server default",
"ecdsa-256": "ECDSA using P-256 curve and SHA-256 hash algorithm",
"ecdsa-384": "ECDSA using P-384 curve and SHA-384 hash algorithm",
"ecdsa-512": "ECDSA using P-512 curve and SHA-512 hash algorithm",
"hmac-256": "HMAC using SHA-256 hash algorithm",
"hmac-384": "HMAC using SHA-384 hash algorithm",
"hmac-512": "HMAC using SHA-512 hash algorithm",
"none": "No digital signature",
"rsassa-256": "RSASSA using SHA-256 hash algorithm",
"rsassa-384": "RSASSA using SHA-384 hash algorithm",
"rsassa-512": "RSASSA using SHA-512 hash algorithm"
},
"subject-type": "Subject Type",
"terms": "Terms of Service",
"terms-help": "URL for the Terms of Service of this client, will be displayed to the user",
"token-signing-algorithm": "Token Endpoint Authentication Signing Algorithm",
"tokens": "Tokens",
"type": "Application Type",
"type-native": "Native",
"type-web": "Web",
"unknown": "(Unknown)",
"user-info-crypto-algorithm": "User Info Endpoint Encryption Algorithm",
"user-info-crypto-method": "User Info Endpoint Encryption Method",
"user-info-signing-algorithm": "User Info Endpoint Signing Algorithm"
},
"client-table": {
"allow-introspection-tooltip": "This client can perform token introspection",
"confirm": "Are you sure sure you would like to delete this client?",
"dynamically-registered-tooltip": "This client was dynamically registered. Click to view registration access token",
"match": {
"contacts": "contacts",
"description": "description",
"homepage": "home page",
"id": "id",
"logo": "logo",
"name": "name",
"policy": "policy",
"redirect": "redirect uri",
"scope": "scope",
"terms": "terms of service"
},
"matched-search": "Matched search:",
"new": "New Client",
"no-clients": "There are no registered clients on this server.",
"no-matches": "There are no clients that match your search criteria.",
"no-redirect": "NO REDIRECT URI",
"registered": "Registrered",
"search": "Search...",
"whitelist": "Whitelist",
"unknown": "at an unknown time"
},
"manage": "Manage Clients",
"more-info": {
"contacts": "Administrative Contacts:",
"home": "Home Page:",
"more": "more information",
"policy": "Policy:",
"terms": "Terms of Service:"
},
"newClient": "New Client"
},
"common": {
"cancel": "Cancel",
"client": "Client",
"clients": "Clients",
"close": "Close",
"delete": "Delete",
"description": "Description",
"dynamically-registered": "This client was dynamically registered",
"edit": "Edit",
"expires": "Expires:",
"information": "Information",
"new": "New",
"not-yet-implemented": "Not Yet Implemented",
"not-yet-implemented-content": "The value of this field will be saved with the client, but the server does not currently process anything with it. Future versions of the server library will make use of this.",
"revoke": "Revoke",
"save": "Save",
"scopes": "Scopes",
"statistics": "Statistics"
},
"dynreg": {
"client-id-placeholder": "Enter Client ID",
"configuration-url": "Client Configuration URL",
"edit-dynamically-registered": "Edit a Dynamically Registered Client",
"edit-existing": "Edit an existing client",
"edit-existing-help": "Paste in your client ID and registration access token to access the client.",
"invalid-access-token": "Invalid client or registration access token.",
"new-client": "Register a new client",
"or": " - OR - ",
"regtoken-placeholder": "Enter Registration Access Token",
"warning": "<strong>Warning!</strong> You MUST protect your <b>Client ID</b>, <b>Client Secret (if provided)</b>, and your <b>Registration Access Token</b>. If you lose your Client ID or Registration Access Token, you will no longer have access to your client's registration records and you will need to register a new client.",
"will-be-generated": "Will be generated"
},
"grant": {
"manage-approved-sites": "Manage Approved Sites",
"refresh": "Refresh",
"grant-table": {
"active-tokens": "Number of currently active access tokens",
"application": "Application",
"approved-sites": "Approved Sites",
"authorized": "Authorized:",
"dynamically-registered": "This client was dynamically registered",
"expires": "Expires:",
"last-accessed": "Last accessed:",
"never": "Never",
"no-sites": "You have not approved any sites.",
"no-whitelisted": "You have not accessed any whitelisted sites.",
"pre-approved": "These are sites that have been pre-approved by an administrator.",
"text": "These are sites you have approved manually. If the same site asks for the same access in the future, it will be granted without prompting.",
"unknown": "Unknown",
"whitelist-note": "<b>NOTE:</b> If you revoke them here, they will automatically be re-approved on your next visit wthout prompting.",
"whitelisted-site": "This site was whitelisted by an adminstrator",
"whitelisted-sites": "Whitelisted Sites"
}
},
"rsreg": {
"resource-id-placeholder": "Enter Resource ID",
"configuration-url": "Client Configuration URL",
"edit": "Edit Protected Resource",
"edit-existing": "Edit an existing protected resource",
"edit-existing-help": "Paste in your ID and registration access token to access the resource's properties.",
"invalid-access-token": "Invalid client or registration access token.",
"new": "New Protected Resource",
"new-resource": "Register a new protected resource",
"or": " - OR - ",
"regtoken-placeholder": "Enter Registration Access Token",
"will-be-generated": "Will be generated",
"warning": "<strong>Warning!</strong> You MUST protect your <b>Client ID</b>, <b>Client Secret (if provided)</b>, and your <b>Registration Access Token</b>. If you lose your Client ID or Registration Access Token, you will no longer have access to your client's registration records and you will need to register a new client.",
"client-form": {
"scope-help": "Scopes that this resource will be able to introspect tokens for."
}
},
"scope": {
"manage": "Manage System Scopes",
"scope-list": {
"no-scopes": "NO SCOPES"
},
"system-scope-form": {
"default": "default scope",
"default-help": "Newly-created clients get this scope by default?",
"description-help": "Human-readable text description",
"description-placeholder": "Type a description",
"restricted": "restricted",
"restricted-help": "Restricted scopes are only usable by system administrators and are unavailable to dynamically registered clients and protected resources",
"edit": "Edit Scope",
"icon": "Icon",
"new": "New Scope",
"select-icon": "Select an icon",
"structured": "is a structured scope",
"structured-help": "Is the scope structured with structured values like <code>base:extension</code>?",
"structured-param-help": "Human-readable description of the structured parameter",
"subject-type": "Subject Type",
"value": "Scope value",
"value-help": "Single string with no spaces",
"value-placeholder": "scope"
},
"system-scope-table": {
"confirm": "Are you sure sure you would like to delete this scope? Clients that have this scope will still be able to ask for it.",
"new": "New Scope",
"text": "There are no system scopes defined. Clients may still have custom scopes.",
"tooltip-restricted": "This scope can be used only by adminisrtators. It is not available for dynamic registration.",
"tooltip-default": "This scope is automatically assigned to newly registered clients."
}
},
"token": {
"manage": "Manage Active Tokens",
"token-table": {
"access-tokens": "Access Tokens",
"associated-id": "This access token was issued with an associated ID token.",
"associated-refresh": "This access token was issued with an associated refresh token.",
"click-to-display": "Click to display full token value",
"confirm": "Are you sure sure you would like to revoke this token?",
"confirm-refresh": "Are you sure sure you would like to revoke this refresh token and its associated access tokens?",
"expires": "Expires",
"no-access": "There are no active access tokens.",
"no-refresh": "There are no active refresh tokens.",
"number-of-tokens": "Number of associated access tokens",
"refresh-tokens": "Refresh Tokens",
"text": "Access tokens are usually short-lived and provide clients with access to specific resources. ID Tokens are specialized access tokens to facilitate log on using OpenID Connect.",
"text-refresh": "Refresh tokens are usually long-lived and provide clients with the ability to get new access tokens without end-user involvement.",
"token-info": "Token Information"
}
},
"whitelist": {
"confirm": "Are you sure you want to delete this whitelist entry?",
"edit": "Edit Whitelist",
"manage": "Manage Whitelisted Sites",
"new": "New Whitelist",
"whitelist": "Whitelist",
"whitelist-form": {
"allowed-scopes": "Allowed Scopes",
"edit": "Edit Whitelisted Site",
"new": "New Whitelisted Site",
"scope-help": "List of scopes that will be automatically approved when this client makes a request",
"scope-placeholder": "new scope"
},
"whitelist-table": {
"no-sites": "There are no whitelisted sites. Use the <strong>whitelist</strong> button on the client management page to create one."
}
},
"policy" : {
"resource-sets": "Resource Sets",
"edit-policy": "Edit Policy",
"required-claims": "Required Claims",
"policy-table": {
"confirm": "Are you sure you want to delete this resource set?",
"delete": "Delete",
"edit": "Edit Policies",
"email-address": "email address",
"required-claims": "Users that you share this resource will with need to be able to present the following claims in order to access the resource.",
"no-resource-sets": "There are no resource sets registered. Introduce a protected to this authorization server to let it register some.",
"no-required-claims": "There are no required claims for this resource set: This resource set is inaccessible by others.",
"share-email": "Share with email address",
"shared-with": "Shared with:",
"shared-nobody": "NOBODY",
"shared-nobody-tooltip": "This resource is not accessible by anyone else, edit the policies and share it with someone.",
"issuers": "Issuers",
"claim": "Claim",
"value": "Value"
},
"webfinger-error": "Error",
"webfinger-error-description": "The server was unable to find an identity provider for <code>__email__</code>."
},
"copyright": "Powered by <a href=\"https://github.com/mitreid-connect/\">MITREid Connect <span class=\"label\">{0}</span></a> <span class=\"pull-right\">&copy; 2015 The MITRE Corporation and MIT KIT.</span>.",
"about": {
"title": "About",
"body": "\nThis OpenID Connect service is built from the MITREid Connect Open Source project, from \n<a href=\"http://www.mitre.org/\">The MITRE Corporation</a> and the <a href=\"http://kit.mit.edu/\">MIT Kerberos and Internet Trust Consortium</a>.\n</p>\n<p>\nMore information about the project can be found at \n<a href=\"http://github.com/mitreid-connect/\">MITREid Connect on GitHub</a>. \nThere, you can submit bug reports, give feedback, or even contribute code patches for additional features you'd like to see."
},
"statistics": {
"title": "Statistics",
"number_users": "Number of users: <span class=\"label label-info\" id=\"userCount\">{0}</span>",
"number_clients": "Authorized clients: <span class=\"label label-info\" id=\"clientCount\">{0}</span>",
"number_approvals": "Approved sites: <span class=\"label label-info\" id=\"approvalCount\">{0}</span>"
},
"home": {
"title": "Home",
"welcome": {
"title": "Welcome!",
"body": "\nOpenID Connect is an internet-scale federated identity protocol built on top of the OAuth2 authorization framework. \nOpenID Connect lets you log into a remote site using your identity without exposing your credentials, like a username and password.</p>\n<p><a class=\"btn btn-primary btn-large\" href=\"http://openid.net/connect/\">Learn more &raquo;</a>"
},
"more": "More",
"about": {
"title": "About",
"body": "This OpenID Connect service is built from the MITREid Connect Open Source project, from \n<a href=\"http://www.mitre.org/\">The MITRE Corporation</a> and the <a href=\"http://kit.mit.edu/\">MIT Kerberos and Internet Trust Consortium</a>."
},
"contact": {
"title": "Contact",
"body": "\nFor more information or support, contact the administrators of this system.</p>\n<p><a class=\"btn\" href=\"mailto:idp@example.com?Subject=OpenID Connect\">Email &raquo;</a>"
},
"statistics": {
"title": "Current Statistics",
"loading": "Loading...",
"number_users": "Number of users: <span class=\"label label-info\" id=\"userCount\">{0}</span>",
"number_clients": "Authorized clients: <span class=\"label label-info\" id=\"clientCount\">{0}</span>",
"number_approvals": "Approved sites: <span class=\"label label-info\" id=\"approvalCount\">{0}</span>"
}
},
"contact": {
"title": "Contact",
"body": "To report bugs with the MITREid Connect software itself, use the \n<a href=\"https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues\">GitHub issue tracker</a>. \nFor problems relating to this server, contact the server's administrator."
},
"topbar": {
"about": "About",
"contact": "Contact",
"statistics": "Statistics",
"home": "Home",
"login": "Log in",
"logout": "Log out"
},
"sidebar": {
"administrative": {
"title": "Administrative",
"manage_clients": "Manage Clients",
"whitelisted_clients": "Whitelisted Clients",
"blacklisted_clients": "Blacklisted Clients",
"system_scopes": "System Scopes"
},
"personal": {
"title": "Personal",
"approved_sites": "Manage Approved Sites",
"active_tokens": "Manage Active Tokens",
"profile_information": "View Profile Information",
"resource_policies": "Manage Protected Resource Policies"
},
"developer": {
"title": "Developer",
"client_registration": "Self-service client registration",
"resource_registration": "Self-service protected resource registration"
}
},
"manage": {
"ok": "OK",
"loading": "Loading",
"title": "Management Console"
},
"approve": {
"dynamically-registered-unknown": "at an unknown time",
"title": "Approve Access",
"error": {
"not_granted": "Access could not be granted."
},
"required_for": "Approval Required for",
"dynamically_registered": "This client was dynamically registered <span class=\"label label-info\" id=\"registrationTime\">{0}</span>.",
"caution": {
"title": "Caution",
"message": {
"none": "It has <span class=\"label label-important\">never</span> been approved previously.",
"singular": "It has been approved <span class=\"label label-warning\">{0}</span> time previously.",
"plural": "It has been approved <span class=\"label\">{0}</span> times previously."
}
},
"more_information": "more information",
"home_page": "Home page",
"policy": "Policy",
"terms": "Terms of Service",
"contacts": "Administrative Contacts",
"warning": "Warning",
"no_redirect_uri": "This client does not have any redirect URIs registered and someone could be using a malicious URI here.",
"redirect_uri": "You will be redirected to the following page if you click Approve: <code>{0}</code>",
"pairwise": "This client uses a <b>pairwise</b> identifier, which makes it more difficult to correlate your identity between sites.",
"no_scopes": "This client does not have any scopes registered and is therefore allowed to request <em>any</em> scopes available on the system. Proceed with caution.",
"access_to": "Access to",
"remember": {
"title": "Remember this decision",
"until_revoke": "remember this decision until I revoke it",
"one_hour": "remember this decision for one hour",
"next_time": "prompt me again next time"
},
"do_authorize": "Do you authorize",
"label": {
"authorize": "Authorize",
"deny": "Deny"
}
}
}