OpenID-Connect-Java-Spring-Server/openid-connect-server-webapp/src/main/webapp/WEB-INF/application-context.xml at 687e63fe059e346e8258aa878242a29d6c57b513 · mitreid-connect/OpenID-Connect-Java-Spring-Server · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Copyright 2018 The MIT Internet Trust Consortium

    Portions copyright 2011-2013 The MITRE Corporation

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
 -->
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:mvc="http://www.springframework.org/schema/mvc"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:tx="http://www.springframework.org/schema/tx"
	xmlns:context="http://www.springframework.org/schema/context"
	xmlns:security="http://www.springframework.org/schema/security"
	xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
	xmlns:util="http://www.springframework.org/schema/util"
	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
		http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd
		http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-4.3.xsd
		http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">

	<!-- Scan for components -->
	<context:component-scan annotation-config="true" base-package="org.mitre" />

	<!-- Enables the Spring MVC @Controller programming model -->
	<tx:annotation-driven transaction-manager="transactionManager" />
	<mvc:annotation-driven ignore-default-model-on-redirect="true">
		<mvc:message-converters>
			<bean class="org.springframework.http.converter.StringHttpMessageConverter" />
			<bean class="org.springframework.http.converter.json.MappingJackson2HttpMessageConverter" />
		</mvc:message-converters>
	</mvc:annotation-driven>

	<mvc:interceptors>
		<mvc:interceptor>
			<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
			<mvc:mapping path="/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
			<mvc:exclude-mapping path="/resources/**" />
			<mvc:exclude-mapping path="/token**"/>
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.DeviceEndpoint).URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**" />

			<!-- Inject the UserInfo into the response -->
			<bean id="userInfoInterceptor" class="org.mitre.openid.connect.web.UserInfoInterceptor" />
		</mvc:interceptor>
		<mvc:interceptor>
			<!-- Exclude APIs and other machine-facing endpoints from these interceptors -->
			<mvc:mapping path="/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" />
			<mvc:exclude-mapping path="/resources/**" />
			<mvc:exclude-mapping path="/token**"/>
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.DeviceEndpoint).URL}/**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**" />
			<mvc:exclude-mapping path="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**" />
			<!-- Inject the server configuration into the response -->
			<bean id="serverConfigInterceptor" class="org.mitre.openid.connect.web.ServerConfigInterceptor" />
		</mvc:interceptor>
	</mvc:interceptors>

	<mvc:default-servlet-handler />

	<!-- Bean to hold configuration properties -->
	<import resource="server-config.xml" />

	<!-- Import the data context -->
	<import resource="data-context.xml" />

	<!-- SPEL processors -->
	<security:global-method-security pre-post-annotations="enabled" proxy-target-class="true" authentication-manager-ref="authenticationManager">
		<!--you could also wire in the expression handler up at the layer of the http filters. See https://jira.springsource.org/browse/SEC-1452 -->
		<security:expression-handler ref="oauthExpressionHandler" />
	</security:global-method-security>

	<oauth:expression-handler id="oauthExpressionHandler" />

	<oauth:web-expression-handler id="oauthWebExpressionHandler" />

	<!-- Spring Security configuration -->

	<oauth:resource-server id="resourceServerFilter" token-services-ref="defaultOAuth2ProviderTokenService" stateless="false" />

	<security:http pattern="/token"
		create-session="stateless"
		authentication-manager-ref="clientAuthenticationManager"
		entry-point-ref="oauthAuthenticationEntryPoint"
		use-expressions="true">

		<security:intercept-url pattern="/token" access="permitAll" method="OPTIONS" /> <!-- allow OPTIONS calls without auth for CORS stuff -->
		<security:intercept-url pattern="/token" access="isAuthenticated()" />
		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
		<!-- include this only if you need to authenticate clients via request parameters -->
		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
		<security:csrf disabled="true"/>
	</security:http>

	<security:http pattern="/transaction"
		create-session="stateless"
		use-expressions="true"
		entry-point-ref="http403EntryPoint"
		>

		<security:intercept-url pattern="/token" access="permitAll" /> <!--  handle authentication internally for now  -->
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:csrf disabled="true"/>

	</security:http>

	<!-- Allow open access to discovery endpoints -->
	<security:http pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
		<security:intercept-url pattern="/#{T(org.mitre.openid.connect.web.JWKSetPublishingEndpoint).URL}**" access="permitAll"/>
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:csrf disabled="true"/>
	</security:http>
	<security:http pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
		<security:intercept-url pattern="/#{T(org.mitre.discovery.web.DiscoveryEndpoint).WELL_KNOWN_URL}/**" access="permitAll"/>
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:csrf disabled="true"/>
	</security:http>

	<!-- Allow open access to all static resources -->
	<security:http pattern="/resources/**" use-expressions="true" entry-point-ref="http403EntryPoint" create-session="stateless">
		<security:intercept-url pattern="/resources/**" access="permitAll"/>
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:csrf disabled="true"/>
	</security:http>

	<!-- OAuth-protect API and other endpoints -->
	<security:http pattern="/#{T(org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:expression-handler ref="oauthWebExpressionHandler" />
		<security:intercept-url pattern="/register/**" access="permitAll"/>
		<security:csrf disabled="true"/>
	</security:http>

	<security:http pattern="/#{T(org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint).URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:expression-handler ref="oauthWebExpressionHandler" />
		<security:intercept-url pattern="/resource/**" access="permitAll"/>
		<security:csrf disabled="true"/>
	</security:http>

	<security:http pattern="/#{T(org.mitre.openid.connect.web.UserInfoEndpoint).URL}**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="stateless">
		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:expression-handler ref="oauthWebExpressionHandler" />
		<security:csrf disabled="true"/>
	</security:http>

 	<security:http pattern="/#{T(org.mitre.openid.connect.web.RootController).API_URL}/**" use-expressions="true" entry-point-ref="oauthAuthenticationEntryPoint" create-session="never">
		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<security:expression-handler ref="oauthWebExpressionHandler" />
		<security:csrf disabled="true"/>
	</security:http>

 	<security:http pattern="/#{T(org.mitre.oauth2.web.DeviceEndpoint).URL}/**"
 		use-expressions="true"
 		entry-point-ref="oauthAuthenticationEntryPoint"
 		create-session="stateless"
 		authentication-manager-ref="clientAuthenticationManager">
		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
		<!-- include this only if you need to authenticate clients via request parameters -->
		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:access-denied-handler ref="oauthAccessDeniedHandler" />
		<security:csrf disabled="true"/>
	</security:http>

	<security:http pattern="/#{T(org.mitre.oauth2.web.IntrospectionEndpoint).URL}**"
			use-expressions="true"
			entry-point-ref="oauthAuthenticationEntryPoint"
			create-session="stateless"
			authentication-manager-ref="clientAuthenticationManager">
		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
		<security:csrf disabled="true"/>
	</security:http>

	<security:http pattern="/#{T(org.mitre.oauth2.web.RevocationEndpoint).URL}**"
			use-expressions="true"
			entry-point-ref="oauthAuthenticationEntryPoint"
			create-session="stateless"
			authentication-manager-ref="clientAuthenticationManager">
		<security:http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
		<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
		<security:custom-filter ref="clientAssertionEndpointFilter" after="PRE_AUTH_FILTER" /> <!-- this one has to go first -->
		<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
		<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
		<security:csrf disabled="true"/>
	</security:http>

	<bean id="oauthAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
		<property name="realmName" value="openidconnect" />
	</bean>

	<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

	<!-- Additional endpoints for extensions (such as UMA) -->

	<import resource="endpoint-config.xml" />

	<!-- SECOAUTH Authorization Server -->

	<import resource="authz-config.xml" />

	<bean id="oauth2ExceptionTranslator" class="org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator" />

	<bean id="clientAuthMatcher" class="org.mitre.openid.connect.filter.MultiUrlRequestMatcher">
		<constructor-arg name="filterProcessesUrls">
			<set>
				<value>/introspect</value>
				<value>/revoke</value>
				<value>/token</value>
			</set>
		</constructor-arg>
	</bean>

	<bean id="clientCredentialsEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
		<property name="authenticationManager" ref="clientAuthenticationManager" />
		<property name="requiresAuthenticationRequestMatcher" ref="clientAuthMatcher" />
	</bean>

	<bean id="clientAssertionEndpointFilter" class="org.mitre.openid.connect.assertion.JWTBearerClientAssertionTokenEndpointFilter">
		<constructor-arg name="additionalMatcher" ref="clientAuthMatcher" />
		<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />
	</bean>

	<security:authentication-manager id="clientAuthenticationManager">
		<security:authentication-provider user-service-ref="clientUserDetailsService" />
		<security:authentication-provider user-service-ref="uriEncodedClientUserDetailsService" />
	</security:authentication-manager>

	<security:authentication-manager id="clientAssertionAuthenticationManager">
		<security:authentication-provider ref="clientAssertionAuthenticationProvider" />
	</security:authentication-manager>

	<bean id="clientAssertionAuthenticationProvider" class="org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider" />

	<!-- Configure locale information -->
	<import resource="locale-config.xml" />

	<!-- user services -->
	<import resource="user-context.xml" />

	<!-- assertion processing -->
	<import resource="assertion-config.xml" />

	<!-- End Spring Security configuration -->

	<!-- JPA -->

	<import resource="jpa-config.xml" />

	<!-- End JPA -->

	<!-- Crypto -->

	<import resource="crypto-config.xml" />

	<!-- End Crypto -->

	<!-- View configuration -->

	<!-- Handles HTTP GET requests for /resources/** by efficiently serving
		up static resources in the ${webappRoot}/resources directory -->
	<mvc:resources mapping="/resources/**" location="/resources/" />

	<!-- Resolves views selected for rendering by @Controllers to .jsp resources
		in the /WEB-INF/views directory -->
	<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
		<property name="viewClass" value="org.springframework.web.servlet.view.JstlView" />
		<property name="prefix" value="/WEB-INF/views/" />
		<property name="suffix" value=".jsp" />
		<property name="order" value="2" />
	</bean>

	<!-- Resolve views based on string names -->
	<bean class="org.springframework.web.servlet.view.BeanNameViewResolver">
		<property name="order" value="1" />
	</bean>

	<!-- End view configuration -->

	<!--Import scheduled task configuration -->
	<import resource="task-config.xml" />

	<!-- Import configuration for front-end (JavaScript) UI components -->
	<import resource="ui-config.xml" />

	<!-- import application-local configuration information (such as bean definitions) -->
	<import resource="local-config.xml" />

</beans>