Google Git
Sign in
apache / cxf-fediz / 2385ca7cca384c387ea62482a4fe203b896a085a / . / systests / oidc / src / test / resources / oidc / spring / applicationContext.xml
blob: 2733334e694e09f2b6508f0e2f52260cd8b1cc41 [file] [log] [blame]
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:cxf="http://cxf.apache.org/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:jaxrs="http://cxf.apache.org/jaxrs"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:sec="http://cxf.apache.org/configuration/security"
xmlns:springsec="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="
http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
http://cxf.apache.org/jaxrs
http://cxf.apache.org/schemas/jaxrs.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-4.3.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd">
<cxf:bus>
<cxf:features>
<cxf:logging/>
</cxf:features>
</cxf:bus>
<import resource="data-manager.xml" />
<!-- DISABLE in production as it might log confidential information about the user -->
<springsec:debug />
<springsec:http entry-point-ref="federationEntryPoint" use-expressions="true">
<springsec:intercept-url pattern="/**" access="isAuthenticated()"/>
<springsec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
<springsec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/>
<springsec:custom-filter ref="federationSignOutCleanupFilter" position="PRE_AUTH_FILTER"/>
<springsec:session-management session-authentication-strategy-ref="sas"/>
<springsec:csrf disabled="true"/>
</springsec:http>
<springsec:authentication-manager alias="authManager">
<springsec:authentication-provider ref="federationAuthProvider" />
</springsec:authentication-manager>
<bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
p:configFile="file:./target/tomcat/fediz_config_spring.xml" />
<bean id="federationEntryPoint"
class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
p:federationConfig-ref="fedizConfig" />
<bean id="federationFilter"
class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
p:authenticationManager-ref="authManager"
p:federationConfig-ref="fedizConfig">
<property name="authenticationFailureHandler">
<bean class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFailureHandler" p:federationConfig-ref="fedizConfig" />
</property>
</bean>
<bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
p:federationConfig-ref="fedizConfig">
<property name="authenticationUserDetailsService">
<bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/>
</property>
</bean>
<bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" />
<bean id="logoutFilter" class="org.apache.cxf.fediz.spring.web.FederationLogoutFilter">
<constructor-arg name="logoutSuccessHandler" ref="federationLogoutSuccessHandler"/>
<constructor-arg name="handlers">
<list>
<ref bean="securityContextLogoutHandler"/>
</list>
</constructor-arg>
<property name="federationConfig" ref="fedizConfig"/>
</bean>
<bean id="federationLogoutSuccessHandler" class="org.apache.cxf.fediz.spring.web.FederationLogoutSuccessHandler">
<property name="federationConfig" ref="fedizConfig"/>
</bean>
<bean id="securityContextLogoutHandler" name="securityContextLogoutHandler"
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
</bean>
<bean id="federationSignOutCleanupFilter" class="org.apache.cxf.fediz.spring.web.FederationSignOutCleanupFilter"/>
<!-- Supports OIDC Authorization Code flow -->
<util:list id="scopesRequiringNoConsent">
<value>openid</value>
<value>roles</value>
</util:list>
<bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="subjectCreator" ref="subjectCreator"/>
<property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/>
<!--
<property name="useAllClientScopes" value="true"/>
-->
<property name="canSupportPublicClients" value="true"/>
</bean>
<!-- Supports OIDC Implicit and Hybrid flows -->
<bean id="oidcHybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="subjectCreator" ref="subjectCreator"/>
<property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/>
<property name="responseFilter" ref="idTokenFilter"/>
<property name="codeService" ref="oidcAuthorizationService"/>
</bean>
<util:list id="oidcServices">
<ref bean="oidcAuthorizationService"/>
<ref bean="oidcHybridService"/>
</util:list>
<!-- Service which makes Code, Implicit and Hybrid flow available
at the same relative "/authorize" address -->
<bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService">
<property name="services" ref="oidcServices"/>
</bean>
<bean id="tokenCleanupHandler" class="org.apache.cxf.fediz.service.oidc.logout.TokenCleanupHandler">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<bean id="logoutService" class="org.apache.cxf.fediz.service.oidc.logout.LogoutService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="relativeIdpLogoutUri" value="../../secure/logout"/>
<property name="logoutHandlers" ref="tokenCleanupHandler"/>
</bean>
<!-- Service supporting all OIDC Core flows -->
<jaxrs:server address="/idp">
<jaxrs:serviceBeans>
<ref bean="authorizationService"/>
<ref bean="logoutService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="viewProvider"/>
<ref bean="oauthJsonProvider"/>
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.signature.properties" value="rs.security.properties"/>
<entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
</jaxrs:properties>
</jaxrs:server>
<!--
Public JWK Key Service: Disable it if the client secret is used or if
pre-installing public OIDC keys to clients is preferred
-->
<bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/>
<jaxrs:server address="/jwk">
<jaxrs:serviceBeans>
<ref bean="oidcKeysService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="corsFilter"/>
<bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/>
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.signature.properties" value="rs.security.properties"/>
<entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
</jaxrs:properties>
</jaxrs:server>
<bean id="oauth2TokenValidationFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
<property name="dataProvider" ref="oauthProvider"/>
<property name="audienceIsEndpointAddress" value="false"/>
</bean>
<!-- User Info Service -->
<bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService">
<property name="oauthDataProvider" ref="oauthProvider"/>
<property name="jwsRequired" value="false"/>
</bean>
<jaxrs:server address="/users">
<jaxrs:serviceBeans>
<ref bean="userInfoService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="corsFilter"/>
<bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/>
<ref bean="oauth2TokenValidationFilter"/>
</jaxrs:providers>
</jaxrs:server>
<bean id="keyPasswordProvider" class="org.apache.cxf.fediz.service.oidc.PrivateKeyPasswordProviderImpl">
<property name="password" value="password"/>
</bean>
<!-- Client Registration Service -->
<bean id="clientRegService" init-method="init"
class="org.apache.cxf.fediz.service.oidc.clients.ClientRegistrationService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="clientProvider" ref="oauthProvider"/>
<!--
<property name="clientScopes" ref="supportedScopes"/>
-->
<property name="homeRealms">
<map>
<entry key="urn:org:apache:cxf:fediz:idp:realm-A" value="IDP of Realm A" />
<entry key="urn:org:apache:cxf:fediz:idp:realm-B" value="IDP of Realm B" />
</map>
</property>
<property name="additionalTLDs">
<list>
<value>domain123</value>
<value>corp</value>
<value>domain456</value>
</list>
</property>
</bean>
<!-- Console linking to the client registration service -->
<bean id="consoleService" class="org.apache.cxf.fediz.service.oidc.console.UserConsoleService">
<property name="clientRegService" ref="clientRegService"/>
</bean>
<jaxrs:server address="/console">
<jaxrs:serviceBeans>
<ref bean="consoleService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="viewProvider"/>
</jaxrs:providers>
</jaxrs:server>
<bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider">
<property name="useClassNames" value="true"/>
<property name="locationPrefix" value="/WEB-INF/views/"/>
<property name="beanName" value="data"/>
<property name="dispatcherName" value="jsp"/>
<property name="resourcePaths">
<map>
<entry key="/remove" value="/WEB-INF/views/registeredClients.jsp"/>
</map>
</property>
<property name="classResources">
<map>
<entry key="org.apache.cxf.fediz.service.oidc.clients.InvalidRegistration" value="/WEB-INF/views/invalidRegistration.jsp"/>
</map>
</property>
</bean>
<!-- AccessTokenService response filter which adds IdTokens to client responses -->
<bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter">
<!--
<property name="signWithClientSecret" value="true"/>
-->
</bean>
<!-- Cors filter for endpoints used by implicit flow (by js clients) -->
<util:list id="implicitFlowAllowHeaders">
<value>Authorization</value>
</util:list>
<bean id="corsFilter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter">
<property name="allowHeaders" ref="implicitFlowAllowHeaders"/>
</bean>
<bean id="refreshTokenHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<bean id="clientCredsHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<util:list id="grantHandlers">
<ref bean="refreshTokenHandler"/>
<!-- Add more custom grant handlers as needed -->
<ref bean="clientCredsHandler"/>
</util:list>
<!-- Access Token service -->
<bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="responseFilter" ref="idTokenFilter"/>
<property name="grantHandlers" ref="grantHandlers"/>
<property name="canSupportPublicClients" value="true"/>
</bean>
<!-- Access Token Revocation service -->
<bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService">
<property name="dataProvider" ref="oauthProvider"/>
</bean>
<!-- Access Token Introspection service -->
<bean id="accessTokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService">
<property name="dataProvider" ref="oauthProvider"/>
<property name="blockUnauthorizedRequests" value="false"/>
</bean>
<bean id="oauthJsonProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/>
<jaxrs:server address="/oauth2">
<jaxrs:serviceBeans>
<ref bean="accessTokenService"/>
<ref bean="accessTokenIntrospectionService"/>
<ref bean="accessTokenRevocationService"/>
</jaxrs:serviceBeans>
<jaxrs:providers>
<ref bean="oauthJsonProvider"/>
</jaxrs:providers>
<jaxrs:properties>
<entry key="rs.security.signature.properties" value="rs.security.properties"/>
<entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/>
</jaxrs:properties>
</jaxrs:server>
<!-- .well-known OIDC Configuration Service -->
<bean id="oidcConfigService" class="org.apache.cxf.rs.security.oidc.idp.OidcConfigurationService"/>
<jaxrs:server address="/.well-known">
<jaxrs:serviceBeans>
<ref bean="oidcConfigService"/>
</jaxrs:serviceBeans>
<jaxrs:properties>
<entry key="rs.security.signature.properties" value="rs.security.properties"/>
</jaxrs:properties>
</jaxrs:server>
<http:conduit name="*.http-conduit">
<http:tlsClientParameters
disableCNCheck="true">
<sec:trustManagers>
<sec:keyStore type="jks" password="tompass" resource="server.jks" />
</sec:trustManagers>
</http:tlsClientParameters>
</http:conduit>
</beans>