| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <beans xmlns="http://www.springframework.org/schema/beans" |
| xmlns:cxf="http://cxf.apache.org/core" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xmlns:jaxrs="http://cxf.apache.org/jaxrs" |
| xmlns:util="http://www.springframework.org/schema/util" |
| xmlns:http="http://cxf.apache.org/transports/http/configuration" |
| xmlns:sec="http://cxf.apache.org/configuration/security" |
| xmlns:springsec="http://www.springframework.org/schema/security" |
| xmlns:p="http://www.springframework.org/schema/p" |
| xsi:schemaLocation=" |
| http://cxf.apache.org/core |
| http://cxf.apache.org/schemas/core.xsd |
| http://www.springframework.org/schema/beans |
| http://www.springframework.org/schema/beans/spring-beans-4.3.xsd |
| http://cxf.apache.org/jaxrs |
| http://cxf.apache.org/schemas/jaxrs.xsd |
| http://www.springframework.org/schema/util |
| http://www.springframework.org/schema/util/spring-util-4.3.xsd |
| http://cxf.apache.org/transports/http/configuration |
| http://cxf.apache.org/schemas/configuration/http-conf.xsd |
| http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd |
| http://cxf.apache.org/configuration/security |
| http://cxf.apache.org/schemas/configuration/security.xsd"> |
| |
| <cxf:bus> |
| <cxf:features> |
| <cxf:logging/> |
| </cxf:features> |
| </cxf:bus> |
| |
| <import resource="data-manager.xml" /> |
| |
| |
| <!-- DISABLE in production as it might log confidential information about the user --> |
| <springsec:debug /> |
| |
| <springsec:http entry-point-ref="federationEntryPoint" use-expressions="true"> |
| <springsec:intercept-url pattern="/idp/*" access="isAuthenticated()"/> |
| <springsec:intercept-url pattern="/console/*" access="isAuthenticated()"/> |
| <springsec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" /> |
| <springsec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER"/> |
| <springsec:custom-filter ref="federationSignOutCleanupFilter" position="PRE_AUTH_FILTER"/> |
| <springsec:session-management session-authentication-strategy-ref="sas"/> |
| <springsec:csrf disabled="true"/> |
| </springsec:http> |
| |
| |
| <springsec:authentication-manager alias="authManager"> |
| <springsec:authentication-provider ref="federationAuthProvider" /> |
| </springsec:authentication-manager> |
| |
| <bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init" |
| p:configFile="file:./target/tomcat/fediz_config_spring.xml" /> |
| |
| <bean id="federationEntryPoint" |
| class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint" |
| p:federationConfig-ref="fedizConfig" /> |
| |
| <bean id="federationFilter" |
| class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter" |
| p:authenticationManager-ref="authManager" |
| p:federationConfig-ref="fedizConfig"> |
| |
| <property name="authenticationFailureHandler"> |
| <bean class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFailureHandler" p:federationConfig-ref="fedizConfig" /> |
| </property> |
| </bean> |
| |
| <bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider" |
| p:federationConfig-ref="fedizConfig"> |
| <property name="authenticationUserDetailsService"> |
| <bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/> |
| </property> |
| </bean> |
| |
| <bean id="sas" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" /> |
| |
| <bean id="logoutFilter" class="org.apache.cxf.fediz.spring.web.FederationLogoutFilter"> |
| <constructor-arg name="logoutSuccessHandler" ref="federationLogoutSuccessHandler"/> |
| <constructor-arg name="handlers"> |
| <list> |
| <ref bean="securityContextLogoutHandler"/> |
| </list> |
| </constructor-arg> |
| <property name="federationConfig" ref="fedizConfig"/> |
| </bean> |
| |
| <bean id="federationLogoutSuccessHandler" class="org.apache.cxf.fediz.spring.web.FederationLogoutSuccessHandler"> |
| <property name="federationConfig" ref="fedizConfig"/> |
| </bean> |
| |
| <bean id="securityContextLogoutHandler" name="securityContextLogoutHandler" |
| class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> |
| </bean> |
| |
| <bean id="federationSignOutCleanupFilter" class="org.apache.cxf.fediz.spring.web.FederationSignOutCleanupFilter"/> |
| |
| <!-- Supports OIDC Authorization Code flow --> |
| <util:list id="scopesRequiringNoConsent"> |
| <value>openid</value> |
| <value>roles</value> |
| </util:list> |
| <bean id="oidcAuthorizationService" class="org.apache.cxf.rs.security.oidc.idp.OidcAuthorizationCodeService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="subjectCreator" ref="subjectCreator"/> |
| <property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/> |
| <!-- |
| <property name="useAllClientScopes" value="true"/> |
| --> |
| <property name="canSupportPublicClients" value="true"/> |
| </bean> |
| <!-- Supports OIDC Implicit and Hybrid flows --> |
| <bean id="oidcHybridService" class="org.apache.cxf.rs.security.oidc.idp.OidcHybridService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="subjectCreator" ref="subjectCreator"/> |
| <property name="scopesRequiringNoConsent" ref="scopesRequiringNoConsent"/> |
| <property name="responseFilter" ref="idTokenFilter"/> |
| <property name="codeService" ref="oidcAuthorizationService"/> |
| </bean> |
| |
| <util:list id="oidcServices"> |
| <ref bean="oidcAuthorizationService"/> |
| <ref bean="oidcHybridService"/> |
| </util:list> |
| |
| <!-- Service which makes Code, Implicit and Hybrid flow available |
| at the same relative "/authorize" address --> |
| <bean id="authorizationService" class="org.apache.cxf.rs.security.oauth2.services.AuthorizationService"> |
| <property name="services" ref="oidcServices"/> |
| </bean> |
| |
| <bean id="tokenCleanupHandler" class="org.apache.cxf.fediz.service.oidc.logout.TokenCleanupHandler"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| </bean> |
| |
| <bean id="logoutService" class="org.apache.cxf.fediz.service.oidc.logout.LogoutService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="relativeIdpLogoutUri" value="../../secure/logout"/> |
| <property name="logoutHandlers" ref="tokenCleanupHandler"/> |
| </bean> |
| |
| <!-- Service supporting all OIDC Core flows --> |
| <jaxrs:server address="/idp"> |
| <jaxrs:serviceBeans> |
| <ref bean="authorizationService"/> |
| <ref bean="logoutService"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="viewProvider"/> |
| <ref bean="oauthJsonProvider"/> |
| </jaxrs:providers> |
| <jaxrs:properties> |
| <entry key="rs.security.signature.properties" value="rs.security.properties"/> |
| <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/> |
| </jaxrs:properties> |
| </jaxrs:server> |
| |
| <!-- |
| Public JWK Key Service: Disable it if the client secret is used or if |
| pre-installing public OIDC keys to clients is preferred |
| --> |
| <bean id="oidcKeysService" class="org.apache.cxf.rs.security.oidc.idp.OidcKeysService"/> |
| <jaxrs:server address="/jwk"> |
| <jaxrs:serviceBeans> |
| <ref bean="oidcKeysService"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="corsFilter"/> |
| <bean class="org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider"/> |
| </jaxrs:providers> |
| <jaxrs:properties> |
| <entry key="rs.security.signature.properties" value="rs.security.properties"/> |
| <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/> |
| </jaxrs:properties> |
| </jaxrs:server> |
| |
| |
| <bean id="oauth2TokenValidationFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="audienceIsEndpointAddress" value="false"/> |
| </bean> |
| |
| <!-- User Info Service --> |
| <bean id="userInfoService" class="org.apache.cxf.rs.security.oidc.idp.UserInfoService"> |
| <property name="oauthDataProvider" ref="oauthProvider"/> |
| <property name="jwsRequired" value="false"/> |
| </bean> |
| <jaxrs:server address="/users"> |
| <jaxrs:serviceBeans> |
| <ref bean="userInfoService"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="corsFilter"/> |
| <bean class="org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider"/> |
| <ref bean="oauth2TokenValidationFilter"/> |
| </jaxrs:providers> |
| </jaxrs:server> |
| |
| <bean id="keyPasswordProvider" class="org.apache.cxf.fediz.service.oidc.PrivateKeyPasswordProviderImpl"> |
| <property name="password" value="password"/> |
| </bean> |
| |
| <!-- Client Registration Service --> |
| <bean id="clientRegService" init-method="init" |
| class="org.apache.cxf.fediz.service.oidc.clients.ClientRegistrationService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="clientProvider" ref="oauthProvider"/> |
| <!-- |
| <property name="clientScopes" ref="supportedScopes"/> |
| --> |
| <property name="homeRealms"> |
| <map> |
| <entry key="urn:org:apache:cxf:fediz:idp:realm-A" value="IDP of Realm A" /> |
| <entry key="urn:org:apache:cxf:fediz:idp:realm-B" value="IDP of Realm B" /> |
| </map> |
| </property> |
| <property name="additionalTLDs"> |
| <list> |
| <value>domain123</value> |
| <value>corp</value> |
| <value>domain456</value> |
| </list> |
| </property> |
| </bean> |
| |
| <!-- Console linking to the client registration service --> |
| <bean id="consoleService" class="org.apache.cxf.fediz.service.oidc.console.UserConsoleService"> |
| <property name="clientRegService" ref="clientRegService"/> |
| </bean> |
| <jaxrs:server address="/console"> |
| <jaxrs:serviceBeans> |
| <ref bean="consoleService"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="viewProvider"/> |
| </jaxrs:providers> |
| </jaxrs:server> |
| |
| <bean id="viewProvider" class="org.apache.cxf.jaxrs.provider.RequestDispatcherProvider"> |
| <property name="useClassNames" value="true"/> |
| <property name="locationPrefix" value="/WEB-INF/views/"/> |
| <property name="beanName" value="data"/> |
| <property name="dispatcherName" value="jsp"/> |
| <property name="resourcePaths"> |
| <map> |
| <entry key="/remove" value="/WEB-INF/views/registeredClients.jsp"/> |
| </map> |
| </property> |
| <property name="classResources"> |
| <map> |
| <entry key="org.apache.cxf.fediz.service.oidc.clients.InvalidRegistration" value="/WEB-INF/views/invalidRegistration.jsp"/> |
| </map> |
| </property> |
| </bean> |
| |
| <!-- AccessTokenService response filter which adds IdTokens to client responses --> |
| <bean id="idTokenFilter" class="org.apache.cxf.rs.security.oidc.idp.IdTokenResponseFilter"> |
| <!-- |
| <property name="signWithClientSecret" value="true"/> |
| --> |
| </bean> |
| <!-- Cors filter for endpoints used by implicit flow (by js clients) --> |
| <util:list id="implicitFlowAllowHeaders"> |
| <value>Authorization</value> |
| </util:list> |
| <bean id="corsFilter" class="org.apache.cxf.rs.security.cors.CrossOriginResourceSharingFilter"> |
| <property name="allowHeaders" ref="implicitFlowAllowHeaders"/> |
| </bean> |
| <bean id="refreshTokenHandler" class="org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| </bean> |
| |
| <bean id="clientCredsHandler" class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| </bean> |
| |
| <util:list id="grantHandlers"> |
| <ref bean="refreshTokenHandler"/> |
| <!-- Add more custom grant handlers as needed --> |
| <ref bean="clientCredsHandler"/> |
| </util:list> |
| <!-- Access Token service --> |
| <bean id="accessTokenService" class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="responseFilter" ref="idTokenFilter"/> |
| <property name="grantHandlers" ref="grantHandlers"/> |
| <property name="canSupportPublicClients" value="true"/> |
| </bean> |
| <!-- Access Token Revocation service --> |
| <bean id="accessTokenRevocationService" class="org.apache.cxf.rs.security.oauth2.services.TokenRevocationService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| </bean> |
| <!-- Access Token Introspection service --> |
| <bean id="accessTokenIntrospectionService" class="org.apache.cxf.rs.security.oauth2.services.TokenIntrospectionService"> |
| <property name="dataProvider" ref="oauthProvider"/> |
| <property name="blockUnauthorizedRequests" value="false"/> |
| </bean> |
| <bean id="oauthJsonProvider" class="org.apache.cxf.rs.security.oauth2.provider.OAuthJSONProvider"/> |
| <jaxrs:server address="/oauth2"> |
| <jaxrs:serviceBeans> |
| <ref bean="accessTokenService"/> |
| <ref bean="accessTokenIntrospectionService"/> |
| <ref bean="accessTokenRevocationService"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:providers> |
| <ref bean="oauthJsonProvider"/> |
| </jaxrs:providers> |
| <jaxrs:properties> |
| <entry key="rs.security.signature.properties" value="rs.security.properties"/> |
| <entry key="rs.security.signature.key.password.provider" value-ref="keyPasswordProvider"/> |
| </jaxrs:properties> |
| </jaxrs:server> |
| |
| <!-- .well-known OIDC Configuration Service --> |
| <bean id="oidcConfigService" class="org.apache.cxf.rs.security.oidc.idp.OidcConfigurationService"/> |
| <jaxrs:server address="/.well-known"> |
| <jaxrs:serviceBeans> |
| <ref bean="oidcConfigService"/> |
| </jaxrs:serviceBeans> |
| <jaxrs:properties> |
| <entry key="rs.security.signature.properties" value="rs.security.properties"/> |
| </jaxrs:properties> |
| </jaxrs:server> |
| <http:conduit name="*.http-conduit"> |
| <http:tlsClientParameters |
| disableCNCheck="true"> |
| <sec:trustManagers> |
| <sec:keyStore type="jks" password="tompass" resource="server.jks" /> |
| </sec:trustManagers> |
| </http:tlsClientParameters> |
| </http:conduit> |
| |
| </beans> |
| |