From 40a7a7d57f9981d4663375db261d8ce8078e97ad Mon Sep 17 00:00:00 2001 From: barrett Date: Fri, 18 Nov 2016 09:39:33 -0800 Subject: [PATCH] pushing endpoint disabling out to separate configs to anable disabling security rules as well --- .../README.md | 32 +---- .../config/ApiResourceServerConfig.java | 113 +++++++++++++++++- .../config/CommonResourceServerConfig.java | 2 +- .../config/OpenIDConnectServerConfig.java | 112 ++--------------- ...ourceRegistrationResourceServerConfig.java | 23 +++- .../config/oauth2/TokenWebSecurityConfig.java | 15 ++- ...lientRegistrationResourceServerConfig.java | 26 +++- .../openid/connect/JwkWebSecurityConfig.java | 23 +++- .../connect/UserInfoResourceServerConfig.java | 32 ++++- .../connect/WellKnownWebSecurityConfig.java | 25 +++- .../src/test/resources/application.yml | 7 +- .../web/ApiAuthorizationTestsBase.java | 5 +- .../src/test/resources/application.yml | 7 +- 13 files changed, 254 insertions(+), 168 deletions(-) diff --git a/openid-connect-server-spring-boot-config/README.md b/openid-connect-server-spring-boot-config/README.md index 7ab39f0..329e96e 100644 --- a/openid-connect-server-spring-boot-config/README.md +++ b/openid-connect-server-spring-boot-config/README.md @@ -179,6 +179,12 @@ true When set to false the Scope API endpoint is not exposed. + + openid.connect.server.endpoints.api.stats.enabled + + true + When set to false the StatsAPI endpoint is not exposed. + openid.connect.server.endpoints.oidc.dynamicclientregistration.enabled 
@@ -209,32 +215,6 @@ true When set to false the ProtectedResourceRegistration endpoint is not exposed. - - openid.connect.server.endpoints.stats.enabled - - true - When set to false the StatsAPI endpoint is not exposed. - - - - openid.connect.server.endpoints.oauth2.introspection.enabled - - true - When set to false the OAuth 2.0 introspection endpoint is not exposed. - - - openid.connect.server.endpoints.oauth2.revocation.enabled - - true - When set to false the OAuth 2.0 Revocation endpoint is not exposed. - - - openid.connect.server.endpoints.oauth2.confirmation.enabled - - true - When set to false the OAuth 2.0 Access Confirmation endpoint is not exposed. - - diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ApiResourceServerConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ApiResourceServerConfig.java index d51e466..93603ec 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ApiResourceServerConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ApiResourceServerConfig.java 
@@ -1,18 +1,36 @@ package org.mitre.springboot.config; +import org.mitre.oauth2.view.TokenApiView; +import org.mitre.oauth2.web.ScopeAPI; +import org.mitre.oauth2.web.TokenAPI; +import org.mitre.openid.connect.service.impl.MITREidDataService_1_0; +import org.mitre.openid.connect.service.impl.MITREidDataService_1_1; +import org.mitre.openid.connect.service.impl.MITREidDataService_1_2; +import org.mitre.openid.connect.view.ClientEntityViewForAdmins; +import org.mitre.openid.connect.view.ClientEntityViewForUsers; +import org.mitre.openid.connect.view.JsonApprovedSiteView; +import org.mitre.openid.connect.web.ApprovedSiteAPI; +import org.mitre.openid.connect.web.BlacklistAPI; +import org.mitre.openid.connect.web.ClientAPI; +import org.mitre.openid.connect.web.DataAPI; +import org.mitre.openid.connect.web.StatsAPI; +import org.mitre.openid.connect.web.WhitelistAPI; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Import; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter; import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint; -@Configuration -@Order(180) -public class ApiResourceServerConfig extends ResourceServerConfigurerAdapter { - String PATTERN = "/" + org.mitre.openid.connect.web.RootController.API_URL + "/**"; +public abstract class ApiResourceServerConfig extends ResourceServerConfigurerAdapter { + protected abstract String getPattern(); + 
@Autowired private OAuth2AuthenticationEntryPoint authenticationEntryPoint; 
@@ -21,14 +39,99 @@ public void configure(HttpSecurity http) throws Exception { // @formatter:off http .requestMatchers() - .antMatchers(PATTERN) + .antMatchers("/" + getPattern() + "/**") .and() .exceptionHandling().authenticationEntryPoint(authenticationEntryPoint) .and() .sessionManagement() .sessionCreationPolicy(SessionCreationPolicy.STATELESS) + ; // @formatter:on } + + @Order(180) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.whitelist.enabled", matchIfMissing=true) + @Import(value=WhitelistAPI.class) + public static class WhitelistEndpointConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return WhitelistAPI.URL;} + } + + @Order(181) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.approvedsite.enabled", matchIfMissing=true) + @Import(value={ApprovedSiteAPI.class, JsonApprovedSiteView.class}) + public static class ApprovedSiteEndpointConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return ApprovedSiteAPI.URL;} + } + + @Order(182) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.blacklist.enabled", matchIfMissing=true) + @Import(value=BlacklistAPI.class) + public static class BlacklistEndpointConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return BlacklistAPI.URL;} + } + + @Order(183) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.client.enabled", matchIfMissing=true) + @Import(value={ClientAPI.class, ClientEntityViewForAdmins.class, ClientEntityViewForUsers.class}) + public static class ClientEndpointConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return ClientAPI.URL;} + } + @Order(184) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.data.enabled", matchIfMissing=true) + 
@Import(value=DataAPI.class) + public static class DataEndpointConfiguration extends ApiResourceServerConfig { + + protected String getPattern() {return DataAPI.URL;} + + @Bean + @ConditionalOnMissingBean(MITREidDataService_1_0.class) + public MITREidDataService_1_0 MITREidDataService_1_0() { + return new MITREidDataService_1_0(); + } + + @Bean + @ConditionalOnMissingBean(MITREidDataService_1_1.class) + public MITREidDataService_1_1 MITREidDataService_1_1() { + return new MITREidDataService_1_1(); + } + + @Bean + @ConditionalOnMissingBean(MITREidDataService_1_2.class) + public MITREidDataService_1_2 MITREidDataService_1_2() { + return new MITREidDataService_1_2(); + } + + } + + @Order(185) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.stats.enabled", matchIfMissing=true) + @Import(value=StatsAPI.class) + public static class StatsEndpointConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return StatsAPI.URL;} + } + + @Order(185) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.token.enabled", matchIfMissing=true) + @Import(value={TokenApiView.class, TokenAPI.class}) + public static class TokenAPIConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return TokenAPI.URL;} + } + + @Order(187) + @Configuration + @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.scope.enabled", matchIfMissing=true) + @Import(value={ScopeAPI.class}) + public static class ScopeAPIConfiguration extends ApiResourceServerConfig { + protected String getPattern() {return ScopeAPI.URL;} + } + } \ No newline at end of file diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/CommonResourceServerConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/CommonResourceServerConfig.java index d8856fc..4b91a9a 100644 
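Review bot: StatsEndpointConfiguration and TokenAPIConfiguration both carry `@Order(185)` while their siblings step 180–184 and then 187, so the token configuration was presumably meant to be `@Order(186)`; whether the order is honoured for ResourceServerConfigurerAdapter beans is not visible here, but the duplicate is at least misleading. More important for deployments: the single matcher the previous hunk removes, `"/" + RootController.API_URL + "/**"`, claimed everything under the API root, whereas each new class protects only `"/" + getPattern() + "/**"`, so a controller under that root which is not in this list is no longer covered by this resource-server chain and falls through to whichever later chain matches — worth confirming that nothing else lives under the API root, or keeping a catch-all API configuration as the last entry. The stats toggle also changes its key from `openid.connect.endpoints.stats.enabled` to `openid.connect.endpoints.api.stats.enabled` with `matchIfMissing=true`, so a deployment that disabled stats under the old key silently gets the endpoint back; a changelog entry or a transitional check of the old key would avoid that. The abstract base class and its field declarations are in the preceding hunk.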
--- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/CommonResourceServerConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/CommonResourceServerConfig.java @@ -20,7 +20,7 @@ public void configure(ResourceServerSecurityConfigurer resources) throws Excepti resources.stateless(false); resources.tokenServices(oAuth2TokenEntityService); } - + @Override public void configure(HttpSecurity http) throws Exception { } diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/OpenIDConnectServerConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/OpenIDConnectServerConfig.java index 55819b9..ab3a7db 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/OpenIDConnectServerConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/OpenIDConnectServerConfig.java @@ -34,9 +34,7 @@ import org.mitre.oauth2.token.StructuredScopeAwareOAuth2RequestValidator; import org.mitre.oauth2.view.TokenApiView; import org.mitre.oauth2.web.CorsFilter; -import org.mitre.oauth2.web.IntrospectionEndpoint; import org.mitre.oauth2.web.OAuthConfirmationController; -import org.mitre.oauth2.web.RevocationEndpoint; import org.mitre.oauth2.web.ScopeAPI; import org.mitre.oauth2.web.TokenAPI; import org.mitre.openid.connect.config.ConfigurationPropertiesBean; 
@@ -80,11 +78,10 @@ import org.mitre.openid.connect.view.ClientEntityViewForUsers; import org.mitre.openid.connect.view.ClientInformationResponseView; import org.mitre.openid.connect.view.HttpCodeView; +import org.mitre.openid.connect.view.JWKSetView; import org.mitre.openid.connect.view.JsonApprovedSiteView; import org.mitre.openid.connect.view.JsonEntityView; import org.mitre.openid.connect.view.JsonErrorView; -import org.mitre.openid.connect.view.UserInfoJWTView; -import org.mitre.openid.connect.view.UserInfoView; import org.mitre.openid.connect.web.ApprovedSiteAPI; import org.mitre.openid.connect.web.AuthenticationTimeStamper; import org.mitre.openid.connect.web.BlacklistAPI; @@ -94,7 +91,6 @@ import org.mitre.openid.connect.web.JWKSetPublishingEndpoint; import org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint; import org.mitre.openid.connect.web.StatsAPI; -import org.mitre.openid.connect.web.UserInfoEndpoint; import org.mitre.openid.connect.web.WhitelistAPI; import org.mitre.springboot.config.annotation.EnableOpenIDConnectServer; import org.mitre.uma.service.ResourceSetService; @@ -139,6 +135,8 @@ @Order(101) public class OpenIDConnectServerConfig { + //TODO Configuration for ClientKeyPublisherMapping + @Bean(name="config") @ConfigurationProperties(prefix = "openid.connect.server") @ConditionalOnMissingBean(ConfigurationPropertiesBean.class) 
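Review bot: The import of `org.mitre.openid.connect.view.JWKSetView` added here has no visible use in this file — the only JWKSetView bean in the commit is declared in JwkWebSecurityConfig — and several imports kept as context (TokenApiView, ScopeAPI, TokenAPI, StatsAPI, WhitelistAPI, JsonApprovedSiteView, ClientInformationResponseView, JWKSetPublishingEndpoint, ProtectedResourceRegistrationEndpoint) lose their only uses in the later hunks of this file, so they are probably unused now. The code between the hunks is not visible, so this is inferred; a compiler-warning pass or an IDE import cleanup on this file would settle it. The added `//TODO Configuration for ClientKeyPublisherMapping` would help the next reader more if it said what is outstanding, e.g. `// TODO: ClientKeyPublisherMapping is not yet switchable like the other endpoints`.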
@@ -191,56 +189,8 @@ protected OAuth2AccessDeniedHandler oAuth2AccessDeniedHandler(){ @Import(value=AuthenticationTimeStamper.class) public static class WebEndpointConfiguration {} - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.whitelist.enabled", matchIfMissing=true) - @Import(value=WhitelistAPI.class) - public static class WhitelistEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.approvedsite.enabled", matchIfMissing=true) - @Import(value={ApprovedSiteAPI.class, JsonApprovedSiteView.class}) - public static class ApprovedSiteEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.blacklist.enabled", matchIfMissing=true) - @Import(value=BlacklistAPI.class) - public static class BlacklistEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.client.enabled", matchIfMissing=true) - @Import(value={ClientAPI.class, ClientEntityViewForAdmins.class, ClientEntityViewForUsers.class}) - public static class ClientEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.data.enabled", matchIfMissing=true) - @Import(value=DataAPI.class) - public static class DataEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.dynamicclientregistration.enabled", matchIfMissing=true) - @Import(value={DynamicClientRegistrationEndpoint.class, ClientInformationResponseView.class}) - public static class DynamicClientRegistrationEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.jwksetpublishing.enabled", matchIfMissing=true) - @Import(value=JWKSetPublishingEndpoint.class) - public static class 
JWKsetPublishingEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.userinfo.enabled", matchIfMissing=true) - @Import(value={UserInfoEndpoint.class, UserInfoJWTView.class, UserInfoView.class}) - public static class UserInfoEndpointConfiguration {} - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.protectedresourceregistration.enabled", matchIfMissing=true) - @Import(value={ProtectedResourceRegistrationEndpoint.class, ClientInformationResponseView.class}) - public static class ProtectedResourceRegistrationEndpointConfiguration {} - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.stats.enabled", matchIfMissing=true) - @Import(value=StatsAPI.class) - public static class StatsEndpointConfiguration {} - /* * Specific configuration for "org.mitre.jwt.signer.service.impl" */ @@ -248,15 +198,7 @@ public static class StatsEndpointConfiguration {} @Configuration @Import(value={ClientKeyCacheService.class, JWKSetCacheService.class, SymmetricKeyJWTValidatorCacheService.class}) public static class JwtSignerServiceConfiguration {} - - /* - * Enabled configuration for "org.mitre.discovery.view","org.mitre.discovery.web" - */ - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.discovery.enabled", matchIfMissing=true) - @Import(value={WebfingerView.class, DiscoveryEndpoint.class}) - public static class DiscoveryEndpointConfiguration {} - + /* * Override configuration for "org.mitre.oauth2.repository.impl" */ 
@@ -370,30 +312,9 @@ protected OAuth2RequestValidator requestValidator() { */ @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.token.enabled", matchIfMissing=true) - @Import(value={TokenApiView.class, TokenAPI.class}) - public static class TokenAPIConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.api.scope.enabled", matchIfMissing=true) - @Import(value={ScopeAPI.class}) - public static class ScopeAPIConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oauth2.introspection.enabled", matchIfMissing=true) - @Import(value={IntrospectionEndpoint.class}) - public static class IntrospectionEndpointConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oauth2.confirmation.enabled", matchIfMissing=true) @Import(value={OAuthConfirmationController.class}) public static class OAuthConfirmationControllerConfiguration {} - - @Configuration - @ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oauth2.revocation.enabled", matchIfMissing=true) - @Import(value={RevocationEndpoint.class}) - public static class RevocationEndpointConfiguration {} - + @Bean @ConditionalOnMissingBean(name="corsFilter") public Filter corsFilter() { 
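Review bot: OAuthConfirmationControllerConfiguration keeps its `@Import` but loses its `@ConditionalOnProperty`, so the access-confirmation controller is now registered unconditionally and a deployment that set `openid.connect.endpoints.oauth2.confirmation.enabled=false` gets it back after the upgrade with no log line or startup failure to say so. The same silent re-enabling applies to `introspectionEndpoint()` and `revocationEndpoint()`, whose beans in TokenWebSecurityConfig replace the `IntrospectionEndpointConfiguration` and `RevocationEndpointConfiguration` removed here without carrying over their property guards. If dropping the switches is deliberate, a comment on each bean such as `// intentionally unconditional: this endpoint can no longer be disabled by property` records that; otherwise the guard should be kept, e.g. `@ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oauth2.introspection.enabled", matchIfMissing=true)` on the introspection bean and the matching key on the other two.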
@@ -514,23 +435,6 @@ public ResourceSetService dummyResourceSetService() { return new DummyResourceSetService(); } - @Bean - @ConditionalOnMissingBean(MITREidDataService_1_0.class) - public MITREidDataService_1_0 MITREidDataService_1_0() { - return new MITREidDataService_1_0(); - } - - @Bean - @ConditionalOnMissingBean(MITREidDataService_1_1.class) - public MITREidDataService_1_1 MITREidDataService_1_1() { - return new MITREidDataService_1_1(); - } - - @Bean - @ConditionalOnMissingBean(MITREidDataService_1_2.class) - public MITREidDataService_1_2 MITREidDataService_1_2() { - return new MITREidDataService_1_2(); - } @Bean @ConditionalOnMissingBean(PairwiseIdentiferService.class) @@ -561,11 +465,13 @@ public UserApprovalHandler tofuUserApprovalHandler() { return new TofuUserApprovalHandler(); } - /* - * Configuration for common views in "org.mitre.openid.connect.view" + /** + * Configuration for common views in "org.mitre.openid.connect.view" used across most APIs and Endpoints */ @Configuration @Import(value={HttpCodeView.class, JsonEntityView.class,JsonErrorView.class }) public static class OpenIDConnectCommonViewConfiguration {} + + } diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ProtectedResourceRegistrationResourceServerConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ProtectedResourceRegistrationResourceServerConfig.java index e6191c6..6f43ed3 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ProtectedResourceRegistrationResourceServerConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/ProtectedResourceRegistrationResourceServerConfig.java 
@@ -2,9 +2,13 @@ import javax.servlet.Filter; -import org.mitre.oauth2.web.CorsFilter; +import org.mitre.openid.connect.view.ClientInformationResponseView; +import org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
@@ -14,16 +18,29 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter; @Configuration +@ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.protectedresourceregistration.enabled", matchIfMissing=true) @Order(210) public class ProtectedResourceRegistrationResourceServerConfig extends ResourceServerConfigurerAdapter { String PATTERN = "/" + org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.URL + "/**"; @Autowired @Qualifier("corsFilter") - private Filter corsFilter; + protected Filter corsFilter; @Autowired - private OAuth2AuthenticationEntryPoint authenticationEntryPoint; + protected OAuth2AuthenticationEntryPoint authenticationEntryPoint; + + @Bean + @ConditionalOnMissingBean(ProtectedResourceRegistrationEndpoint.class) + protected ProtectedResourceRegistrationEndpoint ProtectedResourceRegistrationEndpoint() { + return new ProtectedResourceRegistrationEndpoint(); + } + + @Bean(name=ClientInformationResponseView.VIEWNAME) + @ConditionalOnMissingBean(name=ClientInformationResponseView.VIEWNAME) + protected ClientInformationResponseView clientInformationResponseView() { + return new ClientInformationResponseView(); + } @Override public void configure(HttpSecurity http) throws Exception { diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/oauth2/TokenWebSecurityConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/oauth2/TokenWebSecurityConfig.java index 73be730..f93c4e0 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/oauth2/TokenWebSecurityConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/oauth2/TokenWebSecurityConfig.java 
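Review bot: `clientInformationResponseView()` is declared here and again, byte for byte, in DynamicClientRegistrationResourceServerConfig, both guarded by `@ConditionalOnMissingBean(name=ClientInformationResponseView.VIEWNAME)`. Spring Boot only guarantees the evaluation order of that condition for auto-configuration classes; between two ordinary `@Configuration` classes it depends on registration order, so the second definition may be skipped or may override the first, and the outcome can change with component-scan order. Declaring the view once in a shared configuration (OpenIDConnectCommonViewConfiguration in OpenIDConnectServerConfig already hosts the common views) removes the ambiguity. Separately, `ProtectedResourceRegistrationEndpoint()` is an UpperCamelCase bean method next to the lowerCamelCase `clientInformationResponseView()`; `protectedResourceRegistrationEndpoint()` is the conventional name, and the same applies to `DynamicClientRegistrationEndpoint()` and `JWKSetPublishingEndpoint()` in the sibling files. The class continues outside the hunk.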
@@ -5,7 +5,6 @@ import javax.servlet.Filter; -import org.mitre.oauth2.web.CorsFilter; import org.mitre.oauth2.web.IntrospectionEndpoint; import org.mitre.oauth2.web.RevocationEndpoint; import org.mitre.openid.connect.assertion.JWTBearerAuthenticationProvider; @@ -44,7 +43,7 @@ public class TokenWebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired @Qualifier("corsFilter") - private Filter corsFilter; + protected Filter corsFilter; @Autowired protected OAuth2AuthenticationEntryPoint authenticationEntryPoint; @@ -74,6 +73,18 @@ protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(uriEncodedClientUserDetailsService); } + @Bean + @ConditionalOnMissingBean(IntrospectionEndpoint.class) + protected IntrospectionEndpoint introspectionEndpoint() { + return new IntrospectionEndpoint(); + } + + @Bean + @ConditionalOnMissingBean(RevocationEndpoint.class) + protected RevocationEndpoint revocationEndpoint() { + return new RevocationEndpoint(); + } + @Bean @Autowired @ConditionalOnMissingBean(ClientCredentialsTokenEndpointFilter.class) diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/DynamicClientRegistrationResourceServerConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/DynamicClientRegistrationResourceServerConfig.java index dd361d9..6d6109d 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/DynamicClientRegistrationResourceServerConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/DynamicClientRegistrationResourceServerConfig.java 
@@ -2,9 +2,13 @@ import javax.servlet.Filter; -import org.mitre.oauth2.web.CorsFilter; +import org.mitre.openid.connect.view.ClientInformationResponseView; +import org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
@@ -14,16 +18,30 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter; @Configuration +@ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.dynamicclientregistration.enabled", matchIfMissing=true) @Order(200) public class DynamicClientRegistrationResourceServerConfig extends ResourceServerConfigurerAdapter { String PATTERN = "/" + org.mitre.openid.connect.web.DynamicClientRegistrationEndpoint.URL + "/**"; - + @Autowired @Qualifier("corsFilter") - private Filter corsFilter; + protected Filter corsFilter; @Autowired - private OAuth2AuthenticationEntryPoint authenticationEntryPoint; + protected OAuth2AuthenticationEntryPoint authenticationEntryPoint; + + @Bean + @ConditionalOnMissingBean(DynamicClientRegistrationEndpoint.class) + protected DynamicClientRegistrationEndpoint DynamicClientRegistrationEndpoint() { + return new DynamicClientRegistrationEndpoint(); + } + + @Bean(name=ClientInformationResponseView.VIEWNAME) + @ConditionalOnMissingBean(name=ClientInformationResponseView.VIEWNAME) + protected ClientInformationResponseView clientInformationResponseView() { + return new ClientInformationResponseView(); + } + @Override public void configure(HttpSecurity http) throws Exception { diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/JwkWebSecurityConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/JwkWebSecurityConfig.java index f3bda44..9381020 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/JwkWebSecurityConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/JwkWebSecurityConfig.java 
@@ -2,9 +2,13 @@ import javax.servlet.Filter; -import org.mitre.oauth2.web.CorsFilter; +import org.mitre.openid.connect.view.JWKSetView; +import org.mitre.openid.connect.web.JWKSetPublishingEndpoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -14,14 +18,27 @@ @Order(150) @Configuration +@ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.jwksetpublishing.enabled", matchIfMissing=true) public class JwkWebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired @Qualifier("corsFilter") - private Filter corsFilter; + protected Filter corsFilter; @Autowired - private Http403ForbiddenEntryPoint http403ForbiddenEntryPoint; + protected Http403ForbiddenEntryPoint http403ForbiddenEntryPoint; + + @Bean + @ConditionalOnMissingBean(JWKSetPublishingEndpoint.class) + protected JWKSetPublishingEndpoint JWKSetPublishingEndpoint() { + return new JWKSetPublishingEndpoint(); + } + + @Bean(name=JWKSetView.VIEWNAME) + @ConditionalOnMissingBean(name=JWKSetView.VIEWNAME) + protected JWKSetView jwkSet() { + return new JWKSetView(); + } @Override protected void configure(HttpSecurity http) throws Exception { diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/UserInfoResourceServerConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/UserInfoResourceServerConfig.java index 240e2f0..d1550cc 100644 
--- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/UserInfoResourceServerConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/UserInfoResourceServerConfig.java @@ -2,9 +2,14 @@ import javax.servlet.Filter; -import org.mitre.oauth2.web.CorsFilter; +import org.mitre.openid.connect.view.UserInfoJWTView; +import org.mitre.openid.connect.view.UserInfoView; +import org.mitre.openid.connect.web.UserInfoEndpoint; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; 
@@ -14,16 +19,35 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter; @Configuration +@ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.userinfo.enabled", matchIfMissing=true) @Order(190) public class UserInfoResourceServerConfig extends ResourceServerConfigurerAdapter { String PATTERN = "/" + org.mitre.openid.connect.web.UserInfoEndpoint.URL + "**"; - + @Autowired @Qualifier("corsFilter") - private Filter corsFilter; + protected Filter corsFilter; @Autowired - private OAuth2AuthenticationEntryPoint authenticationEntryPoint; + protected OAuth2AuthenticationEntryPoint authenticationEntryPoint; + + @Bean + @ConditionalOnMissingBean(UserInfoEndpoint.class) + protected UserInfoEndpoint userInfoEndpoint() { + return new UserInfoEndpoint(); + } + + @Bean(name=UserInfoJWTView.VIEWNAME) + @ConditionalOnMissingBean(name=UserInfoJWTView.VIEWNAME) + protected UserInfoJWTView userInfoJwtView() { + return new UserInfoJWTView(); + } + + @Bean(name=UserInfoView.VIEWNAME) + @ConditionalOnMissingBean(name=UserInfoView.VIEWNAME) + protected UserInfoView userInfoView() { + return new UserInfoView(); + } @Override public void configure(HttpSecurity http) throws Exception { diff --git a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/WellKnownWebSecurityConfig.java b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/WellKnownWebSecurityConfig.java index dd4d0ad..ff9b172 100644 --- a/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/WellKnownWebSecurityConfig.java +++ b/openid-connect-server-spring-boot-config/src/main/java/org/mitre/springboot/config/openid/connect/WellKnownWebSecurityConfig.java 
@@ -1,9 +1,11 @@ package org.mitre.springboot.config.openid.connect; -import javax.servlet.Filter; - +import org.mitre.discovery.view.WebfingerView; +import org.mitre.discovery.web.DiscoveryEndpoint; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -13,10 +15,23 @@ @Order(160) @Configuration +@ConditionalOnProperty(havingValue="true", name="openid.connect.endpoints.oidc.discovery.enabled", matchIfMissing=true) public class WellKnownWebSecurityConfig extends WebSecurityConfigurerAdapter { @Autowired - private Http403ForbiddenEntryPoint http403ForbiddenEntryPoint; + protected Http403ForbiddenEntryPoint http403ForbiddenEntryPoint; + + @Bean + @ConditionalOnMissingBean(DiscoveryEndpoint.class) + protected DiscoveryEndpoint discoveryEndpoint() { + return new DiscoveryEndpoint(); + } + + @Bean(name="webfingerView") + @ConditionalOnMissingBean(name="webfingerView") + protected WebfingerView webfingerView() { + return new WebfingerView(); + } @Override protected void configure(HttpSecurity http) throws Exception { @@ -37,4 +52,4 @@ protected void configure(HttpSecurity http) throws Exception { ; // @formatter:on } -} \ No newline at end of file +} diff --git a/openid-connect-server-spring-boot-config/src/test/resources/application.yml b/openid-connect-server-spring-boot-config/src/test/resources/application.yml index b58cbe8..f3d8982 100644 --- a/openid-connect-server-spring-boot-config/src/test/resources/application.yml 
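Review bot: `@Bean(name="webfingerView")` and its `@ConditionalOnMissingBean(name="webfingerView")` spell the bean name as a string literal, while every other view bean in this commit references the view class's `VIEWNAME` constant; if WebfingerView exposes such a constant, `@Bean(name=WebfingerView.VIEWNAME)` keeps the name in one place and lets the compiler catch a mismatch with the endpoint that resolves the view. The `configure(HttpSecurity)` method this class relies on is outside the hunk.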
+++ b/openid-connect-server-spring-boot-config/src/test/resources/application.yml @@ -65,14 +65,11 @@ openid: data.enabled: true token.enabled: true scope.enabled: true + stats.enabled: true oidc: dynamicclientregistration.enabled: true jwksetpublishing.enabled: true userinfo.enabled: true discovery.enabled: true - oauth2: - introspection.enabled: true - revocation.enabled: true - confirmation.enabled: true protectedresourceregistration.enabled: true - stats.enabled: true \ No newline at end of file + \ No newline at end of file diff --git a/openid-connect-server-spring-boot-test/src/test/java/org/mitre/springboot/openid/connect/web/ApiAuthorizationTestsBase.java b/openid-connect-server-spring-boot-test/src/test/java/org/mitre/springboot/openid/connect/web/ApiAuthorizationTestsBase.java index fdb00f3..c87a55f 100644 --- a/openid-connect-server-spring-boot-test/src/test/java/org/mitre/springboot/openid/connect/web/ApiAuthorizationTestsBase.java +++ b/openid-connect-server-spring-boot-test/src/test/java/org/mitre/springboot/openid/connect/web/ApiAuthorizationTestsBase.java @@ -6,6 +6,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post; import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put; +import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; @@ -39,7 +40,7 @@ protected void checkPostAccess(String uri, int status, String body) throws Excep .content(body) .session(mockSession) .locale(Locale.ENGLISH) - .with(csrf())) + ) .andExpect(status().is(status)) ; } 
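Review bot: Dropping `.with(csrf())` from checkPostAccess (and from checkPutAccess in the next hunk) means the suite now passes only if the chain serving these API URIs does not enforce CSRF, which the stateless per-endpoint resource-server configurations in this commit presumably provide; that assumption deserves a sentence in the test base, e.g. `// API endpoints are served by stateless bearer-token chains; no CSRF token is sent deliberately`, so a future CSRF failure here is read as a regression in the security configuration rather than as a missing test token. The newly imported `MockMvcResultHandlers.print` is not used in either visible hunk. Both helper methods start outside the hunks.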
@@ -55,7 +56,7 @@ protected void checkPutAccess(String uri, int status, String body) throws Except .content(body) .session(mockSession) .locale(Locale.ENGLISH) - .with(csrf())) + ) .andExpect(status().is(status)) ; } diff --git a/openid-connect-server-spring-boot-test/src/test/resources/application.yml b/openid-connect-server-spring-boot-test/src/test/resources/application.yml index 8e5223d..9593087 100644 --- a/openid-connect-server-spring-boot-test/src/test/resources/application.yml +++ b/openid-connect-server-spring-boot-test/src/test/resources/application.yml @@ -47,14 +47,11 @@ openid: data.enabled: true token.enabled: true scope.enabled: true + stats.enabled: true oidc: dynamicclientregistration.enabled: true jwksetpublishing.enabled: true userinfo.enabled: true discovery.enabled: true - oauth2: - introspection.enabled: true - revocation.enabled: true - confirmation.enabled: true protectedresourceregistration.enabled: true - stats.enabled: true \ No newline at end of file + \ No newline at end of file