Permalink
Switch branches/tags
Find file
Fetching contributors…
Cannot retrieve contributors at this time
executable file 617 lines (539 sloc) 34 KB
<?xml version="1.0" encoding="UTF-8" ?>
<!--
Cloud Foundry
Copyright (c) [2009-2014] Pivotal Software, Inc. All Rights Reserved.
This product is licensed to you under the Apache License, Version 2.0 (the "License").
You may not use this product except in compliance with the License.
This product includes a number of subcomponents with
separate copyright notices and license terms. Your use of these
subcomponents is subject to the terms and conditions of the
subcomponent's license, as noted in the LICENSE file.
-->
<beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/beans"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2" xmlns:util="http://www.springframework.org/schema/util"
xmlns:aop="http://www.springframework.org/schema/aop"
xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.1.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-4.0.xsd">
<!--<bean id="tokenEndpoint" class="org.springframework.security.oauth2.provider.endpoint.TokenEndpoint" autowire="byType">-->
<!--<property name="OAuth2RequestValidator">-->
<!--<bean class="org.cloudfoundry.identity.uaa.oauth.UaaOauth2RequestValidator"/>-->
<!--</property>-->
<!--<property name="clientDetailsService" ref="jdbcClientDetailsService"/>-->
<!--</bean>-->
<bean id="oauth2RequestValidator" class="org.cloudfoundry.identity.uaa.oauth.UaaOauth2RequestValidator">
<property name="clientDetailsService" ref="jdbcClientDetailsService"/>
</bean>
<bean id="tokenEndpointPostProcessor" class="org.cloudfoundry.identity.uaa.security.web.TokenEndpointPostProcessor"/>
<oauth:authorization-server
client-details-service-ref="jdbcClientDetailsService"
token-services-ref="tokenServices" user-approval-handler-ref="userManagedApprovalHandler"
authorization-request-manager-ref="authorizationRequestManager" request-validator-ref="oauth2RequestValidator">
<oauth:authorization-code authorization-code-services-ref="authorizationCodeServices" />
<oauth:implicit />
<oauth:refresh-token />
<oauth:client-credentials />
<oauth:password authentication-manager-ref="compositeAuthenticationManager" />
</oauth:authorization-server>
<bean id="userTokenGranter" class="org.cloudfoundry.identity.uaa.oauth.token.UserTokenGranter">
<constructor-arg name="tokenServices" ref="tokenServices"/>
<constructor-arg name="clientDetailsService" ref="jdbcClientDetailsService"/>
<constructor-arg name="requestFactory" ref="authorizationRequestManager"/>
<constructor-arg name="tokenStore" ref="revocableTokenProvisioning"/>
</bean>
<bean id="addUserTokenGranter"
class="org.cloudfoundry.identity.uaa.oauth.token.AddTokenGranter">
<constructor-arg name="userTokenGranter" ref="userTokenGranter"/>
<constructor-arg name="compositeTokenGranter" ref="oauth2TokenGranter"/>
</bean>
<bean id="tokenRevocationEndpoint" class="org.cloudfoundry.identity.uaa.oauth.TokenRevocationEndpoint">
<constructor-arg name="clientDetailsService" ref="jdbcClientDetailsService"/>
<constructor-arg name="userProvisioning" ref="scimUserProvisioning"/>
<constructor-arg name="tokenProvisioning" ref="revocableTokenProvisioning" />
</bean>
<http name="tokenRevocationFilter"
pattern="/oauth/token/revoke/**"
create-session="stateless"
authentication-manager-ref="emptyAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security" use-expressions="true">
<intercept-url pattern="/oauth/token/revoke/client/**" access="#oauth2.hasScope('uaa.admin') or @self.isClientTokenRevocationForSelf(request, 4)" />
<intercept-url pattern="/oauth/token/revoke/user/**" access="#oauth2.hasScope('uaa.admin') or (#oauth2.hasScope('tokens.revoke') and @self.isUserTokenRevocationForSelf(request, 4))" />
<intercept-url pattern="/oauth/token/revoke/**" access="#oauth2.hasScope('tokens.revoke') or @self.isTokenRevocationForSelf(request, 3)" method="DELETE"/>
<intercept-url pattern="/**" access="denyAll" />
<custom-filter ref="resourceAgnosticAuthenticationFilter" position="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
<csrf disabled="true"/>
</http>
<http name="tokenListFilter"
pattern="/oauth/token/list/**"
create-session="stateless"
authentication-manager-ref="emptyAuthenticationManager"
entry-point-ref="oauthAuthenticationEntryPoint"
xmlns="http://www.springframework.org/schema/security" use-expressions="true">
<intercept-url pattern="/oauth/token/list/user/**" access="#oauth2.hasScope('tokens.list')" method="GET"/>
<intercept-url pattern="/oauth/token/list/client/**" access="#oauth2.hasScope('tokens.list')" method="GET"/>
<intercept-url pattern="/**" access="denyAll" />
<custom-filter ref="resourceAgnosticAuthenticationFilter" position="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
<csrf disabled="true"/>
</http>
<!-- Owner password flow for external authentication (SAML) -->
<!-- Pattern: /oauth/token parameters:{grant_type=password,passcode= -->
<http name="tokenEndpointSecurityForPasscodes" request-matcher-ref="passcodeTokenMatcher" create-session="stateless" use-expressions="false"
entry-point-ref="basicAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security" authentication-manager-ref="emptyAuthenticationManager">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="clientParameterAuthenticationFilter" before="BASIC_AUTH_FILTER"/>
<custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER" />
<custom-filter ref="passcodeAuthenticationFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<bean id="passcodeAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.PasscodeAuthenticationFilter">
<constructor-arg ref="userDatabase" />
<constructor-arg ref="zoneAwareAuthzAuthenticationManager" />
<constructor-arg ref="authorizationRequestManager"/>
<constructor-arg ref="codeStore"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
<property name="parameterNames">
<list>
<value>username</value>
<value>password</value>
<value>passcode</value>
<value>credentials</value>
<value>origin</value>
<value>user_id</value>
</list>
</property>
</bean>
<bean id="passcodeTokenMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/token" />
<property name="accept">
<list>
<value>application/json</value>
<value>application/x-www-form-urlencoded</value>
</list>
</property>
<property name="parameters">
<map>
<entry key="grant_type" value="password" />
<entry key="passcode" value="" />
</map>
</property>
</bean>
<bean id="uaaTokenEndpoint" class="org.cloudfoundry.identity.uaa.oauth.token.UaaTokenEndpoint">
<property name="OAuth2RequestValidator" ref="oauth2RequestValidator"/>
<property name="tokenGranter" ref="oauth2TokenGranter"/> <!--this bean created by <oauth:authorization-server/> -->
<property name="clientDetailsService" ref="jdbcClientDetailsService"/>
<property name="OAuth2RequestFactory" ref="authorizationRequestManager"/>
<property name="allowQueryString" ref="allowQueryStringForTokens"/>
</bean>
<bean id="uaaAuthorizationEndpoint" class="org.cloudfoundry.identity.uaa.oauth.UaaAuthorizationEndpoint">
<property name="authorizationCodeServices" ref="authorizationCodeServices"/>
<property name="OAuth2RequestValidator" ref="oauth2RequestValidator"/>
<property name="userApprovalHandler" ref="userManagedApprovalHandler"/>
<property name="tokenGranter" ref="oauth2TokenGranter"/> <!--this bean created by <oauth:authorization-server/> -->
<property name="clientDetailsService" ref="jdbcClientDetailsService"/>
<property name="OAuth2RequestFactory" ref="authorizationRequestManager"/>
<property name="hybridTokenGranterForAuthCode" ref="hybridTokenGranterForAuthCodeGrant"/>
<property name="redirectResolver">
<bean class="org.cloudfoundry.identity.uaa.oauth.AntPathRedirectResolver"/>
</property>
</bean>
<bean id="hybridTokenGranterForAuthCodeGrant" class="org.cloudfoundry.identity.uaa.oauth.HybridTokenGranterForAuthorizationCode">
<constructor-arg index="0" ref="tokenServices"/>
<constructor-arg index="1" ref="jdbcClientDetailsService"/>
<constructor-arg index="2" ref="authorizationRequestManager"/>
</bean>
<bean id="oauthTokenApiRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/token" />
<property name="headers">
<map>
<entry key="Authorization" value="bearer " />
</map>
</property>
<property name="parameters">
<map>
<entry key="response_type" value="token" />
<entry key="client_id" value="" />
</map>
</property>
</bean>
<!-- Version of the /oauth/token endpoint for stateless clients
/oauth/token Authorization: Bearer <access_token> grant_type=user_token&client_id=<value>&response_type=token
-->
<http name="statelessTokenApiSecurity" request-matcher-ref="oauthTokenApiRequestMatcher" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
xmlns="http://www.springframework.org/schema/security" use-expressions="true">
<intercept-url pattern="/**" access="#oauth2.hasScope('uaa.user')" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="resourceAgnosticAuthenticationFilter" position="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
<anonymous enabled="false" />
<csrf disabled="true"/>
</http>
<!--/oauth/token with any match -->
<http name="tokenEndpointSecurity" create-session="stateless" authentication-manager-ref="clientAuthenticationManager" use-expressions="false"
pattern="/oauth/token/**" entry-point-ref="basicAuthenticationEntryPoint" xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<anonymous enabled="false" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="clientAuthenticationFilter" position="BASIC_AUTH_FILTER" />
<custom-filter ref="clientParameterAuthenticationFilter" before="BASIC_AUTH_FILTER" />
<custom-filter ref="tokenEndpointAuthenticationFilter" after="BASIC_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<!-- Version of the /authorize endpoint for stateless clients such as cf
/oauth/authorize response_type=token&source=credentials
-->
<http name="statelessAuthzEndpointSecurity" request-matcher-ref="oauthAuthorizeRequestMatcher" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="zoneAwareAuthzAuthenticationManager"
xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="authzAuthenticationFilter" position="FORM_LOGIN_FILTER" />
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<!-- Version of the /authorize endpoint for stateless clients such as cf
/oauth/authorize Authorization: Bearer <access_token> response_type=code&client_id=<value>&grant_type=authorization_code
-->
<http name="statelessAuthorizeApiSecurity" request-matcher-ref="oauthAuthorizeApiRequestMatcher" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
xmlns="http://www.springframework.org/schema/security" use-expressions="true">
<intercept-url pattern="/**" access="#oauth2.hasScope('uaa.user')" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="resourceAgnosticAuthenticationFilter" position="PRE_AUTH_FILTER" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<expression-handler ref="oauthWebExpressionHandler" />
<anonymous enabled="false" />
<csrf disabled="true"/>
</http>
<bean id="clientAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.ClientBasicAuthenticationFilter">
<constructor-arg ref="clientAuthenticationManager" />
<constructor-arg ref="basicAuthenticationEntryPoint" />
<property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
</bean>
<bean id="clientParameterAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.ClientParametersAuthenticationFilter">
<property name="clientAuthenticationManager" ref="clientAuthenticationManager"/>
<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint"/>
</bean>
<bean id="compositeAuthenticationManager" class="org.cloudfoundry.identity.uaa.authentication.manager.CompositeAuthenticationManager" />
<bean id="tokenEndpointAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter">
<constructor-arg ref="zoneAwareAuthzAuthenticationManager" />
<constructor-arg ref="authorizationRequestManager"/>
<constructor-arg ref="samlWebSSOProcessingFilter"/>
<property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
<property name="authenticationEntryPoint" ref="basicAuthenticationEntryPoint" />
</bean>
<authentication-manager id="clientAuthenticationManager" xmlns="http://www.springframework.org/schema/security">
<authentication-provider ref="clientAuthenticationProvider"/>
</authentication-manager>
<bean id="clientAuthenticationProvider" class="org.cloudfoundry.identity.uaa.authentication.ClientDetailsAuthenticationProvider">
<constructor-arg name="userDetailsService" ref="clientDetailsUserService"/>
<constructor-arg name="encoder" ref="cachingPasswordEncoder"/>
</bean>
<bean id="clientAuthenticationPublisher" class="org.cloudfoundry.identity.uaa.client.ClientAuthenticationPublisher"/>
<aop:config proxy-target-class="true">
<aop:aspect ref="clientAuthenticationPublisher">
<aop:after-returning method="clientAuthenticationSuccess"
pointcut="execution(* *..ProviderManager+.authenticate(..)) and bean(clientAuthenticationManager)" returning="authentication" />
<aop:after-throwing method="clientAuthenticationFailure"
pointcut="execution(* *..ProviderManager+.authenticate(..)) and args(authentication) and bean(clientAuthenticationManager)"
throwing="ex" />
</aop:aspect>
</aop:config>
<bean id="clientDetailsUserService" class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
<constructor-arg ref="jdbcClientDetailsService" />
<property name="passwordEncoder" ref="cachingPasswordEncoder" />
</bean>
<bean id="oauthAuthorizeRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/authorize" />
<property name="accept">
<list>
<value>application/json</value>
<value>application/x-www-form-urlencoded</value>
</list>
</property>
<property name="parameters">
<map>
<entry key="response_type" value="token" />
<entry key="source" value="credentials" />
</map>
</property>
</bean>
<bean id="oauthAuthorizeApiRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/authorize" />
<property name="headers">
<map>
<entry key="Authorization" value="bearer " />
</map>
</property>
<property name="parameters">
<map>
<entry key="response_type" value="code" />
<entry key="client_id" value="" />
</map>
</property>
</bean>
<bean id="authzAuthenticationFilter" class="org.cloudfoundry.identity.uaa.authentication.AuthzAuthenticationFilter">
<constructor-arg ref="zoneAwareAuthzAuthenticationManager" />
<property name="parameterNames">
<list>
<value>username</value>
<value>password</value>
<value>passcode</value>
<value>credentials</value>
</list>
</property>
</bean>
<bean id="promptOauthAuthorizeApiRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/authorize" />
<property name="parameters">
<map>
<entry key="prompt" value="none" />
</map>
</property>
</bean>
<bean id="promptOauthAuthorizeEntryPoint" class="org.cloudfoundry.identity.uaa.oauth.AuthorizePromptNoneEntryPoint">
<constructor-arg name="failureHandler">
<bean class="org.cloudfoundry.identity.uaa.login.UaaAuthenticationFailureHandler">
<constructor-arg name="delegate">
<null/>
</constructor-arg>
</bean>
</constructor-arg>
<constructor-arg name="clientDetailsService" ref="jdbcClientDetailsService"/>
<constructor-arg name="redirectResolver">
<bean class="org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver"/>
</constructor-arg>
</bean>
<http name="promptStatelessTokenApiSecurity"
disable-url-rewriting="true"
entry-point-ref="promptOauthAuthorizeEntryPoint"
use-expressions="false"
request-matcher-ref="promptOauthAuthorizeApiRequestMatcher"
create-session="never"
xmlns="http://www.springframework.org/schema/security">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<csrf disabled="true"/>
</http>
<bean id="xOauthAuthenticationManager" class="org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationManager">
<constructor-arg name="providerProvisioning" ref="xoauthProviderConfigurator"/>
<constructor-arg name="restTemplateFactory" ref="restTemplateFactory"/>
<property name="userDatabase" ref="userDatabase"/>
</bean>
<bean id="xOauthCallbackAuthenticationFilter" class="org.cloudfoundry.identity.uaa.provider.oauth.XOAuthAuthenticationFilter">
<constructor-arg name="xOAuthAuthenticationManager" ref="xOauthAuthenticationManager" />
<constructor-arg name="successHandler" ref="accountSavingAuthenticationSuccessHandler"/>
</bean>
<bean id="xOauthCallbackRequestMatcher" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/login/callback" />
</bean>
<http name="xOauthCallbackEndpointSecurity" request-matcher-ref="xOauthCallbackRequestMatcher" entry-point-ref="loginEntryPoint"
xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="**" access="IS_AUTHENTICATED_FULLY"/>
<custom-filter ref="xOauthCallbackAuthenticationFilter" position="FORM_LOGIN_FILTER" />
<anonymous enabled="false" />
<csrf disabled="true"/>
</http>
<!-- For backwards compatibility to the old way of posting credentials to /authorize endpoint
/oauth/authorize response_type=token&credentials={
-->
<http name="oldAuthzEndpointSecurity" request-matcher-ref="oauthAuthorizeRequestMatcherOld" create-session="stateless"
entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="zoneAwareAuthzAuthenticationManager"
xmlns="http://www.springframework.org/schema/security" use-expressions="false">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<custom-filter ref="backwardsCompatibleScopeParameter" position="FIRST"/>
<custom-filter ref="authzAuthenticationFilter" position="FORM_LOGIN_FILTER" />
<anonymous enabled="false" />
<access-denied-handler ref="oauthAccessDeniedHandler" />
<csrf disabled="true"/>
</http>
<bean id="oauthAuthorizeRequestMatcherOld" class="org.cloudfoundry.identity.uaa.security.web.UaaRequestMatcher">
<constructor-arg value="/oauth/authorize" />
<property name="accept">
<list>
<value>application/json</value>
<value>application/x-www-form-urlencoded</value>
</list>
</property>
<property name="parameters">
<map>
<entry key="response_type" value="token" />
<entry key="credentials" value="{" />
</map>
</property>
</bean>
<!-- End -->
<bean id="authorizationCodeServices" class="org.cloudfoundry.identity.uaa.oauth.UaaTokenStore">
<constructor-arg ref="dataSource" />
</bean>
<bean id="userApprovalHandler" class="org.cloudfoundry.identity.uaa.user.UaaUserApprovalHandler">
<!--<property name="tokenServices" ref="tokenServices" />-->
<!--TODO - set to true once we have persistent tokens -->
<property name="useTokenServices" value="false"/>
<property name="requestFactory" ref="authorizationRequestManager"/>
<property name="tokenServices" ref="tokenServices"/>
<property name="clientDetailsService" ref="jdbcClientDetailsService" />
</bean>
<bean id="userManagedApprovalHandler" class="org.cloudfoundry.identity.uaa.oauth.UserManagedAuthzApprovalHandler">
<property name="clientDetailsService" ref="clientDetailsService" />
<property name="approvalStore" ref="approvalStore" />
</bean>
<bean id="authorizationRequestManager" class="org.cloudfoundry.identity.uaa.oauth.UaaAuthorizationRequestManager">
<constructor-arg ref="jdbcClientDetailsService" />
<constructor-arg ref="userDatabase"/>
<constructor-arg ref="identityProviderProvisioning"/>
<property name="defaultScopes" ref="defaultUserAuthorities" />
</bean>
<bean id="uaaTokenPolicy" class="org.cloudfoundry.identity.uaa.zone.TokenPolicy">
<constructor-arg name="accessTokenValidity" value="${jwt.token.policy.accessTokenValiditySeconds:#{globalTokenPolicy.getAccessTokenValidity()}}" />
<constructor-arg name="refreshTokenValidity" value="${jwt.token.policy.refreshTokenValiditySeconds:#{globalTokenPolicy.getRefreshTokenValidity()}}" />
<constructor-arg name="signingKeysMap" ref="signingKeysMap" />
<property name="activeKeyId" value="${jwt.token.policy.activeKeyId:#{null}}" />
<property name="jwtRevocable" value="${jwt.token.revocable:false}" />
<property name="refreshTokenFormat" value="${jwt.token.refresh.format:#{T(org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.TokenFormat).JWT.getStringValue()}}" />
<property name="refreshTokenUnique" value="${jwt.token.refresh.unique:false}" />
</bean>
<bean id="legacyTokenKeyInitializer" class="org.springframework.beans.factory.config.MethodInvokingBean" lazy-init="false" depends-on="setUpBouncyCastle">
<property name="arguments">
<list>
<value type="java.lang.String">${jwt.token.signing-key:#{null}}</value>
</list>
</property>
<property name="staticMethod" value="org.cloudfoundry.identity.uaa.impl.config.LegacyTokenKey.setLegacySigningKey" />
</bean>
<bean id="signingKeysMap" class="java.util.HashMap">
<constructor-arg value="#{@config['jwt']==null ? T(java.util.Collections).EMPTY_MAP :
@config['jwt.token']==null ? T(java.util.Collections).EMPTY_MAP :
@config['jwt.token.policy']==null ? T(java.util.Collections).EMPTY_MAP :
@config['jwt.token.policy.keys']==null ? T(java.util.Collections).EMPTY_MAP : @config['jwt.token.policy.keys']}" />
</bean>
<bean id="globalTokenPolicy" class="org.cloudfoundry.identity.uaa.zone.TokenPolicy">
<property name="accessTokenValidity" value="${jwt.token.policy.global.accessTokenValiditySeconds:43200}" />
<property name="refreshTokenValidity" value="${jwt.token.policy.global.refreshTokenValiditySeconds:2592000}" />
</bean>
<bean id="revocableTokenProvisioning" class="org.cloudfoundry.identity.uaa.oauth.token.JdbcRevocableTokenProvisioning">
<constructor-arg name="jdbcTemplate" ref="jdbcTemplate"/>
</bean>
<bean id="tokenServices" class="org.cloudfoundry.identity.uaa.oauth.UaaTokenServices">
<property name="clientDetailsService" ref="jdbcClientDetailsService" />
<property name="userDatabase" ref="userDatabase" />
<property name="defaultUserAuthorities" ref="defaultUserAuthorities" />
<property name="issuer" value="${issuer.uri:http://localhost:8080/uaa}" />
<property name="approvalStore" ref="approvalStore" />
<property name="tokenPolicy" ref="globalTokenPolicy" />
<property name="excludedClaims" ref="excludedClaims"/>
<property name="tokenProvisioning" ref="revocableTokenProvisioning"/>
<property name="restrictRefreshGrant" value="${jwt.token.refresh.restrict_grant:false}"/>
</bean>
<bean id="excludedClaims" class="java.util.LinkedHashSet">
<constructor-arg type="java.util.Collection"
value="#{@config['jwt']==null ? T(java.util.Collections).EMPTY_SET :
@config['jwt.token']==null ? T(java.util.Collections).EMPTY_SET :
@config['jwt.token.claims']==null ? T(java.util.Collections).EMPTY_SET :
@config['jwt.token.claims.exclude']==null ? T(java.util.Collections).EMPTY_SET : @config['jwt.token.claims.exclude']}"/>
</bean>
<oauth:resource-server id="oauthWithoutResourceAuthenticationFilter" token-services-ref="tokenServices"
entry-point-ref="oauthAuthenticationEntryPoint" />
<bean id="tokenKeyEndpoint" class="org.cloudfoundry.identity.uaa.oauth.TokenKeyEndpoint" />
<bean id="accessController" class="org.cloudfoundry.identity.uaa.oauth.AccessController">
<property name="clientDetailsService" ref="jdbcClientDetailsService" />
<!-- Always use HTTPS if deployed on cloudfoundry -->
<property name="useSsl"
value="#{@applicationProperties['oauth.authorize.ssl']?:(T(java.lang.System).getenv('VCAP_APPLICATION')!=null ? true : null)}" />
<property name="approvalStore" ref="approvalStore" />
<property name="groupProvisioning" ref="scimGroupProvisioning" />
</bean>
<bean id="defaultUserAuthorities" class="org.springframework.beans.factory.config.SetFactoryBean">
<property name="sourceSet" value="#{@config['oauth']==null ? legacyDefaultUserAuthorities : @config['oauth']['user']==null ? legacyDefaultUserAuthorities: @config['oauth']['user']['authorities']}"/>
</bean>
<util:set id="legacyDefaultUserAuthorities" set-class="java.util.HashSet">
<value>openid</value>
<value>scim.me</value>
<value>cloud_controller.read</value>
<value>cloud_controller.write</value>
<value>password.write</value>
<value>scim.userids</value>
<value>uaa.user</value>
<value>approvals.me</value>
<value>oauth.approvals</value>
<value>cloud_controller_service_permissions.read</value>
</util:set>
<bean id="userDatabase" class="org.cloudfoundry.identity.uaa.user.JdbcUaaUserDatabase">
<constructor-arg name="jdbcTemplate" ref="jdbcTemplate" />
<constructor-arg name="timeService" ref="timeService" />
<property name="defaultAuthorities" ref="defaultUserAuthorities" />
<property name="caseInsensitive" ref="useCaseInsensitiveQueries"/>
</bean>
<bean id="userLockoutPolicy" class="org.cloudfoundry.identity.uaa.provider.LockoutPolicy">
<property name="lockoutAfterFailures"
value="${authentication.policy.lockoutAfterFailures:#{defaultUserLockoutPolicy.getLockoutAfterFailures()}}"/>
<property name="countFailuresWithin"
value="${authentication.policy.countFailuresWithinSeconds:#{defaultUserLockoutPolicy.getCountFailuresWithin()}}"/>
<property name="lockoutPeriodSeconds"
value="${authentication.policy.lockoutPeriodSeconds:#{defaultUserLockoutPolicy.getLockoutPeriodSeconds()}}"/>
</bean>
<bean id="defaultUserLockoutPolicy" class="org.cloudfoundry.identity.uaa.provider.LockoutPolicy">
<property name="lockoutAfterFailures"
value="${authentication.policy.global.lockoutAfterFailures:5}"/>
<property name="countFailuresWithin"
value="${authentication.policy.global.countFailuresWithinSeconds:1200}"/>
<property name="lockoutPeriodSeconds"
value="${authentication.policy.global.lockoutPeriodSeconds:300}"/>
</bean>
<bean id="defaultClientLockoutPolicy" class="org.cloudfoundry.identity.uaa.provider.LockoutPolicy">
<property name="lockoutAfterFailures"
value="${authentication.policy.global.lockoutAfterFailures:-1}"/>
<property name="countFailuresWithin"
value="${authentication.policy.global.countFailuresWithinSeconds:-1}"/>
<property name="lockoutPeriodSeconds"
value="${authentication.policy.global.lockoutPeriodSeconds:-1}"/>
</bean>
<bean id="globalUserLockoutPolicyRetriever" class="org.cloudfoundry.identity.uaa.authentication.manager.UserLockoutPolicyRetriever">
<constructor-arg ref="identityProviderProvisioning"/>
<property name="defaultLockoutPolicy" ref="defaultUserLockoutPolicy" />
</bean>
<bean id="globalPeriodLockoutPolicy" class="org.cloudfoundry.identity.uaa.authentication.manager.PeriodLockoutPolicy">
<constructor-arg ref="globalUserLoginPolicy" />
</bean>
<bean id="globalUserLoginPolicy" class="org.cloudfoundry.identity.uaa.authentication.manager.CommonLoginPolicy">
<constructor-arg index="0" ref="jdbcAuditService"/>
<constructor-arg index="1" ref="globalUserLockoutPolicyRetriever"/>
<constructor-arg index="2" value="UserAuthenticationSuccess"/>
<constructor-arg index="3" value="UserAuthenticationFailure"/>
<constructor-arg index="4" ref="timeService" />
<constructor-arg index="5" value="true"/>
</bean>
<bean id="uaaUserDatabaseAuthenticationManager"
class="org.cloudfoundry.identity.uaa.authentication.manager.AuthzAuthenticationManager">
<constructor-arg ref="userDatabase"/>
<constructor-arg ref="identityProviderProvisioning"/>
<property name="accountLoginPolicy" ref="globalPeriodLockoutPolicy"/>
<property name="origin" value="uaa"/>
<property name="allowUnverifiedUsers" value="${allowUnverifiedUsers:true}"/>
</bean>
<bean id="uaaAuthenticationMgr" class="org.cloudfoundry.identity.uaa.authentication.manager.CheckIdpEnabledAuthenticationManager">
<constructor-arg name="delegate" ref="uaaUserDatabaseAuthenticationManager"/>
<constructor-arg name="origin" value="uaa"/>
<constructor-arg name="identityProviderProvisioning" ref="identityProviderProvisioning"/>
</bean>
<bean id="zoneAwareAuthzAuthenticationManager" class="org.cloudfoundry.identity.uaa.authentication.manager.DynamicZoneAwareAuthenticationManager"
destroy-method="destroy">
<constructor-arg name="internalUaaAuthenticationManager" ref="uaaAuthenticationMgr"/>
<constructor-arg name="provisioning" ref="identityProviderProvisioning"/>
<constructor-arg name="scimGroupExternalMembershipManager" ref="externalGroupMembershipManager"/>
<constructor-arg name="scimGroupProvisioning" ref="scimGroupProvisioning"/>
<constructor-arg name="ldapLoginAuthenticationManager" ref="ldapLoginAuthenticationMgr"/>
</bean>
</beans>