
Server configuration

Justin Richer edited this page Aug 21, 2013 · 13 revisions

The MITREid Connect server can function as an OpenID Connect Identity Provider (IdP) and an OAuth 2.0 Authorization Server (AS) simultaneously. The server is a Spring application, and its configuration files live in openid-connect-server/src/main/webapp/WEB-INF/ with a .xml extension. The configuration is split across several .xml files to make overrides and custom configuration easier. Two of them, application-context.xml and spring-servlet.xml, wire the core of the server and should never be edited or overridden by a local configuration. Each of the remaining files covers one aspect that can be configured independently:

  • user-context.xml: Defines how user information is stored and accessed within the system, which users are mapped to administrators, and how the site's default access controls work.
  • server-config.xml: Defines the server's ConfigurationPropertiesBean, which holds the server's Issuer URL; all other URLs in the system are derived from it. This file also sets the display title and titlebar icon.
  • data-context.xml: Data connection information used by the JPA storage layer. The beans defined here include the database connection credentials and any other components the storage layer needs.
  • crypto-config.xml: Cryptographic configuration; defines the server's signing and validation service. This requires parameters such as the location of the server's private key file and the server's default signing key and algorithm.
  • task-config.xml: Defines scheduled tasks that run repeatedly with a fixed delay. In the master branch, two tasks are defined: clearing out expired tokens and clearing out expired ApprovedSite definitions.
  • local-config.xml: Any remaining bean definitions that don't fit the categories above but need to be added to the configuration. This file is loaded last.
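As an added example (not taken from the page or from the project's own files), here is a minimal server-config.xml that sets the issuer and the two display properties. The bean id config and the property names issuer, topbarTitle and logoImageUrl are assumed to match the ConfigurationPropertiesBean of the version in use; check the class's setters in your checkout before copying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Assumed bean id and property names; verify against ConfigurationPropertiesBean. -->
    <bean id="config" class="org.mitre.openid.connect.config.ConfigurationPropertiesBean">
        <!-- The issuer is the base for every URL the server advertises and for the
             iss claim in the ID tokens it signs. Use the exact public https URL that
             clients will see (the hostname is an example), keep the trailing slash
             the project's sample configuration uses, and do not change the value
             once clients have been registered against it. -->
        <property name="issuer" value="https://idp.example.com/openid-connect-server-webapp/" />

        <!-- Display-only settings: the title in the top bar and the logo beside it. -->
        <property name="topbarTitle" value="Example OpenID Connect Server" />
        <property name="logoImageUrl" value="resources/images/logo.png" />
    </bean>

</beans>
```

After deploying, fetch issuer + ".well-known/openid-configuration" and confirm every advertised endpoint starts with the issuer you configured; a mismatch here (wrong scheme, host or path) is what clients will reject when they validate the iss claim.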

user-context.xml

If you override this file, be sure to include the promptFilter in your configured filter stack so that the prompt=login, prompt=consent, and prompt=none parameters are handled. Also make sure your primary authentication filter references authenticationTimeStamper as its authenticationSuccessHandler; that handler records when the user authenticated, which the server needs in order to honor max_age and to fill in the auth_time claim. An example of a custom configuration (an X.509 client-certificate login filter as the primary authentication filter) follows:

    <!-- X.509 client-certificate login filter used as the primary authentication filter.
         It must hand off to authenticationTimeStamper on success so the server records
         the authentication time. -->
    <bean id="ssoFilter" class="org.mitre.openid.connect.mitreadaptor.filter.X509LoginUrlFilter">
        <property name="authenticationSuccessHandler" ref="authenticationTimeStamper" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="principalExtractor" ref="principalExtractor" />
    </bean>

    <security:http entry-point-ref="authenticationEntryPoint" use-expressions="true" disable-url-rewriting="true"
            authentication-manager-ref="authenticationManager" pattern="/**">
        <security:intercept-url pattern="/**" access="permitAll" />

        <!-- promptFilter is required: it implements prompt=login, prompt=consent and prompt=none. -->
        <security:custom-filter ref="promptFilter" after="SECURITY_CONTEXT_FILTER" />
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <security:custom-filter ref="ssoFilter" before="BASIC_AUTH_FILTER" />

        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:logout logout-url="/logout" />
        <security:anonymous />
    </security:http>
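For comparison, here is an added example (not from the page and not the project's shipped user-context.xml) of the more common form-login setup that satisfies the same two requirements: promptFilter is in the chain and authenticationTimeStamper is the success handler. The bean ids promptFilter, authenticationTimeStamper, resourceServerFilter, oauthWebExpressionHandler and authenticationManager are the ones referenced above; the /login and /authorize paths, the in-memory users and their roles are assumptions for this example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http disable-url-rewriting="true" use-expressions="true"
                   authentication-manager-ref="authenticationManager">

        <!-- Primary authentication filter: a login form. The success handler is the
             required authenticationTimeStamper so the authentication time is recorded. -->
        <security:form-login login-page="/login"
                             authentication-failure-url="/login?error=failure"
                             authentication-success-handler-ref="authenticationTimeStamper" />

        <!-- Only authenticated users may reach the authorization endpoint (assumed
             path /authorize); more specific patterns must come before the catch-all. -->
        <security:intercept-url pattern="/authorize" access="hasRole('ROLE_USER')" />
        <security:intercept-url pattern="/**" access="permitAll" />

        <!-- Required: handles prompt=login, prompt=consent and prompt=none. -->
        <security:custom-filter ref="promptFilter" after="SECURITY_CONTEXT_FILTER" />
        <!-- Lets bearer tokens authenticate calls to the protected API endpoints. -->
        <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />

        <security:expression-handler ref="oauthWebExpressionHandler" />
        <security:logout logout-url="/logout" />
        <security:anonymous />
    </security:http>

    <!-- In-memory users for a development install only (assumed names and roles).
         Replace with LDAP, a database-backed user service, or an external SSO filter
         such as the X.509 example above before exposing the server. -->
    <security:authentication-manager id="authenticationManager">
        <security:authentication-provider>
            <security:user-service id="userDetailsService">
                <security:user name="admin" password="change-me" authorities="ROLE_USER, ROLE_ADMIN" />
                <security:user name="user"  password="change-me" authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
```

Whichever variant you use, test the override by requesting the authorization endpoint once with prompt=none while logged out (expect a login_required error, not a login page) and once with prompt=login while logged in (expect to be re-prompted); if either behaves otherwise, promptFilter is missing from the chain or sits at the wrong position.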