source: TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/service.ini_tmpl @ 7847

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/paster_templates/securedapp/service.ini_tmpl@7847
Revision 7847, 5.5 KB checked in by pjkersha, 11 years ago (diff)

Incomplete - task 16: NDG Security 2.x.x - incl. updated Paster templates

  • fixes to the ndgsecurity_services template
#
# Description: NDG Security configuration to secure a given WSGI application.
#              Security filters placed in front of the application in the WSGI
#              pipeline act as clients to security services running on a
#              separate application stack - see
#              ndg.security.test.integration.full_system or the
#              ndgsecurity_services template.
#
#              The file uses PasteDeploy / Python configparser syntax:
#              %(name)s references are interpolated from the same section or
#              from [DEFAULT], and %%{...} placeholders are filled in when the
#              paster template is instantiated.  The instantiated file holds
#              cookie-signing secrets and the path to a private key, so it
#              must be readable only by the service account.
#
# NERC DataGrid
#
# Author: P J Kershaw
#
# Date: 01/07/09
#
# Copyright: STFC 2011
#
# Licence: BSD
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Values in [DEFAULT] are visible to every section below (configparser
# semantics), so settings that several filters must agree on live here.
[DEFAULT]
# WSGI environ key under which the Beaker session is exposed.  The session,
# authentication and authorisation filters all reference this one value.
beakerSessionKeyName = beaker.session.ndg.security

# Port this secured application listens on, and its externally visible base
# URI (used below as the logout return-to fallback).  Filled in from the
# template.
portNum = %%{portNumber}
baseURI = %%{baseURI}
# HTTP server hosting the secured pipeline.
[server:main]
use = egg:Paste#http
# NOTE(review): Paste#http speaks plain HTTP and 0.0.0.0 binds every interface,
# so the Beaker session cookie and the AuthKit auth cookie set below would
# cross the network unencrypted.  In production terminate TLS in front of this
# server and/or bind to a loopback or internal address behind the proxy.
host = 0.0.0.0
port = %(portNum)s
# Security filters are arranged in serial ahead of the application to be
# secured.  Order matters: the Beaker filter must run first so the session it
# creates is available to the authentication and authorisation filters, and
# authorisation must come after authentication so the PEP sees the session
# state the authentication filter has populated.
[pipeline:main]
pipeline = BeakerSessionFilter AuthenticationFilter AuthorisationFilter App
# This is the application to be secured.  In this case it's a test harness for
# checking the various aspects of the security filters' functionality.  Replace
# this with the required application for a production system - the test
# harness is not intended to be reachable from a production endpoint.
[app:App]
paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory
#
# This filter sets up a server side session linked to a cookie.  The session
# caches authentication and authorisation state information
[filter:BeakerSessionFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware

# Cookie name
beaker.session.key = ndg.security.session

# WSGI environ key name
environ_key = %(beakerSessionKeyName)s

# Secret protecting the session cookie.  Use a long random value, keep it out
# of version control and restrict read access to this file.
beaker.session.secret = %%{beakerSessionCookieSecret}

# Server-side session and cache stores.  They hold the cached authentication
# and authorisation state, so these directories must not be world-readable.
beaker.cache.data_dir = %(here)s/authn/beaker/cache
beaker.session.data_dir = %(here)s/authn/beaker/sessions

# NOTE(review): once the service is served over TLS, mark the session cookie
# Secure so browsers never send it over plain HTTP (and HttpOnly if the
# installed Beaker version supports that option):
#beaker.session.secure = true

#beaker.session.cookie_domain = .localhost
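#
# This filter redirects unauthenticated requests to a separate authentication
# service listening on another port - typically 443 so that it can host an
# SSL client authentication filter
[filter:AuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthenticationMiddleware
prefix = authN.

# Set redirect for OpenID Relying Party in the Security Services app instance.
# Credentials are presented to that service, so this should be an https URI.
authN.redirectURI = %%{authnRedirectURI}

# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or
# passed return to query argument.
# NOTE(review): a return-to taken from the Referer header or a query argument
# is attacker-influenced; confirm the middleware restricts it to this service
# before relying on it, otherwise logout becomes an open redirect.
authN.sessionHandler.defaultLogoutReturnToURI = %(baseURI)s

# AuthKit Set-up
authkit.setup.method = cookie

# This cookie name and secret MUST agree with the name used by the security web
# services app.  The secret protects the authentication cookie: if it leaks,
# valid login cookies can be minted without authenticating.  Use a long random
# value and restrict read access to this file.
authkit.cookie.name = ndg.security.auth
authkit.cookie.secret = %%{authkitCookieSecret}
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# NOTE(review): with this off a captured cookie is accepted from any address,
# which makes carrying it only over TLS all the more important.
authkit.cookie.includeip = False

# Optional cookie lifetime and domain scope; left at the AuthKit defaults here.
#authkit.cookie.params.expires = 2
#authkit.cookie.params.domain = .localhost

# environ key name for beaker session
authkit.session.middleware = %(beakerSessionKeyName)s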
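#
# Authorisation filter contains a Policy Enforcement Point which enforces access
# control decisions made by a separate Authorisation Service
[filter:AuthorisationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory

# Result handler handles the response for HTTP 403 responses set by the
# application or the PEP.
resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
resultHandler.staticContentDir = %(here)s/pep_result_handler
resultHandler.heading = %%{accessDeniedPageHeading}

# Settings for the PEP (Policy Enforcement Point)

# Session key: must be the same key the Beaker and authentication filters use,
# so it is taken from [DEFAULT] rather than repeated here where it could drift.
pep.sessionKey = %(beakerSessionKeyName)s
pep.authzServiceURI = %%{authzServiceURI}

# Cache authorisation decisions to cut calls to the authorisation service.
# NOTE(review): a cached permit presumably stays valid until it is evicted or
# the session ends, even if the policy or the user's attributes change in the
# meantime - confirm the cache lifetime before enabling this for sensitive
# resources.
pep.cacheDecisions = True

# Including this setting activates a simple PDP local to this PEP which filters
# requests to cut down on calls to the authorisation service.  This is useful
# for example to avoid calling the authorisation service for non-secure content
# such as HTML CSS or graphics.  Note that filters based on resource URI
# requested alone.  Subject, action and environment settings are not passed in
# the request context to the local PDP.
#
# The policy content should be set carefully to avoid unintended override of the
# authorisation service's policy: a rule here that permits a URI pattern is
# never checked against the remote service, so keep it to genuinely public
# content and protect the policy file from modification.
pep.localPolicyFilePath = %(here)s/request-filter.xml

# Settings for Policy Information Point used by the Policy Decision Point to
# retrieve subject attributes from the Attribute Authority associated with the
# resource to be accessed

# If omitted, DN of SSL Cert is used
pep.authzDecisionQuery.issuerName = %%{authzDecisionQueryIssuerName}
pep.authzDecisionQuery.issuerFormat = %%{authzDecisionQueryIssuerFormat}
pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid

# Clock skew tolerated when checking the authorisation service's responses
# (units presumably seconds).  0 means none, so this host and the
# authorisation service must keep their clocks synchronised (e.g. NTP) or
# otherwise valid responses may be rejected.
pep.authzDecisionQuery.clockSkewTolerance = 0.

# TLS material for the connection to the authorisation service: CA directory
# for verifying the service's certificate, plus this PEP's client certificate
# and private key.  The key file must be readable only by the service account.
pep.authzDecisionQuery.sslCACertDir = %(here)s/pki/ca
pep.authzDecisionQuery.sslCertFilePath = %(here)s/pki/localhost.crt
pep.authzDecisionQuery.sslPriKeyFilePath = %(here)s/pki/localhost.key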
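# Logging configuration (standard library logging.config.fileConfig format)
[loggers]
keys = root, ndg

[handlers]
keys = console, logfile

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# Logger for the NDG Security middleware.  It has no handlers of its own and
# propagates to root's console handler.  DEBUG output from the security
# filters may include request details and session state; drop this to INFO in
# production unless the log destination is itself access-controlled.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-7.7s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d-%H:%M:%S

# Rotating file handler: append mode, 50000 bytes per file, 2 backups.  It is
# listed in [handlers] but attached to no logger above, so fileConfig still
# creates it (the "log" directory under outputDir must exist or start-up
# fails) yet it receives no records.  Add it to a logger's "handlers" list to
# actually write the file.
[handler_logfile]
class = handlers.RotatingFileHandler
level = NOTSET
formatter = generic
args = (os.path.join('%%{outputDir}', 'log', 'service.log'), 'a', 50000, 2)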