source: TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini @ 7364

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini@7364
Revision 7364, 4.8 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • Started work making PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.
  • Property svn:keywords set to Id
#
# NDG Security AuthZ WSGI Testing environment configuration.  This ini file
# defines the configuration for an application to be secured.  Security
# filters placed in front of the application in the WSGI pipeline act as
# client to security services running on a separate application stack.  - See
# securityservices.ini
#
# NERC DataGrid
#
# Author: P J Kershaw
#
# Date: 01/07/09
#
# Copyright: STFC 2009
#
# Licence: BSD - See top-level LICENCE file for licence details
#
# The %(here)s variable will be replaced with the parent directory of this file
#
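[DEFAULT]
# Values in this section are visible to every section below through
# %(name)s interpolation, alongside %(here)s.
# Directory holding the shared test CA and PKI material referenced by the
# pep.authzDecisionQuery.ssl* settings in [filter:AuthorisationFilter]
testConfigDir = %(here)s/../../config
# WSGI environ key under which the Beaker session is stored.  The session and
# authentication filters both read this name so that they agree.
beakerSessionKeyName = beaker.session.ndg.security
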
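[server:main]
use = egg:Paste#http
# 0.0.0.0 listens on every network interface of the host, not only loopback.
# The security services this app calls are addressed as localhost:7443, so
# 127.0.0.1 is enough when no remote client needs to reach the test app.
host = 0.0.0.0
# TCP port the secured test application listens on
port = 7080
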
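[pipeline:main]
# WSGI middleware chain, outermost first: a request passes the session,
# authentication and authorisation filters in this order before it reaches
# the application.  The continuation lines must stay indented.
pipeline = BeakerSessionFilter
                   AuthenticationFilter
                   AuthorisationFilter
                   AuthZTestApp
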
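[app:AuthZTestApp]
# The test application being protected; it is the last entry of pipeline:main
paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory

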
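[filter:BeakerSessionFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware

# Cookie name
beaker.session.key = ndg.security.session

# WSGI environ key name (shared with the authentication filter via [DEFAULT])
environ_key = %(beakerSessionKeyName)s

# Secret Beaker uses to protect the session cookie.  This is a fixed test
# value committed with the test suite; any deployment outside this test
# environment needs its own secret, kept out of version control.
beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW
beaker.cache.data_dir = %(here)s/authn/beaker/cache
beaker.session.data_dir = %(here)s/authn/beaker/sessions

# Optional restriction of the session cookie to a domain; disabled here
#beaker.session.cookie_domain = .localhost
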
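[filter:AuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthenticationMiddleware
# Option prefix for the authentication middleware's own settings (authN.*)
prefix = authN.

# Set redirect for OpenID Relying Party in the Security Services app instance
authN.redirectURI = https://localhost:7443/verify

# Default URI to return to if middleware wasn't able to set via HTTP_REFERER or
# passed return to query argument
authN.sessionHandler.defaultLogoutReturnToURI = https://localhost:7443/

# AuthKit Set-up
authkit.setup.method = cookie

# This cookie name and secret MUST agree with the name used by the security web
# services app.  The secret is a fixed test value committed with the test
# suite; a deployment outside this test environment needs its own secret, kept
# out of version control and changed together with the services app.
authkit.cookie.name = ndg.security.auth
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Without the address in the signature a copied cookie is accepted from any
# client address, so re-enable this where no proxy sits in front of the app.
authkit.cookie.includeip = False

#authkit.cookie.params.expires = 2
#authkit.cookie.params.domain = .localhost

# environ key name for beaker session (shared with the session filter)
authkit.session.middleware = %(beakerSessionKeyName)s
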
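#
# Authorisation filter contains a Policy Enforcement Point which enforces access
# control decisions made by the Authorisation Service
[filter:AuthorisationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory

# Result handler handles the response for HTTP 403 responses set by the
# application or the PEP.
resultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
resultHandler.staticContentDir = %(here)s/pep_result_handler

# Settings for the PEP (Policy Enforcement Point)

# Session key must be the one the session and authentication filters use, so
# it is taken from [DEFAULT] rather than repeating the literal here
pep.sessionKey = %(beakerSessionKeyName)s
pep.authzServiceURI = https://localhost:7443/AuthorisationService
# Reuse decisions from the authorisation service so repeat requests skip the
# callout.  NOTE(review): a cached decision is reused without re-consulting the
# service, so a policy change may not apply to an existing session until the
# cache entry expires - confirm the cache lifetime before relying on this.
pep.cacheDecisions = True

# Including this setting activates a simple PDP local to this PEP which filters
# requests to cut down on calls to the authorisation service.  This is useful
# for example to avoid calling the authorisation service for non-secure content
# such as HTML CSS or graphics.  Note that filters based on resource URI
# requested alone.  Subject, action and environment settings are not passed in
# the request context to the local PDP.
#
# The policy content should be set carefully to avoid unintended override of the
# authorisation service's policy
pep.localPolicyFilePath = %(here)s/request-filter.xml

# Settings for Policy Information Point used by the Policy Decision Point to
# retrieve subject attributes from the Attribute Authority associated with the
# resource to be accessed
# NOTE(review): the pep.authzDecisionQuery.* keys below configure the query the
# PEP sends to the authorisation service at pep.authzServiceURI, which does not
# match the PIP description above - confirm which component reads them.

# If omitted, DN of SSL Cert is used
pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test
pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid
# Permitted clock difference when checking timestamps on the response
# (assumed seconds; 0. means none is tolerated - confirm against the PEP)
pep.authzDecisionQuery.clockSkewTolerance = 0.
# Trust anchors and client credentials for the SSL callout to the
# authorisation service; all taken from the shared test config directory
pep.authzDecisionQuery.sslCACertDir = %(testConfigDir)s/ca
pep.authzDecisionQuery.sslCertFilePath = %(testConfigDir)s/pki/test.crt
pep.authzDecisionQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/test.key
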
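# Logging configuration (Python logging.config.fileConfig layout)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
level = DEBUG
# No handler of its own: with propagate left at its default, records reach the
# root logger's console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# fileConfig evaluates args as a Python expression, so this file must only be
# writable by parties trusted to run code in the application
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# The %(...)s fields here are logging record attributes; fileConfig reads the
# format raw, so they are not config interpolation like %(here)s above
format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d-%H:%M:%S
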