Revision 7361, 23.3 KB checked in by pjkersha, 10 years ago (diff)

Incomplete - task 2: XACML-Security Integration

  • working caching with ndg.security.test.integration.full_system integration test. Caching works at the app, caching authz decisions but also at the PIP inside the authorisation service, caching Attribute Authority query results.
  • TODO: make PEP use two stage PDP, first lightweight PDP filters out CSS and graphics requests to avoid overhead of network call to the authorisation service, second stage is callout to authorisation service as already in place.
  • Property svn:keywords set to Id
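#
# NERC DataGrid Security
#
# Paste configuration for combined SAML Attribute Authority and Authorisation
# Services, OpenID Relying Party and Provider services and SSL client
# authentication filters.  This is for test purposes only.  A production system
# might deploy these on different hosts or separate WSGI scripts.
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$

# Values set here are visible to every section below via %(name)s interpolation.
[DEFAULT]
portNum = 7443
hostname = localhost
scheme = https
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s

# Shared test configuration tree: CA bundle, PKI key pairs and the user.db
# SQLite database referenced in the sections below
testConfigDir = %(here)s/../../config

# environ key under which the Beaker session is published.  Every filter that
# needs the session (AuthKit, SSL redirect, OpenID Provider) refers to this
# same name, so change it in one place only.
beakerSessionKeyName = beaker.session.ndg.security.services

# Global Attribute Authority Settings
attributeQueryInterfaceEnvironKeyName = ndg.security.server.attributeauthority.attributeQueryInterface

# ... and Authorisation Service
authzDecisionQueryInterfaceEnvironKeyName = ndg.security.server.wsgi.authz.service.authzDecisionQueryInterface

# SQLAlchemy URL of the test user database.  It backs the OpenID Provider login
# and Attribute Exchange interfaces and the Attribute Authority alike.
dbConnectionString = sqlite:///%(testConfigDir)s/user.db
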
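# Paste HTTP server.  No ssl_pem is set, so this process itself speaks plain
# HTTP; the https scheme in [DEFAULT] and the HTTP_* SSL keys in the SSL client
# authentication filter suggest TLS is terminated by a front-end proxy - confirm
# before relying on it.
[server:main]
use = egg:Paste#http
# 0.0.0.0 binds every interface; 127.0.0.1 is enough when only local test
# clients connect
host = 0.0.0.0
port = %(portNum)s

# Uncomment and replace OpenIDProviderApp with OpenIDProviderFilterApp in the
# pipeline below if the RelyingParty filter is removed.  The RelyingParty
# provides static content to both it and the Provider in this configuration.
# See the staticContentRootDir setting in the OpenIDRelyingPartyFilter section
#[filter-app:OpenIDProviderFilterApp]
#use = egg:Paste#httpexceptions
#next = cascade
#
## Composite for OpenID Provider to enable settings for picking up static
## content
#[composit:cascade]
#use = egg:Paste#cascade
#app1 = OpenIDProviderStaticContent
#catch = 404
#
#[app:OpenIDProviderStaticContent]
#use = egg:Paste#static
#document_root = %(here)s/openidprovider
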
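# Ordering of filters and app is critical: Paste wraps each name around the
# next, so a request passes through the filters in the order listed and the
# last entry, OpenIDProviderApp, is the application at the bottom of the stack.
# The Attribute Authority and Authorisation Service filters come first so that
# the environ keys they publish exist before the SAML SOAP binding filters look
# them up; the Beaker session filter should precede the AuthKit, SSL and OpenID
# filters that read the session.
[pipeline:main]
pipeline = AttributeAuthorityFilter
           AttributeAuthoritySamlSoapBindingFilter
           AuthorisationServiceFilter
           AuthorisationSamlSoapBindingFilter
           SessionMiddlewareFilter
           SSLCientAuthKitFilter
           SSLClientAuthenticationFilter
           SSLCientAuthnRedirectResponseFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp
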
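#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid
# Protects the session cookie.  This is a fixed test value checked into the
# repository; a real deployment needs its own randomly generated secret.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# Locations for cache data and saved sessions.  Session state is written to
# disk here, so the directories should not be world readable.
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True gives a browser-session cookie with no fixed expiry
beaker.session.cookie_expires = True

# The service URIs are https (see scheme in [DEFAULT]); Beaker's
# beaker.session.secure option would restrict this cookie to TLS connections.
#beaker.session.cookie_domain = .localhost

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s
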
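# AuthKit cookie authentication used by the SSL client certificate filter that
# follows it in the pipeline.
[filter:SSLCientAuthKitFilter]
paste.filter_app_factory = authkit.authenticate:middleware

# AuthKit Set-up
setup.method = cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app - here they are duplicated
# in the authkit.cookie.* settings of the OpenIDRelyingPartyFilter section
cookie.name = ndg.security.auth

# Fixed test secret checked into the repository; generate a fresh value for any
# real deployment and change both copies together
cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
cookie.includeip = False

#cookie.params.domain = .localhost
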
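# SSL Client Certificate based authentication is invoked if the client passed
# a certificate with the request.  This bypasses OpenID based authn.
[filter:SSLClientAuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.ssl:AuthKitSSLAuthnMiddleware
prefix = ssl.

# Apply verification against a list of trusted CAs.  To skip this step, comment
# out or remove this item.  e.g. set CA verification in the Apache config file.
# With it removed this filter no longer checks the certificate chain, so the
# front end must do so.
ssl.caCertFilePathList = %(testConfigDir)s/ca/d573507a.0
# Optional allow-list of accepted certificate subject DNs (space delimited)
#ssl.clientCertDNMatchList = /O=NDG/OU=BADC/CN=mytest /O=gabriel/OU=BADC/CN=test /O=NDG/OU=BADC/CN=test

# 'HTTP_' prefix is set when passed through a proxy.  The certificate arrives
# as a forwarded header under these environ keys, so this filter must only be
# reachable through the proxy that sets them.
ssl.sslKeyName = HTTP_HTTPS
ssl.sslClientCertKeyName = HTTP_SSL_CLIENT_CERT

# Set the URI pattern match here to interrupt a redirect to the OpenID Relying
# Party from the service running over HTTP and see if a client certificate has
# been set
ssl.rePathMatchList = ^/verify.*
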
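# OpenID Relying Party: sign-in page plus the AuthKit OpenID/cookie
# authentication middleware that the SSL filters also depend on.
[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.baseURL = %(authkit.openid.baseurl)s

# Uncomment to restrict sign in to a whitelist of trusted OpenID Providers.
# While it is commented out, sign in is not restricted by Provider.
#openid.relyingparty.idpWhitelistConfigFilePath = %(here)s/openidrelyingparty/ssl-idp-validator.xml

openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.genshi.GenshiSigninTemplate

# Nb. in this configuration, this directory provides static content for both
# this filter and the OpenID Provider app downstream in the WSGI stack.
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/public

openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.heading = OpenID Sign-in
#openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
#openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
#openid.relyingparty.signinInterface.leftLink = http://ndg.nerc.ac.uk/
#openid.relyingparty.signinInterface.leftImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif

# This setting will accept HTML mark-up which is rendered into the sign-in
# page, so keep it to trusted static text
openid.relyingparty.signinInterface.footerText = This site is for test purposes only.   <a class="FooterLink" href="http://openid.net/what/" target="_blank"><small>What is OpenID?</small></a>
openid.relyingparty.signinInterface.rightLink = http://ceda.ac.uk/
openid.relyingparty.signinInterface.rightImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/CEDA_RightButton60.png
openid.relyingparty.signinInterface.rightAlt = Centre for Environmental Data Archival
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app - see the cookie.* settings
# of the SSLCientAuthKitFilter section
authkit.cookie.name = ndg.security.auth

# Fixed test secret checked into the repository; replace for any real
# deployment, keeping both copies in step
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout
#authkit.cookie.params.domain = .localhost

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# Placeholder value, literally the string 'random string' - set a genuinely
# random secret for anything beyond this test
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

# Attribute Exchange - all are optional unless the relevant ax.required.<name>
# is set to True.  The alias defers to the parameter name given unless explicitly
# specified - see commented out entry for firstName below.  The number of
# attributes for each attribute name defaults to 1 unless otherwise set
#authkit.openid.ax.typeuri.firstName=http://openid.net/schema/namePerson/first
#authkit.openid.ax.alias.firstName=firstName
##authkit.openid.ax.count.firstName=1
#authkit.openid.ax.required.firstName=True
#authkit.openid.ax.typeuri.lastName=http://openid.net/schema/namePerson/last
#authkit.openid.ax.alias.lastName=lastName
#authkit.openid.ax.required.lastName=True
#authkit.openid.ax.typeuri.emailAddress=http://openid.net/schema/contact/internet/email
#authkit.openid.ax.alias.emailAddress=emailAddress
#authkit.openid.ax.required.emailAddress=True

# ESG Gateway requested parameters.  '=' is used throughout rather than ':' so
# that the first ':' of each URI value is never mistaken for the delimiter.
authkit.openid.ax.typeuri.uuid = http://openid.net/schema/person/guid
authkit.openid.ax.alias.uuid = uuid
authkit.openid.ax.typeuri.username = http://openid.net/schema/namePerson/friendly
authkit.openid.ax.alias.username = username
authkit.openid.ax.typeuri.firstname = http://openid.net/schema/namePerson/first
authkit.openid.ax.alias.firstname = firstname
authkit.openid.ax.required.firstname = True
authkit.openid.ax.typeuri.middlename = http://openid.net/schema/namePerson/middle
authkit.openid.ax.alias.middlename = middlename
authkit.openid.ax.typeuri.lastname = http://openid.net/schema/namePerson/last
authkit.openid.ax.required.lastname = True
authkit.openid.ax.alias.lastname = lastname
authkit.openid.ax.typeuri.email = http://openid.net/schema/contact/internet/email
authkit.openid.ax.required.email = True
authkit.openid.ax.alias.email = email
authkit.openid.ax.typeuri.gateway = http://www.earthsystemgrid.org/gateway
authkit.openid.ax.alias.gateway = gateway
authkit.openid.ax.typeuri.organization = http://openid.net/schema/company/name
authkit.openid.ax.alias.organization = organization
authkit.openid.ax.typeuri.city = http://openid.net/schema/contact/city/home
authkit.openid.ax.alias.city = city
authkit.openid.ax.typeuri.state = http://openid.net/schema/contact/state/home
authkit.openid.ax.alias.state = state
authkit.openid.ax.typeuri.country = http://openid.net/schema/contact/country/home
authkit.openid.ax.alias.country = country
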
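[filter:SSLCientAuthnRedirectResponseFilter]
# Redirect to original requested URI following SSL Client Authentication.  This
# filter must be placed AFTER the AuthKit cookie setting middleware.  In this
# case it is configured in the OpenIDRelyingPartyMiddleware filter.  If the
# OpenID Relying Party filter is removed, a separate AuthKit middleware entry
# would need to be made so that this redirect filter can still function
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthKitRedirectResponseMiddleware
prefix = ssl.
# Beaker session key - the same name published by SessionMiddlewareFilter
ssl.sessionKey = %(beakerSessionKeyName)s
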
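#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URI paths served by the Provider
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path may be set to a page with
# <link rel="openid.server" href="..."> and Yadis
# <meta http-equiv="x-xrds-location" content="..."> links if required but in
# this implementation it is set to return 404 not found - see
# ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
# class.  ${userIdentifier} is filled in by the Provider, not by ConfigParser.
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

# Beaker session published by SessionMiddlewareFilter
openid.provider.session_middleware = %(beakerSessionKeyName)s
openid.provider.base_url = %(baseURI)s

# Enable login to construct an identity URI if IDSelect mode was chosen and
# no identity URI was passed from the Relying Party.  This value should
# match openid.provider.path.id and/or openid.provider.path.yadis - see above
identityUriTemplate = %(baseURI)s%(openIDProviderIDBase)s/${userIdentifier}

# Debugging aid; keep False unless investigating the OpenID message flow
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.genshi.GenshiRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
#openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
#openid.provider.rendering.leftAlt = Natural Environment Research Council
#openid.provider.rendering.leftLink = http://ndg.nerc.ac.uk/
#openid.provider.rendering.leftImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png
openid.provider.rendering.footerText = This site is for test purposes only.
openid.provider.rendering.rightLink = http://ceda.ac.uk/
openid.provider.rendering.rightImage = %(openid.provider.rendering.baseURL)s/layout/CEDA_RightButton60.png
openid.provider.rendering.rightAlt = Centre for Environmental Data Archival

# Basic Authentication interface to demonstrate capabilities
#openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.sqlalchemy_authn.SQLAlchemyAuthnInterface
openid.provider.authN.connectionString = %(dbConnectionString)s
# ${username} and ${password} are template fields filled in by the
# authentication interface at login time.  Confirm that the interface binds
# them as SQL parameters rather than substituting them into the statement text.
openid.provider.authN.logonSqlQuery = select count(*) from users where username = '${username}' and md5password = '${password}'
openid.provider.authN.username2UserIdentifierSqlQuery = select openid_identifier from users where username = '${username}'
# user.db holds MD5 digests of the test passwords.  This is a test fixture, not
# a password storage scheme to carry into production.
openid.provider.authN.isMD5EncodedPwd = True

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority.
# These are test credentials only.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test

# Attribute Exchange interface
#openid.provider.axResponse.class = ndg.security.server.wsgi.openid.provider.axinterface.csv.CSVFileAXInterface
#openid.provider.axResponse.csvFilePath = %(here)s/openidprovider/attributeexchange.csv
openid.provider.axResponse.class = ndg.security.server.wsgi.openid.provider.axinterface.sqlalchemy_ax.SQLAlchemyAXInterface
openid.provider.axResponse.connectionString = %(dbConnectionString)s
# ${username} as for the authN queries above - same parameter binding caveat
openid.provider.axResponse.sqlQuery = select firstname, lastname, emailaddress from users where username = '${username}'
# One attribute type URI per line; continuation lines are indented
openid.provider.axResponse.attributeNames = http://openid.net/schema/namePerson/first
    http://openid.net/schema/namePerson/last
    http://openid.net/schema/contact/internet/email

# Comma delimited list of Relying Party URLs the Provider treats as trusted
openid.provider.trustedRelyingParties = https://localhost:7443, https://ndg.somewhere.ac.uk,
    https://badc.somewhere.ac.uk
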
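#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter publishes an Attribute Authority instance as a key in environ
# to enable other middleware to access it
paste.filter_app_factory = ndg.security.server.wsgi.attributeauthority:AttributeAuthorityMiddleware.filter_app_factory
prefix = attributeAuthority.

# Lifetime is measured in seconds (28800 = 8 hours)
attributeAuthority.assertionLifetime = 28800

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
#attributeAuthority.attributeInterface.modName = siteAUserRoles
#attributeAuthority.attributeInterface.className = TestUserRoles

# Key name for the SAML SOAP binding based interface to reference this
# service's attribute query method
attributeAuthority.environKeyNameAttributeQueryInterface = %(attributeQueryInterfaceEnvironKeyName)s

# SQLAlchemy Attribute Interface
attributeAuthority.attributeInterface.connectionString = %(dbConnectionString)s
attributeAuthority.attributeInterface.className = ndg.security.server.attributeauthority.SQLAlchemyAttributeInterface
# ${userId} is the SAML subject filled in by the interface for each query;
# confirm it is bound as a SQL parameter rather than substituted into the text.
attributeAuthority.attributeInterface.samlSubjectSqlQuery = select count(*) from users where openid = '${userId}'
# Each entry pairs a SAML attribute name with the query returning its values.
# The double quotes are part of the project's own pair syntax - ConfigParser
# keeps them in the value.  The suffix after samlAttribute2SqlQuery. appears
# only to need to be unique.
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.1 = "urn:esg:first:name" "select firstname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.lastName = "urn:esg:last:name" "select lastname from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.emailAddress = "urn:esg:email:address" "select emailaddress from users where openid = '${userId}'"
attributeAuthority.attributeInterface.samlAttribute2SqlQuery.4 = "urn:siteA:security:authz:1.0:attr" "select attributename from attributes where openid = '${userId}'"
# DNs of requestors accepted by this Attribute Authority, comma delimited;
# continuation lines are indented
attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
    /O=Site B/CN=Authorisation Service,
    /CN=test/O=NDG/OU=BADC
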
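# SAML SOAP Binding to the Attribute Authority
[filter:AttributeAuthoritySamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.soapbinding.

saml.soapbinding.deserialise = ndg.saml.xml.etree:AttributeQueryElementTree.fromXML

# Specialisation to incorporate ESG Group/Role type
saml.soapbinding.serialise = ndg.security.common.saml_utils.esg.xml.etree:EsgResponseElementTree.toXML

saml.soapbinding.mountPath = /AttributeAuthority
# Must match the environ key the AttributeAuthorityFilter publishes - both
# sides take it from [DEFAULT]
saml.soapbinding.queryInterfaceKeyName = %(attributeQueryInterfaceEnvironKeyName)s

# Clock skew for SAML Attribute Queries - allow clockSkew number of seconds
# tolerance for query issueInstant parameter.  Set here to 3 minutes.  Widening
# it also widens the window in which an old query is still accepted.
saml.soapbinding.clockSkewTolerance = 180.0

saml.soapbinding.issuerName = /O=Site A/CN=Attribute Authority
saml.soapbinding.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
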
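#______________________________________________________________________________
# SAML/SOAP query interface to the Authorisation Service
[filter:AuthorisationSamlSoapBindingFilter]
paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
prefix = saml.

# The URI path for this service
saml.mountPath = /AuthorisationService

# The key name in environ which the upstream authorisation service must assign
# to its authorisation query callback - see the AuthorisationServiceFilter
# settings below.  Both take the name from [DEFAULT].
saml.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# ElementTree based XML parsing and serialisation used for SAML messages
saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML

# Sets the identity of THIS authorisation service when filling in SAML
# responses.  Keep in step with authz.ctx_handler.issuerName/issuerFormat in
# the AuthorisationServiceFilter section.
saml.issuerName = /O=Site A/CN=Authorisation Service
saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
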
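#______________________________________________________________________________
# Authorisation Service WSGI settings
[filter:AuthorisationServiceFilter]
# This filter is a container for a binding to a SOAP/SAML based interface to the
# Authorisation Service.  It contains a XACML Context handler which manages
# requests from Policy Enforcement Points to the PDP and also enables the PDP
# to make attribute queries to the Policy Information Point
paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
prefix = authz.

# Expose this filter's authorisation decision query callback via this key name
# in environ
authz.queryInterfaceKeyName = %(authzDecisionQueryInterfaceEnvironKeyName)s

# Lifetime for authorisation assertions issued from this service, in seconds
# (86400 = 24 hours).  Note that authz.ctx_handler.assertionLifetime below
# carries the same value; confirm which of the two the middleware reads and
# drop the other.
authz.xacmlContext.assertionLifetime = 86400

#
# XACML Context handler manages PEP (Policy Enforcement Point) requests and the
# PDP's (Policy Decision Point's) interface to the PIP (Policy Information
# Point)

# XACML Policy file - this is the access control policy the PDP evaluates
authz.ctx_handler.policyFilePath = %(here)s/policy.xml

# Settings for SAML authorisation decision response to a Policy Enforcement Point
# making a decision query
authz.ctx_handler.issuerName = /O=Site A/CN=Authorisation Service
authz.ctx_handler.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
authz.ctx_handler.assertionLifetime = 86400

#
# Policy Information Point interface settings
#
# The Context handler is a client to the PIP, passing on attribute queries
# on behalf of the PDP onwards to the PIP

# The PIP can cache assertions retrieved from Attribute Authority calls to
# optimise performance.  Set this flag to True/False to enable/disable caching
# respectively.  If this setting is omitted it defaults to True
authz.ctx_handler.pip.cacheSessions = True

# Set the directory for cached information to be stored.  This option is
# ignored if 'cacheSessions' is set to False.  If this setting is omitted, then
# sessions will be cached in memory only.  If the service is stopped all cached
# information would be lost.  The cache holds subject attribute assertions, so
# the directory should be readable by the service account only.
authz.ctx_handler.pip.sessionCacheDataDir = %(here)s/pip-session-cache

#
# Attribute ID -> Attribute Authority mapping file.  The PIP, on receipt of a
# query from the XACML context handler, checks the attribute(s) being queried
# for and looks up this mapping to determine which attribute authority to query
# to find out if the subject has the attribute in their entitlement
authz.ctx_handler.pip.mappingFilePath = %(here)s/pip-mapping.txt

# The attribute ID of the subject value to extract from the XACML request
# context and pass in the SAML attribute query
authz.ctx_handler.pip.subjectAttributeId = urn:esg:openid

# Issuer identity for the PIP's SAML attribute queries - reuses the context
# handler's values above
authz.ctx_handler.pip.attributeQuery.issuerName = %(authz.ctx_handler.issuerName)s
authz.ctx_handler.pip.attributeQuery.issuerFormat = %(authz.ctx_handler.issuerFormat)s

# These settings configure SSL mutual authentication for the query to the SAML
# Attribute Authority: client certificate and key presented by the PIP, and the
# CA directory used to verify the Attribute Authority's server certificate
authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/ca
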
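# Logging configuration - consumed by logging.config.fileConfig rather than by
# Paste.  fileConfig reads 'format' and 'datefmt' raw, so the %(...)s fields in
# [formatter_generic] are logging format fields, not ConfigParser interpolation.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# ndg.* loggers at DEBUG, propagating to the root console handler.  Debug
# output from the security services may include request detail, so raise this
# level outside testing.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# fileConfig evaluates 'args' as a Python expression, so this file must only be
# writable by trusted users
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s.%(msecs)03d %(levelname)-5.5s [%(name)s:%(lineno)s] %(message)s
datefmt = %Y-%m-%d %H:%M:%S
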