source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl @ 4692

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl@4692
Revision 4692, 17.6 KB checked in by pjkersha, 11 years ago (diff)

Refactoring of SSO service to enable use of local AA and SM instances via keys to environ.

1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined security web services deployment:
5# * Session Manager
6# * Attribute Authority
7#
8# The %(here)s variable will be replaced with the parent directory of this file
9#
10# Author: P J Kershaw
11# date: 30/11/05
12# Copyright: (C) 2008 STFC & NERC
13# license: This software may be distributed under the terms of the Q Public
14# License, version 1.0 or later.
15# Contact: Philip.Kershaw@stfc.ac.uk
16# Revision: $$Id$$
17
[DEFAULT]
# NB, a configparser-style reader makes every key in [DEFAULT] visible as a
# fallback value inside every other section of this file.
#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
# (the placeholder is filled in when the template is rendered)
attributeAuthority.name: ${attributeAuthorityID}

# Lifetime is measured in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime: 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir - this is the
# audit trail of what this authority has asserted about whom
attributeAuthority.attCertDir: %(here)s/attributeauthority/attCertLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
# Presumably the separator between Distinguished Name components - confirm
# against the AttributeAuthority class
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(here)s/attributeauthority/mapConfig.xml

# Settings for custom AAUserRoles derived class to get user roles for given
# user ID
# NOTE(review): the default class is a test interface - a deployment generated
# from this template needs its own implementation here
attributeAuthority.userRolesModFilePath: %(here)s/attributeauthority
attributeAuthority.userRolesModName: attributeinterface
attributeAuthority.userRolesClassName: TestAttributeInterface

# Config for XML signature of Attribute Certificate
# Private key used to sign every certificate this authority issues - keep the
# key file readable by the service account only
attributeAuthority.signingPriKeyFilePath: %(here)s/attributeauthority/aa.key
attributeAuthority.signingCertFilePath: %(here)s/attributeauthority/aa.crt
# Test CA only - replace with the production CA certificate(s) on deployment
attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionMgr.SessionMgr class for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority
sessionManager.credentialWallet.mapFromTrustedHosts=True
sessionManager.credentialWallet.rtnExtAttCertList=True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time left before it expires (presumably seconds, as for
# attCertLifetime above)
# NOTE(review): this key lacks the sessionManager. prefix carried by the rest
# of the credentialWallet group - confirm it is read under this name, otherwise
# it is silently ignored and the class default applies
credentialWallet.attCertRefreshElapse=7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  Nb. the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt

# ... or provide file path to PEM encoded private key file (restrict file
# permissions to the service account)
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3

# Add a timestamp element to an outbound message
sessionManager.credentialWallet.wssecurity.addTimestamp: True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True

# Authentication service properties
# NOTE(review): the plugin module lives in the ndg.security.test package -
# confirm a deployment generated from this template is meant to ship with it
sessionManager.authNService.moduleFilePath:
sessionManager.authNService.moduleName: ndg.security.test.combinedservices.sessionmanager.userx509certauthn
sessionManager.authNService.className: UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin
# This sets up PKI credentials for a single test account
sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key
# Plaintext passphrase for the test account's private key - test deployments
# only; do not reuse this plugin or value for a real account
sessionManager.authNService.userPriKeyPwd: testpassword
139
[server:main]
# Paste's built-in HTTP server
use = egg:Paste#http
# 0.0.0.0 binds every network interface on this host - narrow it to a specific
# address if the services should not be reachable from outside
host = 0.0.0.0
port = 8000
144
[app:mainApp]
# Single Sign On application - the last entry of [pipeline:main]
paste.app_factory = ndg.security.server.sso.sso.config.middleware:make_app
cache_dir = %(here)s/data
beaker.session.key = sso
# Placeholder - replace with a long random value before deployment; this
# secret protects the integrity of the session cookie
beaker.session.secret = somesecret

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
#beaker.cache.data_dir = %(here)s/data/cache
#beaker.session.data_dir = %(here)s/data/sessions

# WARNING: *debug MUST BE false ON A PRODUCTION ENVIRONMENT*
# Debug mode will enable the interactive debugging tool, allowing ANYONE to
# execute malicious code after an exception is raised.
set debug = false

configfile = %(here)s/sso/sso.cfg

# AuthKit Set-up
authkit.setup.method=openid, cookie
# Placeholder - replace with a long random value before deployment
authkit.cookie.secret=secret encryption string
authkit.cookie.signoutpath = /logout
authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/data/openid
authkit.openid.session.key = authkit_openid
# Placeholder - replace with a long random value before deployment
authkit.openid.session.secret = random string

# Plain http on localhost is for local testing only - set the https URL the
# service is actually reachable at when deploying
authkit.openid.baseurl = http://localhost

# Template for signin
authkit.openid.template.obj = ndg.security.server.sso.sso.lib.openid_util:make_template

# Handler for parsing OpenID and creating a session from it
authkit.openid.urltouser = ndg.security.server.sso.sso.lib.openid_util:url2user
181
182# Chain of SOAP Middleware filters
[pipeline:main]
# Inbound requests pass through the filters in the order listed; the last
# entry must be the application.  Signature verification is listed first so
# it sees the request before any other filter does.
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
           SessionManagerFilter
           wsseSignatureFilter
           httpBasicAuthFilter
           SessionMiddlewareFilter
           OpenIDProviderFilter
           mainApp
192
193
194#______________________________________________________________________________
195# Attribute Authority WSGI settings
196#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# The class re-reads the rendered copy of this file for those settings
AttributeAuthority.propFilePath = %(here)s/services.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# Enable ?wsdl query argument to list the WSDL content
# NB, anyone who can reach the path can then retrieve the interface description
enableWSDLQuery = True
charset = utf-8
# __name__ expands to this section's name under PasteDeploy
filterID = %(__name__)s
228
229#______________________________________________________________________________
230# Session Manager WSGI settings
231#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix:
SessionManager.propPrefix = sessionManager
# The class re-reads the rendered copy of this file for those settings
SessionManager.propFilePath = %(here)s/services.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests)
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class needs to know about these other
# filters (continuation line - keep it indented)
referencedFilters = filter:wsseSignatureVerificationFilter
                                        filter:AttributeAuthorityFilter

# Path from URL for Session Manager in this Paste deployment
path = /SessionManager

# Enable ?wsdl query argument to list the WSDL content
# NB, anyone who can reach the path can then retrieve the interface description
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly
# (__name__ expands to this section's name under PasteDeploy)
filterID = %(__name__)s
271
272#______________________________________________________________________________
273# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
# Verifies the WS-Security signature on inbound SOAP requests before any of
# the service filters that reference it see the request
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# __name__ expands to this section's name under PasteDeploy
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
# This list is the trust anchor set for inbound signed requests; the test CA
# here must be replaced by the production CA certificate(s) on deployment
wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
283
284#______________________________________________________________________________
285# Apply WS-Security Signature
[filter:wsseSignatureFilter]
# Signs outbound SOAP responses with the server's WS-Security credentials
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(here)s/wssecurity/server.crt

# PEM encoded private key file - keep it readable by the service account only
wssecurity.signingPriKeyFilePath=%(here)s/wssecurity/server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True
323
324#______________________________________________________________________________
325# Apply HTTP Basic Authentication using AuthKit to enable a convenient no SOAP
326# based call to Session Manager connect method
[filter:httpBasicAuthFilter]
paste.filter_app_factory = authkit.authenticate:middleware
setup_method=basic
basic_realm=NDG Security Combined Services Tests
# Callable AuthKit invokes with the submitted username and password.
# NOTE(review): it points into the ndg.security.test package (as does the
# authNService module in [DEFAULT]) - confirm a deployment generated from
# this template is meant to depend on test code.  Basic auth carries the
# credentials in the clear, so serve this only over TLS.
basic_authenticate_function=ndg.security.test.combinedservices.serverapp:CombinedServicesWSGI.httpBasicAuthentication
332
333
334#______________________________________________________________________________
335# OpenID Provider WSGI Settings
[filter:OpenIDProviderFilter]
paste.filter_app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware
# URL paths served by the provider, relative to base_url below
openid.provider.path.openidserver=/openid/endpoint
openid.provider.path.login=/openid/login
openid.provider.path.loginsubmit=/openid/loginsubmit

# Comment out next two lines and uncomment the third to disable URL based
# discovery and allow only Yadis based instead
openid.provider.path.id=/openid/id
openid.provider.path.yadis=/openid/yadis
#openid.provider.path.yadis=/id/

openid.provider.path.serveryadis=/openid/serveryadis
openid.provider.path.allow=/openid/allow
openid.provider.path.decide=/openid/decide
openid.provider.path.mainpage=/openid/
# environ key of the Beaker session set up by SessionMiddlewareFilter
openid.provider.session_middleware=beaker.session
# Plain http on localhost is for local testing only - an OpenID identifier
# served over http can be intercepted; use the https URL on deployment and
# keep it in step with authkit.openid.baseurl in [app:mainApp]
openid.provider.base_url=http://localhost:8000
# Leave False outside development - trace output is likely to include
# request detail
openid.provider.trace=False
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png


#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities
# (demonstration credentials - leave commented out on a real deployment)
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.BasicAuthNInterface
#openid.provider.authN.userCreds=pjk:test
#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.
openid.provider.authN.sessionManagerURI=

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
#openid.provider.authN.environKey=filter:SessionManagerFilter

# Database connection to enable check between username and OpenID identifier
# Placeholder credentials - the real DB password should not live in this file
# (e.g. use a dedicated read-only DB role and inject the password at deploy
# time); the file must in any case be readable by the service account only
openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
# The username and userIdentifier placeholders are substituted into the query
# text by the authN interface.
# NOTE(review): confirm that the interface quotes/escapes the substituted
# values or binds them as query parameters - a raw text substitution here
# would let a crafted username alter the query
openid.provider.authN.logonSQLQuery: select username from openid where username = '$$username' and ident = '$$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$$username'

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds=pjk:test
404
405#______________________________________________________________________________
406# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
# Provides the beaker.session environ entry that the OpenID Provider filter
# names in openid.provider.session_middleware
paste.filter_app_factory=beaker.middleware:SessionMiddleware
409
410# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG output from the security services may include request content -
# review what is emitted before enabling this level in production
level = DEBUG
# No handler of its own: records propagate to the root console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# Evaluated as a Python expression by logging.config.fileConfig
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
438