source: TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl @ 4775

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.server/ndg/security/server/paster_templates/default_deployment/services.ini_tmpl@4775
Revision 4775, 16.1 KB checked in by pjkersha, 11 years ago (diff)
  • Moved StaticURLParser app for serving OpenID Provider static content from into a Paste ini file [composit:...] - for combined services unit tests and default and full paster templates
  • Added main_app factory class method to OpenIDProviderMiddleware to fit main_app function signature required for Paste ini file to run OpenID Provider as the main app rather than as a filter.
#
# NERC DataGrid Security
#
# Paste configuration for combined security web services deployment:
# * Session Manager
# * Attribute Authority
# * OpenID Provider
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 30/11/05
# Copyright: (C) 2008 STFC
# license: This software may be distributed under the terms of the Q Public
# License, version 1.0 or later.
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $$Id$$

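[DEFAULT]
# NB, [DEFAULT] is special to Python's ConfigParser (which PasteDeploy uses):
# every key set here is inherited by every section below.  That is relied on
# here - the filter sections re-read this file and pick their settings out by
# prefix (see the propPrefix / propFilePath keys further down).  Both ':' and
# '=' are used as delimiters in this section; ConfigParser accepts either.
#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: ${attributeAuthorityID}

# Lifetime is measured in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime: 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past.  A negative value makes newly issued certificates valid before their
# issue time, so keep it to the skew actually observed between hosts.
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir.  The log holds
# the issued certificates themselves - restrict the directory's filesystem
# permissions to the service account.
attributeAuthority.attCertDir: %(here)s/attributeauthority/attCertLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
# Separator placed between DN components - the value is a single '/'
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(here)s/attributeauthority/mapConfig.xml

# Settings for custom AAUserRoles derived class to get user roles for given
# user ID.
# NOTE(review): this module is presumably imported from userRolesModFilePath
# at runtime; keep that directory writable by the service account only.
attributeAuthority.userRolesModFilePath: %(here)s/attributeauthority
attributeAuthority.userRolesModName: attributeinterface
attributeAuthority.userRolesClassName: TestAttributeInterface

# Config for XML signature of Attribute Certificate.  aa.key is the Attribute
# Authority's signing private key - readable by the service account only.
attributeAuthority.signingPriKeyFilePath: %(here)s/attributeauthority/aa.key
attributeAuthority.signingCertFilePath: %(here)s/attributeauthority/aa.crt
# Trust anchor(s) for signature checks; ndg-test-ca is a test CA and should be
# replaced for any non-test deployment
attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Session Manager specific settings - commented out settings will take their
# default settings.  To override the defaults uncomment and set as required.
# See ndg.security.server.sessionmanager module for details

# Credential Wallet Settings - global to all user sessions
#
# CA certificates for Attribute Certificate signature validation
sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt

# CA certificates for SSL connection peer cert. validation - required if
# connecting to an Attribute Authority over SSL
sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt

# Allow Get Attribute Certificate calls to try to get a mapped certificate
# from another organisation trusted by the target Attribute Authority.
# Both settings widen the set of certificates a wallet will obtain and return;
# set them to False if certificates mapped from other organisations are not
# wanted.
sessionManager.credentialWallet.mapFromTrustedHosts=True
sessionManager.credentialWallet.rtnExtAttCertList=True

# Refresh an Attribute Certificate, if an existing one in the wallet has only
# this length of time left before it expires (seconds; 7200 = 2 hours)
# NOTE(review): unlike the neighbouring keys this one has no 'sessionManager.'
# prefix - confirm it is actually picked up via SessionManager.propPrefix.
credentialWallet.attCertRefreshElapse=7200

# Pointer to WS-Security settings.  These WS-Security settings are for use
# by user credential wallets held in user sessions hosted by the Session
# Manager.  They enable individual wallets to query Attribute Authorities for
# user Attribute Certificates.  Nb. the difference between these settings and
# the WS-Security section for handling requests to the Session Manager.
#
# Settings are identified by a prefix.
sessionManager.credentialWallet.wssCfgPrefix=sessionManager.credentialWallet.wssecurity

# ...A section name could also be used.
#sessionManager.credentialWallet.wssCfgSection=

# SOAP Signature Handler settings for the Credential Wallet's Attribute
# Authority interface
#
# CA Certificates used to verify X.509 certs used in Attribute Certificates.
# The CA certificates of other NDG trusted sites should go here.  NB, multiple
# values should be delimited by a space
sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt

# Signature of an outbound message
#
# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.
# As an alternative, use signingCertChain - see below...

# PEM encoded cert
sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt

# ... or provide file path to PEM encoded private key file (service account
# read access only)
sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
sessionManager.credentialWallet.wssecurity.reqBinSecTokValType: X509v3

# Add a timestamp element to an outbound message.  The signed timestamp is
# what lets the receiving service reject stale messages - keep it enabled.
sessionManager.credentialWallet.wssecurity.addTimestamp: True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
sessionManager.credentialWallet.wssecurity.applySignatureConfirmation: True

# Authentication service properties.  moduleFilePath is deliberately blank
# here; moduleName points at a module from the ndg.security.test package.
sessionManager.authNService.moduleFilePath:
sessionManager.authNService.moduleName: ndg.security.test.config.sessionmanager.userx509certauthn
sessionManager.authNService.className: UserX509CertAuthN

# Specific settings for UserCertAuthN Session Manager authentication plugin
# This sets up PKI credentials for a single test account.
# NOTE(review): userPriKeyPwd is the passphrase of user.key stored in
# plaintext; 'testpassword' is a test value only.  Change it for any real
# deployment and keep this file readable by the service account alone.
sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt
sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key
sessionManager.authNService.userPriKeyPwd: testpassword
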
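[server:main]
use = egg:Paste#http
# 0.0.0.0 binds every interface on the host.  This server speaks plain HTTP,
# so the OpenID login form and the SOAP endpoints below are exposed in clear
# on all addresses - bind to 127.0.0.1 behind a TLS-terminating proxy, or to
# the one interface that should be reachable.
host = 0.0.0.0
port = 8000
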
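[filter-app:mainApp]
# Converts HTTPException errors raised further down the stack into HTTP
# responses; 'next' names the app this filter wraps.
use = egg:Paste#httpexceptions
next = cascade
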
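# Put OpenID Provider and Static URL parser together in a cascade
[composit:cascade]
use = egg:Paste#cascade
# app1 is tried first and a 404 from it falls through to app2, so any file
# placed under the static document_root shadows the provider's URL space.
app1 = StaticOpenIDProviderContent
app2 = OpenIDProviderApp
catch = 404
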
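[app:StaticOpenIDProviderContent]
# Static URL Parser to serve OpenID Provider static page content such as CSS
# and graphics
use = egg:Paste#static
# Everything beneath document_root is served to anyone who can reach the
# server; keep keys, this config and the other deployment directories out of
# it.
document_root = %(here)s/openidprovider
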
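[app:OpenIDProviderApp]
# OpenID Provider set as the main application
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.main_app
openid.provider.path.openidserver=/openid/endpoint
openid.provider.path.login=/openid/login
openid.provider.path.loginsubmit=/openid/loginsubmit

# Comment out next two lines and uncomment the third to disable URL based
# discovery and allow only Yadis based instead
openid.provider.path.id=/openid/id
openid.provider.path.yadis=/openid/yadis
#openid.provider.path.yadis=/id/

openid.provider.path.serveryadis=/openid/serveryadis
openid.provider.path.allow=/openid/allow
openid.provider.path.decide=/openid/decide
openid.provider.path.mainpage=/openid/
openid.provider.session_middleware=beaker.session
# Externally visible base URL - must match the scheme and host relying parties
# see, and is also the base for the layout image URLs below.  With a plain
# http URL the login form (username and password) is submitted in clear; use
# https for anything other than a local test.
openid.provider.base_url=http://localhost:8000
# NOTE(review): presumably a debug tracing switch - keep False outside
# development
openid.provider.trace=False
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout.  The %(...)s references are ConfigParser interpolation of other keys
# in this section, resolved when the file is read.
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://ceda.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png


#openid.provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
#openid.provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler

# Basic Authentication interface to demonstrate capabilities.  The demo
# credential below (pjk:test) is for illustration only - leave it commented
# out, or replace it before enabling this interface.
#openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.BasicAuthNInterface
#openid.provider.authN.userCreds=pjk:test
#openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw

# Link Authentication to a Session Manager instance running in the same WSGI
# stack or on a remote service
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.sessionmanager.SessionManagerOpenIDAuthNInterface

# Omit or leave as blank if the Session Manager is accessible locally in the
# same WSGI stack.
openid.provider.authN.sessionManagerURI=

# environ dictionary key to Session Manager WSGI instance held locally.  The
# setting below is the default and can be omitted if it matches the filterID
# set for the Session Manager
#openid.provider.authN.environKey=filter:SessionManagerFilter

# Database connection to enable check between username and OpenID identifier.
# NOTE(review): the connection string embeds the database password in
# plaintext and connects as the 'postgres' role (the default superuser);
# 'testpassword' is a test value.  Use a dedicated role with read access to
# the openid table only, and keep this file readable by the service account
# alone.
openid.provider.authN.connectionString: postgres://postgres:testpassword@localhost/testUserDb
# '$$' is the paster template escape for a literal '$', so the generated
# services.ini contains '$username' and '$userIdentifier' placeholders.
# NOTE(review): the placeholders sit inside quoted SQL string literals, which
# suggests they are filled by text substitution.  'username' originates from
# the login form, so confirm SessionManagerOpenIDAuthNInterface binds these
# values as DB-API query parameters rather than interpolating them into the
# query text.
openid.provider.authN.logonSQLQuery: select username from openid where username = '$$username' and ident = '$$userIdentifier'
openid.provider.authN.userIdentifiersSQLQuery: select distinct ident from openid where username = '$$username'

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs (test credential, leave commented out)
#openid.provider.usercreds=pjk:test
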
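#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
# NOTE(review): no Beaker session options (signing secret, cookie name,
# secure/httponly cookie flags, backend) are set in this section, so Beaker's
# defaults apply to the OpenID login session cookie.  Set them explicitly for
# any deployment reachable over the network.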
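# Chain of SOAP Middleware filters.  Requests pass through the filters in the
# order listed, so signature verification runs before the Attribute Authority
# and Session Manager filters see the request, and wsseSignatureFilter signs
# the response on the way back out.  Continuation lines must stay indented
# for ConfigParser to treat them as part of the 'pipeline' value.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           SessionManagerFilter
           wsseSignatureFilter
           SessionMiddlewareFilter
           mainApp

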
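#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# Re-reads the generated services.ini (the rendered form of this template) to
# collect the attributeAuthority.* keys
AttributeAuthority.propFilePath = %(here)s/services.ini
# NOTE(review): presumably used to check that a request was signature-verified
# - the named filter must precede this one in [pipeline:main]
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# Enable ?wsdl query argument to list the WSDL content.  This publishes the
# service interface description to anyone who can reach the endpoint; set to
# False if that is not wanted.
enableWSDLQuery = True
charset = utf-8
# ConfigParser expands %(__name__)s to this section's name, i.e.
# filter:AttributeAuthorityFilter - the value other sections use to refer to
# this filter
filterID = %(__name__)s
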
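#______________________________________________________________________________
# Session Manager WSGI settings
#
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix:
SessionManager.propPrefix = sessionManager
# Re-reads the generated services.ini (the rendered form of this template) to
# collect the sessionManager.* keys
SessionManager.propFilePath = %(here)s/services.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests).  Both must precede this filter in
# [pipeline:main].
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class needs to know about these other
# filters (continuation line must stay indented for ConfigParser)
referencedFilters = filter:wsseSignatureVerificationFilter
                    filter:AttributeAuthorityFilter

# Path from URL for Session Manager in this Paste deployment
path = /SessionManager

# Enable ?wsdl query argument to list the WSDL content.  This publishes the
# service interface description to anyone who can reach the endpoint; set to
# False if that is not wanted.
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly.  ConfigParser
# expands %(__name__)s to this section's name, i.e. filter:SessionManagerFilter
filterID = %(__name__)s
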
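#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# ConfigParser expands %(__name__)s to this section's name; the Attribute
# Authority and Session Manager filters refer to this filter by that value
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths.
# This list is the trust anchor for every signed SOAP request the services in
# this deployment accept: ndg-test-ca is a test CA and must be replaced by the
# CAs of the peers actually trusted in a real deployment.
wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt
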
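#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
# NB, these live under pki/ whereas the Session Manager and Attribute
# Authority credentials above live under their own directories.
wssecurity.signingCertFilePath=%(here)s/pki/wsse-server.crt

# PEM encoded private key file - this key signs every SOAP response from the
# deployment; readable by the service account only
wssecurity.signingPriKeyFilePath=%(here)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message (lets the peer reject stale
# messages - keep enabled)
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True

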
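# Logging configuration (Python logging.config.fileConfig sections)
[loggers]
keys = root, ndg
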
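[handlers]
# Only a console (stderr) handler is configured - see [handler_console]
keys = console
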
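[formatters]
keys = generic
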
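[logger_root]
level = INFO
handlers = console
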
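[logger_ndg]
# DEBUG for the whole ndg package.  In a security service debug output may
# include request and credential detail, so raise this to INFO for any
# deployment whose logs are not tightly controlled.
level = DEBUG
# No handler of its own - records propagate to the root console handler
handlers =
qualname = ndg
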
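[handler_console]
class = StreamHandler
# Evaluated by logging.config.fileConfig as the handler's constructor args
args = (sys.stderr,)
level = NOTSET
formatter = generic
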
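[formatter_generic]
# The %(...)s tokens here are logging LogRecord fields read by
# logging.config, not ConfigParser interpolation keys - do not add
# ConfigParser-style references to this section
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
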