source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securedapp.ini @ 5555

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securedapp.ini@5555
Revision 5555, 3.6 KB checked in by pjkersha, 10 years ago (diff)

OpenID Relying Party flexible configuration

Fixed security WSGI configuration so that the OpenID Relying Party can run in the same middleware as the application it protects or independently in the security services middleware stack. There are two applications involved in applying security:

  1. the app to be secured
  2. app running security services


  1. is configured with middleware to intercept requests and apply the security policy. 2. runs services such as the Attribute Authority and OpenID Provider used by 1. The OpenID Relying Party can now be incorporated in either. Where an application runs in a different domain from the security services stack it is easier to deploy the Relying Party with the app in 1., since otherwise cookies set by the RP will not be in scope for the secured app. 2. is useful where the app is in the same domain as the security services stack and there is a need to run the RP over SSL.

Configurations can be set at deployment from Paste ini file pipeline settings.

#
# NDG Security AuthZ WSGI Testing environment configuration.  This ini file
# defines the configuration for an application to be secured.  Security
# filters placed in front of the application in the WSGI pipeline act as
# client to security services running on a separate application stack.  - See
# securityservices.ini
#
# NERC DataGrid
#
# Author: P J Kershaw
#
# Date: 01/07/09
#
# Copyright: STFC 2009
#
# Licence: BSD - See top-level LICENCE file for licence details
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Values defined in [DEFAULT] are visible to every section below through
# %(name)s interpolation, so shared settings live here to avoid drift.
[DEFAULT]
# Root of the shared test configuration tree; the CA certificates and PKI
# material referenced by the AuthorizationFilter section are resolved from it.
testConfigDir = %(here)s/../../config
# Single definition of the WSGI environ key under which Beaker exposes the
# session.  Both BeakerSessionFilter (environ_key) and AuthenticationFilter
# (authkit.session.middleware) read this value, so they cannot disagree.
beakerSessionKeyName = beaker.session.ndg.security

[server:main]
# Paste's built-in HTTP server.  No TLS options are set in this section, so
# the secured app itself is served over plain HTTP in this test setup.
use = egg:Paste#http
# 0.0.0.0 listens on every network interface, not only loopback.  Fine for a
# test harness; restrict to a specific address for anything else.
host = 0.0.0.0
port = 7080

[pipeline:main]
# Order is significant.  The session filter runs first so that the
# AuthenticationFilter can find the Beaker session under the environ key it
# references (authkit.session.middleware); authorization is evaluated only
# after authentication; AuthZTestApp, the protected application, is last.
pipeline = BeakerSessionFilter
                   AuthenticationFilter
                   AuthorizationFilter
                   AuthZTestApp

[app:AuthZTestApp]
# The application being protected.  It sits at the end of the pipeline, so
# every request it receives has already passed the authentication and
# authorization filters configured below.
paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory


[filter:BeakerSessionFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware

# Cookie name
beaker.session.key = ndg.security.session

# WSGI environ key name
# Taken from [DEFAULT] so it stays identical to authkit.session.middleware in
# the AuthenticationFilter section.
environ_key = %(beakerSessionKeyName)s
# Secret Beaker uses to protect the session cookie.  This literal is a
# test-fixture value checked into version control: anyone who has read this
# file can mint valid-looking session cookies, so generate a fresh,
# unpublished value per deployment instead of reusing this one.
beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW
# Session and cache state are written beneath this file's directory; the
# server process needs write access and the contents should not be
# world-readable since they hold live session data.
beaker.cache.data_dir = %(here)s/authn/beaker/cache
beaker.session.data_dir = %(here)s/authn/beaker/sessions
# NOTE(review): no cookie secure/httponly flags are set in this section -
# acceptable for a local plain-HTTP test run, review before deploying elsewhere.


[filter:AuthenticationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:AuthenticationMiddleware
# Presumably only keys carrying this prefix are handed to the middleware;
# hence authN.redirectURI below.
prefix = authN.

# Set redirect for OpenID Relying Party in the Security Services app instance
# NOTE(review): the scheme is plain http although the target is the security
# services stack on port 7443.  Confirm whether that endpoint is served over
# SSL and use https here if so; otherwise the OpenID exchange with the RP is
# unprotected in transit.
authN.redirectURI = http://localhost:7443/verify

# AuthKit Set-up
authkit.setup.method=cookie

# This cookie name and secret MUST agree with the name used by the security web
# services app
# Because the secret is shared between two deployments, exposure of either
# configuration file compromises the auth cookie for both.  The value here is
# a test fixture committed to version control - regenerate it per deployment.
authkit.cookie.name=ndg.security.auth
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
# Trade-off: with this disabled the cookie is not bound to the client address,
# so a captured cookie remains usable from any host until it expires.
authkit.cookie.includeip = False

# environ key name for beaker session
# Must match environ_key in the BeakerSessionFilter section; both come from
# beakerSessionKeyName in [DEFAULT].
authkit.session.middleware = %(beakerSessionKeyName)s

[filter:AuthorizationFilter]
paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory
prefix = authz.
# Access control policy evaluated by the Policy Decision Point.  It is loaded
# from the directory of this file; protect it from modification by anyone who
# should not be able to change who may reach the application.
policy.filePath = %(here)s/policy.xml

# Settings for Policy Information Point used by the Policy Decision Point to
# retrieve subject attributes from the Attribute Authority associated with the
# resource to be accessed
# NOTE(review): this CA list is empty here.  Confirm how the PIP treats an
# empty value (no peer certificate verification vs. a default trust store)
# before reusing this file outside the test environment - the Attribute
# Authority connection is what the access decision depends on.
pip.sslCACertFilePathList=

# List of CA certificates used to verify the signatures of
# Attribute Certificates retrieved
# Only the test CA is trusted; a production deployment should list the CA(s)
# that actually issue Attribute Authority certificates.
pip.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#
# WS-Security Settings for call to Attribute Authority to retrieve user
# attributes

# Signature of an outbound message

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header. 
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 
# As an alternative, use signingCertChain - see below...

# PEM encode cert
pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
# Test PKI material from the shared config tree.  Whatever key is used for a
# real deployment must be readable only by the server process.
pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Password protecting private key.  Leave blank if there is no password.
# Blank here, i.e. the test key is stored unencrypted; filesystem permissions
# on the key file are then the only protection.
pip.wssecurity.signingPriKeyPwd=

# For signature verification.  Provide a space separated list of file paths
# Same test CA as pip.caCertFilePathList above; keep the two in step when
# changing the trust anchors.
pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

# ValueType for the BinarySecurityToken added to the WSSE header
pip.wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message
# Keep enabled: the timestamp is what lets the receiving service reject
# replayed signed messages, assuming it enforces a freshness window.
pip.wssecurity.addTimestamp=True