source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securityservices.ini @ 5448

Revision 5448, 16.9 KB checked in by pjkersha, 11 years ago (diff)

ndg.security.test.integration.authz_lite integration test: revised securityservices.ini stripping out Session Manager settings.

#
# NERC DataGrid Security
#
# Paste configuration for combined Session Manager, Attribute Authority,
# OpenID Relying Party and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 26/02/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id$
#
# Read by Paste Deploy through Python's ConfigParser: every key in [DEFAULT]
# is visible to all other sections via %(key)s interpolation, so a literal %
# must be written %%.  This file is an integration-test fixture - the host,
# scheme, key/certificate paths, secrets and credentials below are test values
# kept in version control and are not meant for a deployed instance.

[DEFAULT]
# Port and host the test services listen on - see [server:main]
portNum = 7443
hostname = localhost
# Plain HTTP: cookies, OpenID exchanges and SOAP traffic in this test stack are
# sent unencrypted, which is only acceptable for a local test instance.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
# URI a user enters at the Relying Party to select this Provider only (idselect
# mode, see the Provider section)
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Shared test PKI material (CA, keys/certs, map config) lives under here
testConfigDir = %(here)s/../../config
# Session Manager location - still referenced by [filter:SessionManagerFilter]
# below although that filter is no longer part of [pipeline:main]
sessionManagerPath = /SessionManager
sessionManagerURI = %(baseURI)s%(sessionManagerPath)s
# Attribute Exchange type URIs shared by the Relying Party and Provider sections
openid.ax.sessionManagerURI.typeURI=urn:ndg:security:openid:sessionManagerURI
openid.ax.sessionId.typeURI=urn:ndg:security:openid:sessionId

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime is measured in seconds (28800 = 8 hours).  Issued Attribute
# Certificates remain valid for this long, so keep it as short as the use
# case allows
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID.  The module named here is imported at start-up; for this fixture it
# is a class in the test package.
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className: TestUserRoles

# Config for XML signature of Attribute Certificate: the Site A signing key and
# certificate, plus the CA certificate(s) this Attribute Authority trusts
# (test CA - presumably used to validate the certificates of requesting
# clients; confirm in the AttributeAuthority class).  Clients of this service
# must trust the same test CA to verify its signatures.
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt

[server:main]
# Paste's built-in HTTP server
use = egg:Paste#http
# Binds every interface: while a test run is up, the services (including the
# test OpenID Provider with its fixed credentials) are reachable from the
# network, not just from this machine.  Use 127.0.0.1 if that is not wanted.
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderApp]
# Paste's httpexceptions middleware turns HTTP exception objects raised by the
# wrapped app into HTTP responses; the wrapped app is the cascade below
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content: the static file app is tried first and, when it answers 404, the
# request falls through to the Provider middleware app
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

[app:OpenIDProviderStaticContent]
# Serves files straight out of document_root; everything under that directory
# is reachable over HTTP, so keep private material (keys, config) out of it
use = egg:Paste#static
document_root = %(here)s/openidprovider

[pipeline:main]
# Request path through the stack, top to bottom: WS-Security signature
# verification first, then the Attribute Authority SOAP binding, the filter
# that signs its responses, Beaker sessions, the OpenID Relying Party and
# finally the OpenID Provider app.  [filter:SessionManagerFilter] further down
# is not in this list (this revision strips the Session Manager settings), so
# that section is inactive.
pipeline = wsseSignatureVerificationFilter
                   AttributeAuthorityFilter
           wsseSignatureFilter
                   SessionMiddlewareFilter
                   OpenIDRelyingPartyFilter
                   OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
# Cookie name and signing secret for the file-backed session (see data_dir
# below).  The secret is a checked-in test value - an instance that is not a
# throwaway test needs its own randomly generated secret kept out of VCS.
beaker.session.key = openid
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
# These options enable cookie only type sessions with the cookie content
# encrypted.  The example keys are fixed placeholders: if cookie sessions are
# switched on, generate fresh validate/encrypt keys rather than using these.
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True: the session cookie expires when the browser session ends
beaker.session.cookie_expires = True

[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# environ key of the Beaker session set up by [filter:SessionMiddlewareFilter]
openid.relyingparty.sessionKey = beaker.session
# authkit.openid.baseurl is set further down in this section; ConfigParser
# interpolation does not depend on key order
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
# The Relying Party's own certificate and key (test PKI).  priKeyPwd is empty,
# so localhost.key is presumably stored without a passphrase - confirm.
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
openid.relyingparty.priKeyPwd = 
# Directory of CA certificates the Relying Party trusts (test CA)
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# NOTE(review): no Provider whitelist file is set.  Whether an empty value
# means "accept any OpenID Provider" or "allow none" is decided in
# OpenIDRelyingPartyMiddleware - confirm before reusing this outside the test.
openid.relyingparty.providerWhitelistFilePath =
#openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
#openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
# OpenID pre-filled in the sign-in form: this test stack's own Provider
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
# Sign-in page layout (logos, links, disclaimer text)
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up: OpenID for authentication, a signed cookie to carry the result
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app.  The secret signs the
# authentication cookie; this is a checked-in test value - any instance that
# is not a throwaway test needs its own randomly generated secret.
authkit.cookie.name=ndg.security.auth
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Consequence: the cookie is no longer tied to the client address, so a
# captured cookie stays usable from elsewhere until it expires or the user
# signs out.
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
# File based OpenID store (presumably the python-openid file store for
# associations and nonces) under the given directory
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
# Placeholder secret - the value is literally the text "random string", not a
# generated one; replace it outside the test fixture
authkit.openid.session.key = authkit_openid
authkit.openid.session.secret = random string

authkit.openid.baseurl = %(baseURI)s

# Attribute Exchange: request the Session Manager URI and session id from the
# Provider (both marked required) under the type URIs defined in [DEFAULT]
authkit.openid.ax.typeuri.sessionManagerURI=%(openid.ax.sessionManagerURI.typeURI)s
authkit.openid.ax.required.sessionManagerURI=True
authkit.openid.ax.alias.sessionManagerURI=sessionManagerURI

authkit.openid.ax.typeuri.sessionId=%(openid.ax.sessionId.typeURI)s
authkit.openid.ax.required.sessionId=True
authkit.openid.ax.alias.sessionId=sessionId

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
# Paths served by the Provider, relative to openid.provider.base_url
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is left alone by ConfigParser (it only expands %(...)s)
# and is presumably substituted per user by the Provider middleware
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

# environ key of the Beaker session set up by [filter:SessionMiddlewareFilter]
openid.provider.session_middleware=beaker.session
openid.provider.base_url=%(baseURI)s
# Leave trace off outside debugging sessions
openid.provider.trace=False
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities.  userCreds holds
# the test account in clear text (user 'pjk', password 'test') and
# username2UserIdentifiers presumably maps each username to the OpenID
# identifiers it may claim.  Test fixture values only - not a pattern for a
# real Provider.
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
openid.provider.authN.userCreds=pjk:test
openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw another:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs.  Appears to be a superseded spelling of
# authN.userCreds above and is kept commented out; userCreds is the active key.
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
# Signature verification filter this Attribute Authority refers to (the Session
# Manager section below notes that it is what authenticates the user in signed
# requests).  It precedes this filter in [pipeline:main], so verification has
# already run when a request gets here.
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Other filters in this stack that this filter depends on
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8
# Identifier for this filter so that the main WSGI app (and the Session Manager
# filter, when it is present) can call this Attribute Authority directly
filterID = %(__name__)s

#______________________________________________________________________________
# Session Manager WSGI settings
#
# NOTE: this filter is not listed in [pipeline:main] (this revision strips the
# Session Manager settings), so Paste never loads this section.  It is kept
# for reference; remove it or add it back to the pipeline as appropriate.
[filter:SessionManagerFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Session Manager
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = SessionManager

# The SessionManager class has settings in the default section above identified
# by this prefix (no sessionManager.* keys remain in [DEFAULT] in this revision)
SessionManager.propPrefix = sessionManager
SessionManager.propFilePath = %(here)s/securityservices.ini

# This filter references other filters - a local Attribute Authority (optional)
# and a WS-Security signature verification filter (required if using signature
# to authenticate user in requests)
SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# The SessionManagerWS SOAP interface class needs to know about these other
# filters
referencedFilters = filter:wsseSignatureVerificationFilter
                                        filter:AttributeAuthorityFilter

# Path from URI for Session Manager in this Paste deployment
path = %(sessionManagerPath)s

# External endpoint for this Session Manager - must agree with setting used to
# invoke this service set in:
# * securityservicesapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Session Manager clients in this WSGI stack to see if
# a request is being made to the local service or to another session manager
# running elsewhere
publishedURI = %(sessionManagerURI)s

# Enable ?wsdl query argument to list the WSDL content
enableWSDLQuery = True
charset = utf-8

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI can call this Session Manager directly
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# Identifier other filters use to reference this one (see referencedFilters in
# the Attribute Authority, Session Manager and signature filter sections)
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths.
# These CAs are the trust anchors for inbound message signatures; a signing
# certificate that does not chain to one of them should not be accepted.
# Test CA only.
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file (test key).  No passphrase setting is given
# here, so it is presumably stored unencrypted - keep test PKI out of real
# deployments.
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message - gives the receiver a basis
# for rejecting stale or replayed messages (whether it checks is up to the
# receiving handler)
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client, letting the client check the response belongs to its
# own request
wssecurity.applySignatureConfirmation=True

# Logging configuration - standard Python logging.config.fileConfig sections
# loaded by paster serve.  fileConfig reads 'format' and 'datefmt' raw, so the
# %(...)s below are logging placeholders, not ConfigParser interpolation.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG for the ndg.* loggers; no handler of its own, so records propagate to
# root's console handler.  Debug output from the security services may include
# request details - lower this outside test runs.
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# Evaluated as a Python expression by fileConfig - keep it a literal tuple
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
