
Important fix: remove credentialWallet key on logout

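#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$
#
# NOTE: Paste Deploy reads this file through Python's ConfigParser, so
# %(name)s references are expanded from the same section and from [DEFAULT];
# a literal percent sign must be written %%.  '=' is used as the only
# key/value delimiter throughout.
#
# This is an integration-test fixture: the secrets, passwords and PKI paths
# below are fixed test values checked into version control and are not meant
# to be reused as-is in a deployment.

[DEFAULT]
# Scheme, host and port from which every service URL below is derived.
# This test deployment runs over plain http.
portNum = 7443
hostname = localhost
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = Site A

# Lifetime of issued Attribute Certificates, measured in seconds (28800 = 8h)
attributeAuthority.attCertLifetime = 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFile = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# Config for XML signature of Attribute Certificate: the signing key/cert pair
# and the CA certificate(s) trusted when verifying - test PKI only
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

[server:main]
use = egg:Paste#http
# 0.0.0.0 binds every interface on the host, not just loopback
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content.  Paste Deploy accepts 'composit' as an alias of 'composite' for
# this section type.
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider

[pipeline:main]
# Filters wrap the app in the order listed: a request passes through the
# WS-Security verification filter first, then on down to OpenIDProviderApp
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           wsseSignatureFilter
           SessionMiddlewareFilter
           OpenIDRelyingPartyFilter
           OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid
# Fixed test value committed to version control - a deployment needs its own
# secret, kept out of source control
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
# These options enable cookie only type sessions with the cookie content
# encrypted
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
beaker.session.cookie_expires = True

[filter:OpenIDRelyingPartyFilter]
# Value is given on an indented continuation line (ConfigParser joins it)
paste.filter_app_factory =
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

openid.relyingparty.sessionKey = beaker.session
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
# Empty - presumably the test key file is not passphrase protected
openid.relyingparty.priKeyPwd =
# Empty - presumably no Provider whitelist is applied in this test set-up;
# confirm against OpenIDRelyingPartyMiddleware before reusing elsewhere
openid.relyingparty.providerWhitelistFilePath =
#openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.test.integration.openid.openidrelyingparty.signin_interface.CombinedSigninAndLoginInterface
#openid.relyingparty.signinInterface.templatePackage = ndg.security.test.integration.openid.openidrelyingparty.templates
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app.  The secret is a fixed
# test value committed to version control - a deployment needs its own.
authkit.cookie.name = ndg.security.auth
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# Placeholder test secret
authkit.openid.session.secret = random string

authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =

#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# NB ${userIdentifier} is not a ConfigParser reference (that only expands
# %(name)s) - presumably the Provider code substitutes it at run time
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

openid.provider.session_middleware = beaker.session
openid.provider.base_url = %(baseURI)s
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding = utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
# These are clear-text test fixture accounts for the integration tests only
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content (exposes the service
# description to any client that can reach this endpoint)
enableWSDLQuery = True
charset = utf-8
# %(__name__)s is a Paste Deploy default that expands to this section's name
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# %(__name__)s is a Paste Deploy default that expands to this section's name
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
wssecurity.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath = %(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
wssecurity.signingPriKeyFilePath = %(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message
wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation = True

# Logging configuration (consumed by logging.config.fileConfig)
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG output for the ndg namespace; propagates to the root console handler
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# The %(...)s tokens here are logging format fields, not ConfigParser
# references: fileConfig reads 'format' raw, so they are left unexpanded
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S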
353