
OpenID Relying Party flexible configuration

Fixed security WSGI configuration so that the OpenID Relying Party can run in the same middleware as the application it protects or independently in the security services middleware stack. There are two applications involved in applying security:

  1. the app to be secured
  2. app running security services


  1. is configured with middleware to intercept requests and apply the security policy. 2. runs services such as the Attribute Authority and OpenID Provider used by 1. The OpenID Relying Party can now be incorporated in either. Where an application runs in a different domain from the security services stack it is easier to deploy the Relying Party with the app (option 1), as otherwise cookies set by the RP will not be in scope for the secured app. Option 2 is useful where the app is in the same domain as the security services and the RP needs to run over SSL.

Configurations can be set at deployment from Paste ini file pipeline settings.

1#
2# NERC DataGrid Security
3#
4# Paste configuration for combined Attribute Authority, OpenID Relying Party
5# and Provider services
6#
7# The %(here)s variable will be replaced with the parent directory of this file
8#
9# Author: P J Kershaw
10# date: 01/07/09
11# Copyright: (C) 2009 Science and Technology Facilities Council
12# license: BSD - see LICENSE file in top-level directory
13# Contact: Philip.Kershaw@stfc.ac.uk
14# Revision: $Id:$
15
[DEFAULT]
# configparser [DEFAULT]: every key here is visible in all sections below and
# can be referenced from them with %(name)s interpolation.  %(here)s is
# supplied by the Paste loader (see file header).
portNum = 7443
hostname = localhost
# http: every URL derived from baseURI (OpenID Provider, Relying Party and
# Attribute Authority endpoints below) is served in clear.  Acceptable for
# this local test stack only; use https or terminate TLS in front of it
# anywhere else.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Test fixtures (PKI material, CA certificates, map config) relative to this
# file
testConfigDir = %(here)s/../../config
# environ key under which the Beaker session object is stored; shared by the
# session middleware, Relying Party and Provider sections below
beakerSessionKeyName = beaker.session.ndg.security.services

#______________________________________________________________________________
# Attribute Authority settings - read back from this file by
# [filter:AttributeAuthorityFilter] using the 'attributeAuthority' prefix
# declared there.  These keys use ':' as delimiter while the rest of the file
# uses '='; configparser accepts both, but do not rely on it elsewhere.
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name: Site A

# Lifetime is measured in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime: 28800 

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff: 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir: %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName: ac.xml
attributeAuthority.attCertFileLogCnt: 16
attributeAuthority.dnSeparator:/

# Location of role mapping file
attributeAuthority.mapConfigFile: %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID.  modFilePath is deliberately left commented out; presumably the
# class is located from the module and class names alone - confirm.
#attributeAuthority.attributeInterface.modFilePath: %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName: ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className: TestUserRoles

# Config for XML signature of Attribute Certificate: this site's signing key
# and certificate, plus the CA certificate(s) it trusts.  The same test CA
# is referenced by [filter:wsseSignatureVerificationFilter].
attributeAuthority.signingPriKeyFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath: %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList: %(testConfigDir)s/ca/ndg-test-ca.crt
62
[server:main]
use = egg:Paste#http
# 0.0.0.0 listens on every interface.  Given the test credentials and
# signing secrets held in this file, prefer 127.0.0.1 unless the services
# genuinely need to be reachable from other hosts.
host = 0.0.0.0
# portNum from [DEFAULT], so baseURI and the listening port stay in step
port = %(portNum)s
67
[filter-app:OpenIDProviderApp]
# Paste httpexceptions: converts HTTPException errors raised downstream into
# HTTP responses.  The application it wraps is the cascade composite below.
use = egg:Paste#httpexceptions
next = cascade
71
# Composite for OpenID Provider to enable settings for picking up static
# content
[composit:cascade]
use = egg:Paste#cascade
# Apps are tried in order: the static content app first, then the Provider
# middleware app whenever the static app answers with a status listed in
# 'catch'
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404
79
[app:OpenIDProviderStaticContent]
use = egg:Paste#static
# Files below document_root are served as-is.  NOTE(review): the Beaker
# session/cache dirs in [filter:SessionMiddlewareFilter] and
# openid.provider.consumer_store_dirpath in [app:OpenIDProviderMiddlewareApp]
# both sit under this same directory, which puts session and association
# state within reach of the static file server.  Point document_root at a
# directory holding only public layout assets, or move that state elsewhere.
document_root = %(here)s/openidprovider
83
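[pipeline:main]
# Filters apply in the order listed: the first entry is outermost, the last
# entry is the application the chain ends in.  Continuation lines must be
# indented (configparser); use a single consistent indent.
pipeline = wsseSignatureVerificationFilter
    AttributeAuthorityFilter
    wsseSignatureFilter
    SessionMiddlewareFilter
    OpenIDRelyingPartyFilter
    OpenIDProviderApp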
91
#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
# Name of the session cookie
beaker.session.key = openid
# Signs the session cookie.  This value is committed with the test suite and
# is therefore public: generate a fresh one for any deployment outside the
# tests and keep it out of version control.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# Locations for the cache data and the session saves.  Both lie below the
# document_root of [app:OpenIDProviderStaticContent], so the static file
# server can reach them - prefer a directory outside the served tree.
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True: per Beaker, a session cookie discarded when the browser closes.  No
# secure flag is set, consistent with scheme = http in [DEFAULT]; set
# beaker.session.secure when serving over https.
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s
108
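[filter:OpenIDRelyingPartyFilter]
# Kept on one line: an empty value followed by an indented continuation line
# is joined by configparser, which can leave a leading newline in front of
# the dotted path.
paste.filter_app_factory = ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# Forward reference to authkit.openid.baseurl further down this section;
# configparser interpolation is resolved on read, so the order is fine.
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key
# Empty: the private key above is used without a passphrase
openid.relyingparty.priKeyPwd =
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca
# Empty: no provider whitelist file is given.  NOTE(review): presumably this
# means any OpenID Provider is accepted - confirm against the middleware
# before using this layout outside the tests.
openid.relyingparty.providerWhitelistFilePath =
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
# Layout of the sign-in page
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

# Cache directory for this filter
cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method = openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name = ndg.security.auth

# Signs the authentication cookie.  This value is committed with the test
# suite and is therefore public: generate a fresh one per deployment, share
# it with the secured app's Authentication Filter out of band, and keep it
# out of version control.
authkit.cookie.secret = 9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = /logout

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place
authkit.cookie.includeip = False

authkit.openid.path.signedin = /
# File based OpenID association store, kept outside the 'public' static
# content root above
authkit.openid.store.type = file
authkit.openid.store.config = %(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid
# The value is the literal placeholder text 'random string'; replace it with
# a generated secret anywhere other than the test suite
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

# Relying Party base URL; plain http via [DEFAULT] scheme
authkit.openid.baseurl = %(baseURI)s

# Template for signin
#authkit.openid.template.obj =

# Handler for parsing OpenID and creating a session from it
#authkit.openid.urltouser =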
165
#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URL paths served by the Provider
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is not configparser interpolation (that uses %(name)s);
# presumably it is substituted by the Provider middleware at request time -
# confirm.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

# environ key of the Beaker session set up by [filter:SessionMiddlewareFilter]
openid.provider.session_middleware=%(beakerSessionKeyName)s
openid.provider.base_url=%(baseURI)s
openid.provider.trace=False
# NOTE(review): this is the same directory as document_root in
# [app:OpenIDProviderStaticContent], so whatever the consumer store writes
# here is within reach of the static file server - use a directory outside
# the served tree.
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
# Alternative rendering class, kept for reference
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority
#
# Passwords are held in clear text in this file.  These are demo accounts for
# the BasicAuthNInterface above; never reuse these credentials, and do not
# carry this interface or this file into a non-test deployment.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs (currently unused)
#openid.provider.usercreds=pjk:test
228
#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# This same file is re-read for those settings, so the [DEFAULT]
# attributeAuthority.* keys must stay alongside this section
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
# Must match filterID in [filter:wsseSignatureVerificationFilter]
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content.  This publishes the
# interface description to anyone who can reach the endpoint - fine for the
# test stack, review before exposing the service more widely.
enableWSDLQuery = True
charset = utf-8
# %(__name__)s is expanded by configparser to this section's name,
# i.e. filter:AttributeAuthorityFilter
filterID = %(__name__)s
273
#______________________________________________________________________________
# WS-Security Signature Verification - outermost filter in [pipeline:main],
# so inbound SOAP messages are checked before reaching the Attribute
# Authority
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# Expands to filter:wsseSignatureVerificationFilter; referenced by the
# Attribute Authority and signature filters
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths.
# Only the test CA is trusted here; a signature from any other issuer is
# rejected.
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt
285
#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file.  No passphrase key is given in this section,
# so the file is presumably unencrypted - protect it with file permissions.
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message, giving the peer a
# freshness check on the signed content
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True
325
# Logging configuration - picked up by paster serve (logging.config.fileConfig)
# because a [loggers] section is present.  The %(...)s tokens in
# [formatter_generic] are logging placeholders, read raw, not configparser
# interpolation.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG for everything under ndg.*.  Before enabling this outside test runs,
# check that debug output from the security middleware does not record
# request or credential details.
level = DEBUG
# Empty on purpose: events propagate up to the root logger's console handler
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# Evaluated by fileConfig as a Python expression
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
354