source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securedapp.ini @ 5555

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securedapp.ini@5555
Revision 5555, 6.1 KB checked in by pjkersha, 10 years ago (diff)

OpenID Relying Party flexible configuration

Fixed security WSGI configuration so that the OpenID Relying Party can run in the same middleware as the application it protects or independently in the security services middleware stack. There are two applications involved in applying security:

  1. the app to be secured
  2. app running security services


  1. is configured with middleware to intercept requests and apply the security policy. 2. runs services such as the Attribute Authority and OpenID Provider used by 1. The OpenID Relying Party can now be incorporated in either. For cases where an application runs in a different domain to the security services stack it's easier to deploy a Relying Party with the app in 1., as otherwise cookies set by the RP won't be in the scope of the secured app. Option 2. is useful where the app is in the same domain as the security services stack and there's a need to run the RP over SSL.

Configurations can be set at deployment from Paste ini file pipeline settings.

#
# NDG Security AuthZ WSGI Testing environment configuration.  This ini file
# defines the configuration for an application to be secured.  Security
# filters placed in front of the application in the WSGI pipeline act as
# client to security services running on a separate application stack.  - See
# securityservices.ini
#
# NERC DataGrid
#
# Author: P J Kershaw
#
# Date: 01/07/09
#
# Copyright: STFC 2009
#
# Licence: BSD - See top-level LICENCE file for licence details
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Review notes (security): this file carries literal secrets
# (beaker.session.secret, authkit.cookie.secret, authkit.openid.session.secret),
# serves everything over plain http, configures no OpenID Provider whitelist
# and no CA list for the SSL call to the Attribute Authority.  That is
# acceptable for an integration test on localhost only; each such setting is
# flagged inline below so that a copy of this file is not reused unchanged as
# a deployment template.
#
[DEFAULT]
# Values in [DEFAULT] are visible to every section below through %(name)s
# interpolation.
portNum = 7080
hostname = localhost

# Plain http: the Beaker session cookie and the AuthKit cookie configured
# below therefore travel unencrypted.  Use https (and the matching port) for
# anything other than a local test.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid

# OpenID Provider identifier-select URI.  Hard-wired to localhost:7443 rather
# than derived from %(baseURI)s, so it must be updated separately if the
# provider moves.
openIDProviderIDSelectURI = http://localhost:7443%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
beakerSessionKeyName = beaker.session.ndg.security

# Logout URI used by AuthKit and SessionHandlerMiddleware
globalSignoutPath = /logout

[server:main]
use = egg:Paste#http

# 0.0.0.0 binds on every interface, not just loopback, although every URL in
# this file names localhost.  Bind to 127.0.0.1 unless remote access is
# intended.
host = 0.0.0.0

# Kept in step with portNum by hand; it is not interpolated from %(portNum)s.
port = 7080

[pipeline:main]
# Paste applies the filters in the order listed, with the app last.  The
# Beaker session filter comes first because the Relying Party and
# SessionHandler filters both read the session via %(beakerSessionKeyName)s.
pipeline = BeakerSessionFilter
                   OpenIDRelyingPartyFilter
                   SessionHandlerFilter
                   AuthorizationFilter
                   AuthZTestApp

[app:AuthZTestApp]
paste.app_factory = ndg.security.test.integration:AuthZTestApp.app_factory

[filter:BeakerSessionFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware

# Cookie name
beaker.session.key = ndg.security.session

# WSGI environ key name
environ_key = %(beakerSessionKeyName)s

# Secret protecting the Beaker session cookie, committed in clear text.  Fine
# for this test environment; any real deployment needs its own value kept out
# of version control.
beaker.session.secret = rBIvKXLa+REYB8pM/8pdPoorVpKQuaOW

# On-disk locations for Beaker's cache and session data.
beaker.cache.data_dir = %(here)s/authn/beaker/cache
beaker.session.data_dir = %(here)s/authn/beaker/sessions

# Handle setting of session cookie following sign-in
[filter:SessionHandlerFilter]
paste.filter_app_factory = ndg.security.server.wsgi.authn:SessionHandlerMiddleware.filter_app_factory
sessionhandler.signoutPath = %(globalSignoutPath)s
sessionhandler.sessionKey = %(beakerSessionKeyName)s

[filter:OpenIDRelyingPartyFilter]
paste.filter_app_factory = 
        ndg.security.server.wsgi.openid.relyingparty:OpenIDRelyingPartyMiddleware.filter_app_factory

# Relying Party base URL is taken from the AuthKit setting at the end of this
# section, which in turn is %(baseURI)s - i.e. http on localhost:7080.
openid.relyingparty.baseURL = %(authkit.openid.baseurl)s
openid.relyingparty.certFilePath = %(testConfigDir)s/pki/localhost.crt
openid.relyingparty.priKeyFilePath = %(testConfigDir)s/pki/localhost.key

# Blank password - presumably localhost.key is stored unencrypted (test key).
openid.relyingparty.priKeyPwd = 
openid.relyingparty.caCertDirPath = %(testConfigDir)s/ca

# Blank: no OpenID Provider whitelist is applied, so the sign-in form
# presumably accepts any provider URL the user enters - confirm against
# OpenIDRelyingPartyMiddleware.  Set a whitelist file for anything beyond
# test use.
openid.relyingparty.providerWhitelistFilePath =

# Buffet template based sign-in page and the static assets it references.
openid.relyingparty.signinInterfaceMiddlewareClass = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.BuffetSigninTemplate
openid.relyingparty.signinInterface.templatePackage = ndg.security.server.wsgi.openid.relyingparty.signin_interface.buffet.templates
openid.relyingparty.signinInterface.staticContentRootDir = %(here)s/openidrelyingparty/public
openid.relyingparty.signinInterface.baseURL = %(openid.relyingparty.baseURL)s
openid.relyingparty.signinInterface.initialOpenID = %(openIDProviderIDSelectURI)s
openid.relyingparty.signinInterface.leftLogo = %(openid.relyingparty.signinInterface.baseURL)s/layout/NERC_Logo.gif
openid.relyingparty.signinInterface.leftAlt = Natural Environment Research Council
openid.relyingparty.signinInterface.ndgLink = http://ndg.nerc.ac.uk/
openid.relyingparty.signinInterface.ndgImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/ndg_logo_circle.gif
openid.relyingparty.signinInterface.disclaimer = This site is for test purposes only and is under active development.
openid.relyingparty.signinInterface.stfcLink = http://www.stfc.ac.uk/
openid.relyingparty.signinInterface.stfcImage = %(openid.relyingparty.signinInterface.baseURL)s/layout/stfc-circle-sm.gif
openid.relyingparty.signinInterface.helpIcon = %(openid.relyingparty.signinInterface.baseURL)s/layout/icons/help.png

cache_dir = %(here)s/data

# AuthKit Set-up
authkit.setup.method=openid, cookie

# This cookie name and secret MUST agree with the name used by the
# Authentication Filter used to secure a given app
authkit.cookie.name=ndg.security.authkit

# Secret protecting the AuthKit cookie, committed in clear text - test
# environment only; a deployment needs its own value.
authkit.cookie.secret=9wvZObs9anUEhSIAnJNoY2iJq59FfYZr
authkit.cookie.signoutpath = %(globalSignoutPath)s

# Disable inclusion of client IP address from cookie signature due to
# suspected problem with AuthKit setting it when a HTTP Proxy is in place.
# Side effect: a cookie is no longer tied to the client address it was issued
# to.
authkit.cookie.includeip = False

authkit.openid.path.signedin=/
authkit.openid.store.type=file
authkit.openid.store.config=%(here)s/openidrelyingparty/store
authkit.openid.session.key = authkit_openid

# Placeholder text left in place as the secret: replace with a genuinely
# random value for anything beyond this local test.
authkit.openid.session.secret = random string

# Key name for dereferencing beaker.session object held in environ
authkit.openid.session.middleware = %(beakerSessionKeyName)s

# Also referenced above as openid.relyingparty.baseURL.
authkit.openid.baseurl = %(baseURI)s


[filter:AuthorizationFilter]
paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorizationMiddleware.filter_app_factory
prefix = authz.
policy.filePath = %(here)s/policy.xml

# Settings for Policy Information Point used by the Policy Decision Point to
# retrieve subject attributes from the Attribute Authority associated with the
# resource to be accessed

# Blank: no CA certificates are configured for the SSL connection to the
# Attribute Authority, so the AA's server certificate presumably cannot be
# verified - confirm the middleware's behaviour for an empty list and set the
# CA list for any https AA endpoint.
pip.sslCACertFilePathList=

# List of CA certificates used to verify the signatures of
# Attribute Certificates retrieved
pip.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#
# WS-Security Settings for call to Attribute Authority to retrieve user
# attributes

# Signature of an outbound message

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header. 
# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType. 
# As an alternative, use signingCertChain - see below...

# PEM encode cert
pip.wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
pip.wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Password protecting private key.  Leave blank if there is no password.
# Blank here - presumably wsse-server.key is an unencrypted test key.
pip.wssecurity.signingPriKeyPwd=

# For signature verification.  Provide a space separated list of file paths
pip.wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

# ValueType for the BinarySecurityToken added to the WSSE header
pip.wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message, so the receiver can reject
# stale or replayed requests
pip.wssecurity.addTimestamp=True