source: TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/openidrelyingparty_withapp/securityservices.ini @ 5543


Fixes for testing OpenID Relying Party running in the application code stack instead of the separate services stack.

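#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$
#
# Read by Paste Deploy (ConfigParser dialect with %(name)s interpolation); a
# literal percent sign must be written %%.  Keys in [DEFAULT] are visible in
# every other section, which is how the attributeAuthority.* settings below
# are picked up by the AttributeAuthorityFilter.
#
# This is an integration-test fixture: the session secret, PKI file paths and
# user credentials it contains are test values kept in source control and are
# not to be reused in a deployment.

[DEFAULT]
# scheme/host/port make up baseURI, which is published to clients as the
# OpenID Provider and Attribute Authority endpoint.  With scheme = http the
# Provider login form, the Beaker session cookie and the WS-Security SOAP
# traffic are all carried in clear text - acceptable only on a closed test
# host.  Use https (TLS-terminating server or proxy) before any exposure
# beyond localhost.
portNum = 7443
hostname = localhost
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Relative to this file; the test PKI (CA, signing keys) is located under here
testConfigDir = %(here)s/../../config

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = Site A

# Lifetime is measured in seconds (28800 = 8 hours).  An issued Attribute
# Certificate stays valid for this long whatever happens to the user's roles
# afterwards, so keep it as short as the test scenario allows.
attributeAuthority.attCertLifetime = 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFile = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# Config for XML signature of Attribute Certificate.  Test-only key pair and
# CA under testConfigDir; a deployment needs its own signing key and trust
# anchor.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

[server:main]
use = egg:Paste#http
# 0.0.0.0 binds every interface, so this clear-text test stack is reachable
# from other hosts on the network; 127.0.0.1 is enough when the tests only
# need local access.
host = 0.0.0.0
port = %(portNum)s

[filter-app:OpenIDProviderApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
document_root = %(here)s/openidprovider

[pipeline:main]
# Paste applies pipeline filters outermost first, so a request passes the
# WS-Security verification filter before it reaches the Attribute Authority;
# keep that order.
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           wsseSignatureFilter
           SessionMiddlewareFilter
           OpenIDProviderApp

#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid
# Beaker uses this secret to sign (authenticate) the session cookie.  It is a
# fixed test value checked into source control, so anyone holding it can
# produce a cookie this Provider accepts; generate a fresh random secret per
# deployment rather than reuse it.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
# These options enable cookie only type sessions with the cookie content
# encrypted.  The validate_key / encrypt_key values shown are placeholders -
# replace them with randomly generated keys if cookie-only sessions are
# switched on.
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# Locations for the Beaker cache data and for the file-backed session saves
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True: the session cookie is discarded when the browser closes
beaker.session.cookie_expires = True


#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
# Login form submission endpoint - served over plain HTTP with the [DEFAULT]
# scheme above
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is not config interpolation (Paste Deploy only expands
# %(name)s); it is passed through to the Provider code unchanged.
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

openid.provider.session_middleware = beaker.session
openid.provider.base_url = %(baseURI)s
# Leave trace disabled except when debugging: trace output goes to the log and
# may include request details
openid.provider.trace = False
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding = utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities.  It is a
# demonstration interface configured with the test account list below, not a
# password store for real accounts.
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# one alias at a time may be registered with a given Attribute Authority
# Test accounts only - the passwords are held in clear text in this file.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# The Attribute Authority reads its own settings back from this file, so the
# file name here must match the file actually deployed
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Provide an identifier for this filter so that main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content.  This publishes the
# service description to any caller - fine for the test stack, review before
# external exposure.
enableWSDLQuery = True
charset = utf-8
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths.
# These are the trust anchors for inbound signatures; only the test CA is
# listed here.
wssecurity.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath = %(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file (test key; keep file permissions restricted
# wherever a real key replaces it)
wssecurity.signingPriKeyFilePath = %(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType = X509v3

# Add a timestamp element to an outbound message - the WS-Security element a
# receiver can use to reject stale (replayed) messages
wssecurity.addTimestamp = True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation = True

# Logging configuration
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[logger_ndg]
# DEBUG output from the security modules may include request contents; use
# INFO for anything other than test runs
level = DEBUG
handlers =
qualname = ndg

[handler_console]
class = StreamHandler
# 'args' is evaluated as a Python expression by logging.config.fileConfig, so
# this file has to be treated as code: keep it writable only by the service
# owner
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
# Read raw by logging.config.fileConfig - these %(...)s are log record fields,
# not ConfigParser interpolation
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S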