Revision 5555, 11.7 KB checked in by pjkersha, 11 years ago (diff)

OpenID Relying Party flexible configuration

Fixed security WSGI configuration so that the OpenID Relying Party can run in the same middleware as the application it protects or independently in the security services middleware stack. There are two applications involved in applying security:

  1. the app to be secured
  2. app running security services


  The first (1.) is configured with middleware to intercept requests and apply the security policy; the second (2.) runs services such as the Attribute Authority and OpenID Provider used by the first. The OpenID Relying Party can now be incorporated in either. Where an application runs in a different domain from the security services stack, it is easier to deploy the Relying Party with the app (option 1), as otherwise cookies set by the RP won't be in scope for the secured app. Option 2 is useful where the app is in the same domain as the security services and there is a need to run the RP over SSL.

Configurations can be set at deployment from Paste ini file pipeline settings.

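#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$
#
# Read with configparser-style %(name)s interpolation (Paste Deploy); keys in
# [DEFAULT] are visible from every other section.  The key/value delimiter is
# '=' throughout this file.

# Values shared by all sections below
[DEFAULT]
portNum = 7443
hostname = localhost
# NOTE(review): plain http - the OpenID login form, the Beaker session cookie
# and the OpenID exchanges all travel in the clear.  Acceptable for a local
# integration test bound to localhost; a deployment reachable from other hosts
# should use https here.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
testConfigDir = %(here)s/../../config
beakerSessionKeyName = beaker.session.ndg.security.services

#______________________________________________________________________________
# Attribute Authority settings
# 'name' setting MUST agree with map config file 'thisHost' name attribute
attributeAuthority.name = Site A

# Lifetime is measured in seconds (28800 = 8 hours)
attributeAuthority.attCertLifetime = 28800

# Allow an offset for clock skew between servers running
# security services. NB, measured in seconds - use a minus sign for time in the
# past
attributeAuthority.attCertNotBeforeOff = 0

# All Attribute Certificates issued are recorded in this dir
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# Files in attCertDir are stored using a rotating file handler
# attCertFileLogCnt sets the max number of files created before the first is
# overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Location of role mapping file
attributeAuthority.mapConfigFile = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Settings for custom AttributeInterface derived class to get user roles for given
# user ID
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# Config for XML signature of Attribute Certificate.  The private key file is
# the AA's signing credential - keep it readable by the service account only.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
# CA certificate list for the AA - the test CA only in this configuration
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt
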
# Paste HTTP server for the whole stack; the port comes from portNum in [DEFAULT]
[server:main]
use = egg:Paste#http
# 0.0.0.0 listens on every interface, so the OpenID Provider login page and the
# fixed test accounts configured later in this file are reachable from other
# hosts.  Use 127.0.0.1 when the integration tests only need local access.
host = 0.0.0.0
port = %(portNum)s

# Last entry of [pipeline:main]: Paste's httpexceptions filter wrapping the
# cascade below (an HTTPException raised downstream becomes an HTTP response)
[filter-app:OpenIDProviderApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content
# Requests go to app1 first; a 404 from it falls through to app2, so any path
# that matches a file under the static document_root is answered before the
# OpenID Provider app sees it.
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderMiddlewareApp
catch = 404

# Static files (layout images, icons) for the OpenID Provider pages
[app:OpenIDProviderStaticContent]
use = egg:Paste#static
# NOTE(review): this document_root is also the parent of the Beaker session and
# cache data dirs and of openid.provider.consumer_store_dirpath configured
# later in this file, and the cascade tries static files first - so any file
# written into that tree is servable over HTTP.  Keep the served assets in a
# directory of their own, or move the data dirs out of the served tree.
document_root = %(here)s/openidprovider

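# Filter chain applied to every request, in the listed order around the final
# app: WS-Security signature verification runs before the Attribute Authority
# SOAP binding, wsseSignatureFilter signs the SOAP response on the way out, and
# the Beaker session filter sits in front of the OpenID Provider app.  Paste
# splits the value on whitespace, so each name sits on its own continuation
# line (indented consistently so the parser joins them onto the key).
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
           AttributeAuthorityFilter
           wsseSignatureFilter
           SessionMiddlewareFilter
           OpenIDProviderApp
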
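#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
# The provider app locates this session through openid.provider.session_middleware,
# which carries the same beakerSessionKeyName value as environ_key below.
[filter:SessionMiddlewareFilter]
paste.filter_app_factory = beaker.middleware:SessionMiddleware
beaker.session.key = openid
# NOTE(review): a fixed session secret committed to version control.  It is
# the value Beaker uses to validate the session cookie, so it must be unique
# per deployment and generated at deployment time rather than copied from
# this test file.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU
# These options enable cookie only type sessions with the cookie content
# encrypted
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# Locations of the cache data and session save directories.
# NOTE(review): both live under %(here)s/openidprovider, which is also the
# static document_root served first by the cascade, so the session files are
# reachable as static content.  Point these at a directory outside the served
# tree.
beaker.cache.data_dir = %(here)s/openidprovider/beaker/cache
beaker.session.data_dir = %(here)s/openidprovider/beaker/sessions
# True makes the cookie expire when the browser session ends (Beaker semantics)
beaker.session.cookie_expires = True

# Key name for keying into environ dictionary
environ_key = %(beakerSessionKeyName)s
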
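#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderMiddlewareApp]
paste.app_factory = ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URL paths served by the provider, relative to base_url
openid.provider.path.openidserver = /OpenID/Provider/server
openid.provider.path.login = /OpenID/Provider/login
openid.provider.path.loginsubmit = /OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is a placeholder for the provider code, not config
# interpolation (which uses %(name)s)
openid.provider.path.id = /OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis = %(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis = %(openIDProviderIDBase)s
openid.provider.path.allow = /OpenID/Provider/allow
openid.provider.path.decide = /OpenID/Provider/decide
openid.provider.path.mainpage = /OpenID/Provider/home

# environ key of the Beaker session set up by SessionMiddlewareFilter
openid.provider.session_middleware = %(beakerSessionKeyName)s
# Inherits the scheme from [DEFAULT] - http in this test configuration
openid.provider.base_url = %(baseURI)s
openid.provider.trace = False
# NOTE(review): this directory is also the static document_root of
# OpenIDProviderStaticContent, so anything the provider stores here can be
# fetched as a static file; use a directory outside the served tree.
openid.provider.consumer_store_dirpath = %(here)s/openidprovider
openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
#openid.provider.renderingClass = ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding = utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities
openid.provider.authNInterface = ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
# NOTE(review): plaintext, fixed test credentials in a committed config file.
# They are fine for the demonstration interface above on a local test run but
# must not be carried into a deployment; a deployed provider needs an
# authNInterface backed by a real credential store, and this file must not be
# readable by anyone who should not see them.
openid.provider.authN.userCreds = pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs
#openid.provider.usercreds = pjk:test
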
#______________________________________________________________________________
# Attribute Authority WSGI settings
#
[filter:AttributeAuthorityFilter]
# This filter is a container for a binding to a SOAP based interface to the
# Attribute Authority
paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware

# Use this ZSI generated SOAP service interface class to handle i/o for this
# filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# SOAP Binding Class specific keywords are in this section identified by this
# prefix:
ServiceSOAPBindingPropPrefix = AttributeAuthority

# The AttributeAuthority class has settings in the default section above
# identified by this prefix:
AttributeAuthority.propPrefix = attributeAuthority
# The AA re-reads this same file for the attributeAuthority.* keys in [DEFAULT]
AttributeAuthority.propFilePath = %(here)s/securityservices.ini
AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Filters this one needs to reach (here the signature verification filter,
# which runs earlier in [pipeline:main]).  The identifier other filters use to
# call this Attribute Authority directly is filterID at the end of this section.
referencedFilters = filter:wsseSignatureVerificationFilter

# Path from URL for Attribute Authority in this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority - must agree with setting used
# to invoke this service set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# This setting is used by Attribute Authority clients in this WSGI stack to see
# if a request is being made to the local service or to another Attribute
# Authority running elsewhere
publishedURI = %(baseURI)s%(path)s

# Enable ?wsdl query argument to list the WSDL content.  This publishes the
# service description to any client that can reach the endpoint - convenient
# for tests, something to review before a deployment.
enableWSDLQuery = True
charset = utf-8
# %(__name__)s expands to this section's own name under Python 2 ConfigParser
filterID = %(__name__)s

#______________________________________________________________________________
# WS-Security Signature Verification
# First filter in [pipeline:main], so inbound SOAP signatures are checked
# before the Attribute Authority binding handles the request.
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# %(__name__)s expands to this section's own name under Python 2 ConfigParser
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
# Trust anchor is the test CA only (the same file as
# attributeAuthority.caCertFilePathList in [DEFAULT]); signers under any other
# CA are not accepted by this configuration.
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
# Signs SOAP responses leaving the Attribute Authority binding
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file.  No passphrase setting is given here, so the
# file itself is the credential - restrict it to the service account.
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message (gives the receiving side a
# basis for freshness checks; whether a window is enforced is configured on the
# verifying side, not here)
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True

# Logging configuration
# Standard logging.config.fileConfig layout.  These sections are not loaded by
# Paste Deploy as WSGI objects, so the %(...)s placeholders in the formatter
# below are expected to reach the logging formatter, not config interpolation.
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# ndg.* records are emitted at DEBUG; with no handlers of its own this logger
# relies on propagation to root's console handler (propagate defaults to on)
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

# NOTE(review): fileConfig evaluates the args value as a Python expression, so
# this file must be writable only by the account that administers the service.
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(...)s fields are logging record attributes, not config interpolation
[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
301