Timestamp:
13/05/08 09:34:07
Author:
pjkersha
Message:

Security Single Sign On code separated out of ows_server code stack and put in ndg.security. ows_server can still run single sign on but in alternate modes:

  • Single Sign On Service run from within ows_server code stack - all SSO controllers, templates and globals are imported from ndg.security
  • ... or ows_server runs as a client to a Single Sign On service running in a separate paster instance. ows_server imports SSO client interface code from ndg.security

ows_server/development.ini:

  • added logging config as available with Pylons 0.9.6

ows_server/ndgDiscovery.config: [NDG_SECURITY] settings are now divided into sub sections:

  • NDG_SECURITY.ssoClient - for running a client to a Single Sign On service
  • NDG_SECURITY.ssoService - for running an integral SSO service
  • NDG_SECURITY.wssecurity - digital signature for web service interfaces
  • TODO: separate section for Gatekeeper


ows_server/ows_server/models/ndgSecurity.py: get rid of sslPeerCertDN setting to SM client - not needed

ows_server/ows_server/config/environment.py: include templates from ndg.security.server.sso

ows_server/ows_server/config/ndgMiddleware.py: call separate security SSO service/client middleware set-up

ows_server/ows_server/config/routing.py,
ows_server/ows_server/controllers/wayf.py: separate wayf controller

ows_server/ows_server/controllers/login.py: code moved to ndg.security.server.sso.sso.controllers.login; ows_server login extends this class
ows_server/ows_server/controllers/logout.py: likewise for logout - inherit from ndg.security.server.sso equivalent

ows_server/ows_server/lib/security_util.py:

  • stripFromURI returns str type not unicode
  • SecurityConfig class no longer needed - code transferred to ndg.security

ows_server/ows_server/lib/base.py: remove security handling code and instead inherit from ndg.security.client.ssoclient.ssoclient.base.BaseController

ows_server/ows_server/public/layout/ndg2.css: fix to header image path

ows_server/ows_server/templates/ndgPage.kid: embed code to base 64 encode return to URL

Location:
TI05-delivery/ows_framework/trunk/ows_server
Files:
1 added
13 edited

  • TI05-delivery/ows_framework/trunk/ows_server/development.ini

    r3027 r3893  
    5757# execute malicious code after an exception is raised. 
    5858#set debug = false 
     59 
     60# Logging configuration 
     61[loggers] 
     62keys = root, ows_server, ndg 
     63 
     64[handlers] 
     65keys = console 
     66 
     67[formatters] 
     68keys = generic 
     69 
     70[logger_root] 
     71level = INFO 
     72handlers = console 
     73 
     74[logger_ows_server] 
     75level = DEBUG 
     76handlers = 
     77qualname = ows_server 
     78 
     79[logger_ndg] 
     80level = DEBUG 
     81handlers = 
     82qualname = ndg 
     83 
     84 
     85[handler_console] 
     86class = StreamHandler 
     87args = (sys.stderr,) 
     88#level = NOTSET 
     89level = DEBUG 
     90formatter = generic 
     91 
     92[formatter_generic] 
     93format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s 
     94datefmt = %H:%M:%S 
     95 
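Review bot: `[logger_ows_server]` and `[logger_ndg]` are both set to `level = DEBUG` and `[handler_console]` is at `level = DEBUG` too, while the context line `#set debug = false` just above the new section is still commented out, so this ini is a development profile; a production copy should uncomment `set debug = false` and raise the two package loggers to INFO (matching `[logger_root]`), because the login code in this changeset writes decoded return-to URLs and redirect targets to the log at debug level.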
  • TI05-delivery/ows_framework/trunk/ows_server/ndgDiscovery.config

    r3842 r3893  
    1010# 
    1111# the following is the server on which this browse/discovery instance runs! 
    12 #server:         http://localhost 
     12server:         http://localhost 
    1313#server:       http://superglue.badc.rl.ac.uk:8083 
    1414## This is the proxied server root 
    15 server: http://superglue.badc.rl.ac.uk/ndg-test 
     15#server: http://superglue.badc.rl.ac.uk/ndg-test 
    1616 
    1717# 
    1818# the following is the server on which the NDG discovery service is running! (Not to be confused with 
    1919# the server on which the NDG discovery web service is running). This can and probably should be the local 
    20 # server (i.e. dont change it!) 
     20# server (i.e. don't change it!) 
    2121# 
    2222ndgServer:      %(server)s 
     
    2424# this is the physical file location of the layout directory on this machine  
    2525#  
    26 layoutdir:      /usr/local/ows_server_deployment/layout 
     26layoutdir:  
    2727# 
    2828# this should never be changed 
    2929# 
    3030##!NOTE: These are changed to  reflect the proxy prefix 
    31 layout:         /ndg-test/layout/ 
    32 icondir:        /ndg-test/layout/icons/ 
     31#layout:         /ndg-test/layout/ 
     32#icondir:        /ndg-test/layout/icons/ 
     33layout:          /layout/ 
     34icondir:         /layout/icons/ 
     35 
    3336# 
    3437mailserver:       xxxoutbox.rl.ac.uk 
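Review bot: `layoutdir:` at new line 26 is left with an empty value in place of the previous absolute path and carries no comment saying it must be filled in per deployment; an empty setting is easy to miss at install time, so either keep a commented example (as done for `#server:` above) or add a note that it is mandatory.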
     
    5154[layout] 
    5255###### user customisable: 
    53 localLink:      http://superglue.badc.rl.ac.uk/ndg-test/ 
     56localLink:      %(ndgServer)s/layout/ 
    5457localImage:     %(layout)sndg_logo_circle.gif 
    5558localAlt:       visit badc 
    5659###### ought to be the end of the customisations 
    57 ndgLink:        http://superglue.badc.rl.ac.uk/ndg-test/ 
     60ndgLink:        http://ndg.nerc.ac.uk/ 
    5861ndgImage:       %(layout)sndg_logo_circle.gif 
    5962ndgAlt:         visit ndg 
     
    6770printer:        %(icondir)sprinter.png 
    6871helpIcon:       %(icondir)shelp.png 
    69 HdrLeftAlt:     %(layout)sNatural Environment Research Council 
     72HdrLeftAlt:     %(layout)s Natural Environment Research Council 
    7073HdrLeftLogo:    %(layout)sNERC_Logo.gif 
    7174 
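Review bot: `HdrLeftAlt` at new line 72 interpolates `%(layout)s` into what its name says is an alt attribute, so the rendered alt text begins with the layout path; the change only inserts a space after the path, which suggests a copy from `HdrLeftLogo` on the next line, and if this really is alt text the `%(layout)s` prefix should be dropped.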
     
    121124passwordFile: ./passwords.txt 
    122125 
    123 [NDG_SECURITY] 
    124 # Server address for secure connections 
     126# 
     127# NDG Security 
     128# 
     129 
     130# Security settings for configuration as a client to a Single Sign On Service 
     131# i.e. Where Are You From, login and logout operations are handled by a  
     132# separate standalone paster instance 
     133#[NDG_SECURITY.ssoClient] 
     134## THIS service's address for secure connections - the Single Sign On service 
     135## returns security parameters to this service along this channel 
    125136#sslServer: https://localhost 
    126 sslServer: https://ndgbeta.badc.rl.ac.uk 
     137##sslServer: https://ndgbeta.badc.rl.ac.uk 
     138# 
     139## THIS service's address for unencrypted connections - when login is complete, 
     140## the BaseController redirects to an equivalent address under this host name. 
     141## sslServer and server settings must match for the sharing of cookies. 
     142#server: http://localhost 
     143# 
     144## WAYF running on Single Sign On Service - omit to default to WAYF running on 
     145## THIS paster instance 
     146#wayfURI:               https://localhost/sso/wayf 
     147# 
     148## Logout URI running on Single Sign On Service - omit to default to WAYF running on 
     149## THIS paster instance 
     150#logoutURI:             https://localhost/sso/logout 
     151 
     152# Security settings for running a Single Sign On Service from this paster 
     153# instance.  Either NDG_SECURITY.ssoClient or NDG_SECURITY.ssoService sections 
     154# should be set but NOT both 
     155 
     156# Single Sign On Service Settings 
     157[NDG_SECURITY.ssoService] 
     158 
     159# THIS service's address for secure connections - the Single Sign On service 
     160# returns security parameters to this service along this channel 
     161sslServer: https://localhost 
     162#sslServer: https://ndgbeta.badc.rl.ac.uk 
     163 
     164# THIS service's address for unencrypted connections - when login is complete, 
     165# the BaseController redirects to an equivalent address under this host name. 
     166# sslServer and server settings must match for the sharing of cookies. 
     167server: http://localhost 
    127168 
    128169# Redirect SOAP output to a file e.g. open(<somefile>, 'w') 
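Review bot: The new `[NDG_SECURITY.ssoService]` section pairs `sslServer: https://localhost` with `server: http://localhost`, and the comment at new lines 164-166 says that after login the BaseController redirects to the plain-http host and that the two settings "must match for the sharing of cookies"; that means the security session cookie set during the https login has to be readable over http, so it cannot carry the Secure flag and the session details travel in clear on every http request. Worth stating that trade-off in the comment, or pointing `server` at the https host so the cookie can be marked Secure. Minor: the `#logoutURI` comment at new lines 148-149 was copied from the WAYF entry and should read "omit to default to logout running on THIS paster instance".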
     
    131172 
    132173# Service addresses 
    133 #sessionMgrURI: https://localhost:5700/SessionManager 
    134 sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager 
    135 #attAuthorityURI: http://localhost:5000/AttributeAuthority 
    136 attAuthorityURI: http://aa.ceda.rl.ac.uk 
    137  
    138 # WS-Security signature handler 
    139 # This is an application certificate ... (which may be a machine certificate) 
    140 # X.509 certificate sent with outbound signed messages 
    141 wssCertFilePath: ./certs/Junk-cert.pem 
    142  
    143 # Private key used to sign messages 
    144 # This is an application certificate ... (which may be a machine certificate) 
    145 wssKeyFilePath: ./certs/Junk-key.pem 
    146  
    147 # Password for private key - comment out if the file is not password protected 
    148 wssKeyPwd: Junk 
    149  
    150 # Space separated list of CA cert. files to validate certs against when 
    151 # verifying responses 
    152 wssCACertFilePathList: ./certs/cacert.pem 
     174sessionMgrURI: https://localhost/SessionManager 
     175#sessionMgrURI: https://ndgbeta.badc.rl.ac.uk/SessionManager 
     176attAuthorityURI: http://localhost:5000/AttributeAuthority 
     177#attAuthorityURI: http://aa.ceda.rl.ac.uk 
    153178 
    154179# SSL Connections 
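Review bot: `attAuthorityURI` is plain `http://` on both the active localhost line and the commented `aa.ceda.rl.ac.uk` example (new lines 176-177) while `sessionMgrURI` uses https; the WS-Security signing configured further down in this file covers message integrity, not confidentiality, so for any non-local Attribute Authority the example should be an https URI as well.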
     
    156181# Space separated list of CA cert. files.  The peer cert. 
    157182# must verify against at least one of these otherwise the connection is  
    158 # dropped. 
    159 sslCACertFilePathList: ./certs/cacert.pem 
    160  
    161 # Set an alternate CommonName to match with peer cert for SSL 
    162 # Connections.  If the CN=hostname of the peer then this option  
    163 # can be commented out 
    164 #sslPeerCertCN:  
     183# dropped.  Include CA certs for all the sites trusted 
     184sslCACertFilePathList: certs/ndg-test-ca.crt 
    165185 
    166186# Gatekeeper Attribute Certificate check 
    167187# Issuer - should match with the issuer element of the users Attribute 
    168188# Certificate submitted in order to gain access 
    169 acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC 
    170 #acIssuer: /CN=Junk/O=NDG/OU=Gabriel 
    171  
    172 # verification of X.509 cert back to CA 
    173 acCACertFilePathList: ./secpem/cacert.pem 
     189#acIssuer: /CN=AttributeAuthority/O=NDG/OU=BADC 
     190acIssuer: /CN=Junk/O=NDG/OU=Gabriel 
     191 
     192# verification of X.509 cert back to CA.  Currently only the CA of this site 
     193# is needed because only mapped Attribute Certificates may be accepted. 
     194acCACertFilePathList: certs/ndg-test-ca.crt 
     195 
     196 
     197# WS-Security signature handler - set a config file with 'wssCfgFilePath' 
     198# or omit and put the relevant content directly in here under  
     199# 'NDG_SECURITY.wssecurity' section 
     200#wssCfgFilePath: wssecurity.cfg 
     201 
     202[NDG_SECURITY.wssecurity] 
     203 
     204# Settings for signature of an outbound message ... 
     205 
     206# Certificate associated with private key used to sign a message.  The sign  
     207# method will add this to the BinarySecurityToken element of the WSSE header.   
     208# binSecTokValType attribute must be set to 'X509' or 'X509v3' ValueType.   
     209# As an alternative, use 'signingCertChain' parameter 
     210 
     211# file path PEM encoded cert  
     212signingCertFilePath=certs/clnt.crt 
     213 
     214# file path to PEM encoded private key file 
     215signingPriKeyFilePath=certs/clnt.key 
     216 
     217# Password protecting private key.  Leave blank if there is no password. 
     218signingPriKeyPwd= 
     219 
     220# Provide a space separated list of file paths.  CA Certs should be included  
     221# for all the sites this installation trusts 
     222caCertFilePathList=certs/ndg-test-ca.crt 
     223 
     224# Set the ValueType for the BinarySecurityToken added to the WSSE header for a 
     225# signed message.   
     226reqBinSecTokValType=X509v3 
     227 
     228# Add a timestamp element to an outbound message 
     229addTimestamp=True 
     230 
     231# For WSSE 1.1 - service returns signature confirmation containing signature  
     232# value sent by client 
     233applySignatureConfirmation=False 
     234 
    174235 
    175236[RELATED] 
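Review bot: The `sslPeerCertCN` option and its explanation (old lines 161-164) are removed, leaving `sslCACertFilePathList` as the only documented control on the Session Manager SSL connection; with CA verification alone, any certificate issued under `certs/ndg-test-ca.crt` would be accepted for `sessionMgrURI`, so please confirm the relocated client still performs the hostname-against-CN check (the `HostCheck` helper the old login.py imported) now that no CN override exists. Separately, the active `acIssuer: /CN=Junk/O=NDG/OU=Gabriel` and `acCACertFilePathList: certs/ndg-test-ca.crt` are test trust anchors with the production issuer commented out; since the Gatekeeper accepts Attribute Certificates whose issuer matches this value, a deployment that copies the file unchanged trusts the test CA, so consider shipping placeholders rather than live test values.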
     
    187248formatDefault=DIF 
    188249icon_title: Links to the DISCOVERY RECORD for this dataset 
    189 standalone: True 
     250#standalone: True 
     251standalone: False 
    190252 
    191253[OWS_SERVER] 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/environment.py

    r3536 r3893  
    88import ows_server.lib.helpers 
    99from ows_server.config.routing import make_map 
     10 
     11# Set-up tools package import for locating NDG Security SSO Service 
     12import pkg_resources 
     13 
     14import logging 
     15log = logging.getLogger(__name__) 
     16 
    1017 
    1118def load_environment(global_conf={}, app_conf={}): 
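Review bot: `import pkg_resources` (new line 12) is not used anywhere in the visible lines despite the comment about locating the SSO service, and the module-level `log` added at line 15 is likewise unused; either use them or drop them, since an unused import that hints at a setuptools lookup misleads the next reader about how the SSO package is found.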
     
    1926             } 
    2027 
     28     
    2129    # Initialize config with the basic options 
    2230    config.init_app(global_conf, app_conf, package='ows_server', 
     
    3341     
    3442    # Add your own template options config options here, note that all config options will override 
    35     # any Pylons config options     
     43    # any Pylons config options   
     44     
     45    # Add templates for NDG Security Single Sign On Service making sure to 
     46    # provide an alias to avoid overwriting the default templates dir   
     47    kidopts = {'kid.assume_encoding':'utf-8', 'kid.encoding':'utf-8'} 
     48    config.add_template_engine('kid',  
     49                               'ndg.security.server.sso.sso.templates',  
     50                               kidopts, 
     51                               alias='ndg.security.kid') 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/ndgMiddleware.py

    r3418 r3893  
    22from paste.deploy import CONFIG 
    33from ows_server.models.Utilities import myConfig 
    4 from ows_server.lib.security_util import SecurityConfig 
    54 
     5 
     6class NDGConfigError(Exception):   
     7    '''Errors related to reading from ndg config file''' 
     8      
    69class ndgMiddleware: 
    710     
     
    2124        self.globals.htdocs=cf.get('DEFAULT','htdocs',None) 
    2225        self.globals.localLink=cf.get('layout','localLink',None) 
    23         self.globals.localImage=cf.get('layout','localImage',None) 
    24         self.globals.localAlt=cf.get('layout','localAlt','Visit Local Site') 
    25         self.globals.ndgLink=cf.get('layout','ndgLink','http://ndg.nerc.ac.uk') 
    26         self.globals.ndgImage=cf.get('layout','ndgImage',None) 
    27         self.globals.ndgAlt=cf.get('layout','ndgAlt','Visit NDG') 
     26        self.globals.localImage=cf.get('layout','localImage',None) 
     27        self.globals.localAlt=cf.get('layout','localAlt','Visit Local Site') 
     28        self.globals.ndgLink=cf.get('layout','ndgLink','http://ndg.nerc.ac.uk') 
     29        self.globals.ndgImage=cf.get('layout','ndgImage',None) 
     30        self.globals.ndgAlt=cf.get('layout','ndgAlt','Visit NDG') 
    2831        self.globals.stfcLink=cf.get('layout','stfcLink') 
    2932        self.globals.stfcImage=cf.get('layout','stfcImage') 
     
    4750        self.globals.server=cf.get('DEFAULT','server','') 
    4851 
    49         # Security Related 
    50         self.globals.wayfuri='%s/wayf'%self.globals.server 
    51  
    52         # Use secure connection 
    53         self.globals.sslServer=cf.get('NDG_SECURITY','sslServer','') 
    54         self.globals.getCredentials='%s/getCredentials'%self.globals.sslServer        
    55         self.globals.logout='%s/logout'%self.globals.server 
    56         self.globals.securityCfg = SecurityConfig(cf) 
    5752         
    5853        # for standalone discovery 
    59         standalone={'True':1,'False':0}[cf.get('DISCOVERY','standalone')] 
    60         self.globals.standalone= standalone 
    61           
     54        self.globals.standalone=cf.config.getboolean('DISCOVERY','standalone')        
     55 
    6256         
     57        # Security Related 
     58 
     59        # Single Sign On settings - check for mode of operation: 
     60        # 1) act as a client to a separate Single Sign On Service 
     61        # or 
     62        # 2) Single Sign On service is integrated into THIS service 
     63        securityEnabled = not self.globals.standalone 
     64        isSSOClient = cf.config.has_section('NDG_SECURITY.ssoClient') and \ 
     65            securityEnabled 
     66             
     67        isSSOService = cf.config.has_section('NDG_SECURITY.ssoService') and \ 
     68            securityEnabled 
     69             
     70        if isSSOClient and isSSOService: 
     71            raise NDGConfigError(\ 
     72                "NDG_SECURITY.ssoClient and NDG_SECURITY.ssoService " + \ 
     73                "sections are present in the NDG Config file: " + \ 
     74                "only one or the other may be set") 
     75  
     76        if isSSOClient: 
     77            try: 
     78                from \ 
     79            ndg.security.client.ssoclient.ssoclient.config.ssoClientMiddleware\ 
     80                    import SSOMiddleware 
     81            except ImportError, e: 
     82                # If standalone flag is not present security must be enabled 
     83                raise NDGConfigError(\ 
     84                    '%s: importing Single Sign On Client SSOMiddleware: %s' % \ 
     85                        (__name__, e)) 
     86                         
     87                 
     88            SSOMiddleware(app, cf.config, g, 
     89                          defSection='NDG_SECURITY.ssoClient') 
     90             
     91            self.globals.sslServer = g.ndg.security.client.ssoclient.cfg.sslServer 
     92            self.globals.wayfuri=g.ndg.security.client.ssoclient.cfg.wayfuri 
     93            self.globals.logout=g.ndg.security.client.ssoclient.cfg.logoutURI 
     94             
     95        elif isSSOService: 
     96            try: 
     97                from ndg.security.server.sso.sso.config.ssoServiceMiddleware \ 
     98                    import SSOMiddleware 
     99            except ImportError, e: 
     100                # If standalone flag is not present security must be enabled 
     101                raise NDGConfigError(\ 
     102                    '%s: importing Single Sign On Service SSOMiddleware: %s' %\ 
     103                        (__name__, e)) 
     104                         
     105                 
     106            SSOMiddleware(app, cf.config, g,  
     107                          defSection='NDG_SECURITY.ssoService') 
     108             
     109            self.globals.sslServer=g.ndg.security.server.ssoservice.cfg.sslServer 
     110            self.globals.wayfuri=g.ndg.security.server.ssoservice.cfg.wayfuri 
     111            self.globals.logout=g.ndg.security.server.ssoservice.cfg.logoutURI 
     112            self.globals.getCredentials=g.ndg.security.server.ssoservice.cfg.getCredentials 
     113           
     114        #self.globals.securityCfg = SecurityConfig(cf) 
    63115        self.config=cf 
    64116         
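Review bot: `self.globals.wayfuri`, `sslServer`, `logout` and `getCredentials` were previously assigned unconditionally (removed lines 49-55) but are now only set inside the `isSSOClient` / `isSSOService` branches, and `getCredentials` only in the latter; when `standalone` is True (so `securityEnabled` is False) or in client mode, any template or controller that reads `g.wayfuri` or `g.getCredentials` will raise AttributeError. Suggest initialising the four attributes to a default (for example `''`) before the `if isSSOClient:` block. Also, the `# If standalone flag is not present security must be enabled` comment inside both `except ImportError` handlers does not describe what happens there and should say that the SSO package is required for the configured mode.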
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/config/routing.py

    r3842 r3893  
    3737    map.connect('login', controller='login') 
    3838    map.connect('getCredentials', controller='login', action='getCredentials') 
    39     map.connect('wayf', controller='login', action='wayf') 
     39    map.connect('wayf', controller='wayf') 
    4040    map.connect('logout', controller='logout') 
    4141    map.connect('semantic',controller='discovery', action='semantic') 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/login.py

    r3536 r3893  
    44 
    55from ows_server.lib.base import * 
    6 from ows_server.lib.security_util import setSecuritySession, SecuritySession,\ 
    7                                          LoginServiceQuery 
    8 from ows_common.exception_report import OwsError 
    9 from paste.request import parse_querystring 
     6 
    107import logging 
    118log = logging.getLogger(__name__) 
    129 
    13 from ndg.security.common.AttAuthority import AttAuthorityClient 
    14 from ndg.security.common.SessionMgr import SessionMgrClient, SessionExpired, \ 
    15     AttributeRequestDenied 
    16 from ndg.security.common.m2CryptoSSLUtility import HTTPSConnection, \ 
    17     HostCheck, InvalidCertSignature, InvalidCertDN 
    18  
    19  
    20 class LoginController(BaseController): 
    21     ''' Provides the pylons controller for local login ''' 
     10try: 
     11    from ndg.security.server.sso.sso.controllers.login \ 
     12        import LoginController as _LoginController 
     13         
     14    class LoginController(_LoginController): 
     15        '''Provides the pylons controller for Login.  This is a wrapper class. 
     16        - All functionality is provided from ndg.security.server.sso.sso 
     17        the NDG Security Single Sign On Service package''' 
     18             
     19except ImportError, e: 
     20    from warnings import warn 
     21    warn("Importing LoginController for Single Sign On Service: %s" % e,  
     22         RuntimeWarning) 
    2223     
    23     def __before__(self, action):  
    24         """For each action, get 'r' return to URL argument from current URL  
    25         query string.  c.returnTo is used in some of the .kid files""" 
    26         c.returnTo = request.params.get('r', '') 
     24    class LoginController(BaseController): 
     25        '''Raise a 404 error for case where Single Sign ON Service is disabled 
     26        '''     
    2727         
    28         # Check return to address - getCredentials should NOT be returned to 
    29         # with its query args intact 
    30         b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
    31         scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
    32         if 'getCredentials' in pathInfo: 
    33             # Swap to discovery and remove sensitive creds query args 
    34             # 
    35             # TODO: re-write to be more robust and modular.  Nb.  
    36             # BaseController.__call__ should filter out 'getCredentials' 
    37             # calls from c.requestURL so this code should never need to be  
    38             # executed. 
    39             filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','','')) 
    40             c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
    41          
    42         # Check return to address - getCredentials should NOT be returned to 
    43         # with its query args intact 
    44         log.debug("LoginController.__before__: Decoded c.returnTo = %s" % \ 
    45                                       base64.urlsafe_b64decode(c.returnTo)) 
    46      
    47      
    48     def index(self): 
    49         ''' Ok, you really want to login here ''' 
    50         log.debug("LoginController.index ...")    
    51  
    52         if 'ndgSec' not in session:  
    53             log.debug('No security session details found - offering login...') 
    54             return render('login') 
    55          
    56         # Session is set in this domain - check it  
    57         try:     
    58             smClnt = SessionMgrClient(uri=session['ndgSec']['h'], 
    59                     sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 
    60                     sslPeerCertCN=g.securityCfg.sslPeerCertCN, 
    61                     signingCertFilePath=g.securityCfg.wssCertFilePath, 
    62                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
    63                     signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
    64                     caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
    65                     tracefile=g.securityCfg.tracefile) 
    66                                  
    67         except Exception, e: 
    68             c.xml='Error establishing security context.  Please report ' + \ 
    69                   'the error to your site administrator' 
    70             log.error("Initialising SessionMgrClient for " + \ 
    71                       "getSessionStatus call: %s" % e) 
    72             SecuritySession.delete() 
    73             response.status_code = 400 
    74             return render('content') 
    75          
    76         # Check session status 
    77         log.debug('Calling Session Manager "%s" getSessionStatus ' % \ 
    78                   session['ndgSec']['h'] + 'for user "%s" with sid="%s" ...'%\ 
    79                   (session['ndgSec']['u'], session['ndgSec']['sid'])) 
    80         try: 
    81             bSessOK = smClnt.getSessionStatus(sessID=session['ndgSec']['sid']) 
    82         except Exception, e: 
    83             c.xml = "Error checking your session details.  Please re-login" 
    84             log.error("Session Manager getSessionStatus returned: %s" % e) 
    85             SecuritySession.delete() 
    86             response.status_code = 400 
    87             return render('login') 
    88     
    89         if bSessOK: 
    90             log.debug("Session found - redirect back to site requesting " + \ 
    91                       "credentials ...") 
    92             # ... Return across http GET passing security parameters... 
    93             return self.__doRedirect() 
    94         else: 
    95             log.debug("Session wasn't found - removing security details " + \ 
    96                       "from cookie and re-displaying login...") 
    97             SecuritySession.delete() 
    98             return render('login') 
    99  
    100  
    101     def getCredentials(self): 
    102         """Authenticate user and cache user credentials in 
    103         Session Manager following user login""" 
    104         log.debug("LoginController.getCredentials ...")    
    105  
    106         try:     
    107             smClnt = SessionMgrClient(uri=g.securityCfg.smURI, 
    108                     sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 
    109                     sslPeerCertCN=g.securityCfg.sslPeerCertCN, 
    110                     signingCertFilePath=g.securityCfg.wssCertFilePath, 
    111                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
    112                     signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
    113                     caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
    114                     tracefile=g.securityCfg.tracefile) 
    115                                  
    116             username = request.params['username'] 
    117             passphrase = request.params['passphrase']                      
    118                                  
    119         except Exception, e: 
    120             c.xml='Error establishing security context.  Please report ' + \ 
    121                   'the error to your site administrator' 
    122             log.error("Login: initialising SessionMgrClient: %s" % e) 
    123             response.status_code = 400 
    124             return render('content') 
    125          
    126         # Connect to Session Manager 
    127         log.debug('Calling Session Manager "%s" connect for user "%s" ...' % \ 
    128                   (g.securityCfg.smURI, username)) 
    129         try: 
    130             sessID = smClnt.connect(username, passphrase=passphrase)[-1] 
    131         except Exception, e: 
    132             c.xml = "Error logging in.  Please check your username/" + \ 
    133                     "pass-phrase and try again." 
    134             log.error("Session Manager connect returned: %s" % e) 
    135             response.status_code = 401 
    136             return render('login') 
    137          
    138         # Cache user attributes in Session Manager 
    139         log.debug("Calling Session Manager getAttCert for user ") 
    140         try: 
    141             # Make request for attribute certificate 
    142             attCert = smClnt.getAttCert(sessID=sessID,  
    143                                         attAuthorityURI=g.securityCfg.aaURI) 
    144         except SessionExpired, e: 
    145             log.info("Session expired getting Attribute Certificate: %s" % e) 
    146             c.xml = "Session has expired, please re-login" 
    147             response.status_code = 401 
    148             return render('login') 
     28        def index(self): 
     29            ''' Ok, you really want to login here ''' 
     30            log.info("Single Sign On Service is disabled setting 404 error...") 
     31            abort(404) 
    14932             
    150         except AttributeRequestDenied, e: 
    151             log.error("Login: attribute Certificate request denied: %s" % e) 
    152             c.xml = "No authorisation roles are available for your " + \ 
    153                     "account.  Please check with your site administrator." 
    154             response.status_code = 401 
    155             return render('login') 
    156              
    157         except Exception, e: 
    158             log.error("Login: attribute Certificate request: %s" % e) 
    159             c.xml = "An internal error occured.  Please report this to " + \ 
    160                     "your site administrator." 
    161             response.status_code = 400 
    162             return render('login') 
    163  
    164         log.debug('Completing login...') 
    165          
    166         # Make security session details 
    167         setSecuritySession(h=g.securityCfg.smURI, 
    168                            u=username, 
    169                            org=attCert.issuerName, 
    170                            roles=attCert.roles, 
    171                            sid=sessID) 
    172         session.save() 
    173  
    174         log.info("user %s logged in with roles %s" % (session['ndgSec']['u'], 
    175                                                   session['ndgSec']['roles'])) 
    176         return self.__doRedirect() 
    177              
    178              
    179     def wayf(self): 
    180         ''' NDG equivalent to Shibboleth WAYF ''' 
    181         log.debug("LoginController.wayf ...")    
    182  
    183         # May be better as a 'g' global set-up at start-up? 
    184         # 
    185         # tracefile could be removed for production use 
    186         aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI, 
    187                     signingCertFilePath=g.securityCfg.wssCertFilePath, 
    188                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
    189                     signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
    190                     caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
    191                     tracefile=g.securityCfg.tracefile) 
    192  
    193         # Get list of login uris for trusted sites including THIS one 
    194         log.debug("Calling Attribute Authority getTrustedHostInfo and " + \ 
    195                   "getHostInfo for wayf") 
    196  
    197         hosts = aaClnt.getAllHostsInfo()     
    198         c.providers=dict([(k, v['loginURI']) for k, v in hosts.items()]) 
    199          
    200         session.save() 
    201          
    202         return render('wayf') 
    203          
    204          
    205     def __doRedirect(self): 
    206         """Pass security creds back to requestor so that they can make 
    207         a cookie.  If the requestor is in the same domain as the login then 
    208         this is not necessary.""" 
    209          
    210         # and now go back to whence we had come 
    211         if c.returnTo!='': 
    212             # is there a keyword on redirect_to that can make this https? See: 
    213             # http://pylonshq.com/project/pylonshq/browser/Pylons/trunk/pylons/decorators/secure.py#L69 
    214  
    215             # Only add token if return URI is in a different domain 
    216             thisHostname = request.host.split(':')[0] 
    217              
    218             # Decode return to address 
    219             cc = base64.urlsafe_b64decode(c.returnTo) 
    220             log.debug('Login redirect to [%s]' % cc) 
    221  
    222             returnToHostname = urlsplit(cc)[1] 
    223 #            returnToHostname = 'localhost' 
    224 #            if thisHostname not in returnToHostname: 
    225             if True: 
    226                 # Returning to a different domain - copy the security session 
    227                 # details into the URL query string 
    228                 if '?' in cc: 
    229                     cc+='&%s' % LoginServiceQuery() 
    230                 else: 
    231                     cc+='?%s' % LoginServiceQuery() 
    232              
    233             # Check return-to address by examining peer cert 
    234             log.debug("Checking return-to URL for valid SSL peer cert. ...") 
    235              
    236             # Look-up list of Cert DNs for trusted requestors 
    237             aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI, 
    238                     signingCertFilePath=g.securityCfg.wssCertFilePath, 
    239                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
    240                     signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
    241                     caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
    242                     tracefile=g.securityCfg.tracefile) 
    243              
    244             HostInfo = aaClnt.getAllHostsInfo() 
    245             requestServerDN = [val['loginRequestServerDN'] \ 
    246                                for val in HostInfo.values()] 
    247             log.debug("Expecting DN for SSL peer one of: %s"%requestServerDN) 
    248             hostCheck=HostCheck(acceptedDNs=requestServerDN, 
    249                     caCertFilePathList=g.securityCfg.sslCACertFilePathList)             
    250             testConnection = HTTPSConnection(returnToHostname,  
    251                                              None,  
    252                                              postConnectionCheck=hostCheck) 
    253  
    254             log.debug('Testing connection to "%s"' % returnToHostname) 
    255             try: 
    256                 try: 
    257                     testConnection.connect() 
    258                 except (InvalidCertSignature, InvalidCertDN), e: 
    259                     log.error("Login: requestor SSL certificate: %s" % e) 
    260                     c.xml = """Request to redirect back to %s with your  
    261 credentials refused: there is a problem with the SSL certificate of this site. 
    262   Please report this to your site administrator.""" % returnToHostname 
    263                     response.status_code = 400 
    264                     return render('login') 
    265             finally:     
    266                 testConnection.close() 
    267  
    268             log.debug("SSL peer cert. is OK - redirecting to [%s] ..." % cc) 
    269             h.redirect_to(cc) 
    270         else: 
    271             c.xml='<p> Logged in </p>' 
    272             return render('content') 
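Review bot: the `if True:` at old lines 223-225 replaces the commented-out `if thisHostname not in returnToHostname:` test, so the session tokens from `LoginServiceQuery()` are appended to the redirect URL unconditionally, contradicting the comment "Only add token if return URI is in a different domain"; after that, the only control on where the tokens go is the SSL peer-certificate check (`HostCheck(acceptedDNs=requestServerDN, ...)` against the `loginRequestServerDN` values from `getAllHostsInfo()`). As this controller moves to ndg.security.server.sso, either restore a real hostname comparison there (an exact or domain-suffix match, not the substring test that was commented out) or delete the dead branch, and wrap `base64.urlsafe_b64decode(c.returnTo)` at old line 219 in a try/except as logout's `__redirect` does, since a malformed `r` parameter otherwise raises TypeError before the peer check runs.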
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/controllers/logout.py

    r3536 r3893  
    11from ows_server.lib.base import * 
    2 from ows_server.lib.security_util import SecuritySession 
    32import logging 
    43log = logging.getLogger(__name__) 
    54 
    6 from paste.request import parse_querystring 
    7 import sys # include in case tracefile is set to sys.stderr  
    8 import base64 # decode the return to address 
    9 from urlparse import urlsplit, urlunsplit 
     5try: 
     6    from ndg.security.server.sso.sso.controllers.logout import LogoutController as\ 
     7        _LogoutController 
     8         
     9    class LogoutController(_LogoutController): 
     10        '''Provides the pylons controller for logout.  This is a wrapper class. 
     11        - All functionality is provided from ndg.security.server.sso.sso the  
     12        NDG Security Single Sign On Service package''' 
     13             
     14except ImportError, e: 
     15    from warnings import warn 
     16    warn("Importing LogoutController for Single Sign On Service: %s" % e,  
     17         RuntimeWarning) 
     18     
     19    # Default to base version to avoid an exception if 'Logout' is invoked         
     20    class LogoutController(BaseController): 
     21        '''Raise a 404 error for case where Single Sign ON Service is disabled 
     22        '''         
     23        def index(self): 
     24            log.info("Single Sign On Service is disabled setting 404 error...") 
     25            abort(404) 
    1026 
    11 from ndg.security.common.SessionMgr import SessionMgrClient 
    12  
    13  
    14 class LogoutController(BaseController): 
    15     '''Provides the pylons controller for logging out and killing the cookies 
    16     ''' 
    17      
    18     def __before__(self): 
    19         """Get return to URL""" 
    20         c.returnTo = request.params.get('r', '') 
    21          
    22         # Check return to address - getCredentials should NOT be returned to 
    23         # with its query args intact 
    24         b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
    25         scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
    26         if 'getCredentials' in pathInfo: 
    27             # Swap to discovery and remove sensitive creds query args 
    28             # 
    29             # TODO: re-write to be more robust and modular.  Nb.  
    30             # BaseController.__call__ should filter out 'getCredentials' 
    31             # calls from c.requestURL so this code should never need to be  
    32             # executed. 
    33             filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','','')) 
    34             c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
    35  
    36      
    37     def index(self): 
    38         ''' Ok, you really want to logout here ''' 
    39  
    40         if 'ndgSec' not in session: 
    41             # There's no handle to a security session 
    42             log.error("logout called but no 'ndgSec' key in session object") 
    43             return self.__redirect() 
    44          
    45         # Fixed URI to be equal to the session's security settings 'h' param! 
    46         # This contains the location of the Session Manager where the users 
    47         # session is held. 
    48         # 
    49         # Removed sslPeerCertCN setting here - the session manager could at  
    50         # any of a number of different trusted sites where the user logged in 
    51         # from.  There's no way of predicting an alternate SSL cert Common 
    52         # Name through the config file settings 
    53         # 
    54         # P J Kershaw 21/11/2007 
    55         try: 
    56             smClnt = SessionMgrClient(uri=session['ndgSec']['h'], 
    57                     sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 
    58                     signingCertFilePath=g.securityCfg.wssCertFilePath, 
    59                     signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
    60                     signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
    61                     caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
    62                     tracefile=g.securityCfg.tracefile)        
    63         except Exception, e: 
    64             log.error("logout - creating Session Manager client: %s" % e) 
    65             return self.__cleanupAndRedirect()   
    66          
    67         # Disconnect from Session Manager 
    68         log.info('Calling Session Manager "%s" disconnect for logout...' % \ 
    69                  g.securityCfg.smURI) 
    70         try: 
    71             smClnt.disconnect(sessID=session['ndgSec']['sid']) 
    72         except Exception, e: 
    73             log.error("Error with Session Manager logout: %s" % e) 
    74             # don't exit here - instead proceed to delete session and  
    75             # redirect ... 
    76  
    77         return self.__cleanupAndRedirect() 
    78  
    79  
    80     def __cleanupAndRedirect(self): 
    81         """Remove security session and call _redirect""" 
    82         try: 
    83             # easy to kill our cookie 
    84             SecuritySession.delete() 
    85             if 'ndgCleared' in session: del session['ndgCleared'] 
    86             session.save() 
    87              
    88         except Exception, e:    
    89             log.error("logout - clearing security session: %s" % e) 
    90  
    91         return self.__redirect() 
    92      
    93      
    94     def __redirect(self): 
    95         """Handle redirect back to previous page""" 
    96         if c.returnTo: 
    97             # Decode the return to address 
    98             try: 
    99                 b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
    100             except Exception, e: 
    101                 log.error("logout - decoding return URL: %s" % e)  
    102                 return render('content') 
    103              
    104             # and now go back to whence we had come 
    105             h.redirect_to(b64decReturnTo) 
    106         else: 
    107             return render('content') 
     27#from ows_server.lib.security_util import SecuritySession 
     28#import logging 
     29#log = logging.getLogger(__name__) 
     30# 
     31#from paste.request import parse_querystring 
     32#import sys # include in case tracefile is set to sys.stderr  
     33#import base64 # decode the return to address 
     34#from urlparse import urlsplit, urlunsplit 
     35# 
     36#from ndg.security.common.SessionMgr import SessionMgrClient 
     37# 
     38# 
     39#class LogoutController(BaseController): 
     40#    '''Provides the pylons controller for logging out and killing the cookies 
     41#    ''' 
     42#     
     43#    def __before__(self): 
     44#        """Get return to URL""" 
     45#        c.returnTo = request.params.get('r', '') 
     46#         
     47#        # Check return to address - getCredentials should NOT be returned to 
     48#        # with its query args intact 
     49#        b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
     50#        scheme, netloc, pathInfo, query, frag = urlsplit(b64decReturnTo) 
     51#        if 'getCredentials' in pathInfo: 
     52#            # Swap to discovery and remove sensitive creds query args 
     53#            # 
     54#            # TODO: re-write to be more robust and modular.  Nb.  
     55#            # BaseController.__call__ should filter out 'getCredentials' 
     56#            # calls from c.requestURL so this code should never need to be  
     57#            # executed. 
     58#            filteredReturnTo = urlunsplit((scheme,netloc,'/discovery','','')) 
     59#            c.returnTo = base64.urlsafe_b64encode(filteredReturnTo) 
     60# 
     61#     
     62#    def index(self): 
     63#        ''' Ok, you really want to logout here ''' 
     64# 
     65#        if 'ndgSec' not in session: 
     66#            # There's no handle to a security session 
     67#            log.error("logout called but no 'ndgSec' key in session object") 
     68#            return self.__redirect() 
     69#         
     70#        # Fixed URI to be equal to the session's security settings 'h' param! 
     71#        # This contains the location of the Session Manager where the users 
     72#        # session is held. 
     73#        # 
     74#        # Removed sslPeerCertCN setting here - the session manager could at  
     75#        # any of a number of different trusted sites where the user logged in 
     76#        # from.  There's no way of predicting an alternate SSL cert Common 
     77#        # Name through the config file settings 
     78#        # 
     79#        # P J Kershaw 21/11/2007 
     80#        try: 
     81#            smClnt = SessionMgrClient(uri=session['ndgSec']['h'], 
     82#                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 
     83#                    signingCertFilePath=g.securityCfg.wssCertFilePath, 
     84#                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
     85#                    signingPriKeyPwd=g.securityCfg.wssPriKeyPwd, 
     86#                    caCertFilePathList=g.securityCfg.wssCACertFilePathList, 
     87#                    tracefile=g.securityCfg.tracefile)        
     88#        except Exception, e: 
     89#            log.error("logout - creating Session Manager client: %s" % e) 
     90#            return self.__cleanupAndRedirect()   
     91#         
     92#        # Disconnect from Session Manager 
     93#        log.info('Calling Session Manager "%s" disconnect for logout...' % \ 
     94#                 g.securityCfg.smURI) 
     95#        try: 
     96#            smClnt.disconnect(sessID=session['ndgSec']['sid']) 
     97#        except Exception, e: 
     98#            log.error("Error with Session Manager logout: %s" % e) 
     99#            # don't exit here - instead proceed to delete session and  
     100#            # redirect ... 
     101# 
     102#        return self.__cleanupAndRedirect() 
     103# 
     104# 
     105#    def __cleanupAndRedirect(self): 
     106#        """Remove security session and call _redirect""" 
     107#        try: 
     108#            # easy to kill our cookie 
     109#            SecuritySession.delete() 
     110#            if 'ndgCleared' in session: del session['ndgCleared'] 
     111#            session.save() 
     112#             
     113#        except Exception, e:    
     114#            log.error("logout - clearing security session: %s" % e) 
     115# 
     116#        return self.__redirect() 
     117#     
     118#     
     119#    def __redirect(self): 
     120#        """Handle redirect back to previous page""" 
     121#        if c.returnTo: 
     122#            # Decode the return to address 
     123#            try: 
     124#                b64decReturnTo = base64.urlsafe_b64decode(c.returnTo) 
     125#            except Exception, e: 
     126#                log.error("logout - decoding return URL: %s" % e)  
     127#                return render('content') 
     128#             
     129#            # and now go back to whence we had come 
     130#            h.redirect_to(b64decReturnTo) 
     131#        else: 
     132#            return render('content') 
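Review bot: new lines 27-132 carry the whole previous LogoutController along as a commented-out block; delete it rather than comment it out, since r3536 stays in the repository history and a stale copy of the Session Manager `disconnect` logic and the `getCredentials` return-URL filter in `__before__` will only drift from the version now living in ndg.security.server.sso.sso.controllers.logout. Separately, the `warn()` text at new lines 16-17 ("Importing LogoutController for Single Sign On Service: %s") reads as if the import succeeded; state what failed and what the fallback does, e.g. "Single Sign On LogoutController unavailable, logout will return 404: %s".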
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/base.py

    r3661 r3893  
    2525import ows_common.xml 
    2626 
     27# NDG Security import enables Single Sign On capability but note this is not 
     28# required for a standalone discovery service deployment 
     29try: 
     30    from ndg.security.client.ssoclient.ssoclient.lib.base import \ 
     31        BaseController as _BaseController 
     32except ImportError, e: 
     33    from warnings import warn 
     34    warn('%s: ndg.security.client unavailable - ' % __name__ + \ 
     35         'Single Sign on functionality disabled: %s' % e, 
     36         RuntimeWarning) 
    2737 
     38    # Extend BaseController from WSGIController instead 
     39    _BaseController = WSGIController 
     40 
     41  
    2842try: 
    2943    from xml.etree import ElementTree as ET 
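Review bot: the ImportError fallback at new lines 32-39 turns a missing or broken ndg.security.client into a RuntimeWarning and then binds `_BaseController = WSGIController`, so every controller keeps serving with the SSO session handling silently removed. A deployment that is configured for single sign on should fail at start-up rather than degrade: gate the fallback on an explicit configuration flag for standalone discovery mode and re-raise the ImportError when SSO is expected, because a warning in the paster log is easy to miss and the result is a site that accepts requests without any security session.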
     
    3751EXCEPTION_TYPE = request.environ['ndgConfig'].get('OWS_SERVER', 'exception_type', 'ogc').lower() 
    3852 
    39 class BaseController(WSGIController): 
     53class BaseController(_BaseController): 
    4054     
    4155    def __call__(self, environ, start_response):         
     
    4458        # the action or route vars here 
    4559 
    46         logger.debug("BaseController.__call__ ...") 
    47          
    48         # construct URL picking up setting of server name from config to  
    49         # avoid exposing absolute URL hidden behind mod_proxy see #857  
    50         # Also, avoid returning to getCredentials and potentially exposing 
    51         # username/pass-phrase on URL. 
    52         # TODO: rework getCredentials get-out for more modular solution 
    53         pathInfo = urllib.quote(environ.get('PATH_INFO', ''))  
    54         if 'getCredentials' in pathInfo: 
    55             logger.debug(\ 
    56                 "Reverting request URL from getCredentials to discovery...") 
    57             c.requestURL = g.server + '/discovery'        
    58         else: 
    59             c.requestURL = g.server + pathInfo 
    60             query='&'.join(["%s=%s"%item for item in request.params.items()]) 
    61             if query: 
    62                 c.requestURL += '?' + query 
    63          
    64         # Base 64 encode to enable passing around in 'r' argument of query 
    65         # string for use with login/logout 
    66         c.b64encRequestURL = urlsafe_b64encode(c.requestURL) 
    67  
    68         if 'h' in request.params: 
    69             # 'h' corresponds to the setting of a session manager host i.e. 
    70             # the request has come from a completed login from the login  
    71             # service 
    72             logger.debug("Setting security session from URL query args ...") 
    73              
    74             # Copy the query arguments into security session keys 
    75             setSecuritySession() 
    76              
    77             session.save() 
    78              
    79             # Re-construct the URL removing the security related arguments 
    80             qs = LoginServiceQuery.stripFromURI() 
    81  
    82             logger.debug('Switching from https to http...') 
    83             cc = g.server + urllib.quote(environ.get('PATH_INFO','')) 
    84             if qs: 
    85                 cc += "?" + qs 
    86                  
    87             logger.debug('URL transport switched to http: "%s"' % cc) 
    88             h.redirect_to(cc) 
    89  
     60        logger.debug("BaseController.__call__ ...")         
    9061                 
    9162        #organise the information needed by pagetabs ...  
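Review bot: two behaviours leave this file without a stated replacement. Old lines 50-57 prevented `c.requestURL` from pointing at `getCredentials`, precisely so that a username/pass-phrase query string could not be base64-encoded into the `r` return parameter (the removed logout `__before__` carries a TODO that assumes `BaseController.__call__` does this filtering), and old lines 68-88 copied the `h`-signalled security tokens out of the query string into the session and redirected to a URL with them stripped. Both now rest entirely on `_BaseController.__call__` from ndg.security.client.ssoclient; confirm that implementation keeps both, and note that in the WSGIController fallback neither happens and `c.requestURL` is never set.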
     
    10172        if 'viewItems' in session: c.pageTabs.append(('View', h.url_for(controller='viewItems',action='index'))) 
    10273         
    103         return WSGIController.__call__(self, environ, start_response) 
     74        return _BaseController.__call__(self, environ, start_response) 
    10475     
    10576class OwsController(BaseController): 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/lib/security_util.py

    r3084 r3893  
    124124        @return: URL query string with security args removed""" 
    125125        keys = params or cls.keys 
    126         return cls.argSep.join(['%s=%s' % (i, request.params[i]) \ 
    127                                 for i in request.params if i not in keys]) 
     126        return str(cls.argSep.join(['%s=%s' % (i, request.params[i]) \ 
     127                                for i in request.params if i not in keys])) 
    128128 
    129129    @classmethod 
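Review bot: the `str()` wrapper at new lines 126-127 will raise UnicodeEncodeError for any non-ASCII query value, because `request.params` values are unicode; if a byte string is genuinely needed, encode explicitly with `.encode('utf-8')`. The rebuilt string also still interpolates values as `'%s=%s' % (i, request.params[i])` with no URL quoting, so a value containing `&` or `=` changes the meaning of the query once it is appended to the redirect URL; `urllib.urlencode` over the filtered items gives a byte string and correct quoting in one step.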
     
    182182import sys 
    183183 
    184 class SecurityConfigError(Exception): 
    185     """Handle errors from parsing security config items""" 
    186         
    187 class SecurityConfig(object): 
    188     """Get Security related parameters from the Pylons NDG config file""" 
    189  
    190     def __init__(self, cfg=None): 
    191         '''Get PKI settings for Attribute Authority and Session Manager from 
    192         the configuration file 
    193          
    194         @type param: pylons config file object 
    195         @param cfg: reference to NDG configuration file.  If omitted defaults 
    196         to request.environ['ndgConfig']''' 
    197          
    198         if cfg is None: 
    199             cfg = request.environ['ndgConfig'] 
    200  
    201         tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile') 
    202         if tracefileExpr: 
    203             self.tracefile = eval(tracefileExpr) 
    204  
    205         self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI')         
    206         self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI') 
    207          
    208         # ... for SSL connections to security web services 
    209         try: 
    210             self.sslCACertFilePathList = \ 
    211             cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split() 
    212                  
    213         except AttributeError: 
    214             raise SecurityConfigError, \ 
    215                         'No "sslCACertFilePathList" security setting' 
    216  
    217         self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN') 
    218  
    219         # ...and for WS-Security digital signature 
    220         self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath') 
    221         self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath') 
    222         self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd') 
    223  
    224         try: 
    225             self.wssCACertFilePathList = \ 
    226                 cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split() 
    227                  
    228         except AttributeError: 
    229             raise SecurityConfigError, \ 
    230                                 'No "wssCACertFilePathList" security setting' 
    231  
    232         # Gatekeeper params 
    233          
    234         # Attribute Certificate Issuer 
    235         self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer') 
    236          
    237         # verification of X.509 cert back to CA 
    238         try: 
    239             self.acCACertFilePathList = cfg.get('NDG_SECURITY',  
    240                                             'acCACertFilePathList').split()           
    241         except AttributeError: 
    242             raise SecurityConfigError, \ 
    243                                 'No "acCACertFilePathList" security setting' 
    244  
    245               
    246     def __repr__(self): 
    247         return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \ 
    248                 if k[:2] != "__"]) 
     184# Replaced by ndg.security package equivalent 
     185#class SecurityConfigError(Exception): 
     186#    """Handle errors from parsing security config items""" 
     187#        
     188#class SecurityConfig(object): 
     189#    """Get Security related parameters from the Pylons NDG config file""" 
     190# 
     191#    def __init__(self, cfg=None): 
     192#        '''Get PKI settings for Attribute Authority and Session Manager from 
     193#        the configuration file 
     194#         
     195#        @type param: pylons config file object 
     196#        @param cfg: reference to NDG configuration file.  If omitted defaults 
     197#        to request.environ['ndgConfig']''' 
     198#         
     199#        if cfg is None: 
     200#            cfg = request.environ['ndgConfig'] 
     201# 
     202#        tracefileExpr = cfg.get('NDG_SECURITY', 'tracefile') 
     203#        if tracefileExpr: 
     204#            self.tracefile = eval(tracefileExpr) 
     205# 
     206#        self.smURI = cfg.get('NDG_SECURITY', 'sessionMgrURI')         
     207#        self.aaURI = cfg.get('NDG_SECURITY', 'attAuthorityURI') 
     208#         
     209#        # ... for SSL connections to security web services 
     210#        try: 
     211#            self.sslCACertFilePathList = \ 
     212#            cfg.get('NDG_SECURITY', 'sslCACertFilePathList').split() 
     213#                 
     214#        except AttributeError: 
     215#            raise SecurityConfigError, \ 
     216#                        'No "sslCACertFilePathList" security setting' 
     217# 
     218#        self.sslPeerCertCN = cfg.get('NDG_SECURITY', 'sslPeerCertCN') 
     219# 
     220#        # ...and for WS-Security digital signature 
     221#        self.wssCertFilePath = cfg.get('NDG_SECURITY', 'wssCertFilePath') 
     222#        self.wssPriKeyFilePath = cfg.get('NDG_SECURITY', 'wssKeyFilePath') 
     223#        self.wssPriKeyPwd = cfg.get('NDG_SECURITY', 'wssKeyPwd') 
     224# 
     225#        try: 
     226#            self.wssCACertFilePathList = \ 
     227#                cfg.get('NDG_SECURITY', 'wssCACertFilePathList').split() 
     228#                 
     229#        except AttributeError: 
     230#            raise SecurityConfigError, \ 
     231#                                'No "wssCACertFilePathList" security setting' 
     232# 
     233#        # Gatekeeper params 
     234#         
     235#        # Attribute Certificate Issuer 
     236#        self.acIssuer = cfg.get('NDG_SECURITY', 'acIssuer') 
     237#         
     238#        # verification of X.509 cert back to CA 
     239#        try: 
     240#            self.acCACertFilePathList = cfg.get('NDG_SECURITY',  
     241#                                            'acCACertFilePathList').split()           
     242#        except AttributeError: 
     243#            raise SecurityConfigError, \ 
     244#                                'No "acCACertFilePathList" security setting' 
     245# 
     246#              
     247#    def __repr__(self): 
     248#        return '\n'.join(["%s=%s" % (k,v) for k,v in self.__dict__.items() \ 
     249#                if k[:2] != "__"]) 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/models/ndgSecurity.py

    r3134 r3893  
    145145        self.smClnt = SessionMgrClient(uri=self.securityTokens['h'], 
    146146                    sslCACertFilePathList=g.securityCfg.sslCACertFilePathList, 
    147                     sslPeerCertCN=g.securityCfg.sslPeerCertCN, 
     147#                    sslPeerCertCN=g.securityCfg.sslPeerCertCN, 
    148148                    signingCertFilePath=g.securityCfg.wssCertFilePath, 
    149149                    signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath, 
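Review bot: commenting out `sslPeerCertCN=g.securityCfg.sslPeerCertCN` at line 147 leaves a dangling reference to an attribute this changeset removes from the config class; delete the line. Dropping the CN pin also means the Session Manager named in the session's `h` token is now accepted on CA chain validity alone (`sslCACertFilePathList`), so any host holding a certificate from one of those CAs could answer as the Session Manager. The removed login code already fetches per-host DNs from the Attribute Authority and verifies them with `HostCheck(acceptedDNs=...)`; a list of accepted DNs for the trusted Session Managers, applied the same way, is the natural replacement for the single fixed CN.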
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/public/layout/ndg2.css

    r3842 r3893  
    3131 border: solid #333333; 
    3232 border-width: 0 0 2px 0; 
    33  background-image:url(/ndg-test/layout/header_image.jpg);background-position:right;background-repeat:repeat-x;} 
     33 background-image:url(/layout/header_image.jpg);background-position:right;background-repeat:repeat-x;} 
    3434 
    3535#logo{ 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/__init__.py

    r2484 r3893  
     1 
  • TI05-delivery/ows_framework/trunk/ows_server/ows_server/templates/ndgPage.kid

    r3646 r3893  
    133133    </span> 
    134134     
    135     <!-- Login and out buttons -->     
     135    <!-- Login and out buttons -->   
    136136    <span py:def="logOut()" class="logOut"> 
     137            <?python 
     138            from base64 import urlsafe_b64encode 
     139             
     140            # Base 64 encode to enable passing around in 'r' argument of query 
     141            # string for use with login/logout 
     142            c.returnTo = c.requestURL 
     143            c.b64encReturnTo = urlsafe_b64encode(c.requestURL) 
     144            ?> 
    137145        <form action="$g.logout"> 
    138             <input type="hidden" name="r" value="${c.b64encRequestURL}"/> 
     146            <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 
    139147            <input type="submit" value="Logout"/> 
    140148        </form> 
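Review bot: the `<?python ?>` block at new lines 137-144 mutates the template context (`c.returnTo`, `c.b64encReturnTo`) from inside a `py:def`, and the identical block is repeated verbatim in `logIn()` below. Compute the encoded return URL once, in the controller (it was `c.b64encRequestURL` from base.py before this change) or in a single template helper, and have both forms read that value; and only assign `c.returnTo` if something consumes the unencoded form.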
     
    142150     
    143151    <span py:def="logIn()" class="logIn"> 
     152            <?python 
     153            from base64 import urlsafe_b64encode 
     154             
     155            # Base 64 encode to enable passing around in 'r' argument of query 
     156            # string for use with login/logout 
     157            c.returnTo = c.requestURL 
     158            c.b64encReturnTo = urlsafe_b64encode(c.requestURL) 
     159            ?> 
    144160        <form action="$g.wayfuri"> 
    145             <input type="hidden" name="r" value="${c.b64encRequestURL}"/> 
     161            <input type="hidden" name="r" value="${c.b64encReturnTo}"/> 
    146162            <input type="submit" value="Login"/> 
    147163        </form> 
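Review bot: `urlsafe_b64encode(c.requestURL)` at new line 158 assumes `c.requestURL` is set on every request, but this changeset removes the code in base.py that set it and, when ndg.security.client cannot be imported, falls back to a plain WSGIController that sets nothing; depending on whether the Pylons context object is strict, rendering the login button then either raises or silently emits an empty `r` value. A non-ASCII unicode URL would also fail in `urlsafe_b64encode`. Guard the lookup and encode explicitly, e.g. `urlsafe_b64encode(getattr(c, 'requestURL', '').encode('utf-8'))`, or better, leave the encoding to the controller so the template only reads a ready value.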