Changeset 4682 for TI12-security/trunk/python
- Timestamp:
- 18/12/08 17:05:05 (12 years ago)
- Location:
- TI12-security/trunk/python
- Files:
-
- 8 edited
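--- a/TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
+++ b/TI12-security/trunk/python/ndg.security.common/ndg/security/common/X509.py
@@ -13,5 +13,5 @@
 import logging
 log = logging.getLogger(__name__)
-from warnings import warn # warn of impendi ong certificate expiry
+from warnings import warn # warn of impending certificate expiry
 
 import types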
TI12-security/trunk/python/ndg.security.common/ndg/security/common/utils/configfileparsers.py
r4680 r4682 171 171 172 172 if cfg is None: 173 self.cfg = CaseSensitiveConfigParser() 173 hereDef = {'here': os.path.dirname(propFilePath)} 174 self.cfg = CaseSensitiveConfigParser(defaults=hereDef) 174 175 self.cfg.read(propFilePath) 175 176 if not os.path.isfile(propFilePath): -
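Review bot: `os.path.dirname(propFilePath)` returns an empty string when the caller passes a bare filename, so every `%(here)s/...` setting in the ini file then interpolates to a root-anchored path such as `/ca/ndg-test-ca.crt`, and the CA list, signing certificate and private key settings silently resolve to the wrong location. Anchoring the path before taking its directory avoids that: `hereDef = {'here': os.path.dirname(os.path.abspath(propFilePath))}`. The enclosing method starts and ends outside the hunk, and the rendered lines have lost their indentation, so placement is inferred from the surrounding statements.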
TI12-security/trunk/python/ndg.security.server/ndg/security/server/templates/default_project/services.ini_tmpl
r4680 r4682 5 5 # * Session Manager 6 6 # * Attribute Authority 7 # * OpenID Provider8 7 # 9 8 # The %(here)s variable will be replaced with the parent directory of this file … … 11 10 # Author: P J Kershaw 12 11 # date: 30/11/05 13 # Copyright: (C) 2008 STFC 12 # Copyright: (C) 2008 STFC & NERC 14 13 # license: This software may be distributed under the terms of the Q Public 15 14 # License, version 1.0 or later. 16 15 # Contact: Philip.Kershaw@stfc.ac.uk 16 # Revision: $$Id$$ 17 17 18 18 [DEFAULT] … … 20 20 # Attribute Authority settings 21 21 # 'name' setting MUST agree with map config file 'thisHost' name attribute 22 attributeAuthority.name: ${attributeAuthorityID}22 attributeAuthority.name: Site A 23 23 24 24 # Lifetime is measured in seconds … … 31 31 32 32 # All Attribute Certificates issued are recorded in this dir 33 attributeAuthority.attCertDir: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/attCertLog33 attributeAuthority.attCertDir: %(here)s/siteAAttributeAuthority/attCertLog 34 34 35 35 # Files in attCertDir are stored using a rotating file handler … … 41 41 42 42 # Location of role mapping file 43 attributeAuthority.mapConfigFile: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/siteAMapConfig.xml43 attributeAuthority.mapConfigFile: %(here)s/siteAAttributeAuthority/siteAMapConfig.xml 44 44 45 45 # Settings for custom AAUserRoles derived class to get user roles for given 46 46 # user ID 47 attributeAuthority.userRolesModFilePath: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority47 attributeAuthority.userRolesModFilePath: %(here)s/siteAAttributeAuthority 48 48 attributeAuthority.userRolesModName: siteAUserRoles 49 49 attributeAuthority.userRolesClassName: TestUserRoles 50 50 51 51 # Config for XML signature of Attribute Certificate 52 attributeAuthority.signingPriKeyFilePath: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/siteA-aa.key53 attributeAuthority.signingCertFilePath: $NDGSEC_CONFIG_DIR/siteAAttributeAuthority/siteA-aa.crt54 attributeAuthority.caCertFilePathList: 
$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt52 attributeAuthority.signingPriKeyFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.key 53 attributeAuthority.signingCertFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.crt 54 attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt 55 55 56 56 #______________________________________________________________________________ … … 62 62 # 63 63 # CA certificates for Attribute Certificate signature validation 64 sessionManager.credentialWallet.caCertFilePathList= $NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt64 sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt 65 65 66 66 # CA certificates for SSL connection peer cert. validation - required if 67 67 # connecting to an Attribute Authority over SSL 68 sessionManager.credentialWallet.sslCACertFilePathList= $NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt68 sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt 69 69 70 70 # Allow Get Attribute Certificate calls to try to get a mapped certificate … … 95 95 # The CA certificates of other NDG trusted sites should go here. NB, multiple 96 96 # values should be delimited by a space 97 sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt97 sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt 98 98 99 99 # Signature of an outbound message … … 105 105 106 106 # PEM encoded cert 107 sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/sm.crt107 sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt 108 108 109 109 # ... 
or provide file path to PEM encoded private key file 110 sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/sm.key110 sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key 111 111 112 112 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a … … 134 134 # Specific settings for UserCertAuthN Session Manager authentication plugin 135 135 # This sets up PKI credentials for a single test account 136 sessionManager.authNService.userX509CertFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/user.crt137 sessionManager.authNService.userPriKeyFilePath: $NDGSEC_CONFIG_DIR/sessionmanager/user.key136 sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt 137 sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key 138 138 sessionManager.authNService.userPriKeyPwd: testpassword 139 139 … … 196 196 paste.filter_app_factory = 197 197 ndg.security.test.combinedservices.serverapp:filter_app_factory 198 198 sessionManagerFilterID = filter:SessionManagerFilter 199 attributeAuthorityFilterID = filter:AttributeAuthorityFilter 199 200 200 201 #______________________________________________________________________________ … … 217 218 # identified by this prefix: 218 219 AttributeAuthority.propPrefix = attributeAuthority 219 AttributeAuthority.propFilePath = $NDGSEC_CONFIG_DIR/services.ini220 AttributeAuthority.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01220 AttributeAuthority.propFilePath = %(here)s/services.ini 221 AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 221 222 222 223 # Provide an identifier for this filter so that main WSGI app 223 224 # CombinedServicesWSGI Session Manager filter can call this Attribute Authority 224 225 # directly 225 referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01226 
referencedFilters = filter:wsseSignatureVerificationFilter 226 227 227 228 # Path from URL for Attribute Authority in this Paste deployment … … 231 232 enableWSDLQuery = True 232 233 charset = utf-8 233 filterID = ndg.security.server.wsgi.attributeAuthorityFilter234 filterID = %(__name__)s 234 235 235 236 #______________________________________________________________________________ … … 252 253 # by this prefix: 253 254 SessionManager.propPrefix = sessionManager 254 SessionManager.propFilePath = $NDGSEC_CONFIG_DIR/services.ini255 SessionManager.propFilePath = %(here)s/services.ini 255 256 256 257 # This filter references other filters - a local Attribute Authority (optional) 257 258 # and a WS-Security signature verification filter (required if using signature 258 259 # to authenticate user in requests 259 SessionManager.attributeAuthorityFilterID = ndg.security.server.wsgi.attributeAuthorityFilter260 SessionManager.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01260 SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter 261 SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 261 262 262 263 # The SessionManagerWS SOAP interface class needs to know about these other 263 264 # filters 264 referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01265 ndg.security.server.wsgi.attributeAuthorityFilter265 referencedFilters = filter:wsseSignatureVerificationFilter 266 filter:AttributeAuthorityFilter 266 267 267 268 # Path from URL for Session Manager in this Paste deployment … … 274 275 # Provide an identifier for this filter so that main WSGI app 275 276 # CombinedServicesWSGI can call this Session Manager directly 276 filterID = ndg.security.server.wsgi.sessionManagerFilter277 filterID = %(__name__)s 277 278 278 279 #______________________________________________________________________________ … … 280 281 
[filter:wsseSignatureVerificationFilter] 281 282 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter 282 filterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01283 filterID = %(__name__)s 283 284 284 285 # Settings for WS-Security SignatureHandler class used by this filter … … 286 287 287 288 # Verify against known CAs - Provide a space separated list of file paths 288 wssecurity.caCertFilePathList=$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt 289 #wssecurity.caCertFilePathList=$NDGSEC_CONFIG_DIR/ca/ndg-test-ca.crt $NDGSEC_CONFIG_DIR/ca/java-ca.crt 289 wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt 290 290 291 291 #______________________________________________________________________________ … … 296 296 # Reference the verification filter in order to be able to apply signature 297 297 # confirmation 298 referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01299 wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01298 referencedFilters = filter:wsseSignatureVerificationFilter 299 wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 300 300 301 301 # Last filter in chain of SOAP handlers writes the response … … 307 307 # Certificate associated with private key used to sign a message. The sign 308 308 # method will add this to the BinarySecurityToken element of the WSSE header. 
309 wssecurity.signingCertFilePath= $NDGSEC_CONFIG_DIR/server.crt309 wssecurity.signingCertFilePath=%(here)s/server.crt 310 310 311 311 # PEM encoded private key file 312 wssecurity.signingPriKeyFilePath= $NDGSEC_CONFIG_DIR/server.key312 wssecurity.signingPriKeyFilePath=%(here)s/server.key 313 313 314 314 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a … … 399 399 # setting below is the default and can be omitted if it matches the filterID 400 400 # set for the Session Manager 401 #openid.provider.authN.environKey= ndg.security.server.wsgi.sessionManagerFilter401 #openid.provider.authN.environKey=filter:SessionManagerFilter 402 402 403 403 # Database connection to enable check between username and OpenID identifier -
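Review bot: `attributeAuthority.name: Site A` replaces the `${attributeAuthorityID}` template variable with a fixed test-site value, although the comment two lines above says this name MUST agree with the map config file's `thisHost`; every deployment generated from this template will carry "Site A" until someone edits it by hand. Whether the variable is now substituted by some other mechanism is not visible here (template.py in this changeset starts importing `_skip_variables`), so if the literal is intentional a comment such as `# CHANGE ME: must match the thisHost attribute in the map config file` on that line would at least flag it. The switch from `$NDGSEC_CONFIG_DIR` to `%(here)s` for the CA and key paths is repeated verbatim in the test services.ini section below and raises no separate point.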
TI12-security/trunk/python/ndg.security.server/ndg/security/server/templates/template.py
r4674 r4682 1 1 #!/usr/bin/env python 2 2 3 from paste.script.templates import Template, var 3 from paste.script.templates import Template, var, _skip_variables 4 4 5 5 vars = [ -
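Review bot: `_skip_variables` is an underscore-prefixed name, i.e. a private symbol of paste.script, so this import pins the template to an internal API that can move or vanish on a paste.script upgrade without any deprecation. Its use is not visible in this hunk; if it is needed, a comment on the import such as `# private paste.script API - verify on upgrade` would record the dependency for the next maintainer.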
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/attributeauthorityclient.py
r4680 r4682 18 18 from ndg.security.common.attributeauthority import AttributeAuthorityClient 19 19 20 class WSGIAttributeAuthorityClientError(Exception): 21 """Base class for WSGIAttributeAuthorityClient exceptions""" 22 23 class WSGIAttributeAuthorityClientConfigError( 24 WSGIAttributeAuthorityClientError): 25 """Configuration error""" 26 20 27 class WSGIAttributeAuthorityClient(object): 21 28 """Client interface to Attribute Authority for WSGI based applications … … 76 83 # Connect to local instance 77 84 return self.ref.hostInfo 78 else: 85 86 elif self._soapClient is None: 87 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 88 "local Attribute Authority is set and no SOAP client " 89 "to a remote service has been initialized") 90 else: 79 91 # Make connection to remote service 80 92 return self._soapClient.getHostInfo() … … 97 109 # Connect to local instance 98 110 return self.ref.getTrustedHostInfo(**kw) 111 elif self._soapClient is None: 112 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 113 "local Attribute Authority is set and no SOAP client " 114 "to a remote service has been initialized") 99 115 else: 100 116 # Make connection to remote service … … 116 132 allHostsInfo.update(self.ref.getTrustedHostInfo()) 117 133 return allHostsInfo 134 elif self._soapClient is None: 135 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 136 "local Attribute Authority is set and no SOAP client " 137 "to a remote service has been initialized") 118 138 else: 119 139 # Make connection to remote service … … 142 162 143 163 return self.ref.getAttCert(**kw) 164 elif self._soapClient is None: 165 raise WSGIAttributeAuthorityClientConfigError("No reference to a " 166 "local Attribute Authority is set and no SOAP client " 167 "to a remote service has been initialized") 144 168 else: 145 169 # Make connection to remote service -
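Review bot: The `elif self._soapClient is None: raise WSGIAttributeAuthorityClientConfigError(...)` guard is pasted with an identical three-line message into getHostInfo, getTrustedHostInfo, getAllHostsInfo and getAttCert, so a future change to the message or the condition has to be made four times. Factoring it into one accessor keeps each method to a single `return self._getSoapClient().getHostInfo()` style line. The same four-fold duplication appears in sessionmanagerclient.py (connect, disconnect, getSessionStatus, getAttCert) in this changeset. The enclosing methods start and end outside the visible hunks, so the exact indentation is inferred.
```python
class WSGIAttributeAuthorityClient(object):
    # … unchanged: docstring, __init__, properties …

    def _getSoapClient(self):
        """Return the SOAP client for the remote service.

        Raises WSGIAttributeAuthorityClientConfigError when neither a local
        Attribute Authority reference nor a SOAP client is available.
        """
        if self._soapClient is None:
            raise WSGIAttributeAuthorityClientConfigError("No reference to a "
                    "local Attribute Authority is set and no SOAP client "
                    "to a remote service has been initialized")
        return self._soapClient

    # … unchanged: each method's local-instance branch …
            # Make connection to remote service
            return self._getSoapClient().getHostInfo()
```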
TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/utils/sessionmanagerclient.py
r4680 r4682 57 57 SessionManagerClientError, SessionCertTimeError 58 58 59 # Combine Session not found exception classes as raised from server and60 # client side to enable convenient exception handling by a client to this61 # class. e.g. a call to WSGISessionManager.connect without the need to know62 # whether the wrapper is calling a remote service over the SOAP interface or63 # the service locally via a reference a Session Manager in environ:64 #65 # try:66 # wsgiClnt.connect(username, passphrase=p)67 # except SessionNotFound, e:68 # # do something69 # raise70 #71 # Rather than having to do:72 #73 # try:74 # wsgiClnt.connect(username, passphrase=p)75 # except (ndg.security.server.sessionmanager.SessionNotFound,76 # ndg.security.common.sessionmanager.SessionNotFound), e:77 # # do something78 # raise79 59 SessionNotFound = (_SrvSessionNotFound, _ClntSessionNotFound) 80 60 … … 116 96 a Session Manager instance in the same code stack available via an environ 117 97 keyword 98 99 @type environKey: basestring 100 @cvar environKey: default WSGI environ keyword name for reference to a 101 local Session Manager instance. Override with the environKey keyword to 102 __init__ 103 104 @type attributeAuthorityEnvironKey: basestring 105 @cvar attributeAuthorityEnvironKey: default WSGI environ keyword name for 106 reference to a local Attribute Authority instance used in calls to 107 getAttCert(). 
Override with the attributeAuthorityEnvironKey keyword to 108 __init__ 118 109 """ 119 110 environKey = "ndg.security.server.wsgi.sessionManagerFilter" 120 111 attributeAuthorityEnvironKey = WSGIAttributeAuthorityClient.environKey 112 121 113 _refInEnviron = lambda self: self._environKey in self._environ 122 114 … … 130 122 131 123 132 def __init__(self, environKey=None, environ={}, **soapClientKw): 124 def __init__(self, 125 environKey=None, 126 attributeAuthorityEnvironKey=None, 127 environ={}, 128 **soapClientKw): 133 129 134 130 log.debug("WSGISessionManagerClient.__init__ ...") 135 131 136 132 self._environKey = environKey or WSGISessionManagerClient.environKey 137 133 self._attributeAuthorityEnvironKey = attributeAuthorityEnvironKey or \ 134 WSGISessionManagerClient.attributeAuthorityEnvironKey 135 138 136 # Standard WSGI environment dict 139 137 self._environ = environ … … 171 169 # Connect to local instance 172 170 res = self.ref.connect(username=username, **kw) 171 172 elif self._soapClient is None: 173 raise WSGISessionManagerClientConfigError("No reference to a " 174 "local Session Manager is set and no SOAP client " 175 "to a remote service has been initialized") 173 176 else: 174 177 log.debug("Connecting to remote Session Manager service") … … 207 210 208 211 self.ref.deleteUserSession(**kw) 212 213 elif self._soapClient is None: 214 raise WSGISessionManagerClientConfigError("No reference to a " 215 "local Session Manager is set and no SOAP client " 216 "to a remote service has been initialized") 209 217 else: 210 218 if 'userX509Cert' in kw: … … 226 234 if self.refInEnviron: 227 235 return self.ref.getSessionStatus(**kw) 236 237 elif self._soapClient is None: 238 raise WSGISessionManagerClientConfigError("No reference to a " 239 "local Session Manager is set and no SOAP client " 240 "to a remote service has been initialized") 228 241 else: 229 242 return self._soapClient.getSessionStatus(**kw) … … 249 262 kw.get('attributeAuthority') is None: 250 263 
wsgiAttributeAuthorityClient = WSGIAttributeAuthorityClient( 251 environ=self._environ) 264 environ=self._environ, 265 environKey=self._attributeAuthorityEnvironKey) 252 266 253 267 if wsgiAttributeAuthorityClient.refInEnviron: … … 259 273 260 274 return self.ref.getAttCert(**kw) 275 276 elif self._soapClient is None: 277 raise WSGISessionManagerClientConfigError("No reference to a " 278 "local Session Manager is set and no SOAP client " 279 "to a remote service has been initialized") 261 280 else: 262 281 # Filter out keywords which apply to a Session Manager local -
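Review bot: The rewritten `__init__` signature keeps `environ={}` as a mutable default, and `self._environ = environ` stores that very dict, so every client constructed without an environ shares one module-level dictionary for the life of the process; a single write to it leaks into every later instance. Use `environ=None` in the signature and `self._environ = environ if environ is not None else {}` in the body. The removed block comment above `SessionNotFound = (_SrvSessionNotFound, _ClntSessionNotFound)` was the only explanation of why that tuple exists; a one-liner such as `# Server- and client-side SessionNotFound combined so callers can catch either with one except clause` would preserve it.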
TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/serverapp.py
r4680 r4682 31 31 """validation function""" 32 32 try: 33 client = WSGISessionManagerClient(environ=environ) 33 client = WSGISessionManagerClient(environ=environ, 34 environKey=self.sessionManagerFilterID) 34 35 res = client.connect(username, passphrase=password) 35 36 … … 61 62 def __init__(self, app, globalConfig, **localConfig): 62 63 self.app = app 63 64 self.sessionManagerFilterID = localConfig.get('sessionManagerFilterID') 65 self.attributeAuthorityFilterID = \ 66 localConfig.get('attributeAuthorityFilterID') 67 68 CombinedServicesWSGI.httpBasicAuthentication.sessionManagerFilterID = \ 69 self.sessionManagerFilterID 70 64 71 def __call__(self, environ, start_response): 65 72 … … 85 92 @authorize(httpBasicAuthentication._userIn) 86 93 def test_localSessionManagerGetSessionStatus(self, environ,start_response): 87 client = WSGISessionManagerClient(environ=environ) 94 client = WSGISessionManagerClient(environ=environ, 95 environKey=self.sessionManagerFilterID) 88 96 stat=client.getSessionStatus(sessID=environ[client.environKey+'.user']) 89 97 start_response('200 OK', [('Content-type', 'text/xml')]) … … 93 101 @authorize(httpBasicAuthentication._userIn) 94 102 def test_localSessionManagerDisconnect(self, environ, start_response): 95 client = WSGISessionManagerClient(environ=environ) 103 client = WSGISessionManagerClient(environ=environ, 104 environKey=self.sessionManagerFilterID) 96 105 client.disconnect(sessID=environ[client.environKey+'.user']) 97 106 … … 103 112 @authorize(httpBasicAuthentication._userIn) 104 113 def test_localSessionManagerGetAttCert(self, environ, start_response): 105 client = WSGISessionManagerClient(environ=environ) 114 client = WSGISessionManagerClient(environ=environ, 115 environKey=self.sessionManagerFilterID, 116 attributeAuthorityEnvironKey=self.attributeAuthorityFilterID) 117 106 118 attCert = client.getAttCert(sessID=environ[client.environKey+'.user']) 107 119 start_response('200 OK', [('Content-type', 'text/xml')]) … … 109 121 110 
122 def test_localAttributeAuthorityGetHostInfo(self, environ, start_response): 111 client = WSGIAttributeAuthorityClient(environ=environ) 123 client = WSGIAttributeAuthorityClient(environ=environ, 124 environKey=self.attributeAuthorityFilterID) 112 125 hostInfo = client.getHostInfo() 113 126 start_response('200 OK', [('Content-type', 'text/html')]) … … 118 131 environ, 119 132 start_response): 120 client = WSGIAttributeAuthorityClient(environ=environ) 133 client = WSGIAttributeAuthorityClient(environ=environ, 134 environKey=self.attributeAuthorityFilterID) 121 135 role = environ.get('QUERY_STRING', '').split('=')[-1] or None 122 136 hostInfo = client.getTrustedHostInfo(role=role) … … 128 142 environ, 129 143 start_response): 130 client = WSGIAttributeAuthorityClient(environ=environ) 144 client = WSGIAttributeAuthorityClient(environ=environ, 145 environKey=self.attributeAuthorityFilterID) 131 146 hostInfo = client.getAllHostsInfo() 132 147 start_response('200 OK', [('Content-type', 'text/html')]) … … 137 152 def test_localAttributeAuthorityGetAttCert(self, environ, start_response): 138 153 139 client = WSGIAttributeAuthorityClient(environ=environ) 154 client = WSGIAttributeAuthorityClient(environ=environ, 155 environKey=self.attributeAuthorityFilterID) 140 156 username=CombinedServicesWSGI.httpBasicAuthentication._userIn.users[-1] 141 157 -
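Review bot: `__init__` writes `self.sessionManagerFilterID` onto the class-level `CombinedServicesWSGI.httpBasicAuthentication` object, so the value is process-global and the last CombinedServicesWSGI constructed wins, while `localConfig.get('sessionManagerFilterID')` turns a missing setting into `None` without complaint. The client then falls back to its built-in default key (`self._environKey = environKey or WSGISessionManagerClient.environKey` in sessionmanagerclient.py), which no longer matches the `filter:SessionManagerFilter` id the ini files now set, so a misconfigured deployment fails much later with a "no SOAP client" error instead of at startup. Validate once in `__init__`: `if not self.sessionManagerFilterID: raise ValueError("sessionManagerFilterID setting is required")`, and likewise for attributeAuthorityFilterID. The class body continues outside the hunk.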
TI12-security/trunk/python/ndg.security.test/ndg/security/test/combinedservices/services.ini
r4672 r4682 31 31 32 32 # All Attribute Certificates issued are recorded in this dir 33 attributeAuthority.attCertDir: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/attCertLog33 attributeAuthority.attCertDir: %(here)s/siteAAttributeAuthority/attCertLog 34 34 35 35 # Files in attCertDir are stored using a rotating file handler … … 41 41 42 42 # Location of role mapping file 43 attributeAuthority.mapConfigFile: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteAMapConfig.xml43 attributeAuthority.mapConfigFile: %(here)s/siteAAttributeAuthority/siteAMapConfig.xml 44 44 45 45 # Settings for custom AAUserRoles derived class to get user roles for given 46 46 # user ID 47 attributeAuthority.userRolesModFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority47 attributeAuthority.userRolesModFilePath: %(here)s/siteAAttributeAuthority 48 48 attributeAuthority.userRolesModName: siteAUserRoles 49 49 attributeAuthority.userRolesClassName: TestUserRoles 50 50 51 51 # Config for XML signature of Attribute Certificate 52 attributeAuthority.signingPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.key53 attributeAuthority.signingCertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/siteAAttributeAuthority/siteA-aa.crt54 attributeAuthority.caCertFilePathList: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt52 attributeAuthority.signingPriKeyFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.key 53 attributeAuthority.signingCertFilePath: %(here)s/siteAAttributeAuthority/siteA-aa.crt 54 attributeAuthority.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt 55 55 56 56 #______________________________________________________________________________ … … 62 62 # 63 63 # CA certificates for Attribute Certificate signature validation 64 sessionManager.credentialWallet.caCertFilePathList= $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt64 sessionManager.credentialWallet.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt 65 
65 66 66 # CA certificates for SSL connection peer cert. validation - required if 67 67 # connecting to an Attribute Authority over SSL 68 sessionManager.credentialWallet.sslCACertFilePathList= $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt68 sessionManager.credentialWallet.sslCACertFilePathList=%(here)s/ca/ndg-test-ca.crt 69 69 70 70 # Allow Get Attribute Certificate calls to try to get a mapped certificate … … 95 95 # The CA certificates of other NDG trusted sites should go here. NB, multiple 96 96 # values should be delimited by a space 97 sessionManager.credentialWallet.wssecurity.caCertFilePathList: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt97 sessionManager.credentialWallet.wssecurity.caCertFilePathList: %(here)s/ca/ndg-test-ca.crt 98 98 99 99 # Signature of an outbound message … … 105 105 106 106 # PEM encoded cert 107 sessionManager.credentialWallet.wssecurity.signingCertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.crt107 sessionManager.credentialWallet.wssecurity.signingCertFilePath: %(here)s/sessionmanager/sm.crt 108 108 109 109 # ... 
or provide file path to PEM encoded private key file 110 sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/sm.key110 sessionManager.credentialWallet.wssecurity.signingPriKeyFilePath: %(here)s/sessionmanager/sm.key 111 111 112 112 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a … … 134 134 # Specific settings for UserCertAuthN Session Manager authentication plugin 135 135 # This sets up PKI credentials for a single test account 136 sessionManager.authNService.userX509CertFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.crt137 sessionManager.authNService.userPriKeyFilePath: $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/sessionmanager/user.key136 sessionManager.authNService.userX509CertFilePath: %(here)s/sessionmanager/user.crt 137 sessionManager.authNService.userPriKeyFilePath: %(here)s/sessionmanager/user.key 138 138 sessionManager.authNService.userPriKeyPwd: testpassword 139 139 … … 196 196 paste.filter_app_factory = 197 197 ndg.security.test.combinedservices.serverapp:filter_app_factory 198 198 sessionManagerFilterID = filter:SessionManagerFilter 199 attributeAuthorityFilterID = filter:AttributeAuthorityFilter 199 200 200 201 #______________________________________________________________________________ … … 217 218 # identified by this prefix: 218 219 AttributeAuthority.propPrefix = attributeAuthority 219 AttributeAuthority.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini220 AttributeAuthority.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01220 AttributeAuthority.propFilePath = %(here)s/services.ini 221 AttributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 221 222 222 223 # Provide an identifier for this filter so that main WSGI app 223 224 # CombinedServicesWSGI Session Manager filter can call this Attribute Authority 224 225 # directly 225 referencedFilters = 
ndg.security.server.wsgi.wsseSignatureVerificationFilter01226 referencedFilters = filter:wsseSignatureVerificationFilter 226 227 227 228 # Path from URL for Attribute Authority in this Paste deployment … … 231 232 enableWSDLQuery = True 232 233 charset = utf-8 233 filterID = ndg.security.server.wsgi.attributeAuthorityFilter234 filterID = %(__name__)s 234 235 235 236 #______________________________________________________________________________ … … 252 253 # by this prefix: 253 254 SessionManager.propPrefix = sessionManager 254 SessionManager.propFilePath = $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/services.ini255 SessionManager.propFilePath = %(here)s/services.ini 255 256 256 257 # This filter references other filters - a local Attribute Authority (optional) 257 258 # and a WS-Security signature verification filter (required if using signature 258 259 # to authenticate user in requests 259 SessionManager.attributeAuthorityFilterID = ndg.security.server.wsgi.attributeAuthorityFilter260 SessionManager.wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01260 SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter 261 SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 261 262 262 263 # The SessionManagerWS SOAP interface class needs to know about these other 263 264 # filters 264 referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01265 ndg.security.server.wsgi.attributeAuthorityFilter265 referencedFilters = filter:wsseSignatureVerificationFilter 266 filter:AttributeAuthorityFilter 266 267 267 268 # Path from URL for Session Manager in this Paste deployment … … 274 275 # Provide an identifier for this filter so that main WSGI app 275 276 # CombinedServicesWSGI can call this Session Manager directly 276 filterID = ndg.security.server.wsgi.sessionManagerFilter277 filterID = %(__name__)s 277 278 278 279 
#______________________________________________________________________________ … … 280 281 [filter:wsseSignatureVerificationFilter] 281 282 paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter 282 filterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01283 filterID = %(__name__)s 283 284 284 285 # Settings for WS-Security SignatureHandler class used by this filter … … 286 287 287 288 # Verify against known CAs - Provide a space separated list of file paths 288 wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt 289 #wssecurity.caCertFilePathList=$NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/ndg-test-ca.crt $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/ca/java-ca.crt 289 wssecurity.caCertFilePathList=%(here)s/ca/ndg-test-ca.crt 290 290 291 291 #______________________________________________________________________________ … … 296 296 # Reference the verification filter in order to be able to apply signature 297 297 # confirmation 298 referencedFilters = ndg.security.server.wsgi.wsseSignatureVerificationFilter01299 wsseSignatureVerificationFilterID = ndg.security.server.wsgi.wsseSignatureVerificationFilter01298 referencedFilters = filter:wsseSignatureVerificationFilter 299 wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter 300 300 301 301 # Last filter in chain of SOAP handlers writes the response … … 307 307 # Certificate associated with private key used to sign a message. The sign 308 308 # method will add this to the BinarySecurityToken element of the WSSE header. 
309 wssecurity.signingCertFilePath= $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/server.crt309 wssecurity.signingCertFilePath=%(here)s/server.crt 310 310 311 311 # PEM encoded private key file 312 wssecurity.signingPriKeyFilePath= $NDGSEC_COMBINED_SRVS_UNITTEST_DIR/server.key312 wssecurity.signingPriKeyFilePath=%(here)s/server.key 313 313 314 314 # Set the ValueType for the BinarySecurityToken added to the WSSE header for a … … 399 399 # setting below is the default and can be omitted if it matches the filterID 400 400 # set for the Session Manager 401 #openid.provider.authN.environKey= ndg.security.server.wsgi.sessionManagerFilter401 #openid.provider.authN.environKey=filter:SessionManagerFilter 402 402 403 403 # Database connection to enable check between username and OpenID identifier