Changeset 5454


Timestamp:
02/07/09 10:18:42 (10 years ago)
Author:
pjkersha
Message:

Important fix: remove the credentialWallet key from the session on logout

Location:
TI12-security/trunk/python
Files:
6 edited

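--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authn.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authn.py
@@ -259,5 +259,11 @@
     prefix = 'sessionHandler.'
     
-    sessionKeyNames = ('username', 'sessionManagerURI', 'sessionId', 'pepCtx')
+    sessionKeyNames = (
+        'username', 
+        'sessionManagerURI', 
+        'sessionId', 
+        'pepCtx', 
+        'credentialWallet'
+    )
     
     propertyDefaults = {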
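Review bot: sessionKeyNames now doubles as the list of session entries wiped on logout (that is what the commit message and the authz.py comment in this changeset say), but nothing at the definition records that, and the literal 'credentialWallet' is also spelled out by hand in authz.py, so a future session key written by the authorisation side can be left out of this tuple and survive logout unnoticed. A comment above the tuple would make the contract explicit, e.g. `# Session keys cleared on logout - any new security-sensitive session` / `# entry must be listed here`, and a trailing comma after 'credentialWallet' keeps later additions to one-line diffs. The enclosing class continues outside the hunk.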
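--- a/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz.py
+++ b/TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/authz.py
@@ -417,5 +417,7 @@
         '''
         # Check for a wallet in the current session - if not present, create
-        # one
+        # one.  See ndg.security.server.wsgi.authn.SessionHandlerMiddleware
+        # for session keys.  The 'credentialWallet' key is deleted along with
+        # any other security keys when the user logs out
         if not 'credentialWallet' in self.session:
             log.debug("PIPMiddleware._getAttributeCertificate: adding a "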
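Review bot: The membership test directly under the new comment reads `if not 'credentialWallet' in self.session:`; PEP 8 prefers the `not in` operator, `if 'credentialWallet' not in self.session:`, which reads as one comparison rather than a negated one. The new comment is the right place to record the logout coupling with authn.py, though it would be stronger if it named the attribute that holds the key list (sessionKeyNames) so a reader can find it directly. _getAttributeCertificate starts and ends outside the hunk.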
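--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/attributeinterface.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/attributeinterface.py
@@ -23,4 +23,6 @@
 
     def getRoles(self, userId):
+        """Restrict to limited OpenID account"""
+        
         if userId.endswith("/openid/PhilipKershaw"):
             return [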
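Review bot: The new docstring `"""Restrict to limited OpenID account"""` states an intent rather than the method's contract: getRoles takes a userId and returns a list of roles, and that is what a reader of this test fixture needs first. Something like `"""Return the roles granted to userId for the authz integration tests; the identifier ending in /openid/PhilipKershaw gets the role set below."""` would do, with the remainder of the body (outside the hunk) deciding what other accounts receive. It is also worth saying in the docstring that the match is a suffix check (`endswith`) rather than an exact identifier comparison, since this fixture decides which account passes the access-denied test.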
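--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.ini
@@ -1,4 +1,8 @@
 #
-# NDG Security AuthZ WSGI Testing environment configuration
+# NDG Security AuthZ WSGI Testing environment configuration.  This ini file
+# defines the configuration for a an application to be secured.  Security
+# filters placed in front of the application in the WSGI pipeline act as
+# client to security services running on a separate application stack.  - See
+# securityservices.ini
 #
 # NERC DataGrid
@@ -6,7 +10,9 @@
 # Author: P J Kershaw
 #
+# Date: 20/11/08
+#
 # Copyright: STFC 2009
 #
-# Licence: BSD
+# Licence: BSD - See top-level LICENCE file for licence details
 #
 # The %(here)s variable will be replaced with the parent directory of this file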
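--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.py
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz/securedapp.py
@@ -32,4 +32,23 @@
 "/test_accessDeniedToSecuredURI": "test_accessDeniedToSecuredURI"
     }
+    header = """        <h1>Authorisation Integration Tests:</h1>
+        <p>Test Authorisation middleware with no Session Manager running.
+        See the authz/ integration test directory for a configuration including
+        a Session Manager</p>
+        <p>These tests use require the security services application to be
+        running.  See securityserviceapp.py and securityservices.ini in the 
+        authz_lite/ integration test directory.</p>
+        <h2>To Run:</h2>
+        <p>Try any of the links below.  When prompt for username and password,
+        enter one of the sets of credentials from securityservices.ini
+        openid.provider.authN.userCreds section.  The defaults are:
+        </p>
+        <p>pjk/testpassword</p>
+        <p>another/testpassword</p>
+        <p>The attributeinterface.py AttributeAuthority plugin is configured to
+        grant access to 'pjk' for all URLs below apart from 
+        'test_accessDeniedToSecuredURI'.  The 'another' account will be denied
+        access from all URLs apart from 'test_401'</p>
+"""
 
     def __init__(self, app, globalConfig, **localConfig):
@@ -56,10 +75,11 @@
     <head/>
     <body>
-        <h1>Authorisation integration tests:</h1>
-        <ul>%s</ul>
-        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
-    </body>
-</html>
-""" % ('\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
+        %s
+        <ul>%s</ul>
+        <p>You are logged in with OpenID [%s].  <a href="/logout">Logout</a></p>
+    </body>
+</html>
+""" % (AuthZTestMiddleware.header,
+       '\n'.join(['<li><a href="%s">%s</a></li>' % (link, name) 
                  for link,name in self.method.items() if name != 'default']),
        environ['REMOTE_USER'])
@@ -128,5 +148,5 @@
                             ('Content-length', str(len(response)))])
         else:
-            response = ("Authorization middleware is triggered becuase this "
+            response = ("Authorization middleware is triggered because this "
                         "page returns a 403 Forbidden status.")
             start_response('403 Forbidden', 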
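Review bot: Two sentences in the new header string (first hunk) read wrongly: `<p>These tests use require the security services application to be` should drop "use", and `When prompt for username and password,` should be "When prompted"; the text is served to whoever runs the tests, so it is worth getting right. In the second hunk the rewritten format expression still interpolates `environ['REMOTE_USER']` into the HTML unescaped; it is an OpenID URL produced by the authentication layer rather than typed on this page, but escaping it with cgi.escape (the helper available on the Python of this era) is cheap insurance even in a test application. The header itself is a class constant, so interpolating it is fine.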
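--- a/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securityservices.ini
+++ b/TI12-security/trunk/python/ndg.security.test/ndg/security/test/integration/authz_lite/securityservices.ini
@@ -2,15 +2,15 @@
 # NERC DataGrid Security
 #
-# Paste configuration for combined Session Manager, Attribute Authority,
-# OpenID Relying Party and Provider services
+# Paste configuration for combined Attribute Authority, OpenID Relying Party 
+# and Provider services
 #
 # The %(here)s variable will be replaced with the parent directory of this file
 #
 # Author: P J Kershaw
-# date: 26/02/09
+# date: 01/07/09
 # Copyright: (C) 2009 Science and Technology Facilities Council
 # license: BSD - see LICENSE file in top-level directory
 # Contact: Philip.Kershaw@stfc.ac.uk
-# Revision: $Id$
+# Revision: $Id:$
 
 [DEFAULT]
@@ -22,8 +22,4 @@
 openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
 testConfigDir = %(here)s/../../config
-sessionManagerPath = /SessionManager
-sessionManagerURI = %(baseURI)s%(sessionManagerPath)s
-openid.ax.sessionManagerURI.typeURI=urn:ndg:security:openid:sessionManagerURI
-openid.ax.sessionId.typeURI=urn:ndg:security:openid:sessionId
 
 #______________________________________________________________________________
@@ -162,12 +158,4 @@
 authkit.openid.baseurl = %(baseURI)s
 
-authkit.openid.ax.typeuri.sessionManagerURI=%(openid.ax.sessionManagerURI.typeURI)s
-authkit.openid.ax.required.sessionManagerURI=True
-authkit.openid.ax.alias.sessionManagerURI=sessionManagerURI
-
-authkit.openid.ax.typeuri.sessionId=%(openid.ax.sessionId.typeURI)s
-authkit.openid.ax.required.sessionId=True
-authkit.openid.ax.alias.sessionId=sessionId
-
 # Template for signin
 #authkit.openid.template.obj = 
@@ -224,6 +212,13 @@
 # Basic Authentication interface to demonstrate capabilities
 openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface
-openid.provider.authN.userCreds=pjk:test
-openid.provider.authN.username2UserIdentifiers=pjk:PhilipKershaw,P.J.Kershaw another:A.N.Other
+
+# user login details format is:
+# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
+# Each user entry is delimited by a space. username, password and OpenID name
+# list are delimited by a colon.  The list of OpenID names are delimited by
+# commas.  The OpenID name represents the unique part of the OpenID URL for the
+# individual user.  Each username may have more than one OpenID alias but only
+# alias at a time may be registered with a given Attribute Authority
+openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other
 
 # Basic authentication for testing/admin - comma delimited list of 
@@ -277,57 +272,4 @@
 
 #______________________________________________________________________________
-# Session Manager WSGI settings
-#
-[filter:SessionManagerFilter]
-# This filter is a container for a binding to a SOAP based interface to the
-# Session Manager
-paste.filter_app_factory = ndg.security.server.wsgi.soap:SOAPBindingMiddleware
-
-# Use this ZSI generated SOAP service interface class to handle i/o for this
-# filter
-ServiceSOAPBindingClass = ndg.security.server.zsi.sessionmanager.SessionManagerWS
-
-# SOAP Binding Class specific keywords are in this section identified by this
-# prefix:
-ServiceSOAPBindingPropPrefix = SessionManager
-
-# The SessionManager class has settings in the default section above identified
-# by this prefix:
-SessionManager.propPrefix = sessionManager
-SessionManager.propFilePath = %(here)s/securityservices.ini
-
-# This filter references other filters - a local Attribute Authority (optional)
-# and a WS-Security signature verification filter (required if using signature
-# to authenticate user in requests
-SessionManager.attributeAuthorityFilterID = filter:AttributeAuthorityFilter
-SessionManager.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter
-
-# The SessionManagerWS SOAP interface class needs to know about these other 
-# filters
-referencedFilters = filter:wsseSignatureVerificationFilter 
-                                        filter:AttributeAuthorityFilter
-
-# Path from URI for Session Manager in this Paste deployment
-path = %(sessionManagerPath)s
-
-# External endpoint for this Session Manager - must agree with setting used to
-# invoke this service set in:
-# * securityservicesapp.py 
-# * or port in [server:main] if calling with paster serve securityservices.ini
-# * or something else e.g. proxied through Apache?
-# This setting is used by Session Manager clients in this WSGI stack to see if
-# a request is being made to the local service or to another session manager
-# running elsewhere
-publishedURI = %(sessionManagerURI)s
-
-# Enable ?wsdl query argument to list the WSDL content
-enableWSDLQuery = True
-charset = utf-8
-
-# Provide an identifier for this filter so that main WSGI app 
-# CombinedServicesWSGI can call this Session Manager directly
-filterID = %(__name__)s
-
-#______________________________________________________________________________
 # WS-Security Signature Verification
 [filter:wsseSignatureVerificationFilter]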
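Review bot: In the fourth hunk the new format comment above openid.provider.authN.userCreds drops a word: `# individual user.  Each username may have more than one OpenID alias but only` / `# alias at a time may be registered with a given Attribute Authority` should read "but only one alias at a time". That comment is the only description of the setting's grammar now that username2UserIdentifiers is folded into it, so it is worth adding that the entry below holds the test-only credentials the secured test application prints on its index page. The removal of the Session Manager filter section and of the sessionManagerPath/sessionManagerURI defaults in the other hunks is consistent as far as this file shows; any remaining %(sessionManagerURI)s reference would lie outside this view.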