Changeset 7341 for TI12-security


Timestamp:
18/08/10 16:40:10 (9 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • initial integration of the SAML/XACML authorisation service with the browser-based full_system integration test setup. The policy file needs tweaking to get the correct behaviour.
Location:
TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test
Files:
3 edited

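--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/config/authorisationservice/authorisation-service.ini
@@ -21,11 +21,22 @@
 paste.app_factory = ndg.saml.test.binding.soap:TestApp
 
+#______________________________________________________________________________
+# SAML/SOAP query interface to the Authorisation Service
 [filter:SAMLSoapAuthzDecisionInterfaceFilter]
 paste.filter_app_factory = ndg.saml.saml2.binding.soap.server.wsgi.queryinterface:SOAPQueryInterfaceMiddleware.filter_app_factory
 prefix = saml.
+
+# The URI path for this service
 saml.mountPath = /authorisation-service
+
+# The key name in environ which the upstream authorisation service must assign
+# to its authorisation query callback
 saml.queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
+
+# ElementTree based XML parsing and serialisation used for SAML messages
 saml.deserialise = ndg.saml.xml.etree:AuthzDecisionQueryElementTree.fromXML
 saml.serialise = ndg.saml.xml.etree:ResponseElementTree.toXML
+
+# Sets the identity of THIS authorisation service when filling in SAML responses
 saml.issuerName = /O=Test/OU=Authorisation Service
 saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
@@ -33,12 +44,14 @@
 #______________________________________________________________________________
 # Authorisation Service WSGI settings
-#
 [filter:TestAuthorisationServiceFilter]
-# This filter is a container for a binding to a SOAP based interface to the
-# Attribute Authority
+# This filter is a container for a binding to a SOAP/SAML based interface to the
+# Authorisation Service.  It contains a XACML Context handler which manages
+# requests from Policy Enforcement Points to the PDP and also enables the PDP
+# to make attribute queries to Policy Information Point
 paste.filter_app_factory = ndg.security.server.wsgi.authz.service:AuthorisationServiceMiddleware.filter_app_factory
 prefix = authz.
 authz.queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC
 
+# Lifetime for authorisation assertions issued from this service
 authz.xacmlContext.assertionLifetime = 86400
 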
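Review bot: `authz.queryInterfaceKeyName = AUTHZ_DECISION_QUERY_FUNC` in the TestAuthorisationServiceFilter section is left uncommented even though the new comment on `saml.queryInterfaceKeyName` says the upstream service must assign that same environ key, so the coupling between the two values stays implicit. A comment on the authz line such as `# Must match saml.queryInterfaceKeyName in SAMLSoapAuthzDecisionInterfaceFilter above` would make it explicit and stop the two drifting apart. The new comment on `authz.xacmlContext.assertionLifetime` could also say the unit (presumably seconds, 86400 = 24h) since a relying PEP may cache a decision for that long; the file continues past the second hunk.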
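--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securedapp.ini
@@ -30,5 +30,5 @@
 pipeline = BeakerSessionFilter
                    AuthenticationFilter
-                   AuthorizationFilter
+                   PolicyEnforcementPointFilter
                    AuthZTestApp
 
@@ -81,19 +81,12 @@
 authkit.session.middleware = %(beakerSessionKeyName)s
 
-[filter:AuthorizationFilter]
-paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory
-prefix = authz.
-authz.pepResultHandler = ndg.security.server.wsgi.authz.result_handler.genshi.GenshiPEPResultHandlerMiddleware
-authz.pepResultHandler.staticContentDir = %(here)s/pep_result_handler
-authz.pepResultHandler.baseURL = http://localhost:7080
-authz.pepResultHandler.heading = Access Denied
-authz.pepResultHandler.messageTemplate = Access is forbidden for this resource:<div id="accessDeniedMessage">$pdpResponseMsg</div>Please check with your site administrator that you have the required access privileges.
-authz.pepResultHandler.footerText = This site is for test purposes only.
-authz.pepResultHandler.rightLink = http://ceda.ac.uk/
-authz.pepResultHandler.rightImage = %(authz.pepResultHandler.baseURL)s/layout/CEDA_RightButton60.png
-authz.pepResultHandler.rightAlt = Centre for Environmental Data Archival
-authz.pepResultHandler.helpIcon = %(authz.pepResultHandler.baseURL)s/layout/icons/help.png
-
-policy.filePath = %(here)s/policy.xml
+#
+# Policy Enforcement Point enforces access control decisions made by the
+# Authorisation Service
+[filter:PolicyEnforcementPointFilter]
+paste.filter_app_factory=ndg.security.server.wsgi.authz.pep:SamlPepFilter.filter_app_factory
+prefix = pep.
+pep.sessionKey = beaker.session.ndg.security
+pep.authzServiceURI = https://localhost:7443/AuthorisationService
 
 # Settings for Policy Information Point used by the Policy Decision Point to
@@ -102,11 +95,11 @@
 
 # If omitted, DN of SSL Cert is used
-pip.attributeQuery.issuerName =
-pip.attributeQuery.subjectIdFormat = urn:esg:openid
-pip.attributeQuery.clockSkewTolerance = 0.
-pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string
-pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca
-pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
-pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
+pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test
+pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid
+pep.authzDecisionQuery.clockSkewTolerance = 0.
+pep.authzDecisionQuery.sslCACertDir=%(testConfigDir)s/ca
+pep.authzDecisionQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt
+pep.authzDecisionQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key
 
 # Logging configuration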
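Review bot: `pep.authzServiceURI = https://localhost:7443/AuthorisationService` hard-codes the path of the authorisation service, while the SAML query interface configured in authorisation-service.ini in this same changeset mounts at `saml.mountPath = /authorisation-service`; if the full_system test instead serves the PDP from securityservices.ini, confirm that file's mount path matches, otherwise the PEP's decision queries will never reach the PDP. `pep.authzDecisionQuery.clockSkewTolerance = 0.` is carried over from the old PIP settings, but it now governs validation of the PDP's signed responses, so any clock drift between the PEP and authorisation service hosts will reject otherwise valid assertions; a comment such as `# 0 is only safe while PEP and PDP run on the same host` would record that. The mutual-TLS settings (`sslCACertDir`, `sslCertFilePath`, `sslPriKeyFilePath`) are the right way for the PDP to authenticate the calling PEP; the removed `policy.filePath` has no counterpart here, which is consistent with the policy now being evaluated server-side as the commit message implies. The old PIP block's comment `# If omitted, DN of SSL Cert is used` now sits above `pep.authzDecisionQuery.issuerName`, which is set explicitly, so it may no longer describe the new key.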
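--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
@@ -460,7 +460,7 @@
 
 # These settings configure SSL mutual authentication for the query to the SAML Attribute Authority
-authz.ctx_handler.pip.attributeQuery.sslCertFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.crt
-authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = $NDGSEC_TEST_CONFIG_DIR/pki/localhost.key
-authz.ctx_handler.pip.attributeQuery.sslCACertDir = $NDGSEC_TEST_CONFIG_DIR/ca
+authz.ctx_handler.pip.attributeQuery.sslCertFilePath = %(testConfigDir)s/pki/localhost.crt
+authz.ctx_handler.pip.attributeQuery.sslPriKeyFilePath = %(testConfigDir)s/pki/localhost.key
+authz.ctx_handler.pip.attributeQuery.sslCACertDir = %(testConfigDir)s/ca
 
 # Logging configuration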
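Review bot: The three SSL paths now rely on `%(testConfigDir)s` interpolation instead of the `$NDGSEC_TEST_CONFIG_DIR` environment variable, so `testConfigDir` must be defined in this file's `[DEFAULT]` section, which is outside the hunk; if it is missing the parser fails at load time rather than at the first TLS handshake, which is the better failure mode, but the definition is not visible here. This brings the file into line with the `%(testConfigDir)s` form already used by securedapp.ini in this changeset. The comment above these lines could also name which peer the `localhost.crt`/`localhost.key` pair identifies, e.g. `# Client credentials the Authorisation Service presents to the Attribute Authority`, since the PEP in securedapp.ini presents a different certificate (`test.crt`).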