#
# NERC DataGrid Security
#
# Paste configuration for combined Attribute Authority, OpenID Relying Party
# and Provider services
#
# The %(here)s variable will be replaced with the parent directory of this file
#
# Integration-test configuration: it carries fixed test credentials and a fixed
# session secret, serves over plain HTTP and binds every interface.  Do not
# deploy it unchanged.
#
# Author: P J Kershaw
# date: 01/07/09
# Copyright: (C) 2009 Science and Technology Facilities Council
# license: BSD - see LICENSE file in top-level directory
# Contact: Philip.Kershaw@stfc.ac.uk
# Revision: $Id:$

# Values in [DEFAULT] are configparser fallbacks: every %(name)s reference in
# the sections below resolves against them.
[DEFAULT]
portNum = 7443
hostname = localhost
# NOTE(security): plain http, despite the TLS-style port number.  Everything
# derived from baseURI - the OpenID provider base_url, the Attribute Authority
# publishedURI - is therefore unencrypted, and so is the Beaker session cookie
# set by SessionMiddlewareFilter.  Switch to https (TLS terminator or an SSL
# capable server) before any non-local use.
scheme = http
baseURI = %(scheme)s://%(hostname)s:%(portNum)s
openIDProviderIDBase = /openid
openIDProviderIDSelectURI = %(baseURI)s%(openIDProviderIDBase)s
# Shared test fixtures: test CA, test keys and Attribute Authority data
testConfigDir = %(here)s/../../config
# environ key under which Beaker publishes the session; referenced by both
# SessionMiddlewareFilter (environ_key) and OpenIDProviderApp
# (openid.provider.session_middleware) - the two must agree
beakerSessionKeyName = beaker.session.ndg.security.services

[server:main]
use = egg:Paste#http
# NOTE(security): 0.0.0.0 listens on every interface, although hostname and
# baseURI in [DEFAULT] are localhost and the OpenID provider below holds fixed
# test passwords.  Use 127.0.0.1 unless remote clients genuinely need access.
host = 0.0.0.0
port = %(portNum)s

# Entry point for the OpenID Provider side of the stack: Paste's
# httpexceptions middleware wraps the cascade named by 'next'
[filter-app:OpenIDProviderFilterApp]
use = egg:Paste#httpexceptions
next = cascade

# Composite for OpenID Provider to enable settings for picking up static
# content.  app1 is tried first for every request; a 404 from it (catch = 404)
# falls through to app2, the OpenID Provider application.
[composit:cascade]
use = egg:Paste#cascade
app1 = OpenIDProviderStaticContent
app2 = OpenIDProviderApp
catch = 404

[app:OpenIDProviderStaticContent]
use = egg:Paste#static
# Document root of the static file server that runs first in the cascade; it
# supplies the layout/ images referenced by the rendering settings below.  Any
# readable file under this directory is reachable by URL.
# NOTE(security): this is the same directory as
# openid.provider.consumer_store_dirpath in [app:OpenIDProviderApp], so the
# provider's server-side state is inside the web-served tree.  Keep only static
# assets here: point the consumer store and the Beaker cache/session data_dir
# settings at a directory outside it.
document_root = %(here)s/openidprovider

# Main pipeline.  Order is significant: Paste applies the filters top to bottom
# around OpenIDProviderFilterApp, so the WS-Security verification filter sees
# every request first, and wsseSignatureFilter - documented in its own section
# as the last of the SOAP handlers, the one that writes the response - must
# stay after the Attribute Authority binding.  Continuation lines are indented
# uniformly; Paste splits the value on whitespace.
[pipeline:main]
pipeline = wsseSignatureVerificationFilter
    AttributeAuthorityFilter
    wsseSignatureFilter
    SessionMiddlewareFilter
    OpenIDProviderFilterApp

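#______________________________________________________________________________
# Beaker Session Middleware (used by OpenID Provider Filter)
[filter:SessionMiddlewareFilter]
paste.filter_app_factory=beaker.middleware:SessionMiddleware
beaker.session.key = openid

# NOTE(security): fixed session-signing secret committed with the file.
# Anyone who can read it can mint valid session cookies for this service.
# Acceptable only for this self-contained test stack; generate a fresh random
# value for every deployment and never reuse this one outside tests.
beaker.session.secret = qKEdQdCr33NE087dRUWX3qUv5r7AsuQU

# These options enable cookie only type sessions with the cookie content
# encrypted.  The two keys shown are placeholders, not usable key material: if
# cookie-only sessions are switched on, replace both with freshly generated
# random keys.
#beaker.session.type = cookie
#beaker.session.validate_key = 0123456789abcdef
#beaker.session.encrypt_key = fedcba9876543210

# Cache and session data directories.  Kept OUTSIDE %(here)s/openidprovider on
# purpose: that directory is the document_root of the Paste#static app that
# runs first in the cascade, so any file written beneath it would be
# retrievable over HTTP.  Beaker creates missing data_dir paths itself.
beaker.cache.data_dir = %(here)s/beaker/cache
beaker.session.data_dir = %(here)s/beaker/sessions

# True: the session cookie carries no expiry and is dropped when the browser
# closes
beaker.session.cookie_expires = True

# Not set here because scheme = http in [DEFAULT]: beaker.session.secure
# (send the cookie over TLS only) would stop the browser returning it at all.
# Set it as soon as the service is fronted by HTTPS.

# Key name for keying into environ dictionary - must match
# openid.provider.session_middleware in [app:OpenIDProviderApp]
environ_key = %(beakerSessionKeyName)s
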
#______________________________________________________________________________
# OpenID Provider WSGI Settings
[app:OpenIDProviderApp]
paste.app_factory=ndg.security.server.wsgi.openid.provider:OpenIDProviderMiddleware.app_factory

# URL paths of the provider endpoints, relative to openid.provider.base_url
openid.provider.path.openidserver=/OpenID/Provider/server
openid.provider.path.login=/OpenID/Provider/login
openid.provider.path.loginsubmit=/OpenID/Provider/loginsubmit

# Yadis based discovery only - the 'id' path is configured to return 404 not
# found - see ndg.security.server.wsgi.openid.provider.renderinginterface.
# buffet.BuffetRendering class
# ${userIdentifier} is a placeholder substituted by the provider code, not
# configparser interpolation (which only expands %(name)s); it is passed
# through the config parser verbatim.
openid.provider.path.id=/OpenID/Provider/id/${userIdentifier}
openid.provider.path.yadis=%(openIDProviderIDBase)s/${userIdentifier}

# Yadis based discovery for idselect mode - this is where the user has entered
# a URI at the Relying Party which identifies their Provider only and not their
# full ID URI.  e.g. https://badc.nerc.ac.uk instead of
# https://badc.nerc.ac.uk/John
openid.provider.path.serveryadis=%(openIDProviderIDBase)s
openid.provider.path.allow=/OpenID/Provider/allow
openid.provider.path.decide=/OpenID/Provider/decide
openid.provider.path.mainpage=/OpenID/Provider/home

# environ key of the Beaker session - must equal environ_key in
# [filter:SessionMiddlewareFilter]
openid.provider.session_middleware=%(beakerSessionKeyName)s
# NOTE(security): http, inherited from scheme in [DEFAULT]
openid.provider.base_url=%(baseURI)s
# Keep False outside debugging; NOTE(review): presumably enables request
# tracing in the provider - check what it writes to the log before enabling
openid.provider.trace=False
# NOTE(security): this is the document_root of [app:OpenIDProviderStaticContent],
# which the cascade consults first for every request, so whatever the provider
# stores under it is reachable by HTTP clients that can guess a file path.  Move
# the store to a directory that is not web-served.
openid.provider.consumer_store_dirpath=%(here)s/openidprovider
openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.BuffetRendering
# Alternative demo renderer, kept for reference:
#openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface

openid.provider.rendering.templateType = kid
openid.provider.rendering.templateRoot = ndg.security.server.wsgi.openid.provider.renderinginterface.buffet.templates
openid.provider.rendering.kid.assume_encoding= utf-8
openid.provider.rendering.kid.encoding = utf-8

# Layout - the /layout/ paths are served by the static app in the cascade
openid.provider.rendering.baseURL = %(openid.provider.base_url)s
openid.provider.rendering.leftLogo = %(openid.provider.rendering.baseURL)s/layout/NERC_Logo.gif
openid.provider.rendering.leftAlt = Natural Environment Research Council
openid.provider.rendering.ndgLink = http://ndg.nerc.ac.uk/
openid.provider.rendering.ndgImage = %(openid.provider.rendering.baseURL)s/layout/ndg_logo_circle.gif
openid.provider.rendering.disclaimer = This site is for test purposes only and is under active development.
openid.provider.rendering.stfcLink = http://www.stfc.ac.uk/
openid.provider.rendering.stfcImage = %(openid.provider.rendering.baseURL)s/layout/stfc-circle-sm.gif
openid.provider.rendering.helpIcon = %(openid.provider.rendering.baseURL)s/layout/icons/help.png

# Basic Authentication interface to demonstrate capabilities - credentials come
# from the userCreds setting below, not from a user database
openid.provider.authNInterface=ndg.security.server.wsgi.openid.provider.authninterface.basic.BasicAuthNInterface

# user login details format is:
# <username>:<password>:<OpenID name>, ... <OpenID name N> <username>:... etc
# Each user entry is delimited by a space. username, password and OpenID name
# list are delimited by a colon.  The list of OpenID names are delimited by
# commas.  The OpenID name represents the unique part of the OpenID URL for the
# individual user.  Each username may have more than one OpenID alias but only
# alias at a time may be registered with a given Attribute Authority
# NOTE(security): plaintext passwords in a committed file, reachable over plain
# HTTP from any interface.  Test accounts only - never add real users here; use
# a different authNInterface for anything beyond the integration tests.
openid.provider.authN.userCreds=pjk:testpassword:PhilipKershaw,P.J.Kershaw another:testpassword:A.N.Other

# Basic authentication for testing/admin - comma delimited list of
# <username>:<password> pairs.  Disabled; retained for reference only.
#openid.provider.usercreds=pjk:test

#______________________________________________________________________________
# Attribute Authority WSGI settings
#
# Every key in this section is written "key = value".  Paste's config parser
# accepts both "=" and ":" as delimiters, but mixing them in one section is
# error prone, so only "=" is used here.
[filter:AttributeAuthorityFilter]
# Container binding the SOAP interface of the Attribute Authority into the WSGI
# pipeline
paste.filter_app_factory = ndg.security.server.wsgi.zsi:SOAPBindingMiddleware

# ZSI generated SOAP service interface class handling i/o for this filter
ServiceSOAPBindingClass = ndg.security.server.zsi.attributeauthority.AttributeAuthorityWS

# Keywords specific to the SOAP binding class carry this prefix
ServiceSOAPBindingPropPrefix = attributeAuthority

# Signature verification filter consulted by the binding.  The value is that
# filter's section name, which is what its filterID setting expands to.
attributeAuthority.wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Filters this one holds a reference to, so that the main WSGI app
# CombinedServicesWSGI Session Manager filter can call this Attribute Authority
# directly
referencedFilters = filter:wsseSignatureVerificationFilter

# URL path of the Attribute Authority within this Paste deployment
path = /AttributeAuthority

# External endpoint for this Attribute Authority.  Must agree with the address
# clients are configured to use, set in:
# * serverapp.py
# * or port in [server:main] if calling with paster serve securityservices.ini
# * or something else e.g. proxied through Apache?
# Attribute Authority clients in this WSGI stack compare against it to decide
# whether a request targets the local service or another Attribute Authority
# running elsewhere.  NOTE(security): inherits scheme = http from [DEFAULT].
publishedURI = %(baseURI)s%(path)s

# Serve the WSDL in response to a ?wsdl query.  This publishes the full service
# interface to anyone who can reach the endpoint - fine for a test stack,
# review before exposing the service more widely.
enableWSDLQuery = True
charset = utf-8
# This section's name; other filters locate this one by it
filterID = %(__name__)s

# Attribute Authority settings
# 'name' MUST agree with the map config file's 'thisHost' name attribute
attributeAuthority.name = Site A

# Attribute Certificate lifetime in seconds (28800 = 8 hours).  Issued
# certificates remain usable for the whole period, so keep this as short as the
# clients can tolerate.
attributeAuthority.attCertLifetime = 28800

# Clock skew allowance between servers running security services, in seconds.
# A negative value moves notBefore into the past.
attributeAuthority.attCertNotBeforeOff = 0

# Every Attribute Certificate issued is recorded in this directory
attributeAuthority.attCertDir = %(testConfigDir)s/attributeauthority/sitea/attributeCertificateLog

# attCertDir is written through a rotating file handler: attCertFileLogCnt is
# the number of files created before the first is overwritten
attributeAuthority.attCertFileName = ac.xml
attributeAuthority.attCertFileLogCnt = 16
attributeAuthority.dnSeparator = /

# Role mapping file
attributeAuthority.mapConfigFilePath = %(testConfigDir)s/attributeauthority/sitea/siteAMapConfig.xml

# Custom AttributeInterface derived class returning the roles for a given user
# ID.  The module is located by import name; the file-path form (modFilePath)
# is not used here.
#attributeAuthority.attributeInterface.modFilePath = %(testConfigDir)s/attributeauthority/sitea
attributeAuthority.attributeInterface.modName = ndg.security.test.integration.authz.attributeinterface
attributeAuthority.attributeInterface.className = TestUserRoles

# XML signature of issued Attribute Certificates.
# NOTE(security): the signing key, its certificate and the CA below all live in
# the shared test config directory inside the source tree.  They are test
# material only and must be replaced, with restricted file permissions, for any
# real deployment.
attributeAuthority.signingPriKeyFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.key
attributeAuthority.signingCertFilePath = %(testConfigDir)s/attributeauthority/sitea/siteA-aa.crt
attributeAuthority.caCertFilePathList = %(testConfigDir)s/ca/ndg-test-ca.crt


#______________________________________________________________________________
# WS-Security Signature Verification
# First filter in [pipeline:main], so it sees every inbound request
[filter:wsseSignatureVerificationFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:SignatureVerificationFilter
# This section's name; the Attribute Authority and signing filters refer to
# this filter by it
filterID = %(__name__)s

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Verify against known CAs - Provide a space separated list of file paths
# NOTE(security): this is the test CA from the shared test config directory in
# the source tree, so any certificate it has issued is accepted as a valid
# signer.  Replace with the CA(s) actually trusted for the deployment.
wssecurity.caCertFilePathList=%(testConfigDir)s/ca/ndg-test-ca.crt

#______________________________________________________________________________
# Apply WS-Security Signature
[filter:wsseSignatureFilter]
paste.filter_app_factory = ndg.security.server.wsgi.wssecurity:ApplySignatureFilter

# Reference the verification filter in order to be able to apply signature
# confirmation (see applySignatureConfirmation below)
referencedFilters = filter:wsseSignatureVerificationFilter
wsseSignatureVerificationFilterID = filter:wsseSignatureVerificationFilter

# Last filter in chain of SOAP handlers writes the response
writeResponse = True

# Settings for WS-Security SignatureHandler class used by this filter
wsseCfgFilePrefix = wssecurity

# Certificate associated with private key used to sign a message.  The sign
# method will add this to the BinarySecurityToken element of the WSSE header.
wssecurity.signingCertFilePath=%(testConfigDir)s/pki/wsse-server.crt

# PEM encoded private key file
# NOTE(security): the key sits in the shared test config directory inside the
# source tree and no passphrase is configured for it, so anyone with read
# access to that tree can sign as this service.  Test material only - use a
# per-deployment key kept outside the repository with restricted permissions.
wssecurity.signingPriKeyFilePath=%(testConfigDir)s/pki/wsse-server.key

# Set the ValueType for the BinarySecurityToken added to the WSSE header for a
# signed message.  See __setReqBinSecTokValType method and binSecTokValType
# class variable for options - it may be one of X509, X509v3, X509PKIPathv1 or
# give full namespace to alternative - see
# ZSI.wstools.Namespaces.OASIS.X509TOKEN
#
# binSecTokValType determines whether signingCert or signingCertChain
# attributes will be used.
wssecurity.reqBinSecTokValType=X509v3

# Add a timestamp element to an outbound message.  A timestamp only helps
# against replay if the receiving side validates it - NOTE(review): confirm the
# verification filter checks timestamps on inbound messages.
wssecurity.addTimestamp=True

# For WSSE 1.1 - service returns signature confirmation containing signature
# value sent by client
wssecurity.applySignatureConfirmation=True

# Logging configuration, in the logging.config.fileConfig layout that
# "paster serve" applies
[loggers]
keys = root, ndg

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

# Everything under the ndg namespace at DEBUG.  No handler of its own: records
# propagate up to the root console handler.
# NOTE(security): before using DEBUG outside the test stack, check what
# ndg.security logs at that level (credentials, session contents, signed
# tokens) and that stderr goes somewhere access-controlled.
[logger_ndg]
level = DEBUG
handlers =
qualname = ndg

# args is evaluated by fileConfig when the handler is built
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

# The %(...)s fields here belong to the logging record format; fileConfig reads
# the value raw, so do not rewrite them as %%(...)s.
[formatter_generic]
format = %(asctime)s,%(msecs)03d %(levelname)-5.5s [%(name)s] %(message)s
datefmt = %H:%M:%S
