Timestamp:
06/08/10 09:49:47 (11 years ago)
Author:
pjkersha
Message:

Incomplete - task 2: XACML-Security Integration

  • Working WSGI Authorisation filter with connection to SAML/XACML based Authorisation Service - unit tests: ndg.security.test.unit.wsgi.authz.test_authz
  • It may need some optimisation to avoid too many WS callouts to the Authorisation Service - perhaps add a local PDP to the authorisation filter to filter out some requests going over the wire e.g. requests for web page CSS or graphics content.
  • The XACML policy file has some big additions to it to support the various test conditions in ndg.security.test.unit.wsgi.authz.test_authz. These should be ported back to the ndg_xacml package unit tests.
  • Next major task: remove temp fix in XACML Context handler - instead of using hardwired roles for the user alter it so that the PDP makes a request back to the PIP (Policy Enforcement Point) to grab additional attributes. The PIP will call to Attribute Service(s) to pull any additional attributes needed.
File:
1 edited

  • TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/unit/wsgi/authz/pep-result-handler-test.ini

    r7077 r7287  
    1919 
    2020[filter:AuthZFilter] 
    21 paste.filter_app_factory=ndg.security.server.wsgi.authz:SAMLAuthorizationMiddleware.filter_app_factory 
     21paste.filter_app_factory=ndg.security.server.wsgi.authz:AuthorisationFilter.filter_app_factory 
    2222prefix = authz. 
    23 policy.filePath = %(here)s/saml-policy.xml 
    2423 
    25 authz.pepResultHandler = ndg.security.server.wsgi.authz.result_handler.redirect.HTTPRedirectPEPResultHandlerMiddleware 
    26 authz.pepResultHandler.redirectURI = /nowhere 
     24# This result handler responds with a redirect request to the client if access 
     25# denied to the original requested URI 
     26authz.resultHandler = ndg.security.server.wsgi.authz.result_handler.redirect.HTTPRedirectPEPResultHandlerMiddleware 
     27authz.resultHandler.redirectURI = /test_accessGrantedToSecuredURI 
    2728 
    28 # Settings for Policy Information Point used by the Policy Decision Point to 
    29 # retrieve subject attributes from the Attribute Authority associated with the 
    30 # resource to be accessed 
     29# Settings for the Policy Enforcement Point  
     30authz.pep.sessionKey = beaker.session.ndg.security 
     31authz.pep.authzServiceURI = https://localhost:9443/authorisation-service 
    3132 
    3233# If omitted, DN of SSL Cert is used 
    33 pip.attributeQuery.issuerName =  
    34 pip.attributeQuery.clockSkewTolerance = 0. 
    35 pip.attributeQuery.queryAttributes.0 = urn:siteA:security:authz:1.0:attr, , http://www.w3.org/2001/XMLSchema#string 
    36 pip.attributeQuery.sslCACertDir=%(testConfigDir)s/ca 
    37 pip.attributeQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt 
    38 pip.attributeQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key 
     34authz.pep.authzDecisionQuery.issuerName = /O=NDG/OU=BADC/CN=test 
     35authz.pep.authzDecisionQuery.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName 
     36authz.pep.authzDecisionQuery.subjectIdFormat = urn:esg:openid 
     37authz.pep.authzDecisionQuery.clockSkewTolerance = 0. 
     38authz.pep.authzDecisionQuery.sslCACertDir=%(testConfigDir)s/ca 
     39authz.pep.authzDecisionQuery.sslCertFilePath=%(testConfigDir)s/pki/test.crt 
     40authz.pep.authzDecisionQuery.sslPriKeyFilePath=%(testConfigDir)s/pki/test.key 
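Review bot: the new `authz.resultHandler.redirectURI = /test_accessGrantedToSecuredURI` has no comment stating that the redirect target must itself be permitted by policy; a denied client is sent to another secured URI, and if that one is denied as well the handler redirects again, so a one-line note (or a target outside the secured space) would make the test intent clear. The zero tolerance in `authz.pep.authzDecisionQuery.clockSkewTolerance = 0.` is carried over from the removed `pip.attributeQuery` settings, but the decision now comes back over the wire from `https://localhost:9443/authorisation-service`, so any clock drift between the filter host and the service host rejects otherwise valid SAML responses; acceptable for a loopback test, but say so in a comment. The retained `# If omitted, DN of SSL Cert is used` now sits above an explicitly set `issuerName`, so the value `/O=NDG/OU=BADC/CN=test` should match the subject of the client certificate at `%(testConfigDir)s/pki/test.crt`, otherwise the issuer asserted in the query and the TLS identity presented to the service name different parties.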