Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?xml version="1.0" encoding="UTF-8"?>
- <!--
- Licensed to Apereo under one or more contributor license
- agreements. See the NOTICE file distributed with this work
- for additional information regarding copyright ownership.
- Apereo licenses this file to you under the Apache License,
- Version 2.0 (the "License"); you may not use this file
- except in compliance with the License. You may obtain a
- copy of the License at the following location:
- http://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
- -->
- <!--
- | deployerConfigContext.xml centralizes into one file some of the declarative configuration that
- | all CAS deployers will need to modify.
- |
- | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
- | The beans declared in this file are instantiated at context initialization time by the Spring
- | ContextLoaderListener declared in web.xml. It finds this file because this
- | file is among those declared in the context parameter "contextConfigLocation".
- |
- | By far the most common change you will need to make in this file is to change the last bean
- | declaration to replace the default authentication handler with
- | one implementing your approach for authenticating usernames and passwords.
- +-->
- <beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:p="http://www.springframework.org/schema/p"
- xmlns:c="http://www.springframework.org/schema/c"
- xmlns:tx="http://www.springframework.org/schema/tx"
- xmlns:util="http://www.springframework.org/schema/util"
- xmlns:sec="http://www.springframework.org/schema/security"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
- http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
- <!--
- | The authentication manager defines security policy for authentication by specifying at a minimum
- | the authentication handlers that will be used to authenticate credential. While the AuthenticationManager
- | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should
- | be sufficient in most cases.
- +-->
- <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
- <constructor-arg>
- <map>
- <!--
- | IMPORTANT
- | Every handler requires a unique name.
- | If more than one instance of the same handler class is configured, you must explicitly
- | set its name to something other than its default name (typically the simple class name).
- -->
- <!--<entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
- <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />-->
- <entry key-ref="ldapAuthenticationHandler" value-ref="primaryPrincipalResolver"/>
- </map>
- </constructor-arg>
- <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
- This switch effectively will turn on clearpass.
- <property name="authenticationMetaDataPopulators">
- <util:list>
- <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
- c:credentialCache-ref="encryptedMap" />
- </util:list>
- </property>
- -->
- <!--
- | Defines the security policy around authentication. Some alternative policies that ship with CAS:
- |
- | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
- | * AllAuthenticationPolicy - all presented credential must be authenticated successfully
- | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
- -->
- <property name="authenticationPolicy">
- <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
- </property>
- </bean>
- <!-- Required for proxy ticket mechanism. -->
- <bean id="proxyAuthenticationHandler"
- class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
- p:httpClient-ref="supportsTrustStoreSslSocketFactoryHttpClient" />
- <!--
- | TODO: Replace this component with one suitable for your enviroment.
- |
- | This component provides authentication for the kind of credential used in your environment. In most cases
- | credential is a username/password pair that lives in a system of record like an LDAP directory.
- | The most common authentication handler beans:
- |
- | * org.jasig.cas.authentication.LdapAuthenticationHandler
- | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
- | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
- | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
- -->
- <bean id="primaryAuthenticationHandler"
- class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
- <property name="users">
- <map>
- <entry key="casuser" value="Mellon"/>
- </map>
- </property>
- </bean>
- <!-- Required for proxy ticket mechanism -->
- <bean id="proxyPrincipalResolver"
- class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
- <!--
- | Resolves a principal from a credential using an attribute repository that is configured to resolve
- | against a deployer-specific store (e.g. LDAP).
- -->
- <bean id="primaryPrincipalResolver"
- class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >
- <property name="attributeRepository" ref="attributeRepository" />
- </bean>
- <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"
- p:backingMap-ref="attrRepoBackingMap" />
- <util:map id="attrRepoBackingMap">
- <entry key="uid" value="uid" />
- <!--<entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
- <entry key="groupMembership" value="groupMembership" />
- <entry>
- <key><value>memberOf</value></key>
- <list>
- <value>Administratorzy domeny</value>
- <value>staff</value>
- <value>org</value>
- .</list>
- </entry>-->
- </util:map>
- <!--
- Sample, in-memory data store for the ServiceRegistry. A real implementation
- would probably want to replace this with the JPA-backed ServiceRegistry DAO
- The name of this bean should remain "serviceRegistryDao".
- +-->
- <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
- p:registeredServices-ref="registeredServicesList" />
- <util:list id="registeredServicesList">
- <bean class="org.jasig.cas.services.RegexRegisteredService"
- p:id="0" p:name="Apereo" p:description="Apereo foundation sample service"
- p:serviceId="^https://www.apereo.org" p:evaluationOrder="0"
- p:theme="apereo" />
- <bean class="org.jasig.cas.services.RegexRegisteredService"
- p:id="10000001" p:name="HTTPS and IMAPS"
- p:description="This service definition authorized all application urls that support HTTPS and IMAPS protocols."
- p:serviceId="^(https|imaps)://.*" p:evaluationOrder="10000001">
- </bean>
- </util:list>
- <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
- <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />
- <util:list id="monitorsList">
- <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
- <!--
- NOTE
- The following ticket registries support SessionMonitor:
- * DefaultTicketRegistry
- * JpaTicketRegistry
- Remove this monitor if you use an unsupported registry.
- -->
- <bean class="org.jasig.cas.monitor.SessionMonitor"
- p:ticketRegistry-ref="ticketRegistry"
- p:serviceTicketCountWarnThreshold="5000"
- p:sessionCountWarnThreshold="100000" />
- </util:list>
- <bean id="ldapAuthenticationHandler"
- class="org.jasig.cas.authentication.LdapAuthenticationHandler"
- p:principalIdAttribute="sAMAccountName"
- c:authenticator-ref="authenticator">
- <property name="principalAttributeMap">
- <map>
- <!--
- | This map provides a simple attribute resolution mechanism.
- | Keys are LDAP attribute names, values are CAS attribute names.
- | Use this facility instead of a PrincipalResolver if LDAP is
- | the only attribute source.
- -->
- <entry key="displayName" value="displayName" />
- <entry key="mail" value="mail" />
- <entry key="memberOf" value="memberOf" />
- </map>
- </property>
- </bean>
- <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
- c:resolver-ref="dnResolver"
- c:handler-ref="authHandler"
- p:entryResolver-ref="entryResolver" />
- <!-- Active Directory UPN format. -->
- <bean id="dnResolver"
- class="org.ldaptive.auth.FormatDnResolver"
- c:format="%s@${ldap.domain}" />
- <bean id="authHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
- p:connectionFactory-ref="pooledLdapConnectionFactory" />
- <bean id="pooledLdapConnectionFactory"
- class="org.ldaptive.pool.PooledConnectionFactory"
- p:connectionPool-ref="connectionPool" />
- <bean id="connectionPool"
- class="org.ldaptive.pool.BlockingConnectionPool"
- init-method="initialize"
- p:poolConfig-ref="ldapPoolConfig"
- p:blockWaitTime="${ldap.pool.blockWaitTime}"
- p:validator-ref="searchValidator"
- p:pruneStrategy-ref="pruneStrategy"
- p:connectionFactory-ref="connectionFactory" />
- <bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
- p:minPoolSize="${ldap.pool.minSize}"
- p:maxPoolSize="${ldap.pool.maxSize}"
- p:validateOnCheckOut="${ldap.pool.validateOnCheckout}"
- p:validatePeriodically="${ldap.pool.validatePeriodically}"
- p:validatePeriod="${ldap.pool.validatePeriod}" />
- <bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"
- p:connectionConfig-ref="connectionConfig" />
- <bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
- p:ldapUrl="${ldap.url}"
- p:connectTimeout="${ldap.connectTimeout}"
- p:useStartTLS="${ldap.useStartTLS}"
- p:sslConfig-ref="sslConfig" />
- <bean id="sslConfig" class="org.ldaptive.ssl.SslConfig">
- <property name="credentialConfig">
- <bean class="org.ldaptive.ssl.X509CredentialConfig"
- p:trustCertificates="${ldap.trustedCert}" />
- </property>
- </bean>
- <bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
- p:prunePeriod="${ldap.pool.prunePeriod}"
- p:idleTime="${ldap.pool.idleTime}" />
- <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />
- <bean id="entryResolver"
- class="org.jasig.cas.authentication.support.UpnSearchEntryResolver"
- p:baseDn="${ldap.baseDn}"
- p:searchUserOnly="false"
- p:searchFilter="${ldap.searchFilter}" />
- </beans>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement