1 <?xml version="1.0" encoding="UTF-8"?> |
|
2 <!-- |
|
3 |
|
4 Licensed to Jasig under one or more contributor license |
|
5 agreements. See the NOTICE file distributed with this work |
|
6 for additional information regarding copyright ownership. |
|
7 Jasig licenses this file to you under the Apache License, |
|
8 Version 2.0 (the "License"); you may not use this file |
|
9 except in compliance with the License. You may obtain a |
|
10 copy of the License at the following location: |
|
11 |
|
12 http://www.apache.org/licenses/LICENSE-2.0 |
|
13 |
|
14 Unless required by applicable law or agreed to in writing, |
|
15 software distributed under the License is distributed on an |
|
16 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
|
17 KIND, either express or implied. See the License for the |
|
18 specific language governing permissions and limitations |
|
19 under the License. |
|
20 |
|
21 --> |
|
22 <!-- |
|
23 | deployerConfigContext.xml centralizes into one file some of the declarative configuration that |
|
24 | all CAS deployers will need to modify. |
|
25 | |
|
26 | This file declares some of the Spring-managed JavaBeans that make up a CAS deployment. |
|
27 | The beans declared in this file are instantiated at context initialization time by the Spring |
|
28 | ContextLoaderListener declared in web.xml. It finds this file because this |
|
29 | file is among those declared in the context parameter "contextConfigLocation". |
|
30 | |
|
 | By far the most common change you will need to make in this file is to replace the default
 | authentication handler (the "primaryAuthenticationHandler" bean declared below) with
 | one implementing your approach for authenticating usernames and passwords.
|
34 +--> |
|
35 |
|
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                           http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
                           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

  <!--
   | NOTE(review): the tx, sec and c prefixes are declared but no live bean in this file uses them
   | (c: appears only inside the commented-out examples). The schemaLocation entries are plain http://
   | URLs; Spring normally resolves these from the classpath rather than fetching them, but confirm the
   | deployment's XML parser is not configured to resolve schema locations over the network.
   +-->

  <!--
   | The authentication manager defines the security policy for authentication by specifying, at a minimum,
   | the authentication handlers that will be used to authenticate credentials. While the AuthenticationManager
   | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should
   | be sufficient in most cases.
   +-->
  <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
    <constructor-arg>
      <map>
        <!--
         | IMPORTANT
         | Every handler requires a unique name.
         | If more than one instance of the same handler class is configured, you must explicitly
         | set its name to something other than its default name (typically the simple class name).
         |
         | Each entry pairs an authentication handler (the key) with a principal resolver (the value).
         -->
        <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
        <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
      </map>
    </constructor-arg>

    <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password.
         This switch effectively turns on clearpass.
         NOTE(review): once enabled, the user's password is cached in the "encryptedMap" bean, which is
         not defined in this file. Review how that map is encrypted, where it lives, and which components
         can read it before turning this on.
    <property name="authenticationMetaDataPopulators">
      <util:list>
        <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
              c:credentialCache-ref="encryptedMap" />
      </util:list>
    </property>
    -->

    <!--
     | Defines the security policy around authentication. Some alternative policies that ship with CAS:
     |
     | * NotPreventedAuthenticationPolicy - all credentials must either pass or fail authentication
     | * AllAuthenticationPolicy - all presented credentials must be authenticated successfully
     | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
     |
     | The default configured below is AnyAuthenticationPolicy; going by its name, success of a single
     | handler is enough (confirm against the CAS documentation). Choose a stricter policy when several
     | handlers are configured and all of them are expected to agree.
     -->
    <property name="authenticationPolicy">
      <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
    </property>
  </bean>

  <!--
   | Required for the proxy ticket mechanism. By its class name this handler authenticates HTTP-based
   | service credentials; it relies on the "httpClient" bean, which is defined outside this file.
   -->
  <bean id="proxyAuthenticationHandler"
        class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
        p:httpClient-ref="httpClient" />

  <!--
   | TODO: Replace this component with one suitable for your environment.
   |
   | This component provides authentication for the kind of credential used in your environment. In most cases
   | a credential is a username/password pair that lives in a system of record like an LDAP directory.
   | The most common authentication handler beans:
   |
   | * org.jasig.cas.authentication.LdapAuthenticationHandler
   | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
   | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
   | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
   |
   | SECURITY: the AcceptUsersAuthenticationHandler below keeps a static, plain-text username/password map
   | inside this configuration file. The two entries are sample accounts. Remove them (do not merely change
   | the passwords) before this file reaches any environment other than a local sandbox, and never commit
   | or distribute this file with real credentials in it.
   -->
  <bean id="primaryAuthenticationHandler"
        class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
    <property name="users">
      <map>
        <entry key="casuser" value="Mellon"/>
        <entry key="casadmin" value="casadmin"/>
      </map>
    </property>
  </bean>

  <!-- Required for the proxy ticket mechanism. -->
  <bean id="proxyPrincipalResolver"
        class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

  <!--
   | Resolves a principal from a credential using an attribute repository that is configured to resolve
   | against a deployer-specific store (e.g. LDAP). The repository used is the "attributeRepository" bean below.
   -->
  <bean id="primaryPrincipalResolver"
        class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >
    <property name="attributeRepository" ref="attributeRepository" />
  </bean>

  <!--
   | Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation
   | may go against a database or LDAP server. The id should remain "attributeRepository" though.
   +-->
  <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"
        p:backingMap-ref="attrRepoBackingMap" />

  <!-- Backing data for the stub repository: each attribute name is simply mapped to itself. -->
  <util:map id="attrRepoBackingMap">
    <entry key="uid" value="uid" />
    <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
    <entry key="groupMembership" value="groupMembership" />
  </util:map>

  <!--
   | Sample, in-memory data store for the ServiceRegistry. A real implementation
   | would probably want to replace this with the JPA-backed ServiceRegistry DAO.
   | The name of this bean should remain "serviceRegistryDao".
   +-->
  <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
        p:registeredServices-ref="registeredServicesList" />

  <util:list id="registeredServicesList">
    <!--
     | SECURITY: the serviceId pattern below matches any http(s) or imap(s) URL, so every such URL is
     | accepted as a registered service. Narrow it to the domains you actually operate (see the commented
     | example that follows) before exposing this deployment beyond a test environment.
     -->
    <bean class="org.jasig.cas.services.RegexRegisteredService"
          p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"
          p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" />
    <!--
     | Use the following definition instead of the above to further restrict access
     | to services within your domain (including sub domains).
     | Note that example.com must be replaced with the domain you wish to permit.
     | This example also demonstrates the configuration of an attribute filter
     | that only allows attributes matching ^\w{3}$ (exactly three word characters).
     -->
    <!--
    <bean class="org.jasig.cas.services.RegexRegisteredService">
      <property name="id" value="1" />
      <property name="name" value="HTTP and IMAP on example.com" />
      <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
      <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
      <property name="evaluationOrder" value="0" />
      <property name="attributeFilter">
        <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" />
      </property>
    </bean>
    -->
  </util:list>

  <!-- The audit trail is emitted through SLF4J logging (per the class name); ensure that log destination is retained and access-controlled. -->
  <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

  <!-- Aggregates the monitors in "monitorsList" into a single health check. -->
  <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />

  <util:list id="monitorsList">
    <!-- The unit of freeMemoryWarnThreshold is not stated here (presumably a percentage of free heap); confirm against MemoryMonitor. -->
    <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
    <!--
     | NOTE
     | The following ticket registries support SessionMonitor:
     | * DefaultTicketRegistry
     | * JpaTicketRegistry
     | Remove this monitor if you use an unsupported registry.
     | The "ticketRegistry" bean referenced below is defined outside this file.
     -->
    <bean class="org.jasig.cas.monitor.SessionMonitor"
          p:ticketRegistry-ref="ticketRegistry"
          p:serviceTicketCountWarnThreshold="5000"
          p:sessionCountWarnThreshold="100000" />
  </util:list>
</beans>