authserver/casserver/simple-cas4-overlay-template/src/main/webapp/WEB-INF/deployerConfigContext.xml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/authserver/casserver/simple-cas4-overlay-template/src/main/webapp/WEB-INF/deployerConfigContext.xml Wed Apr 01 15:31:12 2015 +0200
@@ -0,0 +1,194 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ Licensed to Jasig under one or more contributor license
+ agreements. See the NOTICE file distributed with this work
+ for additional information regarding copyright ownership.
+ Jasig licenses this file to you under the Apache License,
+ Version 2.0 (the "License"); you may not use this file
+ except in compliance with the License. You may obtain a
+ copy of the License at the following location:
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<!--
+| deployerConfigContext.xml centralizes into one file some of the declarative configuration that
+| all CAS deployers will need to modify.
+|
+| This file declares some of the Spring-managed JavaBeans that make up a CAS deployment.
+| The beans declared in this file are instantiated at context initialization time by the Spring
+| ContextLoaderListener declared in web.xml. It finds this file because this
+| file is among those declared in the context parameter "contextConfigLocation".
+|
+| By far the most common change you will need to make in this file is to change the last bean
+| declaration to replace the default authentication handler with
+| one implementing your approach for authenticating usernames and passwords.
++-->
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:tx="http://www.springframework.org/schema/tx"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:sec="http://www.springframework.org/schema/security"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
+ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.2.xsd
+ http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
+
+ <!--
+ | The authentication manager defines security policy for authentication by specifying at a minimum
+ | the authentication handlers that will be used to authenticate credential. While the AuthenticationManager
+ | interface supports plugging in another implementation, the default PolicyBasedAuthenticationManager should
+ | be sufficient in most cases.
+ +-->
+ <bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
+ <constructor-arg>
+ <map>
+ <!--
+ | IMPORTANT
+ | Every handler requires a unique name.
+ | If more than one instance of the same handler class is configured, you must explicitly
+ | set its name to something other than its default name (typically the simple class name).
+ -->
+ <entry key-ref="proxyAuthenticationHandler" value-ref="proxyPrincipalResolver" />
+ <entry key-ref="primaryAuthenticationHandler" value-ref="primaryPrincipalResolver" />
+ </map>
+ </constructor-arg>
+
+ <!-- Uncomment the metadata populator to allow clearpass to capture and cache the password
+ This switch effectively will turn on clearpass.
+ <property name="authenticationMetaDataPopulators">
+ <util:list>
+ <bean class="org.jasig.cas.extension.clearpass.CacheCredentialsMetaDataPopulator"
+ c:credentialCache-ref="encryptedMap" />
+ </util:list>
+ </property>
+ -->
+
+ <!--
+ | Defines the security policy around authentication. Some alternative policies that ship with CAS:
+ |
+ | * NotPreventedAuthenticationPolicy - all credential must either pass or fail authentication
+ | * AllAuthenticationPolicy - all presented credential must be authenticated successfully
+ | * RequiredHandlerAuthenticationPolicy - specifies a handler that must authenticate its credential to pass
+ -->
+ <property name="authenticationPolicy">
+ <bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
+ </property>
+ </bean>
+
+ <!-- Required for proxy ticket mechanism. -->
+ <bean id="proxyAuthenticationHandler"
+ class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
+ p:httpClient-ref="httpClient" />
+
+ <!--
+ | TODO: Replace this component with one suitable for your enviroment.
+ |
+ | This component provides authentication for the kind of credential used in your environment. In most cases
+ | credential is a username/password pair that lives in a system of record like an LDAP directory.
+ | The most common authentication handler beans:
+ |
+ | * org.jasig.cas.authentication.LdapAuthenticationHandler
+ | * org.jasig.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler
+ | * org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler
+ | * org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
+ -->
+ <bean id="primaryAuthenticationHandler"
+ class="org.jasig.cas.authentication.AcceptUsersAuthenticationHandler">
+ <property name="users">
+ <map>
+ <entry key="casuser" value="Mellon"/>
+ <entry key="casadmin" value="casadmin"/>
+ </map>
+ </property>
+ </bean>
+
+ <!-- Required for proxy ticket mechanism -->
+ <bean id="proxyPrincipalResolver"
+ class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
+
+ <!--
+ | Resolves a principal from a credential using an attribute repository that is configured to resolve
+ | against a deployer-specific store (e.g. LDAP).
+ -->
+ <bean id="primaryPrincipalResolver"
+ class="org.jasig.cas.authentication.principal.PersonDirectoryPrincipalResolver" >
+ <property name="attributeRepository" ref="attributeRepository" />
+ </bean>
+
+ <!--
+ Bean that defines the attributes that a service may return. This example uses the Stub/Mock version. A real implementation
+ may go against a database or LDAP server. The id should remain "attributeRepository" though.
+ +-->
+ <bean id="attributeRepository" class="org.jasig.services.persondir.support.StubPersonAttributeDao"
+ p:backingMap-ref="attrRepoBackingMap" />
+
+ <util:map id="attrRepoBackingMap">
+ <entry key="uid" value="uid" />
+ <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
+ <entry key="groupMembership" value="groupMembership" />
+ </util:map>
+
+ <!--
+ Sample, in-memory data store for the ServiceRegistry. A real implementation
+ would probably want to replace this with the JPA-backed ServiceRegistry DAO
+ The name of this bean should remain "serviceRegistryDao".
+ +-->
+ <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl"
+ p:registeredServices-ref="registeredServicesList" />
+
+ <util:list id="registeredServicesList">
+ <bean class="org.jasig.cas.services.RegexRegisteredService"
+ p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols"
+ p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" />
+ <!--
+ Use the following definition instead of the above to further restrict access
+ to services within your domain (including sub domains).
+ Note that example.com must be replaced with the domain you wish to permit.
+ This example also demonstrates the configuration of an attribute filter
+ that only allows for attributes whose length is 3.
+ -->
+ <!--
+ <bean class="org.jasig.cas.services.RegexRegisteredService">
+ <property name="id" value="1" />
+ <property name="name" value="HTTP and IMAP on example.com" />
+ <property name="description" value="Allows HTTP(S) and IMAP(S) protocols on example.com" />
+ <property name="serviceId" value="^(https?|imaps?)://([A-Za-z0-9_-]+\.)*example\.com/.*" />
+ <property name="evaluationOrder" value="0" />
+ <property name="attributeFilter">
+ <bean class="org.jasig.cas.services.support.RegisteredServiceRegexAttributeFilter" c:regex="^\w{3}$" />
+ </property>
+ </bean>
+ -->
+ </util:list>
+
+ <bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />
+
+ <bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />
+
+ <util:list id="monitorsList">
+ <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />
+ <!--
+ NOTE
+ The following ticket registries support SessionMonitor:
+ * DefaultTicketRegistry
+ * JpaTicketRegistry
+ Remove this monitor if you use an unsupported registry.
+ -->
+ <bean class="org.jasig.cas.monitor.SessionMonitor"
+ p:ticketRegistry-ref="ticketRegistry"
+ p:serviceTicketCountWarnThreshold="5000"
+ p:sessionCountWarnThreshold="100000" />
+ </util:list>
+</beans>