|
1
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
3
|
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
|
|
4
|
|
|
5
|
<display-name>Shibboleth Identity Provider</display-name>
|
|
6
|
|
|
7
|
<!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting
|
|
8
|
same named beans in previous files. -->
|
|
9
|
<context-param>
|
|
10
|
<param-name>contextConfigLocation</param-name>
|
|
11
|
<param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
|
|
12
|
</context-param>
|
|
13
|
|
|
14
|
<context-param>
|
|
15
|
<param-name>contextClass</param-name>
|
|
16
|
<param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
|
|
17
|
</context-param>
|
|
18
|
|
|
19
|
<context-param>
|
|
20
|
<param-name>contextInitializerClasses</param-name>
|
|
21
|
<param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value>
|
|
22
|
</context-param>
|
|
23
|
|
|
24
|
<!-- Spring listener used to load up the configuration -->
|
|
25
|
<listener>
|
|
26
|
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
|
|
27
|
</listener>
|
|
28
|
|
|
29
|
<!-- Filter for CORS -->
|
|
30
|
<filter>
|
|
31
|
<filter-name>CorsFilter</filter-name>
|
|
32
|
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
|
|
33
|
<init-param>
|
|
34
|
<param-name>cors.allowed.origins</param-name>
|
|
35
|
<param-value>*</param-value>
|
|
36
|
</init-param>
|
|
37
|
<init-param>
|
|
38
|
<param-name>cors.allowed.methods</param-name>
|
|
39
|
<param-value>GET,POST,HEAD,OPTIONS,DELETE</param-value>
|
|
40
|
</init-param>
|
|
41
|
<init-param>
|
|
42
|
<param-name>cors.exposed.headers</param-name>
|
|
43
|
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Methods</param-value>
|
|
44
|
</init-param>
|
|
45
|
<init-param>
|
|
46
|
<param-name>cors.support.credentials</param-name>
|
|
47
|
<param-value>true</param-value>
|
|
48
|
</init-param>
|
|
49
|
<init-param>
|
|
50
|
<param-name>cors.allowed.headers</param-name>
|
|
51
|
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-XSRF-TOKEN,withcredentials</param-value>
|
|
52
|
</init-param>
|
|
53
|
</filter>
|
|
54
|
<filter-mapping>
|
|
55
|
<filter-name>CorsFilter</filter-name>
|
|
56
|
<url-pattern>/*</url-pattern>
|
|
57
|
</filter-mapping>
|
|
58
|
|
|
59
|
<!-- CORS FILTER -->
|
|
60
|
|
|
61
|
<!-- Filters and filter mappings -->
|
|
62
|
<!-- Try and force I18N, probably won't help much. -->
|
|
63
|
<filter>
|
|
64
|
<filter-name>CharacterEncodingFilter</filter-name>
|
|
65
|
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
|
|
66
|
<init-param>
|
|
67
|
<param-name>encoding</param-name>
|
|
68
|
<param-value>UTF-8</param-value>
|
|
69
|
</init-param>
|
|
70
|
<init-param>
|
|
71
|
<param-name>forceEncoding</param-name>
|
|
72
|
<param-value>true</param-value>
|
|
73
|
</init-param>
|
|
74
|
</filter>
|
|
75
|
<!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
|
|
76
|
<filter>
|
|
77
|
<filter-name>CookieBufferingFilter</filter-name>
|
|
78
|
<filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
|
|
79
|
</filter>
|
|
80
|
<!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
|
|
81
|
<filter>
|
|
82
|
<filter-name>RequestResponseContextFilter</filter-name>
|
|
83
|
<filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class>
|
|
84
|
</filter>
|
|
85
|
<!-- Manages logging MDC. -->
|
|
86
|
<filter>
|
|
87
|
<filter-name>SLF4JMDCServletFilter</filter-name>
|
|
88
|
<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
|
|
89
|
</filter>
|
|
90
|
<filter-mapping>
|
|
91
|
<filter-name>CookieBufferingFilter</filter-name>
|
|
92
|
<url-pattern>/profile/Logout</url-pattern>
|
|
93
|
<url-pattern>/profile/Shibboleth/SSO</url-pattern>
|
|
94
|
<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
|
|
95
|
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
|
|
96
|
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
|
|
97
|
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
|
|
98
|
<url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
|
|
99
|
<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
|
|
100
|
<url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
|
|
101
|
<url-pattern>/profile/cas/login</url-pattern>
|
|
102
|
</filter-mapping>
|
|
103
|
<filter-mapping>
|
|
104
|
<filter-name>CharacterEncodingFilter</filter-name>
|
|
105
|
<url-pattern>/*</url-pattern>
|
|
106
|
</filter-mapping>
|
|
107
|
<filter-mapping>
|
|
108
|
<filter-name>RequestResponseContextFilter</filter-name>
|
|
109
|
<url-pattern>/*</url-pattern>
|
|
110
|
</filter-mapping>
|
|
111
|
<filter-mapping>
|
|
112
|
<filter-name>SLF4JMDCServletFilter</filter-name>
|
|
113
|
<url-pattern>/*</url-pattern>
|
|
114
|
</filter-mapping>
|
|
115
|
|
|
116
|
<!-- Servlets and servlet mappings -->
|
|
117
|
<servlet>
|
|
118
|
<servlet-name>idp</servlet-name>
|
|
119
|
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
|
|
120
|
<init-param>
|
|
121
|
<param-name>contextConfigLocation</param-name>
|
|
122
|
<param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
|
|
123
|
</init-param>
|
|
124
|
<init-param>
|
|
125
|
<param-name>contextClass</param-name>
|
|
126
|
<param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
|
|
127
|
</init-param>
|
|
128
|
<load-on-startup>1</load-on-startup>
|
|
129
|
</servlet>
|
|
130
|
<servlet-mapping>
|
|
131
|
<servlet-name>idp</servlet-name>
|
|
132
|
<url-pattern>/status</url-pattern>
|
|
133
|
<url-pattern>/profile/*</url-pattern>
|
|
134
|
</servlet-mapping>
|
|
135
|
|
|
136
|
<!-- Servlet protected by container used for RemoteUser authentication -->
|
|
137
|
<servlet>
|
|
138
|
<servlet-name>RemoteUserAuthHandler</servlet-name>
|
|
139
|
<servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
|
|
140
|
<load-on-startup>2</load-on-startup>
|
|
141
|
</servlet>
|
|
142
|
<servlet-mapping>
|
|
143
|
<servlet-name>RemoteUserAuthHandler</servlet-name>
|
|
144
|
<url-pattern>/Authn/RemoteUser</url-pattern>
|
|
145
|
</servlet-mapping>
|
|
146
|
|
|
147
|
<!-- Servlet protected by container used for X.509 authentication -->
|
|
148
|
<servlet>
|
|
149
|
<servlet-name>X509AuthHandler</servlet-name>
|
|
150
|
<servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
|
|
151
|
<load-on-startup>3</load-on-startup>
|
|
152
|
</servlet>
|
|
153
|
<servlet-mapping>
|
|
154
|
<servlet-name>X509AuthHandler</servlet-name>
|
|
155
|
<url-pattern>/Authn/X509</url-pattern>
|
|
156
|
</servlet-mapping>
|
|
157
|
|
|
158
|
<!-- Send request for the EntityID to the SAML metadata echoing JSP. -->
|
|
159
|
<servlet>
|
|
160
|
<servlet-name>shibboleth_jsp</servlet-name>
|
|
161
|
<jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file>
|
|
162
|
</servlet>
|
|
163
|
<servlet-mapping>
|
|
164
|
<servlet-name>shibboleth_jsp</servlet-name>
|
|
165
|
<url-pattern>/shibboleth</url-pattern>
|
|
166
|
</servlet-mapping>
|
|
167
|
|
|
168
|
<!-- Send servlet errors through the IdP's MVC error handling. -->
|
|
169
|
<error-page>
|
|
170
|
<exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
|
|
171
|
<location>/profile/RaiseError</location>
|
|
172
|
</error-page>
|
|
173
|
|
|
174
|
<!-- Block commonly flagged methods by using an empty auth-constraint. -->
|
|
175
|
<security-constraint>
|
|
176
|
<web-resource-collection>
|
|
177
|
<web-resource-name>Non-API Content</web-resource-name>
|
|
178
|
<url-pattern>/*</url-pattern>
|
|
179
|
<http-method>PUT</http-method>
|
|
180
|
<http-method>PATCH</http-method>
|
|
181
|
<http-method>DELETE</http-method>
|
|
182
|
<http-method>OPTIONS</http-method>
|
|
183
|
<http-method>TRACE</http-method>
|
|
184
|
</web-resource-collection>
|
|
185
|
<auth-constraint/>
|
|
186
|
</security-constraint>
|
|
187
|
|
|
188
|
<!-- Allow any HTTP methods to the API flows. -->
|
|
189
|
<security-constraint>
|
|
190
|
<web-resource-collection>
|
|
191
|
<web-resource-name>Administrative APIs</web-resource-name>
|
|
192
|
<url-pattern>/profile/admin/*</url-pattern>
|
|
193
|
</web-resource-collection>
|
|
194
|
<!-- no auth-constraint tag here -->
|
|
195
|
</security-constraint>
|
|
196
|
|
|
197
|
<!--
|
|
198
|
Uncomment to use container managed authentication. The new servlet spec (3.1)
|
|
199
|
supports "**" as a wildcard syntax to avoid role usage, which is normally desirable.
|
|
200
|
Older containers usually support "*" when proprietary options are used (e.g., Jetty
|
|
201
|
requires setting the Strict property on the SecurityManager.)
|
|
202
|
-->
|
|
203
|
<!--
|
|
204
|
<security-constraint>
|
|
205
|
<display-name>Web Login Service</display-name>
|
|
206
|
<web-resource-collection>
|
|
207
|
<web-resource-name>user authentication</web-resource-name>
|
|
208
|
<url-pattern>/Authn/RemoteUser</url-pattern>
|
|
209
|
<url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
|
|
210
|
<http-method>POST</http-method>
|
|
211
|
</web-resource-collection>
|
|
212
|
<auth-constraint>
|
|
213
|
<role-name>**</role-name>
|
|
214
|
</auth-constraint>
|
|
215
|
<user-data-constraint>
|
|
216
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
|
217
|
</user-data-constraint>
|
|
218
|
</security-constraint>
|
|
219
|
-->
|
|
220
|
|
|
221
|
<!-- Uncomment if you want BASIC auth managed by the container. -->
|
|
222
|
<!--
|
|
223
|
<login-config>
|
|
224
|
<auth-method>BASIC</auth-method>
|
|
225
|
<realm-name>Web Login Service</realm-name>
|
|
226
|
</login-config>
|
|
227
|
-->
|
|
228
|
|
|
229
|
<!--
|
|
230
|
Uncomment if you want form-based auth managed by the container.
|
|
231
|
NOTE that the default form-login UI in the IdP is not compatible
|
|
232
|
with this option, and you will need to supply your own JSP form
|
|
233
|
and error page. This is not a recommended approach and is severely
|
|
234
|
limited in functionality as compared to using the IdP's own UI.
|
|
235
|
-->
|
|
236
|
<!--
|
|
237
|
<login-config>
|
|
238
|
<auth-method>FORM</auth-method>
|
|
239
|
<realm-name>Web Login Service</realm-name>
|
|
240
|
<form-login-config>
|
|
241
|
<form-login-page>/login.jsp</form-login-page>
|
|
242
|
<form-error-page>/login-error.jsp</form-error-page>
|
|
243
|
</form-login-config>
|
|
244
|
</login-config>
|
|
245
|
-->
|
|
246
|
</web-app>
|