| 1 |
51769
|
tsampikos.
|
<?xml version="1.0" encoding="UTF-8"?>
|
| 2 |
|
|
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
| 3 |
|
|
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
|
| 4 |
|
|
|
| 5 |
|
|
<display-name>Shibboleth Identity Provider</display-name>
|
| 6 |
|
|
|
| 7 |
|
|
<!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting
|
| 8 |
|
|
same named beans in previous files. -->
|
| 9 |
|
|
<context-param>
|
| 10 |
|
|
<param-name>contextConfigLocation</param-name>
|
| 11 |
|
|
<param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
|
| 12 |
|
|
</context-param>
|
| 13 |
|
|
|
| 14 |
|
|
<context-param>
|
| 15 |
|
|
<param-name>contextClass</param-name>
|
| 16 |
|
|
<param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
|
| 17 |
|
|
</context-param>
|
| 18 |
|
|
|
| 19 |
|
|
<context-param>
|
| 20 |
|
|
<param-name>contextInitializerClasses</param-name>
|
| 21 |
|
|
<param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value>
|
| 22 |
|
|
</context-param>
|
| 23 |
|
|
|
| 24 |
|
|
<!-- Spring listener used to load up the configuration -->
|
| 25 |
|
|
<listener>
|
| 26 |
|
|
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
|
| 27 |
|
|
</listener>
|
| 28 |
|
|
|
| 29 |
|
|
<!-- Filter for CORS -->
|
| 30 |
|
|
<filter>
|
| 31 |
|
|
<filter-name>CorsFilter</filter-name>
|
| 32 |
|
|
<filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
|
| 33 |
|
|
<init-param>
|
| 34 |
|
|
<param-name>cors.allowed.origins</param-name>
|
| 35 |
|
|
<param-value>*</param-value>
|
| 36 |
|
|
</init-param>
|
| 37 |
|
|
<init-param>
|
| 38 |
|
|
<param-name>cors.allowed.methods</param-name>
|
| 39 |
|
|
<param-value>GET,POST,HEAD,OPTIONS,DELETE</param-value>
|
| 40 |
|
|
</init-param>
|
| 41 |
|
|
<init-param>
|
| 42 |
|
|
<param-name>cors.exposed.headers</param-name>
|
| 43 |
|
|
<param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Methods</param-value>
|
| 44 |
|
|
</init-param>
|
| 45 |
|
|
<init-param>
|
| 46 |
|
|
<param-name>cors.support.credentials</param-name>
|
| 47 |
|
|
<param-value>true</param-value>
|
| 48 |
|
|
</init-param>
|
| 49 |
|
|
<init-param>
|
| 50 |
|
|
<param-name>cors.allowed.headers</param-name>
|
| 51 |
|
|
<param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-XSRF-TOKEN,withcredentials</param-value>
|
| 52 |
|
|
</init-param>
|
| 53 |
|
|
</filter>
|
| 54 |
|
|
<filter-mapping>
|
| 55 |
|
|
<filter-name>CorsFilter</filter-name>
|
| 56 |
|
|
<url-pattern>/*</url-pattern>
|
| 57 |
|
|
</filter-mapping>
|
| 58 |
|
|
|
| 59 |
|
|
<!-- CORS FILTER -->
|
| 60 |
|
|
|
| 61 |
|
|
<!-- Filters and filter mappings -->
|
| 62 |
|
|
<!-- Try and force I18N, probably won't help much. -->
|
| 63 |
|
|
<filter>
|
| 64 |
|
|
<filter-name>CharacterEncodingFilter</filter-name>
|
| 65 |
|
|
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
|
| 66 |
|
|
<init-param>
|
| 67 |
|
|
<param-name>encoding</param-name>
|
| 68 |
|
|
<param-value>UTF-8</param-value>
|
| 69 |
|
|
</init-param>
|
| 70 |
|
|
<init-param>
|
| 71 |
|
|
<param-name>forceEncoding</param-name>
|
| 72 |
|
|
<param-value>true</param-value>
|
| 73 |
|
|
</init-param>
|
| 74 |
|
|
</filter>
|
| 75 |
|
|
<!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
|
| 76 |
|
|
<filter>
|
| 77 |
|
|
<filter-name>CookieBufferingFilter</filter-name>
|
| 78 |
|
|
<filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
|
| 79 |
|
|
</filter>
|
| 80 |
|
|
<!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
|
| 81 |
|
|
<filter>
|
| 82 |
|
|
<filter-name>RequestResponseContextFilter</filter-name>
|
| 83 |
|
|
<filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class>
|
| 84 |
|
|
</filter>
|
| 85 |
|
|
<!-- Manages logging MDC. -->
|
| 86 |
|
|
<filter>
|
| 87 |
|
|
<filter-name>SLF4JMDCServletFilter</filter-name>
|
| 88 |
|
|
<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
|
| 89 |
|
|
</filter>
|
| 90 |
|
|
<filter-mapping>
|
| 91 |
|
|
<filter-name>CookieBufferingFilter</filter-name>
|
| 92 |
|
|
<url-pattern>/profile/Logout</url-pattern>
|
| 93 |
|
|
<url-pattern>/profile/Shibboleth/SSO</url-pattern>
|
| 94 |
|
|
<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
|
| 95 |
|
|
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
|
| 96 |
|
|
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
|
| 97 |
|
|
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
|
| 98 |
|
|
<url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
|
| 99 |
|
|
<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
|
| 100 |
|
|
<url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
|
| 101 |
|
|
<url-pattern>/profile/cas/login</url-pattern>
|
| 102 |
|
|
</filter-mapping>
|
| 103 |
|
|
<filter-mapping>
|
| 104 |
|
|
<filter-name>CharacterEncodingFilter</filter-name>
|
| 105 |
|
|
<url-pattern>/*</url-pattern>
|
| 106 |
|
|
</filter-mapping>
|
| 107 |
|
|
<filter-mapping>
|
| 108 |
|
|
<filter-name>RequestResponseContextFilter</filter-name>
|
| 109 |
|
|
<url-pattern>/*</url-pattern>
|
| 110 |
|
|
</filter-mapping>
|
| 111 |
|
|
<filter-mapping>
|
| 112 |
|
|
<filter-name>SLF4JMDCServletFilter</filter-name>
|
| 113 |
|
|
<url-pattern>/*</url-pattern>
|
| 114 |
|
|
</filter-mapping>
|
| 115 |
|
|
|
| 116 |
|
|
<!-- Servlets and servlet mappings -->
|
| 117 |
|
|
<servlet>
|
| 118 |
|
|
<servlet-name>idp</servlet-name>
|
| 119 |
|
|
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
|
| 120 |
|
|
<init-param>
|
| 121 |
|
|
<param-name>contextConfigLocation</param-name>
|
| 122 |
|
|
<param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
|
| 123 |
|
|
</init-param>
|
| 124 |
|
|
<init-param>
|
| 125 |
|
|
<param-name>contextClass</param-name>
|
| 126 |
|
|
<param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
|
| 127 |
|
|
</init-param>
|
| 128 |
|
|
<load-on-startup>1</load-on-startup>
|
| 129 |
|
|
</servlet>
|
| 130 |
|
|
<servlet-mapping>
|
| 131 |
|
|
<servlet-name>idp</servlet-name>
|
| 132 |
|
|
<url-pattern>/status</url-pattern>
|
| 133 |
|
|
<url-pattern>/profile/*</url-pattern>
|
| 134 |
|
|
</servlet-mapping>
|
| 135 |
|
|
|
| 136 |
|
|
<!-- Servlet protected by container used for RemoteUser authentication -->
|
| 137 |
|
|
<servlet>
|
| 138 |
|
|
<servlet-name>RemoteUserAuthHandler</servlet-name>
|
| 139 |
|
|
<servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
|
| 140 |
|
|
<load-on-startup>2</load-on-startup>
|
| 141 |
|
|
</servlet>
|
| 142 |
|
|
<servlet-mapping>
|
| 143 |
|
|
<servlet-name>RemoteUserAuthHandler</servlet-name>
|
| 144 |
|
|
<url-pattern>/Authn/RemoteUser</url-pattern>
|
| 145 |
|
|
</servlet-mapping>
|
| 146 |
|
|
|
| 147 |
|
|
<!-- Servlet protected by container used for X.509 authentication -->
|
| 148 |
|
|
<servlet>
|
| 149 |
|
|
<servlet-name>X509AuthHandler</servlet-name>
|
| 150 |
|
|
<servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
|
| 151 |
|
|
<load-on-startup>3</load-on-startup>
|
| 152 |
|
|
</servlet>
|
| 153 |
|
|
<servlet-mapping>
|
| 154 |
|
|
<servlet-name>X509AuthHandler</servlet-name>
|
| 155 |
|
|
<url-pattern>/Authn/X509</url-pattern>
|
| 156 |
|
|
</servlet-mapping>
|
| 157 |
|
|
|
| 158 |
|
|
<!-- Send request for the EntityID to the SAML metadata echoing JSP. -->
|
| 159 |
|
|
<servlet>
|
| 160 |
|
|
<servlet-name>shibboleth_jsp</servlet-name>
|
| 161 |
|
|
<jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file>
|
| 162 |
|
|
</servlet>
|
| 163 |
|
|
<servlet-mapping>
|
| 164 |
|
|
<servlet-name>shibboleth_jsp</servlet-name>
|
| 165 |
|
|
<url-pattern>/shibboleth</url-pattern>
|
| 166 |
|
|
</servlet-mapping>
|
| 167 |
|
|
|
| 168 |
|
|
<!-- Send servlet errors through the IdP's MVC error handling. -->
|
| 169 |
|
|
<error-page>
|
| 170 |
|
|
<exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
|
| 171 |
|
|
<location>/profile/RaiseError</location>
|
| 172 |
|
|
</error-page>
|
| 173 |
|
|
|
| 174 |
|
|
<!-- Block commonly flagged methods by using an empty auth-constraint. -->
|
| 175 |
|
|
<security-constraint>
|
| 176 |
|
|
<web-resource-collection>
|
| 177 |
|
|
<web-resource-name>Non-API Content</web-resource-name>
|
| 178 |
|
|
<url-pattern>/*</url-pattern>
|
| 179 |
|
|
<http-method>PUT</http-method>
|
| 180 |
|
|
<http-method>PATCH</http-method>
|
| 181 |
|
|
<http-method>DELETE</http-method>
|
| 182 |
|
|
<http-method>OPTIONS</http-method>
|
| 183 |
|
|
<http-method>TRACE</http-method>
|
| 184 |
|
|
</web-resource-collection>
|
| 185 |
|
|
<auth-constraint/>
|
| 186 |
|
|
</security-constraint>
|
| 187 |
|
|
|
| 188 |
|
|
<!-- Allow any HTTP methods to the API flows. -->
|
| 189 |
|
|
<security-constraint>
|
| 190 |
|
|
<web-resource-collection>
|
| 191 |
|
|
<web-resource-name>Administrative APIs</web-resource-name>
|
| 192 |
|
|
<url-pattern>/profile/admin/*</url-pattern>
|
| 193 |
|
|
</web-resource-collection>
|
| 194 |
|
|
<!-- no auth-constraint tag here -->
|
| 195 |
|
|
</security-constraint>
|
| 196 |
|
|
|
| 197 |
|
|
<!--
|
| 198 |
|
|
Uncomment to use container managed authentication. The new servlet spec (3.1)
|
| 199 |
|
|
supports "**" as a wildcard syntax to avoid role usage, which is normally desirable.
|
| 200 |
|
|
Older containers usually support "*" when proprietary options are used (e.g., Jetty
|
| 201 |
|
|
requires setting the Strict property on the SecurityManager.)
|
| 202 |
|
|
-->
|
| 203 |
|
|
<!--
|
| 204 |
|
|
<security-constraint>
|
| 205 |
|
|
<display-name>Web Login Service</display-name>
|
| 206 |
|
|
<web-resource-collection>
|
| 207 |
|
|
<web-resource-name>user authentication</web-resource-name>
|
| 208 |
|
|
<url-pattern>/Authn/RemoteUser</url-pattern>
|
| 209 |
|
|
<url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
|
| 210 |
|
|
<http-method>POST</http-method>
|
| 211 |
|
|
</web-resource-collection>
|
| 212 |
|
|
<auth-constraint>
|
| 213 |
|
|
<role-name>**</role-name>
|
| 214 |
|
|
</auth-constraint>
|
| 215 |
|
|
<user-data-constraint>
|
| 216 |
|
|
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
|
| 217 |
|
|
</user-data-constraint>
|
| 218 |
|
|
</security-constraint>
|
| 219 |
|
|
-->
|
| 220 |
|
|
|
| 221 |
|
|
<!-- Uncomment if you want BASIC auth managed by the container. -->
|
| 222 |
|
|
<!--
|
| 223 |
|
|
<login-config>
|
| 224 |
|
|
<auth-method>BASIC</auth-method>
|
| 225 |
|
|
<realm-name>Web Login Service</realm-name>
|
| 226 |
|
|
</login-config>
|
| 227 |
|
|
-->
|
| 228 |
|
|
|
| 229 |
|
|
<!--
|
| 230 |
|
|
Uncomment if you want form-based auth managed by the container.
|
| 231 |
|
|
NOTE that the default form-login UI in the IdP is not compatible
|
| 232 |
|
|
with this option, and you will need to supply your own JSP form
|
| 233 |
|
|
and error page. This is not a recommended approach and is severely
|
| 234 |
|
|
limited in functionality as compared to using the IdP's own UI.
|
| 235 |
|
|
-->
|
| 236 |
|
|
<!--
|
| 237 |
|
|
<login-config>
|
| 238 |
|
|
<auth-method>FORM</auth-method>
|
| 239 |
|
|
<realm-name>Web Login Service</realm-name>
|
| 240 |
|
|
<form-login-config>
|
| 241 |
|
|
<form-login-page>/login.jsp</form-login-page>
|
| 242 |
|
|
<form-error-page>/login-error.jsp</form-error-page>
|
| 243 |
|
|
</form-login-config>
|
| 244 |
|
|
</login-config>
|
| 245 |
|
|
-->
|
| 246 |
|
|
</web-app>
|