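<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">

    <display-name>Shibboleth Identity Provider</display-name>

    <!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting
        same named beans in previous files. -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
    </context-param>

    <!-- Application context implementation used for the root Spring context. -->
    <context-param>
        <param-name>contextClass</param-name>
        <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
    </context-param>

    <!-- Initializer applied to the root Spring context before it is refreshed. -->
    <context-param>
        <param-name>contextInitializerClasses</param-name>
        <param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value>
    </context-param>

    <!-- Spring listener used to load up the configuration -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Filters and filter mappings -->

    <!--
    CORS filter. This is Tomcat's org.apache.catalina.filters.CorsFilter, so the class is only
    available when the IdP runs inside Tomcat; on another container the filter will fail to load.

    NOTE(review): cors.allowed.origins is "*" while cors.support.credentials is "true". That pair
    tells browsers that any origin may send credentialed (cookie-bearing) cross-origin requests to
    the IdP and read the responses, which undoes the same-origin protection of the IdP session
    cookie. Current Tomcat releases refuse to initialize CorsFilter with this combination (confirm
    against the deployed version by checking the container log at startup). Replace "*" with the
    explicit, comma-separated list of origins that legitimately call the IdP, or set
    cors.support.credentials to false.

    Also note the "Non-API Content" security-constraint further down denies OPTIONS and DELETE for
    every path except /profile/admin/*. The container enforces security constraints before the
    filter chain runs, so CORS preflight (OPTIONS) requests to other paths are rejected no matter
    what this filter allows; the allowances below are effectively limited to the admin flows and to
    requests that need no preflight.
    -->
    <filter>
        <filter-name>CorsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
        <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>*</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.methods</param-name>
            <param-value>GET,POST,HEAD,OPTIONS,DELETE</param-value>
        </init-param>
        <init-param>
            <param-name>cors.exposed.headers</param-name>
            <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Allow-Methods</param-value>
        </init-param>
        <init-param>
            <param-name>cors.support.credentials</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>cors.allowed.headers</param-name>
            <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-XSRF-TOKEN,withcredentials</param-value>
        </init-param>
    </filter>
    <!-- Mapped first, so it is the first filter in the chain for every request. -->
    <filter-mapping>
        <filter-name>CorsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Try and force I18N, probably won't help much. -->
    <filter>
        <filter-name>CharacterEncodingFilter</filter-name>
        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
        <init-param>
            <param-name>encoding</param-name>
            <param-value>UTF-8</param-value>
        </init-param>
        <init-param>
            <param-name>forceEncoding</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
    <filter>
        <filter-name>CookieBufferingFilter</filter-name>
        <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
    </filter>
    <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
    <filter>
        <filter-name>RequestResponseContextFilter</filter-name>
        <filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class>
    </filter>
    <!-- Manages logging MDC. -->
    <filter>
        <filter-name>SLF4JMDCServletFilter</filter-name>
        <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
    </filter>
    <!-- Cookie buffering is limited to the profile endpoints that set cookies. -->
    <filter-mapping>
        <filter-name>CookieBufferingFilter</filter-name>
        <url-pattern>/profile/Logout</url-pattern>
        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
        <url-pattern>/profile/cas/login</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CharacterEncodingFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>RequestResponseContextFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>SLF4JMDCServletFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Servlets and servlet mappings -->

    <!-- Spring MVC front controller for the status page and all profile flows. -->
    <servlet>
        <servlet-name>idp</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
        </init-param>
        <init-param>
            <param-name>contextClass</param-name>
            <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>idp</servlet-name>
        <url-pattern>/status</url-pattern>
        <url-pattern>/profile/*</url-pattern>
    </servlet-mapping>

    <!--
    Servlet protected by container used for RemoteUser authentication.
    NOTE(review): the constraint that would make the container authenticate /Authn/RemoteUser is the
    commented-out "Web Login Service" security-constraint below. With it disabled, confirm what
    supplies the authenticated remote user for this path in this deployment (front-end web server,
    container realm, or other).
    -->
    <servlet>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </servlet-mapping>

    <!-- Servlet protected by container used for X.509 authentication -->
    <servlet>
        <servlet-name>X509AuthHandler</servlet-name>
        <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
        <load-on-startup>3</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>X509AuthHandler</servlet-name>
        <url-pattern>/Authn/X509</url-pattern>
    </servlet-mapping>

    <!-- Send request for the EntityID to the SAML metadata echoing JSP. -->
    <servlet>
        <servlet-name>shibboleth_jsp</servlet-name>
        <jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file>
    </servlet>
    <servlet-mapping>
        <servlet-name>shibboleth_jsp</servlet-name>
        <url-pattern>/shibboleth</url-pattern>
    </servlet-mapping>

    <!-- Send servlet errors through the IdP's MVC error handling. -->
    <error-page>
        <exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
        <location>/profile/RaiseError</location>
    </error-page>

    <!--
    Block commonly flagged methods by using an empty auth-constraint.
    An empty auth-constraint grants access to no role, so the container answers the listed methods
    with 403 for every path not covered by a more specific constraint (see the admin constraint next).
    This includes OPTIONS, which is why CORS preflight is unavailable outside /profile/admin/*.
    -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Non-API Content</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>PATCH</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <!--
    Allow any HTTP methods to the API flows.
    A web-resource-collection with no http-method covers every method, and a constraint with no
    auth-constraint imposes no container-level access restriction, so these flows rely on access
    control inside the IdP (presumably; verify in the IdP configuration).
    -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Administrative APIs</web-resource-name>
            <url-pattern>/profile/admin/*</url-pattern>
        </web-resource-collection>
        <!-- no auth-constraint tag here -->
    </security-constraint>

    <!--
    Uncomment to use container managed authentication. The new servlet spec (3.1)
    supports "**" as a wildcard syntax to avoid role usage, which is normally desirable.
    Older containers usually support "*" when proprietary options are used (e.g., Jetty
    requires setting the Strict property on the SecurityManager.)
    NOTE(review): this descriptor declares version="3.0" and the web-app_3_0.xsd schema; if the
    "**" form is enabled, the version and schemaLocation on the root element need to be raised to
    3.1 as well (confirm with the container in use).
    -->
    <!--
    <security-constraint>
        <display-name>Web Login Service</display-name>
        <web-resource-collection>
            <web-resource-name>user authentication</web-resource-name>
            <url-pattern>/Authn/RemoteUser</url-pattern>
            <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>**</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    -->

    <!-- Uncomment if you want BASIC auth managed by the container. -->
    <!--
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Web Login Service</realm-name>
    </login-config>
    -->

    <!--
    Uncomment if you want form-based auth managed by the container.
    NOTE that the default form-login UI in the IdP is not compatible
    with this option, and you will need to supply your own JSP form
    and error page. This is not a recommended approach and is severely
    limited in functionality as compared to using the IdP's own UI.
    -->
    <!--
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Web Login Service</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login-error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    -->
</web-app>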