Permalink
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
shib-idp-conftree/system/conf/global-system.xml
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
314 lines (271 sloc)
17.8 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <beans xmlns="http://www.springframework.org/schema/beans" | |
| xmlns:context="http://www.springframework.org/schema/context" | |
| xmlns:util="http://www.springframework.org/schema/util" | |
| xmlns:p="http://www.springframework.org/schema/p" | |
| xmlns:c="http://www.springframework.org/schema/c" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd | |
| http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd | |
| http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd" | |
| default-init-method="initialize" | |
| default-destroy-method="destroy"> | |
| <bean id="shibboleth.PropertySourcesPlaceholderConfigurer" | |
| class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer" | |
| p:placeholderPrefix="%{" p:placeholderSuffix="}" /> | |
| <!-- This bean MUST be called "conversionService" to work properly. --> | |
| <bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean"> | |
| <property name="converters"> | |
| <set> | |
| <bean class="net.shibboleth.ext.spring.config.DurationToLongConverter" /> | |
| <bean class="net.shibboleth.ext.spring.config.StringToIPRangeConverter" /> | |
| <bean class="net.shibboleth.ext.spring.config.BooleanToPredicateConverter" /> | |
| <bean class="net.shibboleth.ext.spring.config.StringBooleanToPredicateConverter" /> | |
| <bean class="net.shibboleth.ext.spring.config.StringToResourceConverter" /> | |
| </set> | |
| </property> | |
| </bean> | |
| <!-- This BeanPostProcessor auto-sets identifiable beans with the bean name (if not already set). --> | |
| <bean id="shibboleth.IdentifiableBeanPostProcessor" | |
| class="net.shibboleth.ext.spring.config.IdentifiableBeanPostProcessor" /> | |
| <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource" | |
| p:cacheSeconds="%{idp.message.cacheSeconds:300}" | |
| p:basenames-ref="#{'%{idp.message.resources:shibboleth.MessageSourceResources}'.trim()}" | |
| p:defaultEncoding="UTF-8" /> | |
| <import resource="../../conf/global.xml" /> | |
| <import resource="../../conf/errors.xml" /> | |
| <import resource="general-authn-system.xml" /> | |
| <import resource="session-manager-system.xml" /> | |
| <import resource="services-system.xml" /> | |
| <import resource="saml-binding-config.xml" /> | |
| <import resource="subject-c14n-system.xml" /> | |
| <import resource="profile-intercept-system.xml" /> | |
| <import resource="cas-protocol-system.xml" /> | |
| <import resource="utilities.xml" /> | |
| <bean id="shibboleth.OpenSAMLConfig" class="net.shibboleth.idp.spring.OpenSAMLConfigBean" | |
| depends-on="shibboleth.LoggingService,shibboleth.ParserPool" p:parserPool-ref="shibboleth.ParserPool" /> | |
| <bean id="shibboleth.VelocityEngine" class="org.springframework.ui.velocity.VelocityEngineFactoryBean" | |
| depends-on="shibboleth.LoggingService"> | |
| <property name="overrideLogging" value="false"/> | |
| <property name="velocityProperties"> | |
| <props> | |
| <prop key="runtime.log.logsystem.class"> | |
| net.shibboleth.utilities.java.support.velocity.SLF4JLogChute | |
| </prop> | |
| <prop key="input.encoding">UTF-8</prop> | |
| <prop key="output.encoding">UTF-8</prop> | |
| <prop key="resource.loader">file, classpath, string</prop> | |
| <prop key="classpath.resource.loader.class"> | |
| org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader | |
| </prop> | |
| <prop key="string.resource.loader.class"> | |
| org.apache.velocity.runtime.resource.loader.StringResourceLoader | |
| </prop> | |
| <prop key="file.resource.loader.class"> | |
| org.apache.velocity.runtime.resource.loader.FileResourceLoader | |
| </prop> | |
| <prop key="file.resource.loader.path">#{'%{idp.views:%{idp.home}/views}'.trim()}</prop> | |
| <prop key="file.resource.loader.cache">false</prop> | |
| </props> | |
| </property> | |
| </bean> | |
| <bean id="shibboleth.ParserPool" class="net.shibboleth.utilities.java.support.xml.BasicParserPool" | |
| depends-on="shibboleth.LoggingService" | |
| p:maxPoolSize="100" | |
| p:coalescing="true" | |
| p:ignoreComments="true" | |
| p:ignoreElementContentWhitespace="true" | |
| p:namespaceAware="true"> | |
| <property name="builderAttributes"> | |
| <map> | |
| <!-- Sun/Oracle is the default, for Xerces, set property to org.apache.xerces.util.SecurityManager --> | |
| <entry key="http://apache.org/xml/properties/security-manager"> | |
| <bean class="%{idp.xml.securityManager:com.sun.org.apache.xerces.internal.util.SecurityManager}" /> | |
| </entry> | |
| </map> | |
| </property> | |
| <property name="builderFeatures"> | |
| <map> | |
| <entry key="http://apache.org/xml/features/disallow-doctype-decl"> | |
| <util:constant static-field="java.lang.Boolean.TRUE" /> | |
| </entry> | |
| <entry key="http://apache.org/xml/features/validation/schema/normalized-value"> | |
| <util:constant static-field="java.lang.Boolean.FALSE" /> | |
| </entry> | |
| <entry key="http://javax.xml.XMLConstants/feature/secure-processing"> | |
| <util:constant static-field="java.lang.Boolean.TRUE" /> | |
| </entry> | |
| </map> | |
| </property> | |
| </bean> | |
| <!-- Bean used by the SchemaValidation metadata filter and anything else doing basic schema validation. --> | |
| <bean id="shibboleth.SchemaBuilder" lazy-init="true" | |
| class="org.opensaml.saml.common.xml.SAMLSchemaBuilder" c:ver="SAML_11" > | |
| <property name="schemaBuilder"> | |
| <bean class="net.shibboleth.utilities.java.support.xml.SchemaBuilder"> | |
| <property name="resourceResolver"> | |
| <bean class="net.shibboleth.utilities.java.support.xml.ClasspathResolver" /> | |
| </property> | |
| <property name="schemaResources"> | |
| <list> | |
| <value>#{'classpath:' + T(org.opensaml.saml.common.xml.SAMLConstants).XMLSIG_SCHEMA_LOCATION }</value> | |
| <value>#{'classpath:' + T(net.shibboleth.idp.saml.xmlobject.ExtensionsConstants).SHIB_MDEXT10_SCHEMA_LOCATION }</value> | |
| </list> | |
| </property> | |
| </bean> | |
| </property> | |
| </bean> | |
| <bean id="shibboleth.HttpServletRequest" class="net.shibboleth.utilities.java.support.net.ThreadLocalHttpServletRequestProxy" /> | |
| <bean id="shibboleth.HttpServletResponse" class="net.shibboleth.utilities.java.support.net.ThreadLocalHttpServletResponseProxy" /> | |
| <bean id="shibboleth.BuilderFactory" factory-method="getBuilderFactory" class="org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport" depends-on="shibboleth.OpenSAMLConfig" /> | |
| <bean id="shibboleth.MarshallerFactory" factory-method="getMarshallerFactory" class="org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport" depends-on="shibboleth.OpenSAMLConfig" /> | |
| <bean id="shibboleth.UnmarshallerFactory" factory-method="getUnmarshallerFactory" class="org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport" depends-on="shibboleth.OpenSAMLConfig" /> | |
| <bean id="shibboleth.EndpointResolver" class="org.opensaml.saml.common.binding.impl.DefaultEndpointResolver" /> | |
| <bean id="shibboleth.CookieManager" class="net.shibboleth.utilities.java.support.net.CookieManager" | |
| p:httpServletRequest-ref="shibboleth.HttpServletRequest" | |
| p:httpServletResponse-ref="shibboleth.HttpServletResponse" | |
| p:secure="%{idp.cookie.secure:false}" | |
| p:httpOnly="%{idp.cookie.httpOnly:true}" | |
| p:cookieDomain="%{idp.cookie.domain:}" | |
| p:cookiePath="%{idp.cookie.path:}" | |
| p:maxAge="-1" /> | |
| <bean id="shibboleth.PersistentCookieManager" class="net.shibboleth.utilities.java.support.net.CookieManager" | |
| p:httpServletRequest-ref="shibboleth.HttpServletRequest" | |
| p:httpServletResponse-ref="shibboleth.HttpServletResponse" | |
| p:secure="%{idp.cookie.secure:false}" | |
| p:httpOnly="%{idp.cookie.httpOnly:true}" | |
| p:cookieDomain="%{idp.cookie.domain:}" | |
| p:cookiePath="%{idp.cookie.path:}" | |
| p:maxAge="%{idp.cookie.maxAge:31536000}" /> | |
| <bean id="shibboleth.UserPrefsCookieManager" class="net.shibboleth.utilities.java.support.net.CookieManager" | |
| p:httpServletRequest-ref="shibboleth.HttpServletRequest" | |
| p:httpServletResponse-ref="shibboleth.HttpServletResponse" | |
| p:secure="%{idp.cookie.secure:false}" | |
| p:httpOnly="false" | |
| p:cookieDomain="%{idp.cookie.domain:}" | |
| p:cookiePath="%{idp.cookie.path:}" | |
| p:maxAge="%{idp.cookie.maxAge:31536000}" /> | |
| <bean id="shibboleth.DataSealerKeyStrategy" | |
| class="net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategy" | |
| p:keystoreType="%{idp.sealer.storeType:JCEKS}" | |
| p:keystoreResource="%{idp.sealer.storeResource}" | |
| p:keyVersionResource="%{idp.sealer.versionResource}" | |
| p:keystorePassword="%{idp.sealer.storePassword}" | |
| p:keyAlias="%{idp.sealer.aliasBase:secret}" | |
| p:keyPassword="%{idp.sealer.keyPassword}" | |
| p:updateInterval="%{idp.sealer.updateInterval:PT15M}" /> | |
| <bean id="shibboleth.DataSealer" class="net.shibboleth.utilities.java.support.security.DataSealer" | |
| p:keyStrategy-ref="shibboleth.DataSealerKeyStrategy" /> | |
| <!-- This is a convenience for compatibility with the examples for configuring this in V2. --> | |
| <alias name="shibboleth.DataSealer" alias="shibboleth.TransientIDDataSealer"/> | |
| <bean id="shibboleth.StorageService" lazy-init="true" | |
| class="%{idp.storage.StorageService:org.opensaml.storage.impl.MemoryStorageService}" | |
| p:cleanupInterval="%{idp.storage.cleanupInterval:PT10M}" /> | |
| <bean id="shibboleth.ClientSessionStorageService" | |
| class="org.opensaml.storage.impl.client.ClientStorageService" | |
| p:httpServletRequest-ref="shibboleth.HttpServletRequest" | |
| p:cookieManager-ref="shibboleth.CookieManager" | |
| p:storageName="shib_idp_session_ss" | |
| p:dataSealer-ref="shibboleth.DataSealer" /> | |
| <bean id="shibboleth.ClientPersistentStorageService" | |
| class="org.opensaml.storage.impl.client.ClientStorageService" | |
| p:httpServletRequest-ref="shibboleth.HttpServletRequest" | |
| p:cookieManager-ref="shibboleth.PersistentCookieManager" | |
| p:storageName="shib_idp_persistent_ss" | |
| p:dataSealer-ref="shibboleth.DataSealer" | |
| p:keyStrategy-ref="shibboleth.DataSealerKeyStrategy" /> | |
| <!-- | |
| Default list of ClientStorageService plugins needed for injection into storage read/write flows. | |
| Declared here for compatibility with pre-3.2 installs that don't declare this list inside | |
| session-manager.xml | |
| --> | |
| <util:list id="shibboleth.DefaultClientStorageServices"> | |
| <ref bean="shibboleth.ClientSessionStorageService" /> | |
| <ref bean="shibboleth.ClientPersistentStorageService" /> | |
| </util:list> | |
| <bean id="shibboleth.ReplayCache" class="org.opensaml.storage.ReplayCache" depends-on="shibboleth.LoggingService" | |
| p:storage-ref="#{'%{idp.replayCache.StorageService:shibboleth.StorageService}'.trim()}" p:strict="true" /> | |
| <bean id="shibboleth.SAMLArtifactMap" depends-on="shibboleth.StorageService" | |
| class="org.opensaml.saml.common.binding.artifact.impl.StorageServiceSAMLArtifactMap" | |
| p:storageService-ref="#{'%{idp.artifact.StorageService:shibboleth.StorageService}'.trim()}" /> | |
| <bean id="shibboleth.DefaultIdentifierGenerationStrategy" | |
| class="net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy" /> | |
| <!-- Parent beans for Signature/Encryption/TLS Configuration objects. --> | |
| <bean id="shibboleth.BasicSignatureValidationConfiguration" abstract="true" | |
| class="org.opensaml.xmlsec.impl.BasicSignatureValidationConfiguration" | |
| p:whitelistedAlgorithms="#{getObject('shibboleth.SignatureWhitelist')}" | |
| p:blacklistedAlgorithms="#{getObject('shibboleth.SignatureBlacklist')}" /> | |
| <bean id="shibboleth.BasicClientTLSValidationConfiguration" abstract="true" | |
| class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationConfiguration" /> | |
| <bean id="shibboleth.BasicSignatureSigningConfiguration" abstract="true" | |
| class="org.opensaml.xmlsec.impl.BasicSignatureSigningConfiguration" | |
| p:whitelistedAlgorithms="#{getObject('shibboleth.SignatureWhitelist')}" | |
| p:blacklistedAlgorithms="#{getObject('shibboleth.SignatureBlacklist')}" /> | |
| <bean id="shibboleth.BasicEncryptionConfiguration" abstract="true" | |
| class="org.opensaml.xmlsec.impl.BasicEncryptionConfiguration" | |
| p:whitelistedAlgorithms="#{getObject('shibboleth.EncryptionWhitelist')}" | |
| p:blacklistedAlgorithms="#{getObject('shibboleth.EncryptionBlacklist')}" /> | |
| <bean id="shibboleth.BasicDecryptionConfiguration" abstract="true" | |
| class="org.opensaml.xmlsec.impl.BasicDecryptionConfiguration" | |
| p:whitelistedAlgorithms="#{getObject('shibboleth.EncryptionWhitelist')}" | |
| p:blacklistedAlgorithms="#{getObject('shibboleth.EncryptionBlacklist')}" /> | |
| <!-- Beans that implement the mashing of security configurations into final parameter sets. --> | |
| <bean id="shibboleth.SignatureValidationParametersResolver" | |
| class="org.opensaml.xmlsec.impl.BasicSignatureValidationParametersResolver" /> | |
| <bean id="shibboleth.SignatureSigningParametersResolver" | |
| class="org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver" /> | |
| <bean id="shibboleth.DecryptionParametersResolver" | |
| class="org.opensaml.xmlsec.impl.BasicDecryptionParametersResolver" /> | |
| <bean id="shibboleth.EncryptionParametersResolver" | |
| class="org.opensaml.saml.security.impl.SAMLMetadataEncryptionParametersResolver" | |
| c:resolver-ref="shibboleth.MetadataCredentialResolver" /> | |
| <bean id="shibboleth.ClientTLSValidationParametersResolver" | |
| class="org.opensaml.security.x509.tls.impl.BasicClientTLSValidationParametersResolver" /> | |
| <!-- | |
| The beans below are primarily used by trust engines in relying-party-system.xml, but also in the | |
| resolver for encryption parameters above. | |
| --> | |
| <bean id="shibboleth.MetadataCredentialResolver" | |
| class="org.opensaml.saml.security.impl.MetadataCredentialResolver" | |
| p:roleDescriptorResolver-ref="shibboleth.RoleDescriptorResolver" | |
| p:keyInfoCredentialResolver-ref="shibboleth.KeyInfoCredentialResolver"> | |
| </bean> | |
| <bean id="shibboleth.KeyInfoCredentialResolver" | |
| class="org.opensaml.xmlsec.config.DefaultSecurityConfigurationBootstrap" | |
| factory-method="buildBasicInlineKeyInfoCredentialResolver" /> | |
| <!-- These are the common HttpClients wired to by multiple components, such as HTTPResources. --> | |
| <bean id="shibboleth.NonCachingHttpClient" | |
| lazy-init="true" | |
| class="net.shibboleth.idp.profile.spring.relyingparty.metadata.HttpClientFactoryBean" | |
| p:tLSSocketFactory="#{ %{idp.httpclient.useTrustEngineTLSSocketFactory:false} or %{idp.httpclient.useSecurityEnhancedTLSSocketFactory:false} ? @'shibboleth.SecurityEnhancedTLSSocketFactory' : null }" | |
| p:connectionDisregardTLSCertificate="%{idp.httpclient.connectionDisregardTLSCertificate:false}" | |
| p:connectionTimeout="%{idp.httpclient.connectionTimeout:-1}" /> | |
| <bean id="shibboleth.FileCachingHttpClient" | |
| lazy-init="true" | |
| class="net.shibboleth.idp.profile.spring.relyingparty.metadata.FileCachingHttpClientFactoryBean" | |
| p:tLSSocketFactory="#{ %{idp.httpclient.useTrustEngineTLSSocketFactory:false} or %{idp.httpclient.useSecurityEnhancedTLSSocketFactory:false} ? @'shibboleth.SecurityEnhancedTLSSocketFactory' : null }" | |
| p:connectionDisregardTLSCertificate="%{idp.httpclient.connectionDisregardTLSCertificate:false}" | |
| p:connectionTimeout="%{idp.httpclient.connectionTimeout:-1}" | |
| p:cacheDirectory="%{idp.httpclient.filecaching.cacheDirectory}" | |
| p:maxCacheEntries="%{idp.httpclient.filecaching.maxCacheEntries:100}" | |
| p:maxCacheEntrySize="%{idp.httpclient.filecaching.maxCacheEntrySize:10485760}" /> | |
| <bean id="shibboleth.MemoryCachingHttpClient" | |
| lazy-init="true" | |
| class="net.shibboleth.idp.profile.spring.relyingparty.metadata.InMemoryCachingHttpClientFactoryBean" | |
| p:tLSSocketFactory="#{ %{idp.httpclient.useTrustEngineTLSSocketFactory:false} or %{idp.httpclient.useSecurityEnhancedTLSSocketFactory:false} ? @'shibboleth.SecurityEnhancedTLSSocketFactory' : null }" | |
| p:connectionDisregardTLSCertificate="%{idp.httpclient.connectionDisregardTLSCertificate:false}" | |
| p:connectionTimeout="%{idp.httpclient.connectionTimeout:-1}" | |
| p:maxCacheEntries="%{idp.httpclient.memorycaching.maxCacheEntries:50}" | |
| p:maxCacheEntrySize="%{idp.httpclient.memorycaching.maxCacheEntrySize:1048576}" /> | |
| <bean id="shibboleth.SecurityEnhancedTLSSocketFactory" name="shibboleth.TrustEngineTLSSocketFactory" | |
| lazy-init="true" | |
| class="org.opensaml.security.httpclient.impl.SecurityEnhancedTLSSocketFactory"> | |
| <constructor-arg> | |
| <bean class="net.shibboleth.utilities.java.support.httpclient.HttpClientSupport" | |
| factory-method="buildNoTrustTLSSocketFactory" /> | |
| </constructor-arg> | |
| <constructor-arg> | |
| <bean class="org.apache.http.conn.ssl.StrictHostnameVerifier" /> | |
| </constructor-arg> | |
| </bean> | |
| </beans> |