-
Notifications
You must be signed in to change notification settings - Fork 22
/
cas.properties
344 lines (305 loc) · 10.9 KB
/
cas.properties
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
#
# Copyright (c) 2015. Center for Open Science
#
# Licensed to Apereo under one or more contributor license
# agreements. See the NOTICE file distributed with this work
# for additional information regarding copyright ownership.
# Apereo licenses this file to you under the Apache License,
# Version 2.0 (the "License"); you may not use this file
# except in compliance with the License. You may obtain a
# copy of the License at the following location:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
####
#### OSF CAS
####
#### This section "OSF CAS" contains new properties for OSF-oriented CAS customization.
####
##
# Google Analytics
#
google.analytics.id=
google.analytics.autoLink=
##
# CAS Login and Logout URLs
#
cas.osf.login.url=/login?
cas.logout.url=/logout
cas.institution.login.url=/login?campaign=institution
cas.institution.unsupported.url=/login?campaign=unsupportedinstitution
##
# Login Rate Limiting
#
cas.rateLimiting.failureRangeInSeconds=1
cas.rateLimiting.failureThreshold=5
cas.rateLimiting.usernameParameter=username
cas.rateLimiting.startDelay=1000
cas.rateLimiting.repeatInterval=5000
##
# Authentication Delegation: General
#
delegation.redirect.uri=${server.name}/login
##
# Authentication Delegation: Clients
#
# CAS Client: California Lutheran University
cas.callutheran.login.url=https://sso.callutheran.edu/cas/login
cas.callutheran.prefix.url=https://sso.callutheran.edu/cas/
cas.callutheran.client.name=callutheran
cas.callutheran.cas.protocol=SAML
#
# CAS Client: Concordia College
cas.cord.login.url=https://bprdeis.cord.edu:8443/cas/login
cas.cord.prefix.url=https://bprdeis.cord.edu:8443/cas/
cas.cord.client.name=cord
cas.cord.cas.protocol=SAML
#
# CAS Client: Oklahoma State University
cas.okstate.login.url=https://stwcas.okstate.edu/cas/login
cas.okstate.prefix.url=https://stwcas.okstate.edu/cas/
cas.okstate.client.name=okstate
cas.okstate.cas.protocol=SAML
#
# OAuth Client: ORCiD
oauth.orcid.authorize.url=https://orcid.org/oauth/authorize
oauth.orcid.token.url=https://pub.orcid.org/oauth/token
oauth.orcid.client.id=osf_orcid_developer_app_client_id
oauth.orcid.client.secret=osf_orcid_developer_app_client_secret
oauth.orcid.member=false
oauth.orcid.scope=/authenticate
oauth.orcid.connect.timeout=10000
oauth.orcid.read.timeout=60000
##
# OSF URLs
#
osf.url=http://localhost:5000/
osf.resendConfirmation.url=http://localhost:5000/resend/
osf.forgotPassword.url=http://localhost:5000/forgotpassword/
osf.forgotPasswordInstitution.url=http://localhost:5000/forgotpassword-institution/
osf.createAccount.url=http://localhost:5000/register/
osf.osfi.url=http://localhost:5000/institutions/
##
# API URLs
#
osf.api.institutions.auth.url=http://localhost:8000/v2/institutions/auth/
# The encryption secret key. By default, must be a octet string of size 256.
osf.api.institutions.auth.jweSecret=osf_api_cas_login_jwe_secret_32b
osf.api.institutions.auth.jwtSecret=osf_api_cas_login_jwt_secret_32b
osf.api.institutions.auth.xslLocation=file:etc/institutions-auth.xsl
##
# OSF Postgres Database
#
osf.database.driverClass=org.postgresql.Driver
osf.database.url=jdbc:postgresql://192.168.168.167:5432/osf?targetServerType=master
osf.database.user=postgres
osf.database.password=
osf.database.hibernate.dialect=io.cos.cas.adaptors.postgres.hibernate.OSFPostgreSQLDialect
##
# OAuth Provider
#
# OAuth Access Token session length in seconds
oauth.accessTokenDuration=3600
oauth.loginUrl=${server.name}/login
####
#### Central Authentication Service (CAS)
####
#### This section "Central Authentication Service (CAS)" contains default properties from jasig/apereo.
####
server.name=http://192.168.168.167:8080
server.prefix=${server.name}
# Spring Security's EL-based access rules for the /status URI of CAS that exposes health check information
cas.securityContext.status.access=permitAll
# Spring Security's EL-based access rules for the /statistics URI of CAS that exposes stats about the CAS server
cas.securityContext.statistics.access=hasIpAddress('127.0.0.1')
cas.themeResolver.defaultThemeName=cas-theme-default
# Path prefix for where views are to be found
# cas.viewResolver.defaultViewsPathPrefix=/WEB-INF/view/jsp/default/ui/
# Location of the Spring xml config file where views may be collected
# cas.viewResolver.xmlFile=/META-INF/spring/views.xml
##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts. This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
host.name=osf-cas.cos.io
##
# Database flavors for Hibernate
#
database.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
database.hibernate.batchSize=1
database.hibernate.showSql=true
database.driverClass=org.postgresql.Driver
database.url=jdbc:postgresql://127.0.0.1:5432/cas?targetServerType=master
database.user=postgres
database.password=
##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator
#
# Do note that the following settings MUST be generated per deployment.
#
# Defaults at spring-configuration/ticketGrantingTicketCookieGenerator.xml
# The encryption secret key. By default, must be a octet string of size 256.
tgc.encryption.key=1PbwSbnHeinpkZOSZjuSJ8yYpUrInm5aaV18J2Ar4rM
#
# The signing secret key. By default, must be a octet string of size 512.
tgc.signing.key=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dWxsOVGutZWgvmY3l5oVPO3w
#
# Allow non-secure cookie generation, Must set this `true` for production.
tgc.cookie.secure=false
#
# Do not allow client side script to access the cookie, MUST set this `true` for production.
tgc.cookie.httponly=true
##
# CAS Session Cookie
#
# Allow non-secure cookie generation, Must set this `true` for production.
jsession.cookie.secure=false
#
# Do not allow client side script to access the cookie, MUST set this `true` for production.
jsession.cookie.httponly=true
##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
cas.logout.followServiceRedirects=true
##
# CAS Cached Attributes Timeouts
# Controls the cached attribute expiration policy
#
# Notes the duration in which attributes will be kept alive
# cas.attrs.timeToExpireInHours=2
##
# Single Sign-On Session
#
# Indicates whether an SSO session should be created for renewed authentication requests.
# create.sso.renewed.authn=true
#
# Indicates whether an SSO session can be created if no service is present.
# create.sso.missing.service=true
##
# Spring Webflow Web Application Session
# Define the settings that are required to encrypt and persist the CAS web application session.
# See the cas-servlet.xml file to understand how these properties are used.
#
# cas.webflow.cipher.alg=AES
# cas.webflow.cipher.mode=CBC
# cas.webflow.cipher.padding=PKCS7
# cas.webflow.keystore=file:etc/keystore.jceks
# cas.webflow.keystore.type=JCEKS
# cas.webflow.keystore.password=changeit
# cas.webflow.keyalias=aes128
# cas.webflow.keypassword=changeit
##
# Single Sign-On Session Timeouts
# Defaults sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds regardless of usage
# tgt.maxTimeToLiveInSeconds=28800
#
# Idle session timeout - TGT will expire sooner than maxTimeToLiveInSeconds if no further requests
# for STs occur within timeToKillInSeconds
# tgt.timeToKillInSeconds=7200
#
# Long term authentication session length in seconds (30 days)
tgt.rememberMeDuration=2592000
##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s. You'll want to
# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
st.timeToKillInSeconds=60
##
# Http Client Settings
#
# The http client read timeout in milliseconds
# http.client.read.timeout=5000
#
# The http client connection timeout in milliseconds
# http.client.connection.timeout=5000
#
# The http client truststore file, in addition to the default's
# http.client.truststore.file=file:etc/truststore.jks
#
# The http client truststore's password
# http.client.truststore.psw=changeit
##
# Single Logout Out Callbacks
# Default sourced from WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml
#
# To turn off all back channel SLO requests set this to true
slo.callbacks.disabled=true
#
# To send callbacks to endpoints synchronously, set this to false
# slo.callbacks.asynchronous=true
##
# CAS Protocol Security Filter
#
# Are multi-valued parameters accepted?
# cas.http.allow.multivalue.params=false
#
# Define the list of request parameters to examine for sanity
# cas.http.check.params=ticket,service,renew,gateway,warn,target,SAMLart,pgtUrl,pgt,pgtId,pgtIou,targetService
#
# Define the list of request parameters only allowed via POST
cas.http.allow.post.params=password,oneTimePassword
##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
service.registry.config.location=file:etc/services
##
# Service Registry Periodic Reloading Scheduler
# Default sourced from WEB-INF/spring-configuration/applicationContext.xml
#
# Force a startup delay of 2 minutes.
# service.registry.quartz.reloader.startDelay=120000
#
# Reload services every 2 minutes
# service.registry.quartz.reloader.repeatInterval=120000
##
# Log4j
# Default sourced from WEB-INF/spring-configuration/log4jConfiguration.xml:
#
# It is often time helpful to externalize log4j.xml to a system path to preserve settings between upgrades.
log4j.config.location=file:etc/log4j2.xml
##
# Metrics
# Default sourced from WEB-INF/spring-configuration/metricsConfiguration.xml:
#
# Define how often should metric data be reported. Default is 30 seconds.
metrics.refresh.internal=9999s
##
# Encoding
#
# Set the encoding to use for requests. Default is UTF-8
# httprequest.web.encoding=UTF-8
#
# Default is true. Switch this to "false" to not enforce the specified encoding in any case,
# applying it as default response encoding as well.
# httprequest.web.encoding.force=true
##
# Reports
#
# Setting to whether include the ticket granting ticket id in the report
# sso.sessions.include.tgt=false
##
# Password Policy
#
# Warn all users of expiration date regardless of warningDays value.
# password.policy.warnAll=false
#
# Threshold number of days to begin displaying password expiration warnings.
# password.policy.warningDays=30
#
# URL to which the user will be redirected to change the password.
# password.policy.url=https://password.example.edu/change