parent
502999307a
commit
63200bec45
@ -0,0 +1,32 @@
|
||||
<processor>
|
||||
<!-- Remove the scope validator from the identity.xml if it exists. Otherwise running the build several times
|
||||
causes several scope validator elements to be added-->
|
||||
<remove>
|
||||
<name>//s:Server/s:OAuth/s:OAuthScopeValidator</name>
|
||||
</remove>
|
||||
<!-- Add the scope validator config element -->
|
||||
<add>
|
||||
<after>//s:Server/s:OAuth/s:OAuthCallbackHandlers</after>
|
||||
<value><![CDATA[<OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator"/>]]></value>
|
||||
</add>
|
||||
<!-- Add the ntlm grant type validator config element -->
|
||||
<add>
|
||||
<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName</after>
|
||||
<value>
|
||||
<![CDATA[<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>]]></value>
|
||||
</add>
|
||||
<add>
|
||||
<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName</after>
|
||||
<value>
|
||||
<![CDATA[<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>]]></value>
|
||||
</add>
|
||||
<add>
|
||||
<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']</after>
|
||||
<value>
|
||||
<![CDATA[<SupportedGrantType>
|
||||
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
|
||||
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
|
||||
</SupportedGrantType>]]></value>
|
||||
</add>
|
||||
</processor>
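Review bot: The NTLM `GrantTypeValidatorImplClass` is added twice — the two `<add>` blocks whose `<after>` is `//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName` are byte-identical, so a single run of this processor inserts two validator elements under the iwa:ntlm grant type. Beyond dropping the duplicate, the grant-type additions lack the guard the scope validator gets: only `OAuthScopeValidator` has a preceding `<remove>`, so repeated builds will keep appending the NTLM validator and the jwt-bearer `SupportedGrantType`, which is exactly the duplication the comment at the top of this file warns about. Add a matching `<remove>` before each, e.g. `<remove><name>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='urn:ietf:params:oauth:grant-type:jwt-bearer']</name></remove>`, and the equivalent for the `GrantTypeValidatorImplClass` under the iwa:ntlm entry.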
|
@ -1,286 +0,0 @@
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!--
|
||||
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
~
|
||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
||||
~ Version 2.0 (the "License"); you may not use this file except
|
||||
~ in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing,
|
||||
~ software distributed under the License is distributed on an
|
||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
~ KIND, either express or implied. See the License for the
|
||||
~ specific language governing permissions and limitations
|
||||
~ under the License.
|
||||
-->
|
||||
<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
|
||||
<JDBCPersistenceManager>
|
||||
<DataSource>
|
||||
<!-- Include a data source name (jndiConfigName) from the set of data
|
||||
sources defined in master-datasources.xml -->
|
||||
<Name>jdbc/WSO2AM_DB</Name>
|
||||
</DataSource>
|
||||
<!-- If the identity database is created from another place and if it is
|
||||
required to skip schema initialization during the server start up, set the
|
||||
following property to "true". -->
|
||||
<!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
|
||||
<SessionDataPersist>
|
||||
<Enable>false</Enable>
|
||||
<!--RememberMePeriod>20160</RememberMePeriod-->
|
||||
<!--CleanUp>
|
||||
<Enable>true</Enable>
|
||||
<Period>1</Period>
|
||||
<TimeOut>20160</TimeOut-->
|
||||
<!--/CleanUp>
|
||||
<Temporary>false</Temporary-->
|
||||
</SessionDataPersist>
|
||||
</JDBCPersistenceManager>
|
||||
|
||||
<!-- Security configurations -->
|
||||
<Security>
|
||||
<UserTrustedRPStore>
|
||||
<Location>${carbon.home}/repository/resources/security/userRP.jks
|
||||
</Location>
|
||||
<!-- Keystore type (JKS/PKCS12 etc.) -->
|
||||
<Type>JKS</Type>
|
||||
<!-- Keystore password -->
|
||||
<Password>wso2carbon</Password>
|
||||
<!-- Private Key password -->
|
||||
<KeyPassword>wso2carbon</KeyPassword>
|
||||
</UserTrustedRPStore>
|
||||
|
||||
<!-- The directory under which all other KeyStore files will be stored -->
|
||||
<KeyStoresDir>${carbon.home}/conf/keystores</KeyStoresDir>
|
||||
</Security>
|
||||
|
||||
<Identity>
|
||||
<IssuerPolicy>SelfAndManaged</IssuerPolicy>
|
||||
<TokenValidationPolicy>CertValidate</TokenValidationPolicy>
|
||||
<BlackList/>
|
||||
<WhiteList/>
|
||||
<System>
|
||||
<KeyStore/>
|
||||
<StorePass/>
|
||||
</System>
|
||||
</Identity>
|
||||
|
||||
<OpenID>
|
||||
<OpenIDServerUrl>https://localhost:9443/openidserver</OpenIDServerUrl>
|
||||
<OpenIDUserPattern>https://localhost:9443/openid/</OpenIDUserPattern>
|
||||
<!-- If the users must be prompted for approval -->
|
||||
<OpenIDSkipUserConsent>false</OpenIDSkipUserConsent>
|
||||
<!-- Expiry time of the OpenID RememberMe token in minutes -->
|
||||
<OpenIDRememberMeExpiry>7200</OpenIDRememberMeExpiry>
|
||||
<!-- Multifactor Authentication configuration -->
|
||||
<UseMultifactorAuthentication>false</UseMultifactorAuthentication>
|
||||
<!-- To enable or disable openid dumb mode -->
|
||||
<DisableOpenIDDumbMode>false</DisableOpenIDDumbMode>
|
||||
<!-- remember me session timeout in seconds -->
|
||||
<SessionTimeout>36000</SessionTimeout>
|
||||
<!-- skips authentication if valid SAML2 Web SSO browser session available -->
|
||||
<AcceptSAMLSSOLogin>false</AcceptSAMLSSOLogin>
|
||||
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.provider.openid.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
|
||||
</OpenID>
|
||||
|
||||
<OAuth>
|
||||
<RequestTokenUrl>https://localhost:9443/oauth/request-token</RequestTokenUrl>
|
||||
<AccessTokenUrl>https://localhost:9443/oauth/access-token</AccessTokenUrl>
|
||||
<AuthorizeUrl>https://localhost:9443/oauth/authorize-url</AuthorizeUrl>
|
||||
<OAuth2TokenEPUrl>https://localhost:${mgt.transport.https.port}/oauth2/token</OAuth2TokenEPUrl>
|
||||
<!-- Default validity period for Authorization Code in seconds -->
|
||||
<AuthorizationCodeDefaultValidityPeriod>300</AuthorizationCodeDefaultValidityPeriod>
|
||||
<!-- Default validity period for user access tokens in seconds -->
|
||||
<AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
|
||||
<!-- Default validity period for application access tokens in seconds -->
|
||||
<UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod>
|
||||
<!-- Validity period for refresh token -->
|
||||
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
|
||||
<!-- Timestamp skew in seconds -->
|
||||
<TimestampSkew>300</TimestampSkew>
|
||||
<!-- Enable OAuth caching -->
|
||||
<EnableOAuthCache>true</EnableOAuthCache>
|
||||
<!-- Enable renewal of refresh token for refresh_token grant -->
|
||||
<RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>
|
||||
<!-- Process the token before storing it in database, e.g. encrypting -->
|
||||
<TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</TokenPersistenceProcessor>
|
||||
<!-- Supported Client Autnetication Methods -->
|
||||
<ClientAuthHandlers>
|
||||
<ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler">
|
||||
<Property Name="StrictClientCredentialValidation">false</Property>
|
||||
</ClientAuthHandler>
|
||||
</ClientAuthHandlers>
|
||||
<!-- Supported Response Types -->
|
||||
<SupportedResponseTypes>
|
||||
<SupportedResponseType>
|
||||
<ResponseTypeName>token</ResponseTypeName>
|
||||
<ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler</ResponseTypeHandlerImplClass>
|
||||
</SupportedResponseType>
|
||||
<SupportedResponseType>
|
||||
<ResponseTypeName>code</ResponseTypeName>
|
||||
<ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler</ResponseTypeHandlerImplClass>
|
||||
</SupportedResponseType>
|
||||
</SupportedResponseTypes>
|
||||
<!-- Supported Grant Types -->
|
||||
<SupportedGrantTypes>
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>authorization_code</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
|
||||
</SupportedGrantType>
|
||||
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>password</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
|
||||
</SupportedGrantType>
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>refresh_token</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
|
||||
</SupportedGrantType>
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>client_credentials</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
|
||||
</SupportedGrantType>
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler</GrantTypeHandlerImplClass>
|
||||
</SupportedGrantType>
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>iwa:ntlm</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandler</GrantTypeHandlerImplClass>
|
||||
</SupportedGrantType>
|
||||
<SupportedGrantType>
|
||||
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
|
||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
|
||||
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
|
||||
</SupportedGrantType>
|
||||
</SupportedGrantTypes>
|
||||
<OAuthCallbackHandlers>
|
||||
<OAuthCallbackHandler Class="org.wso2.carbon.device.mgt.oauth.extensions.handlers.DeviceMgtOAuthCallbackHandler"/>
|
||||
</OAuthCallbackHandlers>
|
||||
<OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator"/>
|
||||
<TokenValidators>
|
||||
<TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator"/>
|
||||
</TokenValidators>
|
||||
<!-- Assertions can be used to embedd parameters into access token. -->
|
||||
<EnableAssertions>
|
||||
<UserName>false</UserName>
|
||||
</EnableAssertions>
|
||||
|
||||
<!-- This should be set to true when using multiple user stores and keys
|
||||
should saved into different tables according to the user store. By default
|
||||
all the application keys are saved in to the same table. UserName Assertion
|
||||
should be 'true' to use this. -->
|
||||
<EnableAccessTokenPartitioning>false</EnableAccessTokenPartitioning>
|
||||
<!-- user store domain names and mapping to new table name. eg: if you
|
||||
provide 'A:foo.com', foo.com should be the user store domain name and 'A'
|
||||
represent the relavant mapping of token store table, i.e. tokens will be
|
||||
added to a table called IDN_OAUTH2_ACCESS_TOKEN_A. -->
|
||||
<AccessTokenPartitioningDomains><!-- A:foo.com, B:bar.com -->
|
||||
</AccessTokenPartitioningDomains>
|
||||
<AuthorizationContextTokenGeneration>
|
||||
<Enabled>false</Enabled>
|
||||
<TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
|
||||
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
|
||||
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
|
||||
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
|
||||
<AuthorizationContextTTL>15</AuthorizationContextTTL>
|
||||
</AuthorizationContextTokenGeneration>
|
||||
<SAML2Grant>
|
||||
<!--SAML2TokenHandler></SAML2TokenHandler-->
|
||||
</SAML2Grant>
|
||||
<OpenIDConnect>
|
||||
<IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
|
||||
<IDTokenIssuerID>https://localhost:9443/oauth2endpoints/token</IDTokenIssuerID>
|
||||
<IDTokenSubjectClaim>http://wso2.org/claims/givenname</IDTokenSubjectClaim>
|
||||
<IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
|
||||
<IDTokenExpiration>3600</IDTokenExpiration>
|
||||
<UserInfoEndpointClaimDialect>http://wso2.org/claims</UserInfoEndpointClaimDialect>
|
||||
<UserInfoEndpointClaimRetriever>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever>
|
||||
<UserInfoEndpointRequestValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator>
|
||||
<UserInfoEndpointAccessTokenValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator>
|
||||
<UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder>
|
||||
<SkipUserConsent>false</SkipUserConsent>
|
||||
</OpenIDConnect>
|
||||
</OAuth>
|
||||
|
||||
<MultifactorAuthentication>
|
||||
<XMPPSettings>
|
||||
<XMPPConfig>
|
||||
<XMPPProvider>gtalk</XMPPProvider>
|
||||
<XMPPServer>talk.google.com</XMPPServer>
|
||||
<XMPPPort>5222</XMPPPort>
|
||||
<XMPPExt>gmail.com</XMPPExt>
|
||||
<XMPPUserName>multifactor1@gmail.com</XMPPUserName>
|
||||
<XMPPPassword>wso2carbon</XMPPPassword>
|
||||
</XMPPConfig>
|
||||
</XMPPSettings>
|
||||
</MultifactorAuthentication>
|
||||
|
||||
<SSOService>
|
||||
<EntityId>localhost</EntityId>
|
||||
<IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
|
||||
<SingleLogoutRetryCount>5</SingleLogoutRetryCount>
|
||||
<SingleLogoutRetryInterval>60000</SingleLogoutRetryInterval> <!-- in milli seconds -->
|
||||
<TenantPartitioningEnabled>false</TenantPartitioningEnabled>
|
||||
<PersistanceCacheTimeout>157680000</PersistanceCacheTimeout>
|
||||
<SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout>
|
||||
<SessionTimeout>36000</SessionTimeout> <!-- remember me session timeout in seconds -->
|
||||
<!-- skips authentication if valid SAML2 Web SSO browser session available -->
|
||||
<AttributeStatementBuilder>org.wso2.carbon.identity.sso.saml.attributes.UserAttributeStatementBuilder</AttributeStatementBuilder>
|
||||
<AttributesClaimDialect>http://wso2.org/claims</AttributesClaimDialect>
|
||||
<AcceptOpenIDLogin>false</AcceptOpenIDLogin>
|
||||
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.sso.saml.builders.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
|
||||
<SAMLSSOAssertionBuilder>org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder</SAMLSSOAssertionBuilder>
|
||||
<SAMLSSOEncrypter>org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</SAMLSSOEncrypter>
|
||||
<SAMLSSOSigner>org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</SAMLSSOSigner>
|
||||
<SAML2HTTPRedirectSignatureValidator>org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</SAML2HTTPRedirectSignatureValidator>
|
||||
<!--SAMLSSOResponseBuilder>org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</SAMLSSOResponseBuilder-->
|
||||
|
||||
<!-- SAML Token validity period in minutes -->
|
||||
<SAMLResponseValidityPeriod>5</SAMLResponseValidityPeriod>
|
||||
<UseAuthenticatedUserDomainCrypto>false</UseAuthenticatedUserDomainCrypto>
|
||||
</SSOService>
|
||||
|
||||
<EntitlementSettings>
|
||||
<!-- Uncomment this to enable on-demand policy loading -->
|
||||
<!--OnDemandPolicyLoading> <Enable>true</Enable> <MaxInMemoryPolicies>100</MaxInMemoryPolicies>
|
||||
</OnDemandPolicyLoading -->
|
||||
<DecisionCaching>
|
||||
<Enable>true</Enable>
|
||||
<CachingInterval>36000</CachingInterval>
|
||||
</DecisionCaching>
|
||||
<AttributeCaching>
|
||||
<Enable>true</Enable>
|
||||
</AttributeCaching>
|
||||
<ThirftBasedEntitlementConfig>
|
||||
<EnableThriftService>true</EnableThriftService>
|
||||
<ReceivePort>${Ports.ThriftEntitlementReceivePort}</ReceivePort>
|
||||
<ClientTimeout>10000</ClientTimeout>
|
||||
<KeyStore>
|
||||
<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
|
||||
<Password>wso2carbon</Password>
|
||||
</KeyStore>
|
||||
<!-- Enable this element to mention the host-name of your IS machine -->
|
||||
<ThriftHostName>localhost</ThriftHostName>
|
||||
</ThirftBasedEntitlementConfig>
|
||||
</EntitlementSettings>
|
||||
|
||||
<SCIMAuthenticators>
|
||||
<Authenticator class="org.wso2.carbon.identity.scim.provider.auth.BasicAuthHandler">
|
||||
<Property name="Priority">5</Property>
|
||||
</Authenticator>
|
||||
<Authenticator class="org.wso2.carbon.identity.scim.provider.auth.OAuthHandler">
|
||||
<Property name="Priority">10</Property>
|
||||
<Property name="AuthorizationServer">local://services</Property>
|
||||
<!--Property name="AuthorizationServer">https://localhost:9443/services</Property>
|
||||
<Property name="UserName">admin</Property>
|
||||
<Property name="Password">admin</Property-->
|
||||
</Authenticator>
|
||||
</SCIMAuthenticators>
|
||||
<!--SessionContextCache>
|
||||
<Enable>true</Enable>
|
||||
<Capacity>100000</Capacity>
|
||||
</SessionContextCache-->
|
||||
</Server>
|
@ -1,44 +0,0 @@
|
||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||||
<!--
|
||||
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||
~
|
||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
||||
~ Version 2.0 (the "License"); you may not use this file except
|
||||
~ in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing,
|
||||
~ software distributed under the License is distributed on an
|
||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
~ KIND, either express or implied. See the License for the
|
||||
~ specific language governing permissions and limitations
|
||||
~ under the License.
|
||||
-->
|
||||
|
||||
<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
|
||||
|
||||
|
||||
<JDBCPersistenceManager>
|
||||
<DataSource>
|
||||
<!-- Include a data source name (jndiConfigName) from the set of data sources defined in master-datasources.xml -->
|
||||
<Name>jdbc/WSO2AM_DB</Name>
|
||||
</DataSource>
|
||||
<!-- If the identity database is created from another place and if it is required to skip schema initialization during the server start up, set the following
|
||||
property to "true". -->
|
||||
<!--<SkipDBSchemaCreation>true</SkipDBSchemaCreation>-->
|
||||
</JDBCPersistenceManager>
|
||||
|
||||
<ThriftSessionDAO>org.wso2.carbon.identity.thrift.authentication.dao.DBThriftSessionDAO</ThriftSessionDAO>
|
||||
<!--<ThriftSessionDAO>org.wso2.carbon.identity.thrift.authentication.dao.InMemoryThriftSessionDAO</ThriftSessionDAO>-->
|
||||
|
||||
<ClientTimeout>30000</ClientTimeout>
|
||||
|
||||
<!--<Hostname>localhost</Hostname>-->
|
||||
<Port>10711</Port>
|
||||
|
||||
<!--30 min-->
|
||||
<ThriftSessionTimeout>1800000</ThriftSessionTimeout>
|
||||
|
||||
</Server>
|
@ -0,0 +1,260 @@
|
||||
<!--
|
||||
~ Copyright WSO2, Inc. (http://wso2.com)
|
||||
~
|
||||
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||
~ you may not use this file except in compliance with the License.
|
||||
~ You may obtain a copy of the License at
|
||||
~
|
||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||
~
|
||||
~ Unless required by applicable law or agreed to in writing, software
|
||||
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
~ See the License for the specific language governing permissions and
|
||||
~ limitations under the License.
|
||||
-->
|
||||
|
||||
<UserManager>
|
||||
<Realm>
|
||||
<Configuration>
|
||||
<AddAdmin>true</AddAdmin>
|
||||
<AdminRole>admin</AdminRole>
|
||||
<AdminUser>
|
||||
<UserName>admin</UserName>
|
||||
<Password>admin</Password>
|
||||
</AdminUser>
|
||||
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
|
||||
<Property name="isCascadeDeleteEnabled">true</Property>
|
||||
<Property name="initializeNewClaimManager">true</Property>
|
||||
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
|
||||
</Configuration>
|
||||
|
||||
<!-- Following is the configuration for internal JDBC user store. This user store manager is based on JDBC.
|
||||
In case if application needs to manage passwords externally set property
|
||||
<Property name="PasswordsExternallyManaged">true</Property>.
|
||||
In case if user core cache domain is needed to identify uniquely set property
|
||||
<Property name="UserCoreCacheIdentifier">domain</Property>.
|
||||
Furthermore properties, IsEmailUserName and DomainCalculation are readonly properties.
|
||||
Note: Do not comment within UserStoreManager tags. Cause, specific tag names are used as tokens
|
||||
when building configurations for products.
|
||||
-->
|
||||
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
|
||||
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
|
||||
<Property name="ReadOnly">false</Property>
|
||||
<Property name="ReadGroups">true</Property>
|
||||
<Property name="WriteGroups">true</Property>
|
||||
<Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
|
||||
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
|
||||
<Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="CaseInsensitiveUsername">true</Property>
|
||||
<Property name="SCIMEnabled">false</Property>
|
||||
<Property name="IsBulkImportSupported">true</Property>
|
||||
<Property name="PasswordDigest">SHA-256</Property>
|
||||
<Property name="StoreSaltedPassword">true</Property>
|
||||
<Property name="MultiAttributeSeparator">,</Property>
|
||||
<Property name="MaxUserNameListLength">100</Property>
|
||||
<Property name="MaxRoleNameListLength">100</Property>
|
||||
<Property name="UserRolesCacheEnabled">true</Property>
|
||||
<Property name="UserNameUniqueAcrossTenants">false</Property>
|
||||
</UserStoreManager>
|
||||
|
||||
<!-- If product is using an external LDAP as the user store in READ ONLY mode, use following user manager.
|
||||
In case if user core cache domain is needed to identify uniquely set property
|
||||
<Property name="UserCoreCacheIdentifier">domain</Property>
|
||||
-->
|
||||
<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
|
||||
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
|
||||
<Property name="ConnectionURL">ldap://localhost:10389</Property>
|
||||
<Property name="ConnectionName">uid=admin,ou=system</Property>
|
||||
<Property name="ConnectionPassword">admin</Property>
|
||||
<Property name="AnonymousBind">false</Property>
|
||||
<Property name="UserSearchBase">ou=system</Property>
|
||||
<Property name="UserNameAttribute">uid</Property>
|
||||
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
|
||||
<Property name="UserNameListFilter">(objectClass=person)</Property>
|
||||
<Property name="DisplayNameAttribute"/>
|
||||
<Property name="ReadGroups">true</Property>
|
||||
<Property name="GroupSearchBase">ou=system</Property>
|
||||
<Property name="GroupNameAttribute">cn</Property>
|
||||
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
|
||||
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
|
||||
<Property name="MembershipAttribute">member</Property>
|
||||
<Property name="BackLinksEnabled">false</Property>
|
||||
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||
<Property name="SCIMEnabled">false</Property>
|
||||
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
|
||||
<Property name="MultiAttributeSeparator">,</Property>
|
||||
<Property name="MaxUserNameListLength">100</Property>
|
||||
<Property name="MaxRoleNameListLength">100</Property>
|
||||
<Property name="UserRolesCacheEnabled">true</Property>
|
||||
<Property name="ConnectionPoolingEnabled">true</Property>
|
||||
<Property name="LDAPConnectionTimeout">5000</Property>
|
||||
<Property name="ReadTimeout"/>
|
||||
<Property name="RetryAttempts"/>
|
||||
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
|
||||
</UserStoreManager-->
|
||||
|
||||
<!-- Active directory configuration is as follows.
|
||||
In case if user core cache domain is needed to identify uniquely set property
|
||||
<Property name="UserCoreCacheIdentifier">domain</Property>
|
||||
There are few special properties for "Active Directory".
|
||||
They are :
|
||||
1.Referral - (comment out this property if this feature is not reuired) This enables LDAP referral support.
|
||||
2.BackLinksEnabled - (Do not comment, set to true or false) In some cases LDAP works with BackLinksEnabled.
|
||||
In which role is stored at user level. Depending on this value we need to change the Search Base within code.
|
||||
isADLDSRole - (Do not comment) Set to true if connecting to an AD LDS instance else set to false.
|
||||
-->
|
||||
<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
|
||||
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
|
||||
<Property name="ConnectionURL">ldaps://10.100.1.100:636</Property>
|
||||
<Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property>
|
||||
<Property name="ConnectionPassword">A1b2c3d4</Property>
|
||||
<Property name="AnonymousBind">false</Property>
|
||||
<Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
|
||||
<Property name="UserEntryObjectClass">user</Property>
|
||||
<Property name="UserNameAttribute">cn</Property>
|
||||
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
|
||||
<Property name="UserNameListFilter">(objectClass=user)</Property>
|
||||
<Property name="DisplayNameAttribute"/>
|
||||
<Property name="ReadGroups">true</Property>
|
||||
<Property name="WriteGroups">true</Property>
|
||||
<Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
|
||||
<Property name="GroupEntryObjectClass">group</Property>
|
||||
<Property name="GroupNameAttribute">cn</Property>
|
||||
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
|
||||
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
|
||||
<Property name="MembershipAttribute">member</Property>
|
||||
<Property name="MemberOfAttribute">memberOf</Property>
|
||||
<Property name="BackLinksEnabled">true</Property>
|
||||
<Property name="Referral">follow</Property>
|
||||
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
|
||||
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
|
||||
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="SCIMEnabled">false</Property>
|
||||
<Property name="IsBulkImportSupported">true</Property>
|
||||
<Property name="EmptyRolesAllowed">true</Property>
|
||||
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
|
||||
<Property name="MultiAttributeSeparator">,</Property>
|
||||
<Property name="isADLDSRole">false</Property>
|
||||
<Property name="userAccountControl">512</Property>
|
||||
<Property name="MaxUserNameListLength">100</Property>
|
||||
<Property name="MaxRoleNameListLength">100</Property>
|
||||
<Property name="kdcEnabled">false</Property>
|
||||
<Property name="defaultRealmName">WSO2.ORG</Property>
|
||||
<Property name="UserRolesCacheEnabled">true</Property>
|
||||
<Property name="ConnectionPoolingEnabled">false</Property>
|
||||
<Property name="LDAPConnectionTimeout">5000</Property>
|
||||
<Property name="ReadTimeout"/>
|
||||
<Property name="RetryAttempts"/>
|
||||
</UserStoreManager-->
|
||||
|
||||
<!-- Following user manager is used by Identity Server (IS) as its default user manager.
|
||||
IS will do token replacement when building the product. Therefore do not change the syntax.
|
||||
If "kdcEnabled" parameter is true, IS will allow service principle management.
|
||||
Thus "ServicePasswordJavaRegEx", "ServiceNameJavaRegEx" properties control the service name format and
|
||||
service password formats. In case if user core cache domain is needed to identify uniquely set property
|
||||
<Property name="UserCoreCacheIdentifier">domain</Property>
|
||||
-->
|
||||
<!--ISUserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
|
||||
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
|
||||
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
|
||||
<Property name="ConnectionName">uid=admin,ou=system</Property>
|
||||
<Property name="ConnectionPassword">admin</Property>
|
||||
<Property name="AnonymousBind">false</Property>
|
||||
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
|
||||
<Property name="UserEntryObjectClass">identityPerson</Property>
|
||||
<Property name="UserNameAttribute">uid</Property>
|
||||
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
|
||||
<Property name="UserNameListFilter">(objectClass=person)</Property>
|
||||
<Property name="DisplayNameAttribute"/>
|
||||
<Property name="ReadGroups">true</Property>
|
||||
<Property name="WriteGroups">true</Property>
|
||||
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
|
||||
<Property name="GroupEntryObjectClass">groupOfNames</Property>
|
||||
<Property name="GroupNameAttribute">cn</Property>
|
||||
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
|
||||
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
|
||||
<Property name="MembershipAttribute">member</Property>
|
||||
<Property name="BackLinksEnabled">false</Property>
|
||||
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
|
||||
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
|
||||
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
|
||||
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||
<Property name="SCIMEnabled">true</Property>
|
||||
<Property name="IsBulkImportSupported">true</Property>
|
||||
<Property name="EmptyRolesAllowed">true</Property>
|
||||
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
|
||||
<Property name="MultiAttributeSeparator">,</Property>
|
||||
<Property name="MaxUserNameListLength">100</Property>
|
||||
<Property name="MaxRoleNameListLength">100</Property>
|
||||
<Property name="kdcEnabled">false</Property>
|
||||
<Property name="defaultRealmName">WSO2.ORG</Property>
|
||||
<Property name="UserRolesCacheEnabled">true</Property>
|
||||
<Property name="ConnectionPoolingEnabled">false</Property>
|
||||
<Property name="LDAPConnectionTimeout">5000</Property>
|
||||
<Property name="ReadTimeout"/>
|
||||
<Property name="RetryAttempts"/>
|
||||
</ISUserStoreManager-->
|
||||
|
||||
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
|
||||
<Property name="AdminRoleManagementPermissions">/permission</Property>
|
||||
<Property name="AuthorizationCacheEnabled">true</Property>
|
||||
<Property name="GetAllRolesOfUserEnabled">false</Property>
|
||||
</AuthorizationManager>
|
||||
</Realm>
|
||||
</UserManager>
|
||||
|
||||
<!--
|
||||
|
||||
************* Description of some of the configuration properties used in user-mgt.xml *********************************
|
||||
|
||||
DomainName -
|
||||
This property must be used by all secondary user store managers in multiple user store configuration.
|
||||
DomainName is a unique identifier given to the user store. Users must provide both the domain name and
|
||||
username at log-in as "DomainName\Username"
|
||||
|
||||
UserRolesCacheEnabled -
|
||||
This is to indicate whether to cache role list of a user. By default it is set to true.
|
||||
You may need to disable it if user-roles are changed by external means and need to reflect
|
||||
those changes in the carbon product immediately.
|
||||
|
||||
ReplaceEscapeCharactersAtUserLogin -
|
||||
This is to configure whether escape characters in user name needs to be replaced at user login.
|
||||
Currently the identified escape characters that needs to be replaced are '\' & '\\'
|
||||
|
||||
UserDNPattern -
|
||||
This property will be used when authenticating users. During authentication we do a bind. But if the user is login
|
||||
with email address or some other property we need to first lookup LDAP and retrieve DN for the user.
|
||||
This involves an additional step. If UserDNPattern is specified the DN will be constructed using the pattern
|
||||
specified in this property. Performance of this is much better than looking up DN and binding user.
|
||||
|
||||
RoleDNPattern -
|
||||
This property will be used when checking whether user has been assigned to a given role.
|
||||
Rather than searching the role in search base, by using this property direct search can be done.
|
||||
|
||||
PasswordHashMethod -
|
||||
This says how the password should be stored. Allowed values are as follows,
|
||||
SHA - Uses SHA digest method
|
||||
MD5 - Uses MD 5 digest method
|
||||
PLAIN_TEXT - Plain text passwords
|
||||
In addition to above this supports all digest methods supported by http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html.
|
||||
|
||||
DisplayNameAttribute -
|
||||
This is to have a dedicated LDAP attribute to display an entity(User/Role) in UI, in addition to the UserNameAttribute which is used for IS-UserStore interactions.
|
||||
-->
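Review bot: The `<AdminUser>` block ships a bootstrap credential of `admin`/`admin` together with `<AddAdmin>true</AddAdmin>`, and nothing in the file marks it as a placeholder to be replaced before deployment; a comment such as `<!-- Bootstrap credentials only: change before first start-up. NOTE(review): presumably not re-read once the admin user exists — confirm against user-core behaviour -->` would make the expectation explicit. The file also omits the `<?xml version="1.0" encoding="..."?>` declaration that both removed files in this commit carry, so it is inconsistent with the other XML resources touched here. The commented-out LDAP and Active Directory templates keep `PasswordHashMethod` as `PLAIN_TEXT` and carry sample bind passwords, so anyone who uncomments one as-is inherits those settings; a one-line comment pointing at the active JDBC store's `PasswordDigest` and `StoreSaltedPassword` values as the intended reference would help.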
|
@ -0,0 +1,9 @@
|
||||
<processor>
|
||||
<remove>
|
||||
<name>//UserManager/Realm/Configuration/Property[@name='initializeNewClaimManager']</name>
|
||||
</remove>
|
||||
<add>
|
||||
<after>//UserManager/Realm/Configuration/Property[@name='isCascadeDeleteEnabled']</after>
|
||||
<value><![CDATA[<Property name="initializeNewClaimManager">true</Property>]]></value>
|
||||
</add>
|
||||
</processor>
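Review bot: This processor has no comment explaining its intent, unlike the scope-validator processor in the same commit, and the `<remove>`/`<add>` pair puts `initializeNewClaimManager` back with the same value (`true`) that the added user-mgt.xml template already has directly after `isCascadeDeleteEnabled`, so against that template its effect looks like a no-op. If the purpose is to normalise the property's position or to re-add it on templates that lack it, say so in a header comment, e.g. `<!-- Ensure initializeNewClaimManager follows isCascadeDeleteEnabled exactly once; remove first so repeated builds do not duplicate it -->`.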
|