forked from community/product-iots
parent
502999307a
commit
63200bec45
@ -0,0 +1,32 @@
|
|||||||
|
<processor>
|
||||||
|
<!-- Remove the scope validator from the identity.xml if it exists. Otherwise running the build several times
|
||||||
|
causes several scope validator elements to be added-->
|
||||||
|
<remove>
|
||||||
|
<name>//s:Server/s:OAuth/s:OAuthScopeValidator</name>
|
||||||
|
</remove>
|
||||||
|
<!-- Add the scope validator config element -->
|
||||||
|
<add>
|
||||||
|
<after>//s:Server/s:OAuth/s:OAuthCallbackHandlers</after>
|
||||||
|
<value><![CDATA[<OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator"/>]]></value>
|
||||||
|
</add>
|
||||||
|
<!-- Add the ntlm grant type validator config element -->
|
||||||
|
<add>
|
||||||
|
<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName</after>
|
||||||
|
<value>
|
||||||
|
<![CDATA[<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>]]></value>
|
||||||
|
</add>
|
||||||
|
<add>
|
||||||
|
<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']/s:GrantTypeName</after>
|
||||||
|
<value>
|
||||||
|
<![CDATA[<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth.common.NTLMAuthenticationValidator</GrantTypeValidatorImplClass>]]></value>
|
||||||
|
</add>
|
||||||
|
<add>
|
||||||
|
<after>//s:Server/s:OAuth/s:SupportedGrantTypes/s:SupportedGrantType[s:GrantTypeName='iwa:ntlm']</after>
|
||||||
|
<value>
|
||||||
|
<![CDATA[<SupportedGrantType>
|
||||||
|
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
|
||||||
|
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
|
||||||
|
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
|
||||||
|
</SupportedGrantType>]]></value>
|
||||||
|
</add>
|
||||||
|
</processor>
|
@ -1,286 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
||||||
<!--
|
|
||||||
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
||||||
~
|
|
||||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
|
||||||
~ Version 2.0 (the "License"); you may not use this file except
|
|
||||||
~ in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing,
|
|
||||||
~ software distributed under the License is distributed on an
|
|
||||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
||||||
~ KIND, either express or implied. See the License for the
|
|
||||||
~ specific language governing permissions and limitations
|
|
||||||
~ under the License.
|
|
||||||
-->
|
|
||||||
<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
|
|
||||||
<JDBCPersistenceManager>
|
|
||||||
<DataSource>
|
|
||||||
<!-- Include a data source name (jndiConfigName) from the set of data
|
|
||||||
sources defined in master-datasources.xml -->
|
|
||||||
<Name>jdbc/WSO2AM_DB</Name>
|
|
||||||
</DataSource>
|
|
||||||
<!-- If the identity database is created from another place and if it is
|
|
||||||
required to skip schema initialization during the server start up, set the
|
|
||||||
following property to "true". -->
|
|
||||||
<!-- <SkipDBSchemaCreation>false</SkipDBSchemaCreation> -->
|
|
||||||
<SessionDataPersist>
|
|
||||||
<Enable>false</Enable>
|
|
||||||
<!--RememberMePeriod>20160</RememberMePeriod-->
|
|
||||||
<!--CleanUp>
|
|
||||||
<Enable>true</Enable>
|
|
||||||
<Period>1</Period>
|
|
||||||
<TimeOut>20160</TimeOut-->
|
|
||||||
<!--/CleanUp>
|
|
||||||
<Temporary>false</Temporary-->
|
|
||||||
</SessionDataPersist>
|
|
||||||
</JDBCPersistenceManager>
|
|
||||||
|
|
||||||
<!-- Security configurations -->
|
|
||||||
<Security>
|
|
||||||
<UserTrustedRPStore>
|
|
||||||
<Location>${carbon.home}/repository/resources/security/userRP.jks
|
|
||||||
</Location>
|
|
||||||
<!-- Keystore type (JKS/PKCS12 etc.) -->
|
|
||||||
<Type>JKS</Type>
|
|
||||||
<!-- Keystore password -->
|
|
||||||
<Password>wso2carbon</Password>
|
|
||||||
<!-- Private Key password -->
|
|
||||||
<KeyPassword>wso2carbon</KeyPassword>
|
|
||||||
</UserTrustedRPStore>
|
|
||||||
|
|
||||||
<!-- The directory under which all other KeyStore files will be stored -->
|
|
||||||
<KeyStoresDir>${carbon.home}/conf/keystores</KeyStoresDir>
|
|
||||||
</Security>
|
|
||||||
|
|
||||||
<Identity>
|
|
||||||
<IssuerPolicy>SelfAndManaged</IssuerPolicy>
|
|
||||||
<TokenValidationPolicy>CertValidate</TokenValidationPolicy>
|
|
||||||
<BlackList/>
|
|
||||||
<WhiteList/>
|
|
||||||
<System>
|
|
||||||
<KeyStore/>
|
|
||||||
<StorePass/>
|
|
||||||
</System>
|
|
||||||
</Identity>
|
|
||||||
|
|
||||||
<OpenID>
|
|
||||||
<OpenIDServerUrl>https://localhost:9443/openidserver</OpenIDServerUrl>
|
|
||||||
<OpenIDUserPattern>https://localhost:9443/openid/</OpenIDUserPattern>
|
|
||||||
<!-- If the users must be prompted for approval -->
|
|
||||||
<OpenIDSkipUserConsent>false</OpenIDSkipUserConsent>
|
|
||||||
<!-- Expiry time of the OpenID RememberMe token in minutes -->
|
|
||||||
<OpenIDRememberMeExpiry>7200</OpenIDRememberMeExpiry>
|
|
||||||
<!-- Multifactor Authentication configuration -->
|
|
||||||
<UseMultifactorAuthentication>false</UseMultifactorAuthentication>
|
|
||||||
<!-- To enable or disable openid dumb mode -->
|
|
||||||
<DisableOpenIDDumbMode>false</DisableOpenIDDumbMode>
|
|
||||||
<!-- remember me session timeout in seconds -->
|
|
||||||
<SessionTimeout>36000</SessionTimeout>
|
|
||||||
<!-- skips authentication if valid SAML2 Web SSO browser session available -->
|
|
||||||
<AcceptSAMLSSOLogin>false</AcceptSAMLSSOLogin>
|
|
||||||
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.provider.openid.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
|
|
||||||
</OpenID>
|
|
||||||
|
|
||||||
<OAuth>
|
|
||||||
<RequestTokenUrl>https://localhost:9443/oauth/request-token</RequestTokenUrl>
|
|
||||||
<AccessTokenUrl>https://localhost:9443/oauth/access-token</AccessTokenUrl>
|
|
||||||
<AuthorizeUrl>https://localhost:9443/oauth/authorize-url</AuthorizeUrl>
|
|
||||||
<OAuth2TokenEPUrl>https://localhost:${mgt.transport.https.port}/oauth2/token</OAuth2TokenEPUrl>
|
|
||||||
<!-- Default validity period for Authorization Code in seconds -->
|
|
||||||
<AuthorizationCodeDefaultValidityPeriod>300</AuthorizationCodeDefaultValidityPeriod>
|
|
||||||
<!-- Default validity period for user access tokens in seconds -->
|
|
||||||
<AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod>
|
|
||||||
<!-- Default validity period for application access tokens in seconds -->
|
|
||||||
<UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod>
|
|
||||||
<!-- Validity period for refresh token -->
|
|
||||||
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
|
|
||||||
<!-- Timestamp skew in seconds -->
|
|
||||||
<TimestampSkew>300</TimestampSkew>
|
|
||||||
<!-- Enable OAuth caching -->
|
|
||||||
<EnableOAuthCache>true</EnableOAuthCache>
|
|
||||||
<!-- Enable renewal of refresh token for refresh_token grant -->
|
|
||||||
<RenewRefreshTokenForRefreshGrant>true</RenewRefreshTokenForRefreshGrant>
|
|
||||||
<!-- Process the token before storing it in database, e.g. encrypting -->
|
|
||||||
<TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</TokenPersistenceProcessor>
|
|
||||||
<!-- Supported Client Autnetication Methods -->
|
|
||||||
<ClientAuthHandlers>
|
|
||||||
<ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler">
|
|
||||||
<Property Name="StrictClientCredentialValidation">false</Property>
|
|
||||||
</ClientAuthHandler>
|
|
||||||
</ClientAuthHandlers>
|
|
||||||
<!-- Supported Response Types -->
|
|
||||||
<SupportedResponseTypes>
|
|
||||||
<SupportedResponseType>
|
|
||||||
<ResponseTypeName>token</ResponseTypeName>
|
|
||||||
<ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler</ResponseTypeHandlerImplClass>
|
|
||||||
</SupportedResponseType>
|
|
||||||
<SupportedResponseType>
|
|
||||||
<ResponseTypeName>code</ResponseTypeName>
|
|
||||||
<ResponseTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler</ResponseTypeHandlerImplClass>
|
|
||||||
</SupportedResponseType>
|
|
||||||
</SupportedResponseTypes>
|
|
||||||
<!-- Supported Grant Types -->
|
|
||||||
<SupportedGrantTypes>
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>authorization_code</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>password</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>refresh_token</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.RefreshGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>client_credentials</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>urn:ietf:params:oauth:grant-type:saml2-bearer</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>iwa:ntlm</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.iwa.ntlm.NTLMAuthenticationGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
<SupportedGrantType>
|
|
||||||
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
|
|
||||||
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
|
|
||||||
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
|
|
||||||
</SupportedGrantType>
|
|
||||||
</SupportedGrantTypes>
|
|
||||||
<OAuthCallbackHandlers>
|
|
||||||
<OAuthCallbackHandler Class="org.wso2.carbon.device.mgt.oauth.extensions.handlers.DeviceMgtOAuthCallbackHandler"/>
|
|
||||||
</OAuthCallbackHandlers>
|
|
||||||
<OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.validators.ExtendedJDBCScopeValidator"/>
|
|
||||||
<TokenValidators>
|
|
||||||
<TokenValidator type="bearer" class="org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator"/>
|
|
||||||
</TokenValidators>
|
|
||||||
<!-- Assertions can be used to embedd parameters into access token. -->
|
|
||||||
<EnableAssertions>
|
|
||||||
<UserName>false</UserName>
|
|
||||||
</EnableAssertions>
|
|
||||||
|
|
||||||
<!-- This should be set to true when using multiple user stores and keys
|
|
||||||
should saved into different tables according to the user store. By default
|
|
||||||
all the application keys are saved in to the same table. UserName Assertion
|
|
||||||
should be 'true' to use this. -->
|
|
||||||
<EnableAccessTokenPartitioning>false</EnableAccessTokenPartitioning>
|
|
||||||
<!-- user store domain names and mapping to new table name. eg: if you
|
|
||||||
provide 'A:foo.com', foo.com should be the user store domain name and 'A'
|
|
||||||
represent the relavant mapping of token store table, i.e. tokens will be
|
|
||||||
added to a table called IDN_OAUTH2_ACCESS_TOKEN_A. -->
|
|
||||||
<AccessTokenPartitioningDomains><!-- A:foo.com, B:bar.com -->
|
|
||||||
</AccessTokenPartitioningDomains>
|
|
||||||
<AuthorizationContextTokenGeneration>
|
|
||||||
<Enabled>false</Enabled>
|
|
||||||
<TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
|
|
||||||
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
|
|
||||||
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
|
|
||||||
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
|
|
||||||
<AuthorizationContextTTL>15</AuthorizationContextTTL>
|
|
||||||
</AuthorizationContextTokenGeneration>
|
|
||||||
<SAML2Grant>
|
|
||||||
<!--SAML2TokenHandler></SAML2TokenHandler-->
|
|
||||||
</SAML2Grant>
|
|
||||||
<OpenIDConnect>
|
|
||||||
<IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
|
|
||||||
<IDTokenIssuerID>https://localhost:9443/oauth2endpoints/token</IDTokenIssuerID>
|
|
||||||
<IDTokenSubjectClaim>http://wso2.org/claims/givenname</IDTokenSubjectClaim>
|
|
||||||
<IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
|
|
||||||
<IDTokenExpiration>3600</IDTokenExpiration>
|
|
||||||
<UserInfoEndpointClaimDialect>http://wso2.org/claims</UserInfoEndpointClaimDialect>
|
|
||||||
<UserInfoEndpointClaimRetriever>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever>
|
|
||||||
<UserInfoEndpointRequestValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator>
|
|
||||||
<UserInfoEndpointAccessTokenValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator>
|
|
||||||
<UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder>
|
|
||||||
<SkipUserConsent>false</SkipUserConsent>
|
|
||||||
</OpenIDConnect>
|
|
||||||
</OAuth>
|
|
||||||
|
|
||||||
<MultifactorAuthentication>
|
|
||||||
<XMPPSettings>
|
|
||||||
<XMPPConfig>
|
|
||||||
<XMPPProvider>gtalk</XMPPProvider>
|
|
||||||
<XMPPServer>talk.google.com</XMPPServer>
|
|
||||||
<XMPPPort>5222</XMPPPort>
|
|
||||||
<XMPPExt>gmail.com</XMPPExt>
|
|
||||||
<XMPPUserName>multifactor1@gmail.com</XMPPUserName>
|
|
||||||
<XMPPPassword>wso2carbon</XMPPPassword>
|
|
||||||
</XMPPConfig>
|
|
||||||
</XMPPSettings>
|
|
||||||
</MultifactorAuthentication>
|
|
||||||
|
|
||||||
<SSOService>
|
|
||||||
<EntityId>localhost</EntityId>
|
|
||||||
<IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL>
|
|
||||||
<SingleLogoutRetryCount>5</SingleLogoutRetryCount>
|
|
||||||
<SingleLogoutRetryInterval>60000</SingleLogoutRetryInterval> <!-- in milli seconds -->
|
|
||||||
<TenantPartitioningEnabled>false</TenantPartitioningEnabled>
|
|
||||||
<PersistanceCacheTimeout>157680000</PersistanceCacheTimeout>
|
|
||||||
<SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout>
|
|
||||||
<SessionTimeout>36000</SessionTimeout> <!-- remember me session timeout in seconds -->
|
|
||||||
<!-- skips authentication if valid SAML2 Web SSO browser session available -->
|
|
||||||
<AttributeStatementBuilder>org.wso2.carbon.identity.sso.saml.attributes.UserAttributeStatementBuilder</AttributeStatementBuilder>
|
|
||||||
<AttributesClaimDialect>http://wso2.org/claims</AttributesClaimDialect>
|
|
||||||
<AcceptOpenIDLogin>false</AcceptOpenIDLogin>
|
|
||||||
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.sso.saml.builders.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
|
|
||||||
<SAMLSSOAssertionBuilder>org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder</SAMLSSOAssertionBuilder>
|
|
||||||
<SAMLSSOEncrypter>org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</SAMLSSOEncrypter>
|
|
||||||
<SAMLSSOSigner>org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</SAMLSSOSigner>
|
|
||||||
<SAML2HTTPRedirectSignatureValidator>org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</SAML2HTTPRedirectSignatureValidator>
|
|
||||||
<!--SAMLSSOResponseBuilder>org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</SAMLSSOResponseBuilder-->
|
|
||||||
|
|
||||||
<!-- SAML Token validity period in minutes -->
|
|
||||||
<SAMLResponseValidityPeriod>5</SAMLResponseValidityPeriod>
|
|
||||||
<UseAuthenticatedUserDomainCrypto>false</UseAuthenticatedUserDomainCrypto>
|
|
||||||
</SSOService>
|
|
||||||
|
|
||||||
<EntitlementSettings>
|
|
||||||
<!-- Uncomment this to enable on-demand policy loading -->
|
|
||||||
<!--OnDemandPolicyLoading> <Enable>true</Enable> <MaxInMemoryPolicies>100</MaxInMemoryPolicies>
|
|
||||||
</OnDemandPolicyLoading -->
|
|
||||||
<DecisionCaching>
|
|
||||||
<Enable>true</Enable>
|
|
||||||
<CachingInterval>36000</CachingInterval>
|
|
||||||
</DecisionCaching>
|
|
||||||
<AttributeCaching>
|
|
||||||
<Enable>true</Enable>
|
|
||||||
</AttributeCaching>
|
|
||||||
<ThirftBasedEntitlementConfig>
|
|
||||||
<EnableThriftService>true</EnableThriftService>
|
|
||||||
<ReceivePort>${Ports.ThriftEntitlementReceivePort}</ReceivePort>
|
|
||||||
<ClientTimeout>10000</ClientTimeout>
|
|
||||||
<KeyStore>
|
|
||||||
<Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location>
|
|
||||||
<Password>wso2carbon</Password>
|
|
||||||
</KeyStore>
|
|
||||||
<!-- Enable this element to mention the host-name of your IS machine -->
|
|
||||||
<ThriftHostName>localhost</ThriftHostName>
|
|
||||||
</ThirftBasedEntitlementConfig>
|
|
||||||
</EntitlementSettings>
|
|
||||||
|
|
||||||
<SCIMAuthenticators>
|
|
||||||
<Authenticator class="org.wso2.carbon.identity.scim.provider.auth.BasicAuthHandler">
|
|
||||||
<Property name="Priority">5</Property>
|
|
||||||
</Authenticator>
|
|
||||||
<Authenticator class="org.wso2.carbon.identity.scim.provider.auth.OAuthHandler">
|
|
||||||
<Property name="Priority">10</Property>
|
|
||||||
<Property name="AuthorizationServer">local://services</Property>
|
|
||||||
<!--Property name="AuthorizationServer">https://localhost:9443/services</Property>
|
|
||||||
<Property name="UserName">admin</Property>
|
|
||||||
<Property name="Password">admin</Property-->
|
|
||||||
</Authenticator>
|
|
||||||
</SCIMAuthenticators>
|
|
||||||
<!--SessionContextCache>
|
|
||||||
<Enable>true</Enable>
|
|
||||||
<Capacity>100000</Capacity>
|
|
||||||
</SessionContextCache-->
|
|
||||||
</Server>
|
|
@ -1,44 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
|
||||||
<!--
|
|
||||||
~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
|
||||||
~
|
|
||||||
~ WSO2 Inc. licenses this file to you under the Apache License,
|
|
||||||
~ Version 2.0 (the "License"); you may not use this file except
|
|
||||||
~ in compliance with the License.
|
|
||||||
~ You may obtain a copy of the License at
|
|
||||||
~
|
|
||||||
~ http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
~
|
|
||||||
~ Unless required by applicable law or agreed to in writing,
|
|
||||||
~ software distributed under the License is distributed on an
|
|
||||||
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
||||||
~ KIND, either express or implied. See the License for the
|
|
||||||
~ specific language governing permissions and limitations
|
|
||||||
~ under the License.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
|
|
||||||
|
|
||||||
|
|
||||||
<JDBCPersistenceManager>
|
|
||||||
<DataSource>
|
|
||||||
<!-- Include a data source name (jndiConfigName) from the set of data sources defined in master-datasources.xml -->
|
|
||||||
<Name>jdbc/WSO2AM_DB</Name>
|
|
||||||
</DataSource>
|
|
||||||
<!-- If the identity database is created from another place and if it is required to skip schema initialization during the server start up, set the following
|
|
||||||
property to "true". -->
|
|
||||||
<!--<SkipDBSchemaCreation>true</SkipDBSchemaCreation>-->
|
|
||||||
</JDBCPersistenceManager>
|
|
||||||
|
|
||||||
<ThriftSessionDAO>org.wso2.carbon.identity.thrift.authentication.dao.DBThriftSessionDAO</ThriftSessionDAO>
|
|
||||||
<!--<ThriftSessionDAO>org.wso2.carbon.identity.thrift.authentication.dao.InMemoryThriftSessionDAO</ThriftSessionDAO>-->
|
|
||||||
|
|
||||||
<ClientTimeout>30000</ClientTimeout>
|
|
||||||
|
|
||||||
<!--<Hostname>localhost</Hostname>-->
|
|
||||||
<Port>10711</Port>
|
|
||||||
|
|
||||||
<!--30 min-->
|
|
||||||
<ThriftSessionTimeout>1800000</ThriftSessionTimeout>
|
|
||||||
|
|
||||||
</Server>
|
|
@ -0,0 +1,260 @@
|
|||||||
|
<!--
|
||||||
|
~ Copyright WSO2, Inc. (http://wso2.com)
|
||||||
|
~
|
||||||
|
~ Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
~ you may not use this file except in compliance with the License.
|
||||||
|
~ You may obtain a copy of the License at
|
||||||
|
~
|
||||||
|
~ http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
~
|
||||||
|
~ Unless required by applicable law or agreed to in writing, software
|
||||||
|
~ distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
~ See the License for the specific language governing permissions and
|
||||||
|
~ limitations under the License.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<UserManager>
|
||||||
|
<Realm>
|
||||||
|
<Configuration>
|
||||||
|
<AddAdmin>true</AddAdmin>
|
||||||
|
<AdminRole>admin</AdminRole>
|
||||||
|
<AdminUser>
|
||||||
|
<UserName>admin</UserName>
|
||||||
|
<Password>admin</Password>
|
||||||
|
</AdminUser>
|
||||||
|
<EveryOneRoleName>everyone</EveryOneRoleName> <!-- By default users in this role sees the registry root -->
|
||||||
|
<Property name="isCascadeDeleteEnabled">true</Property>
|
||||||
|
<Property name="initializeNewClaimManager">true</Property>
|
||||||
|
<Property name="dataSource">jdbc/WSO2CarbonDB</Property>
|
||||||
|
</Configuration>
|
||||||
|
|
||||||
|
<!-- Following is the configuration for internal JDBC user store. This user store manager is based on JDBC.
|
||||||
|
In case if application needs to manage passwords externally set property
|
||||||
|
<Property name="PasswordsExternallyManaged">true</Property>.
|
||||||
|
In case if user core cache domain is needed to identify uniquely set property
|
||||||
|
<Property name="UserCoreCacheIdentifier">domain</Property>.
|
||||||
|
Furthermore properties, IsEmailUserName and DomainCalculation are readonly properties.
|
||||||
|
Note: Do not comment within UserStoreManager tags. Cause, specific tag names are used as tokens
|
||||||
|
when building configurations for products.
|
||||||
|
-->
|
||||||
|
<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
|
||||||
|
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
|
||||||
|
<Property name="ReadOnly">false</Property>
|
||||||
|
<Property name="ReadGroups">true</Property>
|
||||||
|
<Property name="WriteGroups">true</Property>
|
||||||
|
<Property name="UsernameJavaRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
|
||||||
|
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
|
||||||
|
<Property name="RolenameJavaRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="CaseInsensitiveUsername">true</Property>
|
||||||
|
<Property name="SCIMEnabled">false</Property>
|
||||||
|
<Property name="IsBulkImportSupported">true</Property>
|
||||||
|
<Property name="PasswordDigest">SHA-256</Property>
|
||||||
|
<Property name="StoreSaltedPassword">true</Property>
|
||||||
|
<Property name="MultiAttributeSeparator">,</Property>
|
||||||
|
<Property name="MaxUserNameListLength">100</Property>
|
||||||
|
<Property name="MaxRoleNameListLength">100</Property>
|
||||||
|
<Property name="UserRolesCacheEnabled">true</Property>
|
||||||
|
<Property name="UserNameUniqueAcrossTenants">false</Property>
|
||||||
|
</UserStoreManager>
|
||||||
|
|
||||||
|
<!-- If product is using an external LDAP as the user store in READ ONLY mode, use following user manager.
|
||||||
|
In case if user core cache domain is needed to identify uniquely set property
|
||||||
|
<Property name="UserCoreCacheIdentifier">domain</Property>
|
||||||
|
-->
|
||||||
|
<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
|
||||||
|
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
|
||||||
|
<Property name="ConnectionURL">ldap://localhost:10389</Property>
|
||||||
|
<Property name="ConnectionName">uid=admin,ou=system</Property>
|
||||||
|
<Property name="ConnectionPassword">admin</Property>
|
||||||
|
<Property name="AnonymousBind">false</Property>
|
||||||
|
<Property name="UserSearchBase">ou=system</Property>
|
||||||
|
<Property name="UserNameAttribute">uid</Property>
|
||||||
|
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
|
||||||
|
<Property name="UserNameListFilter">(objectClass=person)</Property>
|
||||||
|
<Property name="DisplayNameAttribute"/>
|
||||||
|
<Property name="ReadGroups">true</Property>
|
||||||
|
<Property name="GroupSearchBase">ou=system</Property>
|
||||||
|
<Property name="GroupNameAttribute">cn</Property>
|
||||||
|
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
|
||||||
|
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
|
||||||
|
<Property name="MembershipAttribute">member</Property>
|
||||||
|
<Property name="BackLinksEnabled">false</Property>
|
||||||
|
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||||
|
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||||
|
<Property name="SCIMEnabled">false</Property>
|
||||||
|
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
|
||||||
|
<Property name="MultiAttributeSeparator">,</Property>
|
||||||
|
<Property name="MaxUserNameListLength">100</Property>
|
||||||
|
<Property name="MaxRoleNameListLength">100</Property>
|
||||||
|
<Property name="UserRolesCacheEnabled">true</Property>
|
||||||
|
<Property name="ConnectionPoolingEnabled">true</Property>
|
||||||
|
<Property name="LDAPConnectionTimeout">5000</Property>
|
||||||
|
<Property name="ReadTimeout"/>
|
||||||
|
<Property name="RetryAttempts"/>
|
||||||
|
<Property name="ReplaceEscapeCharactersAtUserLogin">true</Property>
|
||||||
|
</UserStoreManager-->
|
||||||
|
|
||||||
|
<!-- Active directory configuration is as follows.
|
||||||
|
In case if user core cache domain is needed to identify uniquely set property
|
||||||
|
<Property name="UserCoreCacheIdentifier">domain</Property>
|
||||||
|
There are few special properties for "Active Directory".
|
||||||
|
They are :
|
||||||
|
1.Referral - (comment out this property if this feature is not reuired) This enables LDAP referral support.
|
||||||
|
2.BackLinksEnabled - (Do not comment, set to true or false) In some cases LDAP works with BackLinksEnabled.
|
||||||
|
In which role is stored at user level. Depending on this value we need to change the Search Base within code.
|
||||||
|
isADLDSRole - (Do not comment) Set to true if connecting to an AD LDS instance else set to false.
|
||||||
|
-->
|
||||||
|
<!--UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
|
||||||
|
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
|
||||||
|
<Property name="ConnectionURL">ldaps://10.100.1.100:636</Property>
|
||||||
|
<Property name="ConnectionName">CN=admin,CN=Users,DC=WSO2,DC=Com</Property>
|
||||||
|
<Property name="ConnectionPassword">A1b2c3d4</Property>
|
||||||
|
<Property name="AnonymousBind">false</Property>
|
||||||
|
<Property name="UserSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
|
||||||
|
<Property name="UserEntryObjectClass">user</Property>
|
||||||
|
<Property name="UserNameAttribute">cn</Property>
|
||||||
|
<Property name="UserNameSearchFilter">(&(objectClass=user)(cn=?))</Property>
|
||||||
|
<Property name="UserNameListFilter">(objectClass=user)</Property>
|
||||||
|
<Property name="DisplayNameAttribute"/>
|
||||||
|
<Property name="ReadGroups">true</Property>
|
||||||
|
<Property name="WriteGroups">true</Property>
|
||||||
|
<Property name="GroupSearchBase">CN=Users,DC=WSO2,DC=Com</Property>
|
||||||
|
<Property name="GroupEntryObjectClass">group</Property>
|
||||||
|
<Property name="GroupNameAttribute">cn</Property>
|
||||||
|
<Property name="GroupNameSearchFilter">(&(objectClass=group)(cn=?))</Property>
|
||||||
|
<Property name="GroupNameListFilter">(objectcategory=group)</Property>
|
||||||
|
<Property name="MembershipAttribute">member</Property>
|
||||||
|
<Property name="MemberOfAttribute">memberOf</Property>
|
||||||
|
<Property name="BackLinksEnabled">true</Property>
|
||||||
|
<Property name="Referral">follow</Property>
|
||||||
|
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||||
|
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
|
||||||
|
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
|
||||||
|
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||||
|
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="SCIMEnabled">false</Property>
|
||||||
|
<Property name="IsBulkImportSupported">true</Property>
|
||||||
|
<Property name="EmptyRolesAllowed">true</Property>
|
||||||
|
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
|
||||||
|
<Property name="MultiAttributeSeparator">,</Property>
|
||||||
|
<Property name="isADLDSRole">false</Property>
|
||||||
|
<Property name="userAccountControl">512</Property>
|
||||||
|
<Property name="MaxUserNameListLength">100</Property>
|
||||||
|
<Property name="MaxRoleNameListLength">100</Property>
|
||||||
|
<Property name="kdcEnabled">false</Property>
|
||||||
|
<Property name="defaultRealmName">WSO2.ORG</Property>
|
||||||
|
<Property name="UserRolesCacheEnabled">true</Property>
|
||||||
|
<Property name="ConnectionPoolingEnabled">false</Property>
|
||||||
|
<Property name="LDAPConnectionTimeout">5000</Property>
|
||||||
|
<Property name="ReadTimeout"/>
|
||||||
|
<Property name="RetryAttempts"/>
|
||||||
|
</UserStoreManager-->
|
||||||
|
|
||||||
|
<!-- Following user manager is used by Identity Server (IS) as its default user manager.
|
||||||
|
IS will do token replacement when building the product. Therefore do not change the syntax.
|
||||||
|
If "kdcEnabled" parameter is true, IS will allow service principle management.
|
||||||
|
Thus "ServicePasswordJavaRegEx", "ServiceNameJavaRegEx" properties control the service name format and
|
||||||
|
service password formats. In case if user core cache domain is needed to identify uniquely set property
|
||||||
|
<Property name="UserCoreCacheIdentifier">domain</Property>
|
||||||
|
-->
|
||||||
|
<!--ISUserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
|
||||||
|
<Property name="TenantManager">org.wso2.carbon.user.core.tenant.CommonHybridLDAPTenantManager</Property>
|
||||||
|
<Property name="ConnectionURL">ldap://localhost:${Ports.EmbeddedLDAP.LDAPServerPort}</Property>
|
||||||
|
<Property name="ConnectionName">uid=admin,ou=system</Property>
|
||||||
|
<Property name="ConnectionPassword">admin</Property>
|
||||||
|
<Property name="AnonymousBind">false</Property>
|
||||||
|
<Property name="UserSearchBase">ou=Users,dc=wso2,dc=org</Property>
|
||||||
|
<Property name="UserEntryObjectClass">identityPerson</Property>
|
||||||
|
<Property name="UserNameAttribute">uid</Property>
|
||||||
|
<Property name="UserNameSearchFilter">(&(objectClass=person)(uid=?))</Property>
|
||||||
|
<Property name="UserNameListFilter">(objectClass=person)</Property>
|
||||||
|
<Property name="DisplayNameAttribute"/>
|
||||||
|
<Property name="ReadGroups">true</Property>
|
||||||
|
<Property name="WriteGroups">true</Property>
|
||||||
|
<Property name="GroupSearchBase">ou=Groups,dc=wso2,dc=org</Property>
|
||||||
|
<Property name="GroupEntryObjectClass">groupOfNames</Property>
|
||||||
|
<Property name="GroupNameAttribute">cn</Property>
|
||||||
|
<Property name="GroupNameSearchFilter">(&(objectClass=groupOfNames)(cn=?))</Property>
|
||||||
|
<Property name="GroupNameListFilter">(objectClass=groupOfNames)</Property>
|
||||||
|
<Property name="MembershipAttribute">member</Property>
|
||||||
|
<Property name="BackLinksEnabled">false</Property>
|
||||||
|
<Property name="UsernameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||||
|
<Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated</Property>
|
||||||
|
<Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
|
||||||
|
<Property name="PasswordJavaRegExViolationErrorMsg">Password length should be within 5 to 30 characters</Property>
|
||||||
|
<Property name="RolenameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
|
||||||
|
<Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
|
||||||
|
<Property name="SCIMEnabled">true</Property>
|
||||||
|
<Property name="IsBulkImportSupported">true</Property>
|
||||||
|
<Property name="EmptyRolesAllowed">true</Property>
|
||||||
|
<Property name="PasswordHashMethod">PLAIN_TEXT</Property>
|
||||||
|
<Property name="MultiAttributeSeparator">,</Property>
|
||||||
|
<Property name="MaxUserNameListLength">100</Property>
|
||||||
|
<Property name="MaxRoleNameListLength">100</Property>
|
||||||
|
<Property name="kdcEnabled">false</Property>
|
||||||
|
<Property name="defaultRealmName">WSO2.ORG</Property>
|
||||||
|
<Property name="UserRolesCacheEnabled">true</Property>
|
||||||
|
<Property name="ConnectionPoolingEnabled">false</Property>
|
||||||
|
<Property name="LDAPConnectionTimeout">5000</Property>
|
||||||
|
<Property name="ReadTimeout"/>
|
||||||
|
<Property name="RetryAttempts"/>
|
||||||
|
</ISUserStoreManager-->
|
||||||
|
|
||||||
|
<AuthorizationManager class="org.wso2.carbon.user.core.authorization.JDBCAuthorizationManager">
|
||||||
|
<Property name="AdminRoleManagementPermissions">/permission</Property>
|
||||||
|
<Property name="AuthorizationCacheEnabled">true</Property>
|
||||||
|
<Property name="GetAllRolesOfUserEnabled">false</Property>
|
||||||
|
</AuthorizationManager>
|
||||||
|
</Realm>
|
||||||
|
</UserManager>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
|
||||||
|
************* Description of some of the configuration properties used in user-mgt.xml *********************************
|
||||||
|
|
||||||
|
DomainName -
|
||||||
|
This property must be used by all secondary user store managers in multiple user store configuration.
|
||||||
|
DomainName is a unique identifier given to the user store. Users must provide both the domain name and
|
||||||
|
username at log-in as "DomainName\Username"
|
||||||
|
|
||||||
|
UserRolesCacheEnabled -
|
||||||
|
This is to indicate whether to cache role list of a user. By default it is set to true.
|
||||||
|
You may need to disable it if user-roles are changed by external means and need to reflect
|
||||||
|
those changes in the carbon product immediately.
|
||||||
|
|
||||||
|
ReplaceEscapeCharactersAtUserLogin -
|
||||||
|
This is to configure whether escape characters in user name needs to be replaced at user login.
|
||||||
|
Currently the identified escape characters that needs to be replaced are '\' & '\\'
|
||||||
|
|
||||||
|
UserDNPattern -
|
||||||
|
This property will be used when authenticating users. During authentication we do a bind. But if the user is login
|
||||||
|
with email address or some other property we need to first lookup LDAP and retrieve DN for the user.
|
||||||
|
This involves an additional step. If UserDNPattern is specified the DN will be constructed using the pattern
|
||||||
|
specified in this property. Performance of this is much better than looking up DN and binding user.
|
||||||
|
|
||||||
|
RoleDNPattern -
|
||||||
|
This property will be used when checking whether user has been assigned to a given role.
|
||||||
|
Rather than searching the role in search base, by using this property direct search can be done.
|
||||||
|
|
||||||
|
PasswordHashMethod -
|
||||||
|
This says how the password should be stored. Allowed values are as follows,
|
||||||
|
SHA - Uses SHA digest method
|
||||||
|
MD5 - Uses MD 5 digest method
|
||||||
|
PLAIN_TEXT - Plain text passwords
|
||||||
|
In addition to above this supports all digest methods supported by http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html.
|
||||||
|
|
||||||
|
DisplayNameAttribute -
|
||||||
|
This is to have a dedicated LDAP attribute to display an entity(User/Role) in UI, in addition to the UserNameAttribute which is used for IS-UserStore interactions.
|
||||||
|
-->
|
@ -0,0 +1,9 @@
|
|||||||
|
<processor>
|
||||||
|
<remove>
|
||||||
|
<name>//UserManager/Realm/Configuration/Property[@name='initializeNewClaimManager']</name>
|
||||||
|
</remove>
|
||||||
|
<add>
|
||||||
|
<after>//UserManager/Realm/Configuration/Property[@name='isCascadeDeleteEnabled']</after>
|
||||||
|
<value><![CDATA[<Property name="initializeNewClaimManager">true</Property>]]></value>
|
||||||
|
</add>
|
||||||
|
</processor>
|
Loading…
Reference in new issue