diff options
Diffstat (limited to 'odl-aaa-moon/aaa-shiro/src/main/resources')
-rw-r--r-- | odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml | 48 | ||||
-rw-r--r-- | odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini | 95 |
2 files changed, 143 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml new file mode 100644 index 00000000..63288c23 --- /dev/null +++ b/odl-aaa-moon/aaa-shiro/src/main/resources/WEB-INF/web.xml @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + version="3.0"> + + <servlet> + <servlet-name>MOON</servlet-name> + <servlet-class>org.opendaylight.aaa.shiro.moon.MoonTokenEndpoint</servlet-class> + <load-on-startup>1</load-on-startup> + </servlet> + + <servlet-mapping> + <servlet-name>MOON</servlet-name> + <url-pattern>/token</url-pattern> + </servlet-mapping> + <servlet-mapping> + <servlet-name>MOON</servlet-name> + <url-pattern>/revoke</url-pattern> + </servlet-mapping> + <servlet-mapping> + <servlet-name>MOON</servlet-name> + <url-pattern>/validate</url-pattern> + </servlet-mapping> + <servlet-mapping> + <servlet-name>MOON</servlet-name> + <url-pattern>/*</url-pattern> + </servlet-mapping> + + <!-- Shiro Filter --> + <context-param> + <param-name>shiroEnvironmentClass</param-name> + <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value> + </context-param> + + <listener> + <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class> + </listener> + + <filter> + <filter-name>ShiroFilter</filter-name> + <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class> + </filter> + + <filter-mapping> + <filter-name>ShiroFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> +</web-app>
\ No newline at end of file diff --git a/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini b/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini new file mode 100644 index 00000000..d84f9fa0 --- /dev/null +++ b/odl-aaa-moon/aaa-shiro/src/main/resources/shiro.ini @@ -0,0 +1,95 @@ +# +# Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License v1.0 which accompanies this distribution, +# and is available at http://www.eclipse.org/legal/epl-v10.html +# + +############################################################################### +# shiro.ini # +# # +# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm # +# implementations include: # +# - TokenAuthRealm (enabled by default) # +# - ODLJndiLdapRealm (disabled by default) # +# - ODLJndiLdapRealmAuthNOnly (disabled by default) # +# Basic user configuration through shiro.ini is disabled for security # +# purposes. # +############################################################################### + + + +[main] +############################################################################### +# realms # +# # +# This section is dedicated to setting up realms for OpenDaylight. Realms # +# are essentially different methods for providing AAA. ODL strives to provide# +# highly-configurable AAA by providing pluggable infrastructure. By deafult, # +# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA # +# mechanisms). More than one realm can be enabled, and the realms are # +# tried Round-Robin until: # +# 1) a realm successfully authenticates the incoming request # +# 2) all realms are exhausted, and 401 is returned # +############################################################################### + +# ODL provides a few LDAP implementations, which are disabled out of the box. +# ODLJndiLdapRealm includes authorization functionality based on LDAP elements +# extracted through and LDAP search. This requires a bit of knowledge about +# how your LDAP system is setup. An example is provided below: +#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm +#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD +#ldapRealm.contextFactory.url = ldap://<URL>:389 +#ldapRealm.searchBase = dc=DOMAIN,dc=TLD +#ldapRealm.ldapAttributeForComparison = objectClass + +# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows +# access through AAAFilter to any user that can authenticate against the +# provided LDAP server. +#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly +#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD +#ldapRealm.contextFactory.url = ldap://<URL>:389 + +# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms. +# This realm is enabled by default, and utilizes h2-store by default. +tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm +moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm + +# The CSV list of enabled realms. In order to enable a realm, add it to the +# list below: +securityManager.realms = $moonAuthRealm + + +# adds a custom AuthenticationFilter to support OAuth2 for backwards +# compatibility. To disable OAuth2 access, just comment out the next line +# and authcBasic will default to BasicHttpAuthenticationFilter, a +# Shiro-provided class. +authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter +# OAuth2 Filer for moon token AuthN +rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter + + + +[urls] +############################################################################### +# url authorization section # +# # +# This section is dedicated to defining url-based authorization according to: # +# http://shiro.apache.org/web.html # +############################################################################### +#Filtering REST requests with AAAFilter +/v1/users** = authcBasic +/v1/domains** = authcBasic +/v1/roles** = authcBasic + +#Filter OAuth2 request$ +/token = rest + +# General access through AAAFilter requires valid credentials (AuthN only). +/** = authcBasic + +# Access to the credential store is limited to the valid users who have the +# admin role. The following line is only needed if the mdsal store is enabled +#(the mdsal store is disabled by default). +/config/aaa-authn-model** = authcBasic,roles[admin] |