aboutsummaryrefslogtreecommitdiffstats
path: root/odl-aaa-moon/aaa/aaa-shiro/src/main/resources
diff options
context:
space:
mode:
Diffstat (limited to 'odl-aaa-moon/aaa/aaa-shiro/src/main/resources')
-rw-r--r--odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml48
-rw-r--r--odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini106
2 files changed, 154 insertions, 0 deletions
diff --git a/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml b/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml
new file mode 100644
index 00000000..63288c23
--- /dev/null
+++ b/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/WEB-INF/web.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <servlet>
+ <servlet-name>MOON</servlet-name>
+ <servlet-class>org.opendaylight.aaa.shiro.moon.MoonTokenEndpoint</servlet-class>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>MOON</servlet-name>
+ <url-pattern>/token</url-pattern>
+ </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>MOON</servlet-name>
+ <url-pattern>/revoke</url-pattern>
+ </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>MOON</servlet-name>
+ <url-pattern>/validate</url-pattern>
+ </servlet-mapping>
+ <servlet-mapping>
+ <servlet-name>MOON</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+ <!-- Shiro Filter -->
+ <context-param>
+ <param-name>shiroEnvironmentClass</param-name>
+ <param-value>org.opendaylight.aaa.shiro.web.env.KarafIniWebEnvironment</param-value>
+ </context-param>
+
+ <listener>
+ <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
+ </listener>
+
+ <filter>
+ <filter-name>ShiroFilter</filter-name>
+ <filter-class>org.opendaylight.aaa.shiro.filters.AAAFilter</filter-class>
+ </filter>
+
+ <filter-mapping>
+ <filter-name>ShiroFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
+</web-app> \ No newline at end of file
diff --git a/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini b/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini
new file mode 100644
index 00000000..b48abe96
--- /dev/null
+++ b/odl-aaa-moon/aaa/aaa-shiro/src/main/resources/shiro.ini
@@ -0,0 +1,106 @@
+#
+# Copyright (c) 2015 Brocade Communications Systems, Inc. and others. All rights reserved.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License v1.0 which accompanies this distribution,
+# and is available at http://www.eclipse.org/legal/epl-v10.html
+#
+
+###############################################################################
+# shiro.ini #
+# #
+# Configuration of OpenDaylight's aaa-shiro feature. Provided Realm #
+# implementations include: #
+# - TokenAuthRealm (enabled by default) #
+# - ODLJndiLdapRealm (disabled by default) #
+# - ODLJndiLdapRealmAuthNOnly (disabled by default) #
+# Basic user configuration through shiro.ini is disabled for security #
+# purposes. #
+###############################################################################
+
+
+
+[main]
+###############################################################################
+# realms #
+# #
+# This section is dedicated to setting up realms for OpenDaylight. Realms #
+# are essentially different methods for providing AAA. ODL strives to provide#
+# highly-configurable AAA by providing pluggable infrastructure. By deafult, #
+# TokenAuthRealm is enabled out of the box (which bridges to the existing AAA #
+# mechanisms). More than one realm can be enabled, and the realms are #
+# tried Round-Robin until: #
+# 1) a realm successfully authenticates the incoming request #
+# 2) all realms are exhausted, and 401 is returned #
+###############################################################################
+
+# ODL provides a few LDAP implementations, which are disabled out of the box.
+# ODLJndiLdapRealm includes authorization functionality based on LDAP elements
+# extracted through and LDAP search. This requires a bit of knowledge about
+# how your LDAP system is setup. An example is provided below:
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealm
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+#ldapRealm.searchBase = dc=DOMAIN,dc=TLD
+#ldapRealm.ldapAttributeForComparison = objectClass
+
+# ODL also provides ODLJndiLdapRealmAuthNOnly. Essentially, this allows
+# access through AAAFilter to any user that can authenticate against the
+# provided LDAP server.
+#ldapRealm = org.opendaylight.aaa.shiro.realm.ODLJndiLdapRealmAuthNOnly
+#ldapRealm.userDnTemplate = uid={0},ou=People,dc=DOMAIN,dc=TLD
+#ldapRealm.contextFactory.url = ldap://<URL>:389
+
+# Bridge to existing h2/idmlight/mdsal authentication/authorization mechanisms.
+# This realm is enabled by default, and utilizes h2-store by default.
+#tokenAuthRealm = org.opendaylight.aaa.shiro.realm.TokenAuthRealm
+# Defining moon realm
+moonAuthRealm = org.opendaylight.aaa.shiro.realm.MoonRealm
+
+# The CSV list of enabled realms. In order to enable a realm, add it to the
+# list below:
+#securityManager.realms = $tokenAuthRealm
+# Configure the Shiro Security Manager to use Moon Realm
+securityManager.realms = $moonAuthRealm
+
+# adds a custom AuthenticationFilter to support OAuth2 for backwards
+# compatibility. To disable OAuth2 access, just comment out the next line
+# and authcBasic will default to BasicHttpAuthenticationFilter, a
+# Shiro-provided class.
+authcBasic = org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter
+# OAuth2 Filer for moon token AuthN
+rest = org.opendaylight.aaa.shiro.filters.MoonOAuthFilter
+
+# add in AuthenticationListener, a Listener that records whether
+# authentication attempts are successful or unsuccessful. This audit
+# information is disabled by default, to avoid log flooding. To enable,
+# issue the following in karaf:
+# >log:set DEBUG org.opendaylight.aaa.shiro.filters.AuthenticationListener
+accountingListener = org.opendaylight.aaa.shiro.filters.AuthenticationListener
+securityManager.authenticator.authenticationListeners = $accountingListener
+
+
+
+[urls]
+###############################################################################
+# url authorization section #
+# #
+# This section is dedicated to defining url-based authorization according to: #
+# http://shiro.apache.org/web.html #
+###############################################################################
+
+# Restrict AAA endpoints to users w/ admin role
+/v1/users/** = authcBasic
+/v1/domains/** = authcBasic
+/v1/roles/** = authcBasic
+
+#Filter OAuth2 request$
+/token = rest
+
+# General access through AAAFilter requires valid credentials (AuthN only).
+/** = authcBasic
+
+# Access to the credential store is limited to the valid users who have the
+# admin role. The following line is only needed if the mdsal store is enabled
+#(the mdsal store is disabled by default).
+/config/aaa-authn-model** = authcBasic,roles[admin]