Diffstat (limited to 'conf-from-container/conf/intercept')
5 files changed, 271 insertions, 0 deletions
diff --git a/conf-from-container/conf/intercept/consent-intercept-config.xml b/conf-from-container/conf/intercept/consent-intercept-config.xml
new file mode 100644
index 0000000..ca183a7
--- /dev/null
+++ b/conf-from-container/conf/intercept/consent-intercept-config.xml
@@ -0,0 +1,136 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!-- Terms of Use configuration -->
+
+ <!--
+ Terms of use is driven by a lookup function returning a key into messages/consent-messages.properties
+
+ The default mapping returns the relying party / SP name as the key. The second example below
+ demonstrates use of a custom mapping table from the relying party name to the key to use.
+ -->
+
+ <alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.RelyingPartyIdLookup.Simple" />
+
+ <!--
+ <bean id="shibboleth.consent.terms-of-use.Key"
+ class="com.google.common.base.Functions" factory-method="compose">
+ <constructor-arg name="g">
+ <bean class="com.google.common.base.Functions" factory-method="forMap" c:defaultValue="terms-of-use">
+ <constructor-arg name="map">
+ <map>
+ <entry key="https://sp.example.org/shibboleth" value="example-terms" />
+ </map>
+ </constructor-arg>
+ </bean>
+ </constructor-arg>
+ <constructor-arg name="f">
+ <ref bean="shibboleth.RelyingPartyIdLookup.Simple" />
+ </constructor-arg>
+ </bean>
+ -->
+
+ <!-- Attribute Release configuration -->
+
+ <!--
+ Attribute release whitelist, blacklist, and match expressions to determine
+ whether consent should be obtained for an attribute based on the attribute ID.
+ -->
+
+ <util:list id="shibboleth.consent.attribute-release.WhitelistedAttributeIDs">
+ <!--
+ <value>mail</value>
+ -->
+ </util:list>
+
+ <util:list id="shibboleth.consent.attribute-release.BlacklistedAttributeIDs">
+ <value>transientId</value>
+ <value>persistentId</value>
+ <value>eduPersonTargetedID</value>
+ </util:list>
+
+ <!--
+ <bean id="shibboleth.consent.attribute-release.MatchExpression" class="java.util.regex.Pattern" factory-method="compile"
+ c:_0="^exampleAttribute.*$" />
+ -->
+
+ <!--
+ Customize the order in which attributes are displayed.
+ Attribute IDs not present in this list will be sorted according to their
+ natural order and displayed subsequent to any attribute IDs specified here.
+ -->
+ <!--
+ <util:list id="shibboleth.consent.attribute-release.AttributeDisplayOrder">
+ <value>mail</value>
+ </util:list>
+ -->
+
+ <!--
+ These beans define mappings between audit log categories and formatting strings.
+ -->
+
+ <!--
+ For terms-of-use acceptance, the default entry is :
+ 'YYYYMMDDTHHMMSSZ|TermsAccepted|jdoe|example-tou-1|rHo...rrw=|true'
+
+ For terms-of-use refusal, the default entry is :
+ 'YYYYMMDDTHHMMSSZ|TermsRejected|jdoe|example-tou-1|rHo...rrw=|false'
+ -->
+ <util:map id="shibboleth.consent.terms-of-use.AuditFormattingMap">
+ <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
+ </util:map>
+
+ <!--
+ For attribute-release consent, the default entry is :
+ 'YYYYMMDDTHHMMSSZ|https://sp.example.org|AttributeReleaseConsent|jdoe|email,eduPersonAffiliation|rHo...rrw=,rHo...rrw=|false,false'
+ -->
+ <util:map id="shibboleth.consent.attribute-release.AuditFormattingMap">
+ <entry key="Shibboleth-Consent-Audit" value="%T|%SP|%e|%u|%CCI|%CCV|%CCA" />
+ </util:map>
+
+ <!--
+ The beans below need to be defined, even if left empty. They can be ignored in most cases.
+
+ If you write your own function to extract a new piece of data for auditing, you can install it into one or more
+ of the maps below to add it to the auditing framework, keyed by an audit field label to be used in formatting.
+ -->
+ <bean id="shibboleth.consent.PreConsentAuditExtractors" parent="shibboleth.consent.DefaultPreConsentAuditExtractors" lazy-init="true">
+ <property name="sourceMap">
+ <map merge="true">
+ </map>
+ </property>
+ </bean>
+
+ <bean id="shibboleth.consent.ConsentAuditExtractors" parent="shibboleth.consent.DefaultConsentAuditExtractors" lazy-init="true">
+ <property name="sourceMap">
+ <map merge="true">
+ </map>
+ </property>
+ </bean>
+
+ <!--
+ Specify custom symbolic replacements for attribute names to shrink the size of results saved to client-side storage
+ such as cookies.
+ -->
+ <bean id="shibboleth.consent.AttributeSymbolics" parent="shibboleth.consent.DefaultAttributeSymbolics" lazy-init="true">
+ <property name="sourceMap">
+ <map merge="true">
+ <!--
+ <entry key="myAttribute" value="900" />
+ -->
+ </map>
+ </property>
+ </bean>
+
+</beans>
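Review bot: The `shibboleth.consent.attribute-release.BlacklistedAttributeIDs` list removes persistentId and eduPersonTargetedID from the consent decision, so a persistent pseudonymous identifier is presumably released to the relying party without ever appearing on the attribute-release page; that mirrors the upstream IdP default, but nothing in the file says it is deliberate, and a deployer copying this out of the container cannot tell a privacy choice from an oversight. A comment above that `util:list` such as `<!-- Identifiers the user is never asked about; they are released without appearing in the consent dialog -->` would make it explicit, and a privacy review may prefer to leave the persistent identifiers subject to consent. This file is also written without a trailing newline (`\ No newline at end of file`), as is context-check-intercept-config.xml in the same commit, while the other three files end with one; worth normalizing so later edits do not produce noisy diffs.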
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/context-check-intercept-config.xml b/conf-from-container/conf/intercept/context-check-intercept-config.xml
new file mode 100644
index 0000000..809f1d4
--- /dev/null
+++ b/conf-from-container/conf/intercept/context-check-intercept-config.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Condition to evaluate to interrupt SSO flows to check the state of the transaction before allowing.
+
+ Typically the flow itself will be activated based on configuration in relying-party.xml, and this controls
+ whether to proceed if the flow is activated. The most common use for this flow is to check the set of
+ resolved/filtered attributes and values to see if the user is authorized or provisioned into a service.
+ -->
+ <bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.AND">
+ <constructor-arg>
+ <list>
+ <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{ 'https://sp.example.org' }" />
+ <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
+ p:useUnfilteredAttributes="true">
+ <property name="attributeValueMap">
+ <map>
+ <entry key="eppn">
+ <list>
+ <value>*</value>
+ </list>
+ </entry>
+ </map>
+ </property>
+ </bean>
+ </list>
+ </constructor-arg>
+ </bean>
+
+</beans>
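Review bot: The `shibboleth.context-check.Condition` bean keeps the upstream placeholder `https://sp.example.org` in `c:candidates` and ANDs it with an eppn-present check, while profile-intercept.xml in this same commit registers `intercept/context-check` as an available flow; if a deployer later activates the flow for any relying party via relying-party.xml, every relying party other than the placeholder would presumably fail the AND condition and be denied, which is easy to miss because the header comment describes the bean as an example but the bean itself carries no such marker. A comment on the bean such as `<!-- EXAMPLE ONLY: replace the candidate entityID and the attribute check before activating this flow -->` would make that visible where it matters. Worth stating in the same comment that `p:useUnfilteredAttributes="true"` evaluates the resolver's output before attribute filtering (the header comment says "resolved/filtered", which leaves the choice ambiguous), since an authorization check against unfiltered attributes behaves differently from one against what the relying party would receive. The file is also committed without a trailing newline.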
\ No newline at end of file
diff --git a/conf-from-container/conf/intercept/expiring-password-intercept-config.xml b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
new file mode 100644
index 0000000..5447b16
--- /dev/null
+++ b/conf-from-container/conf/intercept/expiring-password-intercept-config.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Condition to evaluate to determine if expiring password view should be displayed, false means to notify.
+
+ The example uses a built-in class to evaluate an attribute containing a date/time of password expiration.
+ The format pattern parses the value and the negative offset determines how soon to warn the user beforehand.
+ -->
+ <bean id="shibboleth.expiring-password.Condition" class="net.shibboleth.idp.profile.logic.DateAttributePredicate"
+ c:attribute="passwordExpiration" p:resultIfMissing="true">
+ <constructor-arg name="formatter">
+ <bean class="org.joda.time.format.DateTimeFormat" factory-method="forPattern" c:_0="yyyyMMddHHmmss'T'" />
+ </constructor-arg>
+ <property name="systemTimeOffset">
+ <bean class="org.joda.time.Duration" factory-method="standardDays" c:_0="-14" />
+ </property>
+ </bean>
+
+ <!-- Name of cookie to track when user was last notified. -->
+ <bean id="shibboleth.expiring-password.NotifyCookieName" class="java.lang.String" c:_0="shib_idp_exp_pwd" />
+
+ <!-- Interval (milliseconds) between notifications, default is 8 hours. -->
+ <bean id="shibboleth.expiring-password.NotifyInterval" class="java.lang.Long" c:_0="28800000" />
+
+</beans>
diff --git a/conf-from-container/conf/intercept/intercept-events-flow.xml b/conf-from-container/conf/intercept/intercept-events-flow.xml
new file mode 100644
index 0000000..5cb30d5
--- /dev/null
+++ b/conf-from-container/conf/intercept/intercept-events-flow.xml
@@ -0,0 +1,18 @@
+<flow xmlns="http://www.springframework.org/schema/webflow"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
+ abstract="true">
+
+ <!-- ADVANCED USE ONLY -->
+
+ <!--
+ You can ignore this file unless you are creating your own custom intercept subflows that want to
+ report custom events in response to unusual conditions.
+ -->
+
+ <!-- Custom error events to reflect back from user-supplied intercept subflows. -->
+ <!--
+ <end-state id="MyCustomEvent" />
+ -->
+
+</flow>
diff --git a/conf-from-container/conf/intercept/profile-intercept.xml b/conf-from-container/conf/intercept/profile-intercept.xml
new file mode 100644
index 0000000..4040a10
--- /dev/null
+++ b/conf-from-container/conf/intercept/profile-intercept.xml
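Review bot: In expiring-password-intercept-config.xml, `p:resultIfMissing="true"` on `shibboleth.expiring-password.Condition` combined with the header comment ("false means to notify") means a user with no passwordExpiration attribute is silently never warned; that is a defensible default, but it is a fail-open choice a deployer should see spelled out next to the attribute, e.g. `<!-- resultIfMissing="true": users without a passwordExpiration value are never notified; set to false to notify them instead -->`. The formatter pattern `yyyyMMddHHmmss'T'` contains no zone designator, so the parsed expiration time is presumably interpreted in the JVM default zone; if the directory stores the value in UTC, the 14-day warning window from `systemTimeOffset` would be shifted by the local offset, which is worth confirming against the source directory and recording in the comment. The intercept-events-flow.xml hunk that follows is a comment-only abstract flow and needs no change.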
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xmlns:p="http://www.springframework.org/schema/p"
+ xmlns:c="http://www.springframework.org/schema/c"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+ http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+ default-init-method="initialize"
+ default-destroy-method="destroy">
+
+ <!--
+ Intercept flows are used at various injection points to modify processing. This is the master list
+ of flows available that provide interesting features to deployers, but flows are actually enabled by
+ specifying them in various profile configuration beans via relying-party.xml
+
+ This list of flows is merged with a built-in set defined in a system configuration file, and may be
+ empty, but should not be removed. You must add your own custom flows to this list if you create any.
+ -->
+
+ <bean id="shibboleth.AvailableInterceptFlows" parent="shibboleth.DefaultInterceptFlows" lazy-init="true">
+ <property name="sourceList">
+ <list merge="true">
+ <bean id="intercept/context-check" parent="shibboleth.InterceptFlow" />
+
+ <bean id="intercept/expiring-password" parent="shibboleth.InterceptFlow" />
+
+ <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
+
+ <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+ </list>
+ </property>
+ </bean>
+
+</beans> |