path: root/conf-from-container/conf/access-control.xml
blob: a9184e6c72ac481509210705d688596dd957c3ef (plain)
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
                           
       default-init-method="initialize"
       default-destroy-method="destroy">

    <!--
    Map of access control policies used to limit access to administrative functions.
    The purpose of the map is to label policies with a key/name so they can be reused.
    -->

    <!--
    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
    The ranges provided MUST be CIDR network expressions. To specify a single address,
    add "/32" or "/128" for IPv4 or IPv6 respectively.

    The additional examples below demonstrate how to control access by username
    and by attribute(s), in the case of authenticated access to admin functions.
    -->

    <util:map id="shibboleth.AccessControlPolicies">
    
        <!--
        Each entry key is the name under which a policy can be referenced.

        Policy "AccessByIPAddress": IP-range based access control. As written here,
        only the IPv4 and IPv6 loopback addresses (127.0.0.1/32 and ::1/128) are in
        the allowed ranges.

        NOTE(review): the decision is only as good as the client address the IdP
        sees. If this IdP runs behind a reverse proxy, or behind container
        networking that rewrites the source address, confirm which address actually
        reaches the IdP: a proxy on the same host can make every remote client
        appear as loopback and so match this policy. When widening the ranges, list
        specific admin networks rather than a catch-all such as 0.0.0.0/0 or ::/0.
        -->
        <entry key="AccessByIPAddress">
            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
        </entry>
        
        <!--
        Disabled example: policy "AccessByUser" is built on a subject-name
        condition. 'jdoe' is a sample value; replace it with the real administrator
        username(s) before enabling. Presumably this only has an effect on admin
        functions that are configured for authenticated access; verify.
        -->
        <!--
        <entry key="AccessByUser">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
                </constructor-arg>
            </bean>
        </entry>
        -->
        
        <!--
        Disabled example: policy "AccessByAttribute" is built on an attribute
        predicate that maps eduPersonEntitlement to the value listed below. The
        example.org URI is a sample value.

        NOTE(review): before enabling, make sure this entitlement value can only be
        assigned by a trusted source of record. If users or a loosely controlled
        directory can set it, holding the value is equivalent to holding IdP admin
        access.
        -->
        <!--
        <entry key="AccessByAttribute">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                        <property name="attributeValueMap">
                            <map>
                                <entry key="eduPersonEntitlement">
                                    <list>
                                        <value>https://example.org/entitlement/idpadmin</value>
                                    </list>
                                </entry>
                            </map>
                        </property>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>
        -->
    
    </util:map>

</beans>