##########################################################################
## ##
## Copyright (c) 2018-2019 by Progress Software Corporation ##
## ##
## All rights reserved. No part of this program or document may be ##
## reproduced in any form or by any means without permission in writing ##
## from Progress Software Corporation. ##
## ##
##########################################################################
#
# Spring Security bean properties definition file for a specific oeabl.war
# based web applications found in a PASOE instance
#
# The properties values found in this file constitute a subset of all Spring
# Security configuration properties and their values. Any property value
# declared in this file will supersede a declaration found in any other
# oeablSecurity.properties file in the conf/ or ablapps/<ablappname>/conf.
#
# PAS for OE will resolve properties by loading multiple .properties files
# and using the last declared value it finds. The minimum requirement
# is that PAS for OE must find one oeablSecurity.properties file in one
# of the following locations:
# 1) conf/oeablSecurity.properties
# 2) [ ablapps/<abl-app-name>/conf/oeablSecurity.properties ]
# 3) webapps/<web-app-name>/WEB-INF/oeablSecurity.properties
#
# The best practice is to declare the properties and values that span
# multiple ABL business applications and their web applications in the
# conf/oeablSecurity.properties file.
#
# To set a properties and values that apply to all web applications mapped
# to a single ABL business application, create and declare properties in a
# ablapps/<abl-app-name>/conf/oeablSecurity.properties
# 1) create a directory having the name of the deployed ABL application
# found in the conf/openedge.properties file
# 2) Copy the conf/oeablSecurity.properties into that directory
# 3) Edit the file to contain only the properties that apply to the ABL
# application, leaving the conf/oeablSecurity.properties file to hold
# the defaults
#
# Last, declare the properties and values specific to a web application
# in the:
# /WEB-INF/oeablSecurity.properties file.
#
# The web application develop may choose to include the full superset
# of Spring Security properties in their application's
# ablapps/<abl-app-name>/conf/oeablSecurity.properties
# OR
# WEB-INF/oeablSecurity.properties file.
#
# Refer to conf/oeablSecurity.properties for default settings used by
# all web applications.
#
# To use per web application settings, copy the property settings from
# /conf/oeablSecurity.properties into this file and set the web application
# specific value.
#
# -------------------- oeablSecurity.properties ------------------------------
# All information about the properties in this property file may be found
# in the file:
#
# conf/oeablSecurity.properties.README.
#
##########################################################################
##
##%% version 0001
##%% Mar 02, 2016 2:29:12 PM
################# Authentication Manager Name list #####################
## The following names apply to the authmanager properties in the
## various transports:
## http.apsv.authmanager
## http.soap.authmanager
## http.rest.authmanager
## http.web.authmanager
## http.authmanager
##
## Authentication Managers will only apply to loginModels that perform
## direct logins using user accounts. Therefore, this property is used only
## for 'basic' and 'form' login models (below)
##
## http.all.authmanager will apply the same authentication to all transports.
##
## manager name Description
## ===================================================================
## local web application WEB-INF/user.properties
## extlocal web application WEB-INF/user.properties w.
## encrypted passwords
## ldap LDAPv3 Directory Service client (simple)
## ad Microsoft Active Directory Service client
## oerealm ABL class callback to application accounts
## sts OpenEdge Authentication Gateway client
##
## The http.xxxx.authmanager properties will be ignored for the following
## client.login.model configurations:
## oauth2
## saml
## anonymous
##
http.all.authmanager=oerealm
################## The HTTP client Authentication Model to use ##########
## This property controls which HTTP client authentication model is used
## between the PASOE client application and the PASOE server application
## for the . The allowed names are:
##
## name Description
## ===================================================================
## anonymous No user login - all clients have public access
## basic Users authenticate using the HTTP BASIC standard
## form Users authenticate using a HTTP POST message &
## form data
## container Users authenticate via Tomcat realm services and
## authorize URL access via Spring Security
## sso OpenEdge Single Sign-on using ClientPrincipal
## access tokens
## oauth2 OpenEdge support for validating OAuth2 JWT
## tokens for URL Authorization
## saml Users authenticate and authorize using SAML token
##
client.login.model=${PASOE_LOGIN_MODEL}
################## HTTP BASIC Realm name for All Transports ##################
## Set the BASIC realm name used by browsers to prompt the user for a
## user-id/password.
##
http.all.realm=OpenEdge
################## Container (Tomcat) Role mapping properties #################
## This property is used by the 'container' Login Model configuration. It
## provides a [comma separated - no whitespace] list of Role names supplied
## by the Tomcat realm login token that will be passed through to Spring's
## URL authorization.
##
## Each PAS for OE transport and the default URI space has its own settable
## list. The property http.jee.all.mappableRoles can be used to set all
## transports & default at one time.
##
http.jee.all.mappableRoles=ROLE_PSCUser,ROLE_PSCAdmin,ROLE_PSCOper
#################APSV Transport Specific Property #######################
## For APSV Transport authentication and authorization is disable by default
## i.e. apsv.security.enable=none.
##
## Valid values are:
## none No HTTP authentication or authorization [default]
## basic enable HTTP BASIC authentication & Roll-based authorization
## container Users authenticate via Tomcat realm services and
## authorize URL access via Spring Security
##
apsv.security.enable=none
#################SOAP Transport Specific property ########################
## For SOAP Transport authentication and authorization is disable by default
## i.e. apsv.security.enable=none.
##
## If there is a requirement to enable this in production, then set
## soap.security.enable property value as "basic".
## Example: soap.security.enable=basic
##
## The http.soap.authprovider property is used to configure the authentication
## manager as per production need.
##########################################################################
soap.security.enable=none
################# ClientPrincpal creation properties ######################
## Properties for the OEClientPrincipalFilter bean
## The security filter that turns a Spring token into an OpenEdge
## ClientPrincipal object. The filter is thus responsible for:
## 1. Creating a ClientPrincipal if one was not created in a previous
## authentication process step
## 2. If the previous authentication process produced a Spring token -
## copy that information into the ClientPrincipal
## 3. If the ClientPrincipal is not already sealed - seal it is using this
## filter's domain and registry configuration
## 4. If enablecp is true, then send the ClientPrincipal to the ABL business
## logic
##
## NOTE: The oerealm Authentication Manager configuration does not use these
## properties. Because of the nature of calling the ABL language,
## special property handling is required and most of the ClientPrincipal
## properties are replicated there.
##
OEClientPrincipalFilter.enabled=true
## Location of the encrypted OE Domain Access-codes used to seal Client-Princpals
OEClientPrincipalFilter.registryFile=ABLDomainRegistry.keystore
# OEClientPrincipalFilter.key=oech1::113926283f2407362326
## Default OE Domain name to append if not supplied by the user
OEClientPrincipalFilter.domain=
## Default ROLE names if none are found for the authenticated user
OEClientPrincipalFilter.roles=PSCUser
## Add authentication process details to Client-Principal
OEClientPrincipalFilter.authz=true
## Set Client-Princpal token expiration
OEClientPrincipalFilter.expires=0
## Add [any] source user account information to Client-Princpal
OEClientPrincipalFilter.accntinfo=false
OEClientPrincipalFilter.ccid=false
## Generate a Client-Princpal for an annonymousUser client
OEClientPrincipalFilter.anonymous=false
## Seal a Client-Princpal for an annonymousUser client
OEClientPrincipalFilter.sealAnonymous=false
OEClientPrincipalFilter.appName=OE
## Forward an OAuth2 token as a Client-Principal property
OEClientPrincipalFilter.forwardToken=false
## Pass an unsealed Client-Princpal for an unauthented user-id to the
## ABL application
OEClientPrincipalFilter.passthru=false
## Used to obtain an OE Domain name from the authenticated user's list of
## roles if the user did not supply one (overrides the default domain property)
OEClientPrincipalFilter.domainRoleFilter=ROLE_
## LDAP/AD specific: load these user account attributes into the Client-Princpal
## properties
OEClientPrincipalFilter.loadAccntAttrList=
## LDAP/AD specific: Validate that the user-id input OE Domain name is valid
## for the LDAP user account
OEClientPrincipalFilter.validateClientDomain=false
## Optional & Advanced 'OEClientPrincpalFilter' properties can be found
## in the instance and/or ABL application's 'conf/' directory.
################# CORS security filter properties #########################
## Properties for the OECORSFilter Filter bean
## The security filter that implements the CORS standard for controlling
## cross site resource access by http clients.
##
OECORSFilter.allowAll=true
OECORSFilter.responseHeaders=Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma,X-CLIENT-CONTEXT-ID
OECORSFilter.allowDomains=
OECORSFilter.allowSubdomains=false
OECORSFilter.allowMethods=GET,POST,PUT,DELETE,OPTIONS,PATCH
OECORSFilter.messageHeaders=Accept,Accept-Language,Content-Language,Content-Type,X-CLIENT-CONTEXT-ID,Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Pragma,Cache-control,Authorization
OECORSFilter.supportCredentials=true
OECORSFilter.maxAge=-1
## Common OpenEdge SSO Producer and Consumer properties
## (see properties for OESSOTokenManager, OESSOFilter, OESSORefreshFilter )
OESSO.error.detail=0
OESSO.require.https=true
################# 'sso' Login Model producer/consume properties ###########
## Properties for the SSO Producer and Consumer properties
## The OESSOTokenManager bean is the primary component for the verification
## and generation of OECP SSO tokens. The OESSOTokenManager works a
## supporting role for other Spring filter beans that are actively involved
## in the HTTP request authentication process.
##
## <b:bean id="OESSOTokenManager" ...
##
OESSOTokenManager.tokenPolicy=disabled
OESSOTokenManager.ssoTokenURLOption=OECP
OESSOTokenManager.ssoTokenExpires=3600
OESSOTokenManager.ssoAllowScope=
OESSOTokenManager.ssoGrantScope=
OESSOTokenManager.ssoTokenRefresh=true
OESSOTokenManager.ssoRefreshDeltaTime=3600
OESSOTokenManager.springRolePrefix=
## Properties for the OESSOFilter bean (see authFilters.xml)
## The OESSOFilter bean is injected into the HTTP authentication process
## to look for HTTP [Authorization] header that contains an OECP SSO token.
##
## <b:bean id="OESSOFilter" ...
##
OESSOFilter.authPolicy=disabled
OESSOFilter.authClientType=*
## Properties for the OESSORefreshFilter bean (see authFilters.xml)
## The OESSORefreshFilter bean is injected into the authentication process
## and intercepts client requests to refresh an expired OECS SSO token.
##
## <b:bean id="OESSORefreshFilter" ...
##
OESSORefreshFilter.refreshURL=/static/auth/token
OESSORefreshFilter.refreshClientType=*
########## 'ldap' Authentication Manager properties #######################
##
## Required LDAP Server Authentication Manager configuration properties
ldap.url=ldap://localhost:389
ldap.root.dn=
## Generic LDAP server's ldap.manager-dn MUST be an LDAP DN of the user account
## Active Directory LDAP server's ldap.manager-dn MUST be an LDAP DN of the
## user account, OR it may be an Active Directory Windows user login ID
## (username@ad-domain)
##
ldap.manager-dn=bsmith@acme.com
## The ldap.manager-password is used with the ldap.manager-dn user account.
## It has no affect on the user being authenticated. The value may be
## clear-text or a value generated by the utility:
## DLC/bin/stspwdutil encrypt <clear-text-pwd>
##
ldap.manager-password=secret
## Where and how to being searching for the user's account being authenticated
## Note: default filter templates are located in conf/oeablSecurity.properties
## or DLC/servers/pasoe/conf/oeablSecurity.properties
ldap.usersearch.base=
ldap.usersearch.searchSubtree=true
## Default LDAP Server user account search filter. Edit if necessary.
## ActiveDirectory [default]: (|(userPrincipalName={0}) (sAMAccountName={0}) (mail={0}) (cn={0}))
## Generic LDAP Directory: (|(mail={0}) (cn={0}))
ldap.usersearch.filter=(|(userPrincipalName={0}) (sAMAccountName={0}) (mail={0}) (cn={0}))
## Where and how to search for the authenticated user's LDAP groups, and how to
## convert the located LDAP group object's attribte value into a Spring ROLE
## Note: default filter templates are located in conf/oeablSecurity.properties
## or DLC/servers/pasoe/conf/oeablSecurity.properties
ldap.groupsearch.base=
ldap.grouprole.attribute=cn
ldap.groupsearch.searchSubtree=true
## Active Directory [default]: (&(objectclass=group) (member={0}))
## Generic LDAP Directory: (|(&(objectclass=groupofnames) (member={0})) (&(objectclass=groupofuniquenames) (uniqueMember={0})) )
ldap.groupsearch.filter=(&(objectclass=group) (member={0}))
##---------------------------------------------------------------------------
## Optional LDAP Server Authentication Manager configuration properties
##---------------------------------------------------------------------------
## Follow LDAP server referral objects
ldap.contxtSrc.referral=ignore
## Connection/read timeout in seconds
ldap.contxtSrc.timeout=5000
## Prefix for LDAP group attribute name to identify it as a Spring ROLE name
ldap.authpopulator.rolePrefix=ROLE_
## Ignore Active Directory exceptions for very large return result-sets
ldap.authpopulator.ignorePartialResultException=true
## Convert all LDAP group attribute names used as Spring ROLES to uppercase
ldap.authpopulator.convertToUpperCase=true
##---------------------------------------------------------------------------
## Advanced LDAP Server Authentication Manager configuration properties
## are found in conf/oeablSecuirty.properties and
## ablapps/<abl-app-name>/conf/p
##---------------------------------------------------------------------------
########## 'oerealm' Authentication Manager properties #######################
## Properties that connects to an MS-Agent Realm service and uses it as a
## source of user account information during the Spring authentication process.
## These properties are special case versions of the ClientPrincpalFilter
## property set and only apply to the 'oerealm' Authentication Mangaer.
##
OERealm.AuthProvider.multiTenant=true
OERealm.AuthProvider.userDomain=
OERealm.AuthProvider.expires=0
## Encrypted file containing OE Domain Access-codes used to seal
## Client-Principal tokens
OERealm.AuthProvider.registryFile=ABLDomainRegistry.keystore
## Properties for the 'oerealm' Authentication Manager's use of the
## MS-Agent's OERealm server OOABL class
##
# OERealm.UserDetails.realmURL=http://localhost:43090/apsv
OERealm.UserDetails.realmClass=Akioma.Swat.Security.HybridRealm
OERealm.UserDetails.grantedAuthorities=ROLE_PSCUser
OERealm.UserDetails.appendRealmError=false
OERealm.UserDetails.propertiesAttrName=
OERealm.UserDetails.userIdAttrName=
## The file holding a ClientPrincipal token used to authenticate
## the PASOE server to the OERealm ABL class.
OERealm.UserDetails.realmTokenFile=oespaclient.cp
## Optional & Advanced 'oerealm' properties can be found in the instance and/or
## ABL application's 'conf/' directory.
########## 'ad' Authentication Manager properties #########################
## Required properties for the 'ad' (Active Directory) Authentication
## Manager.
## For all Active Directory authenticaiton manager configuration
## property details refer to:
## conf/oeablSecurity.properties.README
##
ad.ldap.url=ldap://hostname:389
ad.ldap.rootdn=dc=acme,dc=com
## Optional properties for the 'ad' (Active Directory) Authentication
## Manager.
##
ad.user.domain=acme.com
ad.AuthoritiesMapper.prefix=ROLE_
ad.AuthoritiesMapper.convertToUpperCase=true
########## 'sts' Authention Manager properties ############################
## OpenEdge Authentication Gateway client configuration
## for direct user logins to a PASOE server
##
## Required Authentication Gateway URL
sts.UserDetails.stsURL=https://host:port
sts.UserDetails.stsKeystore=
## How to handle user-id Domain fields
sts.AuthProvider.multiTenant=true
sts.AuthProvider.registryFile=ABLDomainRegistry.keystore
sts.AuthProvider.userDomain=
## TLS connection to Authentication Gateway Server
sts.UserDetails.noHostVerify=false
sts.UserDetails.tlsCipherSuites=
sts.UserDetails.tlsProtocols=
sts.UserDetails.sniHost=
########## 'oauth2' Login Model properties ###############################
## Properties for the 'oauth2' Login Model that supplies OAuth2 authorization
## handling for 'Resource Servers' web data service access and
## 'Authorization Servers' for obtaining access & refresh tokens to access a
## Resource server's data.
##
## Configuring the 'oauth2' Login Model involves 3 levels:
## 1) JWT Access/ID token validation (jwtToken.* properties)
## 2) OAuth2 Resource Server run-time operations and coordination with OAuth2
## Authorization Server who issues the JWT tokens
## (oauth2.resSvc.* properties)
## 3) Client-Principal generation (see ClientPrincpalFilter.* properties)
##
## Required enable/disable of the OAuth2 Resource server support.
## The allowable values are {enable}
# oauth2.ResourceServer.enable=enable
## Required JWT token handler properties for validating the inbound
## JWT/OAuth2 ID token passed by the OAuth2 client as a Bearer token.
## The JWT Signature algorithm used by the Authorization Server
jwtToken.signatureAlg=RS256
## The method of obtaining Public/Secret encryption keys from the
## Authorization Server. Each type has separate properties
## following:
jwtToken.keystore.type=jwk
## "jwk": URL path to Authorization Server's JWK distribution
jwtToken.keystore.jwkurl=${AUTHENTICATION_URI}/v1/identity/oidc/.well-known/keys
## "mac": JWT Signature's mac secret-key phrase
jwtToken.macKey=oeph3::B8E894037D0A296A0908F2FAFB0A0148
## "jks": JWT Signature's public-key storage and access
jwtToken.keystore.path=${catalina.base}/conf/jwtkeys/jwtRsaKeys.jks
jwtToken.keystore.userid=
jwtToken.keystore.pwd=oeph3::B8E894037D0A296A0908F2FAFB0A0148
jwtToken.keystore.alias=sample
## After Signature validation, extract key JWT token key assertion values
jwtToken.defaultRoles=psc
jwtToken.usernameField=user_id
jwtToken.mapScopeToRole=true
jwtToken.scopeToRolePrefix=scope.
jwtToken.includeAllClaims=true
jwtToken.scopeNameField=scope
## OAuth2 Resource server configuration
## An OAuth2 Resource Server provides data-services for client applications.
## The client application sends an "access token" obtained from an OAuth2
## Authorization Server, which the Resource server must validate before it
## is accepted.
##
oauth2.resSvc.tokenServices=oauth2
oauth2.resSvc.audience=jdT9AiVGsnNf5kOXuwqMTNEVJ0
oauth2.resSvc.realmName=oeoauth
oauth2.resSvc.clientCfg=file:/workspace/pasoe/webapps/restbasic/WEB-INF/oauth2ResSvcClients.cfg
oauth2.resSvc.csvpath=WEB-INF/oeablSecurityJWT.csv
oauth2.ResourceServer.enable=enable
## Optional & Advanced OAuth2 properties can be found in the instance and/or
## ABL application's 'conf/' directory.
########## 'saml' Authention Manager properties ############################
## Required PASOE SAML Token Processing filter properties
samlToken.webSSOProcessingFilter.checkForACSEndpointUrl=false
samlToken.webSSOProcessingFilter.responseSkew=3600
## Location of Service Provide And Identity Provider Metatdata xml file
## Usually it should be inside WEB-INF/metadata/ folder of the webapp
samlToken.metadata.spMetaDataFileLocation=WEB-INF/metadata/sp.xml
samlToken.metadata.idpMetaDataFileLocation=WEB-INF/metadata/idp.xml
## Allow Binding Methods of incoming request with
## SAML token
samlToken.httpBinding.allowMethods=GET,POST,PUT,DELETE
## SAML UserDetails
## Usually roles comes as part of asseration attribute of SAML token
## If there roles are configured with multiple attributes then use comma separated list of attributes
samlToken.UserDetails.roleAttrName=Attribute1,Attribute2
## If there is not roles found in SAMl token then use default roles as PSCUser
samlToken.UserDetails.defaultGrantedAuthorities=PSCUser
samlToken.UserDetails.rolePrefix=ROLE_
## If the SAML token's user-id does not contain a 'domain', use this default
samlToken.UserDetails.userDomain=
## Required location of the OE Domain encrypted Access-code file used to seal
## Client-Principal tokens with
samlToken.UserDetails.registryFile=
########## MDC (Mapped Diagnostic) properties ############################
## MDC HTTP request header enablement. Only
## the HTTP headers included in this list will
## be available as MDC token fields in ABL SessionManager log files.
MDC.filter.headerList=