...
Bloc de code | ||||
---|---|---|---|---|
| ||||
<util:map id="sgcMappingGroupesRoles"> <beans:entry key="group_admin" value="ROLE_ADMIN" /> <beans:entry key="group_manager" value="ROLE_SUPER_MANAGER" /> <beans:entry key="group_livreur" value="ROLE_LIVREUR" /> <beans:entry key="group_updater" value="ROLE_UPDATER" /> <beans:entry key="group_consult" value="ROLE_CONSULT" /> <beans:entry key="group_user" value="ROLE_USER" /> </util:map> |
Configurations esup-nfc-tag-server
...
La carte est donc laissée en l'état, seul le csn est lu et envoyé à esup-sgc pour enrollement.
Bookworm et Jetty
Ce site de démonstration est portée par une VM qui fonctionne depuis février 2024 sous debian bookworm.
On a choisi au passage ici de déployer esup-sgc et esup-nfc-tag non pas via un Tomcat mais via le Jetty installé via apt.
À toute fin utile, voici un extrait des fichiers de configurations nous permettant cette mise en place
- start.ini instance jetty - /opt/jetty-esup-sgc-demo/start.ini
Bloc de code theme RDark --module=deploy,http,jsp,jstl,websocket,ext,resources jetty.http.port=8080 jetty.http.idleTimeout=30000 jetty.threadPool.minThreads=10 jetty.threadPool.maxThreads=200 jetty.threadPool.idleTimeout=60000
- systemd - /etc/systemd/system/jetty-esup-sgc-demo.service
Bloc de code theme RDark [Unit] Description=Jetty 9 Web Application Server Documentation=https://www.eclipse.org/jetty/documentation/current/ After=network.target [Service] # Configuration Environment="JETTY_HOME=/usr/share/jetty9/" #Environment="JETTY_STATE=/var/lib/jetty9/jetty.state" Environment="JETTY_BASE=/opt/jetty-esup-sgc-demo" Environment="JAVA_OPTS=-Djava.awt.headless=true" EnvironmentFile=-/etc/default/jetty9 # Lifecycle Type=simple ExecStart=/usr/share/jetty9/bin/jetty.sh run SuccessExitStatus=143 Restart=on-abort # Logging SyslogIdentifier=jetty9-esup-sgc-demo # Security User=jetty Group=jetty PrivateTmp=yes AmbientCapabilities=CAP_NET_BIND_SERVICE NoNewPrivileges=true WorkingDirectory=/usr/share/jetty9/ LogsDirectory=jetty9-esup-sgc-demo LogsDirectoryMode=750 ProtectSystem=strict ReadWritePaths=/var/lib/jetty9/ [Install] WantedBy=multi-user.target
- récupération de l'adresse client - important car les accès WS sont fonctions des adresses clients dans esup-sgc / esupn-nfc-tag - /etc/jetty9/jetty.xml
Bloc de code language xml theme RDark ... <New id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration"> <Call name="addCustomizer"> <Arg><New class="org.eclipse.jetty.server.ForwardedRequestCustomizer"/></Arg> </Call> ...
- configuration apache proxypass - /etc/apache2/sites-enabled/esup-sgc-demo.univ-rouen.fr.conf
Bloc de code theme RDark ... <Location /> AuthType shibboleth ShibRequestSetting requireSession 1 require shib-session ShibUseHeaders On </Location> ProxyPreserveHost On RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port 443 ProxyPass / http://localhost:8080/ ttl=10 timeout=3600 loadfactor=100 retry=1 ProxyPassReverse / http://localhost:8080/ ...
- configuration shibboleth (avec sp 3) - /etc/shibboleth/shibboleth2.xml
Bloc de code language xml theme RDark <SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="180"> <RequestMapper type="Native"> <RequestMap applicationId="default"> <Host name="esup-sgc-demo.univ-rouen.fr" applicationId="default" authType="shibboleth" requireSession="false"/> <Host name="esup-nfc-tag-demo.univ-rouen.fr" applicationId="esup-nfc-tag-demo" authType="shibboleth" requireSession="false"/> </RequestMap> </RequestMapper> <ApplicationDefaults entityID="https://esup-sgc-demo.univ-rouen.fr" REMOTE_USER="eppn subject-id pairwise-id persistent-id" cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1"> <Sessions lifetime="28800" timeout="3600" checkAddress="false" handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https" relayState="ss:mem" redirectLimit="exact" idpHistory="false" idpHistoryDays="7"> <SessionInitiator type="Chaining" Location="/Login" isDefault="true" id="Login" relayState="cookie"> <SessionInitiator type="SAML2" acsIndex="1" acsByIndex="false" template="bindingTemplate.html"/> <SessionInitiator type="Shib1"/> <SessionInitiator type="SAMLDS" URL="https://discovery.renater.fr/edugain/WAYF"/> </SessionInitiator> <md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <!-- Status reporting service. --> <Handler type="Status" Location="/Status"/> <!-- Session diagnostic service. --> <Handler type="Session" Location="/Session" showAttributeValues="true"/> </Sessions> <MetadataProvider type="XML" validate="false" url="https://metadata.federation.renater.fr/renater/main/main-idps-renater-metadata.xml" backingFilePath="/etc/shibboleth/metadatas/main-idps-renater-metadata.xml" maxRefreshDelay="7200"> </MetadataProvider> <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> <AttributeExtractor type="Metadata" errorURL="errorURL" DisplayName="displayName"/> <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> <CredentialResolver type="File" key="esup-sgc-demo.univ-rouen.fr.key" certificate="esup-sgc-demo.univ-rouen.fr.crt"/> <ApplicationOverride id="esup-nfc-tag-demo" entityID="https://esup-nfc-tag-demo.univ-rouen.fr" homeURL="https://esup-nfc-tag-demo.univ-rouen.fr"/> </ApplicationDefaults> <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> </SPConfig>