#
# Licensed to Apereo under one or more contributor license
# agreements. See the NOTICE file distributed with this work
# for additional information regarding copyright ownership.
# Apereo licenses this file to you under the Apache License,
# Version 2.0 (the "License"); you may not use this file
# except in compliance with the License.  You may obtain a
# copy of the License at the following location:
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

server.name=http://localhost:8080
server.prefix=${server.name}/cas

# Spring Security's EL-based access rules for the /status URI of CAS that exposes health check information
cas.securityContext.status.access=hasIpAddress('127.0.0.1')

# Spring Security's EL-based access rules for the /statistics URI of CAS that exposes stats about the CAS server
cas.securityContext.statistics.access=hasIpAddress('127.0.0.1')

cas.themeResolver.defaultThemeName=cas-theme-default

# Path prefix for where views are to be found
# cas.viewResolver.defaultViewsPathPrefix=/WEB-INF/view/jsp/default/ui/

# Location of the Spring xml config file where views may be collected
# cas.viewResolver.xmlFile=/META-INF/spring/views.xml

##
# Unique CAS node name
# host.name is used to generate unique Service Ticket IDs and SAMLArtifacts.  This is usually set to the specific
# hostname of the machine running the CAS node, but it could be any label so long as it is unique in the cluster.
host.name=cas01.example.org

##
# Database flavors for Hibernate
#
# One of these is needed if you are storing Services or Tickets in an RDBMS via JPA.
#
# database.hibernate.dialect=org.hibernate.dialect.OracleDialect
# database.hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect
# database.hibernate.dialect=org.hibernate.dialect.HSQLDialect
# database.hibernate.batchSize=10

##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator
#
# Do note that the following settings MUST be generated per deployment. The values
# below are published defaults shipped with this file and must not be kept in a real deployment.
#
# Defaults at spring-configuration/ticketGrantingTicketCookieGenerator.xml
# The encryption secret key. By default, must be an octet string of size 256.
tgc.encryption.key=1PbwSbnHeinpkZOSZjuSJ8yYpUrInm5aaV18J2Ar4rM

# The signing secret key. By default, must be an octet string of size 512.
tgc.signing.key=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dWxsOVGutZWgvmY3l5oVPO3w

# Decides whether SSO cookie should be created only under secure connections.
# tgc.secure=true

# The expiration value of the SSO cookie
# tgc.maxAge=-1

# The name of the SSO cookie
# tgc.name=TGC

# The path to which the SSO cookie will be scoped
# tgc.path=/cas

# Decides whether SSO Warning cookie should be created only under secure connections.
# warn.cookie.secure=true

# The expiration value of the SSO Warning cookie
# warn.cookie.maxAge=-1

# The name of the SSO Warning cookie
# warn.cookie.name=CASPRIVACY

# The path to which the SSO Warning cookie will be scoped
# warn.cookie.path=/cas


##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
# cas.logout.followServiceRedirects=false

##
# CAS Cached Attributes Timeouts
# Controls the cached attribute expiration policy
#
# Sets the duration for which cached attributes are kept alive
# cas.attrs.timeToExpireInHours=2

##
# Single Sign-On Session
#
# Indicates whether an SSO session should be created for renewed authentication requests.
# create.sso.renewed.authn=true
#
# Indicates whether an SSO session can be created if no service is present.
# create.sso.missing.service=true

##
# Spring Webflow Web Application Session
# Define the settings that are required to encrypt and persist the CAS web application session.
# See the cas-servlet.xml file to understand how these properties are used.
#
# cas.webflow.cipher.alg=AES
# cas.webflow.cipher.mode=CBC
# cas.webflow.cipher.padding=PKCS7
# cas.webflow.keystore=classpath:/etc/keystore.jceks
# cas.webflow.keystore.type=JCEKS
# cas.webflow.keystore.password=changeit
# cas.webflow.keyalias=aes128
# cas.webflow.keypassword=changeit

##
# Single Sign-On Session Timeouts
# Defaults sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Maximum session timeout - TGT will expire in maxTimeToLiveInSeconds regardless of usage
# tgt.maxTimeToLiveInSeconds=28800
#
# Idle session timeout -  TGT will expire sooner than maxTimeToLiveInSeconds if no further requests
# for STs occur within timeToKillInSeconds
# tgt.timeToKillInSeconds=7200

##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s.  You'll want to
# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
# st.timeToKillInSeconds=10

## 
# Http Client Settings
#
# The http client read timeout in milliseconds
# http.client.read.timeout=5000

# The http client connection timeout in milliseconds
# http.client.connection.timeout=5000
#
# The http client truststore file, used in addition to the default truststore
# http.client.truststore.file=classpath:truststore.jks
#
# The http client truststore's password
# http.client.truststore.psw=changeit
          
##
# Single Logout Callbacks
# Default sourced from WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml
#
# To turn off all back-channel SLO requests, set this to true
# slo.callbacks.disabled=false
#
# To send callbacks to endpoints synchronously, set this to false
# slo.callbacks.asynchronous=true

##
# CAS Protocol Security Filter
#
# Are multi-valued parameters accepted?
# cas.http.allow.multivalue.params=false

# Define the list of request parameters to examine for sanity
# cas.http.check.params=ticket,service,renew,gateway,warn,target,SAMLart,pgtUrl,pgt,pgtId,pgtIou,targetService

# Define the list of request parameters only allowed via POST
# cas.http.allow.post.params=username,password

##
# JSON Service Registry
#
# Directory location where JSON service files may be found.
# service.registry.config.location=classpath:services

##
# Service Registry Periodic Reloading Scheduler
# Default sourced from WEB-INF/spring-configuration/applicationContext.xml
#
# Force a startup delay of 2 minutes.
# service.registry.quartz.reloader.startDelay=120000
# 
# Reload services every 2 minutes
# service.registry.quartz.reloader.repeatInterval=120000

##
# Log4j
# Default sourced from WEB-INF/spring-configuration/log4jConfiguration.xml:
#
# It is often helpful to externalize log4j.xml to a system path to preserve settings between upgrades.
# log4j.config.location=file:///etc/cas/log4j2.xml
# log4j.config.location=classpath:log4j2.xml

##
# Audits
#
# Use single line format for audit blocks
# cas.audit.singleline=true
# Separator to use between fields in a single audit event
# cas.audit.singleline.separator=|

##
# Metrics
# Default sourced from WEB-INF/spring-configuration/metricsConfiguration.xml:
#
# Define how often metric data should be reported. Default is 30 seconds.
# metrics.refresh.internal=30s

##
# Encoding
#
# Set the encoding to use for requests. Default is UTF-8
# httprequest.web.encoding=UTF-8

# Default is true, which enforces the specified encoding unconditionally and also applies it
# as the default response encoding. Switch this to "false" to disable that enforcement.
# httprequest.web.encoding.force=true

##
# Reports
#
# Controls whether the ticket-granting ticket id is included in the report
# sso.sessions.include.tgt=false

##
# SAML
#
# Indicates the SAML response issuer
# cas.saml.response.issuer=localhost
#
# Indicates the skew allowance which controls the issue instant of the SAML response
# cas.saml.response.skewAllowance=0
#
# Indicates whether SAML ticket id generation should be saml2-compliant.
# cas.saml.ticketid.saml2=false

##
# Google Apps public/private key
#
# cas.saml.googleapps.publickey.file=classpath:DSAPrivateKey01.key
# cas.saml.googleapps.privatekey.file=classpath:DSAPrivateKey01.key
# cas.saml.googleapps.key.alg=DSA

##
# WS-FED
#
# The claim from ADFS that should be used as the user's identifier.
# cas.wsfed.idp.idattribute=upn
#
# Federation Service identifier
# cas.wsfed.idp.id=https://adfs.example.org/adfs/services/trust
#
# The ADFS login url.
# cas.wsfed.idp.url=https://adfs.example.org/adfs/ls/
#
# Identifies resource(s) that point to ADFS's signing certificates.
# These are used to verify the WS Federation token that is returned by ADFS.
# Multiple certificates may be separated by comma.
# cas.wsfed.idp.signingcerts=classpath:adfs-signing.crt
#
# Unique identifier that will be set in the ADFS configuration.
# cas.wsfed.rp.id=urn:cas:localhost
#
# Allowed slack for time drift between the ADFS Server and the CAS Server.
# cas.wsfed.idp.tolerance=10000

##
# Password Policy
#
# Warn all users of expiration date regardless of warningDays value.
# password.policy.warnAll=false

# Threshold number of days to begin displaying password expiration warnings.
# password.policy.warningDays=30

# URL to which the user will be redirected to change the password.
# password.policy.url=https://password.example.edu/change

##
# Ticket Registry
#
# Secret key to use when encrypting tickets in a distributed ticket registry.
# ticket.encryption.secretkey=C@$W3bSecretKey!

# Seed to use when encrypting tickets in a distributed ticket registry.
# ticket.encryption.seed=S!ngl3$ign0n4W3b

# Secret key to use when signing tickets in a distributed ticket registry.
# By default, must be an octet string of size 512. Generate a fresh value per deployment;
# the example below is the same value as tgc.signing.key above and should not be reused.
# ticket.signing.secretkey=szxK-5_eJjs-aUj-64MpUZ-GPPzGLhYPLGl0wrYjYNVAGva2P0lLe6UGKGM7k8dWxsOVGutZWgvmY3l5oVPO3w

##
# Hazelcast Ticket Registry
#
# hz.cluster.portAutoIncrement=true
# hz.cluster.port=5701
# hz.cluster.multicast.enabled=false
# hz.cluster.members=cas1.example.com,cas2.example.com
# hz.cluster.tcpip.enabled=true
# hz.cluster.max.heapsize.percentage=85
# hz.cluster.max.heartbeat.seconds=5
# hz.cluster.eviction.percentage=10
# hz.cluster.eviction.policy=LRU
# hz.cluster.instance.name=${host.name}

##
# Ehcache Ticket Registry
#
# ehcache.config.file=classpath:ehcache-replicated.xml
# ehcache.cachemanager.shared=false
# ehcache.cachemanager.name=ticketRegistryCacheManager
# ehcache.disk.expiry.interval.seconds=0
# ehcache.disk.persistent=false
# ehcache.eternal=false
# ehcache.max.elements.memory=10000
# ehcache.max.elements.disk=0
# ehcache.eviction.policy=LRU
# ehcache.overflow.disk=false
# ehcache.cache.st.name=org.jasig.cas.ticket.ServiceTicket
# ehcache.cache.st.timeIdle=0
# ehcache.cache.st.timeAlive=300
# ehcache.cache.tgt.name=org.jasig.cas.ticket.TicketGrantingTicket
# ehcache.cache.tgt.timeIdle=7201
# ehcache.cache.tgt.timeAlive=0
# ehcache.cache.loader.async=true
# ehcache.cache.loader.chunksize=5000000
# ehcache.repl.async.interval=10000
# ehcache.repl.async.batch.size=100
# ehcache.repl.sync.puts=true
# ehcache.repl.sync.putscopy=true
# ehcache.repl.sync.updates=true
# ehcache.repl.sync.updatesCopy=true
# ehcache.repl.sync.removals=true

##
# Memcached Ticket Registry
#
# memcached.servers=cas-1.example.org:11211,cas-2.example.org:11211,cas-3.example.org:11211
# memcached.hashAlgorithm=FNV1_64_HASH

##
# RADIUS Authentication Server
#
# cas.radius.client.inetaddr=localhost
# cas.radius.client.port.acct=
# cas.radius.client.socket.timeout=60
# cas.radius.client.port.authn=
# cas.radius.client.sharedsecret=N0Sh@ar3d$ecReT
# cas.radius.server.protocol=EAP_MSCHAPv2
# cas.radius.server.retries=3
# cas.radius.server.nasIdentifier=-1
# cas.radius.server.nasPort=-1
# cas.radius.server.nasPortId=-1
# cas.radius.server.nasRealPort=-1
# cas.radius.server.nasPortType=-1
# cas.radius.server.nasIpAddress=
# cas.radius.server.nasIpv6Address=
# cas.radius.failover.authn=false
# cas.radius.failover.exception=false

##
# SPNEGO Authentication
#
# cas.spnego.ldap.attribute=spnegoattribute
# cas.spnego.ldap.filter=host={0}
# cas.spnego.ldap.basedn=
# cas.spnego.hostname.pattern=.+
# cas.spnego.ip.pattern=
# cas.spnego.alt.remote.host.attribute
# cas.spengo.use.principal.domain=false
# cas.spnego.ntlm.allowed=true
# cas.spnego.kerb.debug=false
# cas.spnego.kerb.realm=EXAMPLE.COM
# cas.spnego.kerb.kdc=172.10.1.10
# cas.spnego.login.conf.file=/path/to/login
# cas.spnego.jcifs.domain=
# cas.spnego.jcifs.domaincontroller=
# cas.spnego.jcifs.netbios.cache.policy:600
# cas.spnego.jcifs.netbios.wins=
# cas.spnego.jcifs.password=
# cas.spnego.jcifs.service.password=
# cas.spnego.jcifs.socket.timeout:300000
# cas.spnego.jcifs.username=
# cas.spnego.kerb.conf=
# cas.spnego.ntlm=false
# cas.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
# cas.spnego.mixed.mode.authn=false
# cas.spnego.send.401.authn.failure=false