######################################## ## Config chaining hierarchy ######################################## # comma separated config files that override each other (files on the right override the left) # each should start with file: or classpath: # e.g. classpath:grouper-ws.example.properties, file:c:/something/myconfig.properties # {valueType: "string", required: true, multiple: true} ws.config.hierarchy = classpath:grouper-ws-ng.base.properties, classpath:grouper-ws.properties, database:grouper # seconds between checking to see if the config files are updated # {valueType: "integer", required: true} ws.config.secondsBetweenUpdateChecks = 600 ######################################## ## General settings ######################################## # Max number of subjects to be able to pass to addMember service, default is 1000000 # {valueType: "integer", required: true} ws.add.member.subjects.max = 20000 # Max number of subjects to be able to pass to addMember service, default is 1000000 # {valueType: "integer", required: true} ws.has.member.subjects.max = 20000 # Max number of subjects to be able to pass to addMember service, default is 1000000 # {valueType: "integer", required: true} ws.group.save.max = 20000 # Max number of subjects to be able to pass to getGroups service, default is 1000000 # {valueType: "integer", required: true} ws.get.groups.subjects.max = 20000 # This is the number of subjects found which is too many to see if in group. When seeing if # in group, that requires batched in size 80 each subject. So for 800 subjects, that is # 10 queries # {valueType: "integer", required: true} ws.get.subjects.max.filter.by.group = 1000 # Web service users who are in the following group can use the actAs field to act as someone else # You can put multiple groups separated by commas. e.g. a:b:c, e:f:g # You can put a single entry as the group the calling user has to be in, and the grouper the actAs has to be in # separated by 4 colons # e.g. if the configured values is: a:b:c, e:f:d :::: r:e:w, x:e:w # then if the calling user is in a:b:c or x:e:w, then the actAs can be anyone # if not, then if the calling user is in e:f:d, then the actAs must be in r:e:w. If multiple rules, then # if one passes, then it is a success, if they all fail, then fail. # {valueType: "string", multiple: true} #ws.act.as.group = etc:webServiceActAsGroup # similar syntax as ws.act.as.group but for the grouper actas (e.g. for grouper messaging to WS bridge) # {valueType: "group"} ws.grouper.act.as.group = # cache the decision to allow a user to actAs another, so it doesnt have to be calculated each time # defaults to 30 minutes # {valueType: "integer", required: true} ws.act.as.cache.minutes = 30 # If there is an entry here for group name, then all web service client users must be in this group (before the actAs) #ws.client.user.group.name = etc:webServiceClientUsers # allow these ids even if not in group, e.g. for testing # subjectIdOrIdentifier or sourceId::::subjectId or ::::subjectId or sourceId::::::subjectIdentifier or ::::::subjectIdentifier # sourceId::::::::subjectIdOrIdentifier or ::::::::subjectIdOrIdentifier # {valueType: "subject", multiple: true} ws.client.user.group.subjects.allow = # cache the decision to allow a user to user web services, so it doesnt have to be calculated each time # defaults to 5 minutes: # {valueType: "integer", required: true} ws.client.user.group.cache.minutes = 5 # if you have subject namespace overlap (or not), set the default subject # sources (comma-separated) to lookup the user if none specified in user name # {valueType: "string"} ws.logged.in.subject.default.source = # prepend to the userid this value (e.g. if using local entities, might be: etc:servicePrincipals: ) # {valueType: "string"} ws.security.prependToUserIdForSubjectLookup = # subject attribute names to send back when a WsSubjectResult is sent, comma separated # e.g. name, netid # default is none # {valueType: "string", multiple: true} ws.subject.result.attribute.names = # subject result attribute names when extended data is requested (comma separated) # default is name, description # note, these will be in addition to ws.subject.result.attribute.names # {valueType: "string", multiple: true} ws.subject.result.detail.attribute.names = # if there are attribute names that need to be sent to the SubjectDecorator # for subsequent dynamic lookup (configured in SubjectFinder), comma separated # {valueType: "string", multiple: true} ws.subject.attributes.for.decorator = # if the request has no content type (http params), and the response content type is not # specified in the url, then put it here. must be a valid value of WsRestResponseContentType # defaults to json if blank. e.g. json, xml, xhtml # {valueType: "string"} ws.rest.default.response.content.type = json # to provide custom authentication (instead of the default httpServletRequest.getUserPrincipal() # for non-Rampart authentication. Class must implement the interface: # edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication # class must be fully qualified. e.g. edu.school.whatever.MyAuthenticator # blank means use default: edu.internet2.middleware.grouper.ws.security.WsGrouperDefaultAuthentication # kerberos: edu.internet2.middleware.grouper.ws.security.WsGrouperKerberosAuthentication # {valueType: "class", mustImplementInterface: "edu.internet2.middleware.grouper.ws.security.WsCustomAuthentication"} ws.security.non-rampart.authentication.class = # if providing a custom non-rampart authentication class (including kerberos and ldap), whether to # return a 401 error in the servlet filter if authentication fails # {valueType: "boolean", required: true} ws.security.non-rampart.error.401.authentication.error = true # to provide rampart authentication, Class must implement the interface: # edu.internet2.middleware.grouper.ws.security.GrouperWssecAuthentication # class must be fully qualified. e.g. edu.school.whatever.MyAuthenticator # blank means rampart will throw 404 status code # {valueType: "class", mustImplementInterface: "edu.internet2.middleware.grouper.ws.security.GrouperWssecAuthentication"} ws.security.rampart.authentication.class = ############################################### ## Misc settings ############################################### # ignore extraneous xml fields from server (e.g. on server upgrade, when the client isnt upgraded) # if you dont ignore, and there is an extraneous field which is not omitted (below), then an exception # will be thrown # {valueType: "boolean", required: true} ws.ignoreExtraneousXmlFieldsRest = false # register fields to be ignored with xstream. this is useful if you are not # ignoring extraneous fields (above), but know that there are a few to be ignored # place them here with fully qualified classname dont property name, comma separated # e.g. edu.internet2.middleware.grouper.ws.soap.WsResponseMeta.millis, edu.internet2.middleware.grouper.ws.soap.WsResponseMeta.millis2 # {valueType: "string", multiple: true} ws.omitXmlPropertiesRest = # will add the charset to the content type, blank to omit # {valueType: "string"} ws.restHttpContentTypeCharset = UTF-8 # Content type of REST responses. In 2.3, xml was "text/xml" and json was "text/x-json". # Change if applications need a specific response type # {valueType: "string"} ws.restResponseContentType.xhtml = application/xhtml+xml # content type of rest responses # {valueType: "string"} ws.restResponseContentType.xml = application/xml # content type of rest responses # {valueType: "string"} ws.restResponseContentType.json = application/json # configure the pluggable json converter (defaults to json.org implementation), must implement the JsonConverter interface # to use the xstream converter, set to edu.internet2.middleware.grouper.ws.rest.json.XstreamJsonConverter # {valueType: "class", mustImplementInterface: "edu.internet2.middleware.grouper.ws.rest.json.JsonConverter"} jsonConverter = # if a request takes longer than this many millis then log the request to a separate file # {valueType: "integer", required: true} ws.longRunningRequestLogMillis = 30000 ################################################################# ## KERBEROS settings, only needed if doing kerberos simple auth ################################################################# # if you specify where this is, e.g. /etc/krb5.conf, then it will read it from there, else the classpath, else use the realm and address below # {valueType: "string"} kerberos.krb5.conf.location = # IT IS RECOMMENDED TO USE krb5.conf ON FILE SYSTEM OR CLASSPATH INSTEAD! realm, whatever your realm is, e.g. SCHOOL.EDU # {valueType: "string"} kerberos.realm = # IT IS RECOMMENDED TO USE krb5.conf ON FILE SYSTEM OR CLASSPATH INSTEAD! address of your kdc, e.g. kdc.school.edu # {valueType: "string"} kerberos.kdc.address = # debug kerberos, sets system property sun.security.krb5.debug = true # {valueType: "boolean"} kerberos.debug = false #################################################################### ## TESTING #################################################################### # for testing only, where the main dir is from the test project (or any) # {valueType: "string"} ws.testing.grouper-ws.dir=../grouper-ws # for testing only, where is the generated client dir for samples / testing # {valueType: "string"} ws.testing.generated.client.dir=../grouper-ws-java-generated-client # for testing only, where is the manual client dir for samples / testing # {valueType: "string"} ws.testing.manual.client.dir=../grouper-ws-java-manual-client # http prefix for hitting tests # {valueType: "string"} ws.testing.httpPrefix=http # host for hitting tests # {valueType: "string"} ws.testing.host=localhost # port for hitting tests # {valueType: "integer", required: true} ws.testing.port=8090 # port that the sample capture proxy will forward to # {valueType: "integer", required: true} ws.sampleForwardTo.port=8089 # app name for hitting tests # {valueType: "string"} ws.testing.appName=grouper-ws # user to login to tests # {valueType: "string"} ws.testing.user=GrouperSystem # pass to login to tests # {valueType: "password", sensitive: true} ws.testing.pass=private # version the client advertises to server # {valueType: "string"} ws.testing.version=v2_5_000