These pages are examples and do not reflect any normative requirements or assumptions on the part of the IdP software and may be a mix of suggestions from both the project team and deployers. You should take any of this advice with a grain of local salt and consider general security/deployment considerations appropriate to the use of web software in your local environment.
The official information about containers and versions we support is solely maintained on the SystemRequirements page. If you wish to operate without complete responsibility for your Java servlet container, you may consider the Windows package we provide that includes an embedded container.
The following conventions are used in this document:

idp.home refers to the IdP installation directory (as specified during the installation process).
JETTY_HOME refers to the location of the Jetty installation (jetty-dist-$VERSION).
JETTY_BASE refers to the directory containing your deployment-specific Jetty configuration files. File paths below are relative to JETTY_BASE unless otherwise noted.

We strongly recommend placing all IdP-specific Jetty configuration under JETTY_BASE to facilitate Jetty upgrades.
If you have used the Windows Installer to install Jetty, none of the changes below can be made. If you need such changes, you should install and maintain Jetty yourself and use the instructions below.
There are no known issues with any specific Jetty 9.2 release. The latest stable version should be used.
A typical JETTY_BASE directory for the IdP webapp contains the following files, each of which is described in the following sections.

lib/logging/jcl-over-slf4j-1.7.7.jar (optional)
lib/logging/logback-access-1.1.2.jar (optional)
lib/logging/logback-classic-1.1.2.jar (optional)
lib/logging/logback-core-1.1.2.jar (optional)
resources/logback-access.xml (optional)
File(s): start.ini

Create a JETTY_BASE/start.ini file with the following contents.

# Required Jetty modules
--module=server
--module=deploy
--module=annotations
--module=resources
--module=logging
--module=requestlog
--module=servlets
--module=jsp
--module=jstl
--module=ext
--module=plus

# Allows setting Java system properties (-Dname=value)
# and JVM flags (-X, -XX) in this file
# NOTE: spawns child Java process
--exec

# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
#-Didp.home=/path/to/shibboleth-idp

# Alternate garbage collector that reduces memory needed for larger metadata files
-XX:+UseG1GC

# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
# for handling larger (> 25M) metadata files but you will need to test on
# your particular metadata configuration
-Xmx1500m

# Maximum amount of memory allowed for the JVM permanent generation (Java 7 only)
-XX:MaxPermSize=128m
File(s): /opt/shibboleth-idp/credentials/idp-browser.p12, etc/jetty-ssl.xml, etc/jetty-https.xml, start.d/http.ini, start.d/https.ini, start.d/ssl.ini

Jetty listens on ports 8080 and 8443 for user-facing web traffic by default. In order to serve requests on the default HTTP/HTTPS ports (80/443), one of the following is required.

Copy the following files from JETTY_HOME/demo-base/start.d to JETTY_BASE/start.d:

start.d/http.ini
start.d/https.ini
start.d/ssl.ini

If you elect to change the default listening ports, modify the http.port property in http.ini and https.port in https.ini accordingly.

Modify ssl.ini so that it contains the following properties:

jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12
jetty.keystore.type=PKCS12
jetty.keystore.password=thepasswordgoeshere

If you have deployed the IdP to an alternate location, change the path of jetty.keystore accordingly. The idp-browser.p12 file is a PKCS12 file containing the X.509 certificate and private key used to secure the HTTPS channel that users access during authentication and other browser-based message exchanges involving the IdP. This is generally the one you get from a browser-compatible CA. Because ssl.ini holds the keystore password in cleartext, make both ssl.ini and the PKCS12 file readable only by the account Jetty runs as.
Create etc/jetty-ssl.xml and etc/jetty-https.xml using the sample configurations that follow as a starting point. The explicit cipher suite list below still admits the TLS_RSA_* suites, which use static RSA key exchange and therefore provide no forward secrecy; drop them if your client population negotiates the ECDHE suites, and revisit the list periodically.
etc/jetty-ssl.xml:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- ============================================================= -->
  <!-- TLS context factory without client auth                       -->
  <!-- ============================================================= -->
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="jetty.keystore" /></Set>
    <Set name="KeyStoreType"><Property name="jetty.keystore.type" /></Set>
    <Set name="KeyStorePassword"><Property name="jetty.keystore.password" /></Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="NeedClientAuth">false</Set>
    <Set name="WantClientAuth">false</Set>
    <!-- One protocol name per Item: a single "SSL SSLv2 SSLv3" string matches no protocol and excludes nothing -->
    <Set name="excludeProtocols">
      <Array type="String">
        <Item>SSL</Item>
        <Item>SSLv2</Item>
        <Item>SSLv3</Item>
      </Array>
    </Set>

    <!-- If you're on Java 8, you can use these regular expressions instead. -->
    <!--
    <Set name="IncludeCipherSuites">
      <Array type="java.lang.String">
        <Item>TLS_ECDHE.*</Item>
        <Item>TLS_RSA.*</Item>
      </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>.*NULL.*</Item>
        <Item>.*RC4.*</Item>
        <Item>.*MD5.*</Item>
        <Item>.*DES.*</Item>
        <Item>.*DSS.*</Item>
      </Array>
    </Set>
    -->

    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
      </Array>
    </Set>
  </New>

  <!-- ============================================================= -->
  <!-- Create a TLS specific HttpConfiguration based on the          -->
  <!-- common HttpConfiguration defined in jetty.xml                 -->
  <!-- Add a SecureRequestCustomizer to extract certificate and      -->
  <!-- session information                                           -->
  <!-- ============================================================= -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

</Configure>
etc/jetty-https.xml:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- ============================================================= -->
<!-- Configure HTTPS connectors.                                   -->
<!-- This configuration must be used in conjunction with jetty.xml -->
<!-- and jetty-ssl.xml.                                            -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- ============================================================= -->
  <!-- Anonymous (no client TLS) HTTPS connector                     -->
  <!-- ============================================================= -->
  <Call id="httpsConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="ssl.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="ssl.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="sslHttpConfig"/></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.host" /></Set>
        <Set name="port"><Property name="https.port" /></Set>
        <Set name="idleTimeout"><Property name="https.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="https.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="ssl.acceptorPriorityDelta" default="0"/></Set>
        <Set name="selectorPriorityDelta"><Property name="ssl.selectorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="https.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>
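The include/exclude lists in jetty-ssl.xml are easy to get subtly wrong: every entry is treated as a pattern matched against the whole suite name, includes are applied before excludes, and a literal name the JVM does not support is dropped silently rather than reported. The following added example (written for this page, not code from the Shibboleth project or Jetty) reproduces that selection logic in Python over a constructed list of suites standing in for what a JVM reports, then audits the result for suites without forward secrecy. The suite list and the PAGE_* pattern lists are taken from the XML above; the JVM_SUPPORTED list is invented for illustration.

```python
import re

# Constructed sample of the suites a JVM might report as supported; this is
# not a dump from any real Java installation.
JVM_SUPPORTED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_NULL_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
]

# The regex alternative shown (commented out) in jetty-ssl.xml above.
PAGE_INCLUDE = ["TLS_ECDHE.*", "TLS_RSA.*"]
PAGE_EXCLUDE = [".*NULL.*", ".*RC4.*", ".*MD5.*", ".*DES.*", ".*DSS.*"]


def select_cipher_suites(supported, include, exclude):
    """Apply Jetty-style include/exclude lists to the suites a JVM supports.

    Each entry is matched as a regular expression against the whole suite
    name, so a literal name such as TLS_RSA_WITH_AES_128_CBC_SHA behaves as
    an exact match.  Includes are applied first (an empty include list keeps
    everything the JVM supports); excludes then remove matches.
    """
    if include:
        selected = []
        for pattern in include:
            rx = re.compile(pattern)
            for suite in supported:
                if rx.fullmatch(suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = list(supported)
    for pattern in exclude:
        rx = re.compile(pattern)
        selected = [s for s in selected if not rx.fullmatch(s)]
    return selected


def forward_secrecy_gaps(suites):
    """Suites whose key exchange is static RSA/DH rather than (EC)DHE: a
    recorded session can be decrypted later if the server key leaks."""
    return [s for s in suites if not re.match(r"(TLS|SSL)_(ECDHE|DHE)_", s)]


if __name__ == "__main__":
    chosen = select_cipher_suites(JVM_SUPPORTED, PAGE_INCLUDE, PAGE_EXCLUDE)
    print("enabled:", *chosen, sep="\n  ")
    print("no forward secrecy:", forward_secrecy_gaps(chosen))
    # A literal include list is only as good as what the JVM provides: an
    # unsupported name is silently absent, so verify the live connector.
    print(select_cipher_suites(JVM_SUPPORTED,
                               ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"], []))
```

Run it against the real list from your JVM (for example the output of an SSL scanner pointed at the connector) rather than the constructed one to see what the container actually offers; the point of the forward-secrecy audit is that both the regex and the literal lists on this page let TLS_RSA_* through.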
File(s): webapps/idp.xml

In order to deploy the IdP, Jetty must be informed of the location of the IdP war file. This file is called a context descriptor and the recommended content is provided below. Since the following example relies upon the idp.home system property being set, it must either be defined in start.ini or included in the command line used to start Jetty.

Note this file controls the context path to which the application is deployed, which is /idp in the following configuration block.

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="war"><SystemProperty name="idp.home"/>/war/idp.war</Set>
  <Set name="contextPath">/idp</Set>
  <Set name="extractWAR">false</Set>
  <Set name="copyWebDir">false</Set>
  <Set name="copyWebInf">true</Set>
</Configure>
File(s): etc/jetty-requestlog.xml, resources/logback.xml, resources/logback-access.xml

The recommended approach is to use logback for all Jetty logging. The logback and slf4j libraries are needed to support this configuration and must be copied into JETTY_BASE/lib/logging, which the logging module in start.ini puts on the classpath; the resources module likewise puts JETTY_BASE/resources on the classpath, which is how logback finds logback.xml.

Configure Jetty to use logback for request logging by creating JETTY_BASE/etc/jetty-requestlog.xml with the following content:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<!-- ============================================================= -->
<!-- Configure the Jetty Request Log                               -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- ============================================================= -->
  <!-- Configure Request Log                                         -->
  <!-- ============================================================= -->
  <Ref refid="Handlers">
    <Call name="addHandler">
      <Arg>
        <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler">
          <Set name="requestLog">
            <New id="RequestLogImpl" class="ch.qos.logback.access.jetty.RequestLogImpl">
              <Set name="fileName"><Property name="jetty.base" default="." />/resources/logback-access.xml</Set>
            </New>
          </Set>
        </New>
      </Arg>
    </Call>
  </Ref>
</Configure>

Configure logging policy for Jetty internals logging and request logging. Sample logback configuration files are provided for convenience.

resources/logback.xml:

<?xml version="1.0" encoding="UTF-8"?>
<configuration scan="true">
  <appender name="jetty" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${jetty.base}/logs/jetty.log</File>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <FileNamePattern>${jetty.base}/logs/jetty-%d{yyyy-MM-dd}.log.gz</FileNamePattern>
    </rollingPolicy>
    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
      <charset>UTF-8</charset>
      <Pattern>%date{HH:mm:ss.SSS} - %level [%logger:%line] - %msg%n</Pattern>
    </encoder>
  </appender>

  <root level="INFO">
    <appender-ref ref="jetty" />
  </root>
  <logger name="org.springframework" level="OFF" />
  <logger name="ch.qos.logback" level="WARN" />
</configuration>

resources/logback-access.xml:

<configuration>
  <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />

  <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>${jetty.base}/logs/access.log</file>
    <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
      <fileNamePattern>${jetty.base}/logs/access-%d{yyyy-MM-dd}.log.gz</fileNamePattern>
    </rollingPolicy>
    <encoder>
      <pattern>combined</pattern>
    </encoder>
  </appender>

  <appender-ref ref="FILE" />
</configuration>
Jetty uses /tmp as a staging area for unpacking the war file, and if you have cron jobs sweeping that directory for old files, the IdP will be disrupted. Create JETTY_BASE/tmp and add the following directive to JETTY_BASE/start.ini (it applies because --exec spawns a child JVM; the relative path resolves against the directory Jetty is started from, normally JETTY_BASE, so use an absolute path if that is not the case):

-Djava.io.tmpdir=tmp
File(s): /opt/shibboleth-idp/credentials/idp-backchannel.p12, lib/ext, modules/backchannel.mod, start.d/backchannel.ini, etc/jetty-backchannel.xml

The use of the back-channel is discussed in the SecurityAndNetworking topic; review it to understand whether or not you need to support this feature.

If you do need this support, these connections generally require security properties (optional TLS client authentication, with trust evaluation delegated to the IdP rather than the container) that are not appropriate for user-facing/browser use. Therefore an additional endpoint must be configured.

The connector below uses the net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory class, which is not part of Jetty. Place the jar that provides it in JETTY_BASE/lib/ext; the ext module in start.ini puts that directory on the classpath.

Create JETTY_BASE/modules/backchannel.mod:

[name]
backchannel

[depend]
server

[xml]
etc/jetty-backchannel.xml

Create JETTY_BASE/start.d/backchannel.ini. The property names must match the <Property name="..."> references in jetty-backchannel.xml exactly; those references carry no default, so a misspelt name leaves the keystore settings unset and the connector fails to start. Port 8443 is free for the back-channel only if the browser-facing connector has been moved to 443 in https.ini; otherwise pick another port.

--module=backchannel
jetty.backchannel.port=8443
jetty.backchannel.keystore=/opt/shibboleth-idp/credentials/idp-backchannel.p12
jetty.backchannel.keystore.type=PKCS12
jetty.backchannel.keystore.password=passwordgoeshere

Create JETTY_BASE/etc/jetty-backchannel.xml:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">

<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!-- ============================================================= -->
  <!-- TLS context factory with optional client auth                 -->
  <!-- and no container trust (delegate to application)              -->
  <!-- for backchannel (SOAP) communication to IdP                   -->
  <!-- ============================================================= -->
  <New id="shibContextFactory" class="net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory">
    <Set name="KeyStorePath"><Property name="jetty.backchannel.keystore" /></Set>
    <Set name="KeyStoreType"><Property name="jetty.backchannel.keystore.type" /></Set>
    <Set name="KeyStorePassword"><Property name="jetty.backchannel.keystore.password" /></Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <!-- One protocol name per Item: a single "SSL SSLv2 SSLv3" string matches no protocol and excludes nothing -->
    <Set name="excludeProtocols">
      <Array type="String">
        <Item>SSL</Item>
        <Item>SSLv2</Item>
        <Item>SSLv3</Item>
      </Array>
    </Set>

    <!-- If you're on Java 8, you can use these regular expressions instead. -->
    <!--
    <Set name="IncludeCipherSuites">
      <Array type="java.lang.String">
        <Item>TLS_ECDHE.*</Item>
        <Item>TLS_RSA.*</Item>
      </Array>
    </Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>.*NULL.*</Item>
        <Item>.*RC4.*</Item>
        <Item>.*MD5.*</Item>
        <Item>.*DES.*</Item>
        <Item>.*DSS.*</Item>
      </Array>
    </Set>
    -->

    <Set name="IncludeCipherSuites">
      <Array type="String">
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_256_GCM_SHA384</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA256</Item>
        <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
        <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
      </Array>
    </Set>
  </New>

  <New id="shibHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

  <!-- ============================================================= -->
  <!-- IdP SOAP protocol connector                                   -->
  <!-- ============================================================= -->
  <Call id="shibConnector" name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="ssl.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="ssl.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.eclipse.jetty.server.SslConnectionFactory">
                <Arg name="next">http/1.1</Arg>
                <Arg name="sslContextFactory"><Ref refid="shibContextFactory"/></Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="shibHttpConfig"/></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="jetty.host" /></Set>
        <Set name="port"><Property name="jetty.backchannel.port" /></Set>
        <Set name="idleTimeout"><Property name="https.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="https.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="ssl.acceptorPriorityDelta" default="0"/></Set>
        <Set name="selectorPriorityDelta"><Property name="ssl.selectorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="https.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>
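Both the browser-facing connector (ssl.ini and jetty-ssl.xml) and the back-channel connector (backchannel.ini and jetty-backchannel.xml) are wired together only by property names: the ini supplies them, the XML reads them with <Property name="..."/>, and a name that appears on one side but not the other fails at startup at best. The following added example (written for this page, not code from the Shibboleth project or Jetty) cross-checks the two. Its sample ini and XML are constructed inline and deliberately out of step (sslContext.keyStorePath on the ini side, jetty.backchannel.keystore on the XML side) so the output shows both kinds of finding; run it on your real JETTY_BASE/start.ini, start.d/*.ini and etc/*.xml instead.

```python
import re

# Constructed sample: a start.d ini and the XML that consumes it, with the
# property names deliberately mismatched to show what the check reports.
SAMPLE_INI = """\
--module=backchannel
jetty.backchannel.port=8443
jetty.backchannel.sslContext.keyStorePath=/opt/shibboleth-idp/credentials/idp-backchannel.p12
jetty.backchannel.sslContext.keyStoreType=PKCS12
jetty.backchannel.sslContext.keyStorePassword=passwordgoeshere
"""

SAMPLE_XML = """\
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="shibContextFactory" class="net.shibboleth.utilities.jetty9.DelegateToApplicationSslContextFactory">
    <Set name="KeyStorePath"><Property name="jetty.backchannel.keystore" /></Set>
    <Set name="KeyStoreType"><Property name="jetty.backchannel.keystore.type" /></Set>
    <Set name="KeyStorePassword"><Property name="jetty.backchannel.keystore.password" /></Set>
  </New>
  <Set name="port"><Property name="jetty.backchannel.port" /></Set>
  <Set name="idleTimeout"><Property name="https.timeout" default="30000"/></Set>
</Configure>
"""

# Only the self-closing <Property name=".." [default=".."]/> form used on this
# page is recognised; that is the form Jetty 9.2's own etc/*.xml files use.
PROPERTY_REF = re.compile(r'<Property\s+name="([^"]+)"(?:\s+default="([^"]*)")?\s*/>')


def parse_ini(text):
    """name=value lines from start.ini / start.d files.  --module, --exec,
    JVM flags (-X..., -D...) and comments are not Jetty properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            props[name.strip()] = value.strip()
    return props


def property_refs(xml_text):
    """{name: default} for every <Property/> reference in the XML;
    default is None when the reference carries no default attribute."""
    refs = {}
    for m in PROPERTY_REF.finditer(xml_text):
        refs.setdefault(m.group(1), m.group(2))
    return refs


def unresolved_properties(ini_text, xml_text):
    """Names the XML needs that neither an ini line nor a default supplies."""
    defined = parse_ini(ini_text)
    return sorted(name for name, default in property_refs(xml_text).items()
                  if name not in defined and default is None)


def unused_properties(ini_text, xml_text):
    """ini settings nothing in the XML reads: usually a misspelt name."""
    refs = property_refs(xml_text)
    return sorted(name for name in parse_ini(ini_text) if name not in refs)


if __name__ == "__main__":
    print("referenced but never set:", unresolved_properties(SAMPLE_INI, SAMPLE_XML))
    print("set but never read:      ", unused_properties(SAMPLE_INI, SAMPLE_XML))
```

For a real deployment, concatenate all ini files into one string and all XML files under JETTY_BASE/etc (plus the JETTY_HOME/etc files the enabled modules pull in) into another before calling the two functions; https.timeout above is not reported because it has a default, which is exactly why the keystore references, which have none, need to be caught before the first restart.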
By default Jetty enables directory indexing. It is possible to turn this off in the IdP's deployment descriptor, but to avoid unnecessary edits to that file you can disable it globally if you are willing to copy and maintain a couple of additional default files from Jetty's configuration set.

To disable it globally: copy the container's default web descriptor (JETTY_HOME/etc/webdefault.xml) and the deployer configuration that references it (JETTY_HOME/etc/jetty-deploy.xml) into JETTY_BASE/etc, point the copied jetty-deploy.xml at the copied webdefault.xml, and set the dirAllowed init-param of the default servlet in that file to false. Remember to re-apply the change when you upgrade Jetty.

To disable it explicitly for the IdP only, add a servlet definition to the IdP's deployment descriptor (web.xml):

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
  <init-param>
    <param-name>dirAllowed</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
There may be situations where you wish to "offload" TLS to a load balancer or HTTP proxy, a setup looking something like:

---(https)---> Apache/LB ---(http)---> Jetty/Shibboleth IdP

Attempting a user login with the default Jetty configuration may then fail with an error similar to "SAML message intended destination endpoint https://hostname... did not match the recipient endpoint http://hostname...", because the IdP reconstructs the endpoint URL from the scheme it sees on the Jetty connector, which is plain HTTP.

Jetty can be configured to consume the X-Forwarded-Proto HTTP header so that the protocol used between the client and the load balancer, rather than the plain HTTP connection originating at the load balancer, is what the application sees. The Proxy / Load Balancer Configuration section of the Jetty documentation describes the required configuration; in Jetty 9.2 it consists of adding an org.eclipse.jetty.server.ForwardedRequestCustomizer to the HttpConfiguration. Jetty honours the header on whatever connection carries it, so make sure Jetty is reachable only from the proxy and that the proxy overwrites the header rather than passing through a client-supplied value.

The following example achieves that using Apache httpd's mod_proxy and mod_headers. The last line passes REMOTE_USER through to the IdP, useful for external authentication in a browser or ECP; the same trust caveat applies, since any client able to reach Jetty directly could set a REMOTE-USER header itself.

RequestHeader set X-Forwarded-Proto "https" env=HTTPS
ProxyPass /idp http://localhost:8080/idp connectiontimeout=5 timeout=15
RequestHeader set REMOTE-USER %{REMOTE_USER}s
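To make the failure mode and the trust boundary concrete, the following added example (written for this page, not code from the Shibboleth project, Jetty or httpd) models in Python what the forwarded-header handling changes: how the recipient endpoint is reconstructed with and without X-Forwarded-Proto, why the destination comparison quoted above fails when the header is not consumed, and why both X-Forwarded-Proto and REMOTE-USER must be believed only when the TCP peer is the proxy. The TRUSTED_PROXIES set, the example hostname and the SAML endpoint path are assumptions for illustration; the real Jetty customizer does no peer check of its own, which is the reason for the network restriction recommended above.

```python
# Assumption: Jetty is reachable only from the proxy at these addresses (the
# httpd example above proxies to localhost); adjust for your topology.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def effective_scheme(peer_ip, connector_scheme, headers):
    """Scheme the IdP should believe the browser used.

    Without forwarded handling it is the connector's own scheme (http when
    TLS is offloaded).  With it, X-Forwarded-Proto wins, but only when the
    peer is a trusted proxy; otherwise a direct client could claim https.
    """
    if peer_ip in TRUSTED_PROXIES:
        proto = _lower(headers).get("x-forwarded-proto", "").lower()
        if proto in ("http", "https"):
            return proto
    return connector_scheme


def recipient_endpoint(peer_ip, connector_scheme, host, path, headers):
    """URL the IdP reconstructs and compares with the SAML Destination."""
    return f"{effective_scheme(peer_ip, connector_scheme, headers)}://{host}{path}"


def destination_check(saml_destination, peer_ip, connector_scheme, host, path, headers):
    """None when the message may be accepted, otherwise the mismatch text
    (wording modelled on the IdP error quoted above)."""
    recipient = recipient_endpoint(peer_ip, connector_scheme, host, path, headers)
    if recipient == saml_destination:
        return None
    return (f"SAML message intended destination endpoint {saml_destination} "
            f"did not match the recipient endpoint {recipient}")


def remote_user(peer_ip, headers):
    """REMOTE-USER is an identity assertion; honour it only from the proxy,
    because any client that can reach Jetty directly can set the header."""
    if peer_ip not in TRUSTED_PROXIES:
        return None
    return _lower(headers).get("remote-user") or None


if __name__ == "__main__":
    # Constructed example values; not taken from any real deployment.
    dest = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"
    path = "/idp/profile/SAML2/Redirect/SSO"
    proxied = {"X-Forwarded-Proto": "https", "REMOTE-USER": "alice"}
    print("no forwarded handling:", destination_check(dest, "127.0.0.1", "http", "idp.example.org", path, {}))
    print("header from proxy:    ", destination_check(dest, "127.0.0.1", "http", "idp.example.org", path, proxied))
    print("header from stranger: ", destination_check(dest, "203.0.113.9", "http", "idp.example.org", path, proxied))
    print("user from stranger:   ", remote_user("203.0.113.9", proxied))
```

The first call reproduces the error from the page (http recipient versus https destination); the second shows it resolved once the proxy's header is consumed; the third and fourth show that the same headers from an address that is not the proxy change nothing, which is the property your firewall or bind address must guarantee, since the Jetty customizer itself will not.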