Shibboleth Developer's Meeting, 2019-03-15
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-04-05. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- Duration (or Instant/DateTime) parsing - JAXP vs. java.time
Attendees:
Brent
- OSJ-265 - Unless we (really) bend our rules, tentative plan would be to do a new minor release of java-support 7.5.0, and a patch release of java-opensaml (and possibly java-identity-provider). Concerns?
...
- Work on IDP-1191.
- Since servlet spec 3.0 (session tracking config is a bit more standardised since 3.0), setting the session tracking mode to COOKIE (and only that) in web.xml should not expose the jsessionid unless there is a bug (as it already in . This is already being set by the IdP).
- Not sure of the impact of a stolen JSESSIONID; shib_idp_session is more a form of ambient authority. Although it is used by webflow for conversation state and shib session manager internals (needs more looking into).
- Looked at the potential to steal cookies with injected JavaScript - unlikely - although httpOnly bypasses have existed in the past. Also injected script could steal any anti-CSRF token if used - but cannot see how JavaScript could be injected into the views (dynamic stuff is being escaped).
- Will look at the anti-CSRF token and/or the impact of session surfing, as not sure how useful that is.
- Will write something small up unless somebody tells me I am wasting time.
...
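A check for the servlet session-tracking point raised in the notes above, added here as an example and not code from the Shibboleth project or the meeting: it parses a web.xml for a COOKIE-only tracking-mode plus an HttpOnly session cookie, and scans access-log lines for a jsessionid carried in the URL, which is what URL rewriting leaves behind when cookie-only tracking is not enforced. The web.xml documents and log lines are constructed samples, not the IdP's own descriptor or logs; the Secure-flag check goes one step beyond the notes, which only mention httpOnly.

```python
"""Audit a Servlet 3.0+ web.xml for cookie-only session tracking and scan
access-log lines for URL-carried JSESSIONIDs. Added example; the samples
below are constructed and are not the Shibboleth IdP's own files."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: no <session-config>, so container defaults apply.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>example</display-name>
</web-app>"""

# Constructed sample: cookie-only tracking but no cookie hardening.
PARTIAL_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

# Constructed sample: tracking restricted to COOKIE, cookie HttpOnly and Secure.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works for any Java EE / Jakarta namespace."""
    return tag.rsplit('}', 1)[-1]


def audit_web_xml(text):
    """Return a list of findings; an empty list means the descriptor passes every check."""
    root = ET.fromstring(text)
    session_config = next((el for el in root if _local(el.tag) == 'session-config'), None)
    if session_config is None:
        return ['no <session-config>: container defaults apply, URL rewriting may be allowed']

    findings = []
    # Servlet 3.0 allows several <tracking-mode> elements; we require exactly COOKIE.
    modes = [el.text.strip() for el in session_config
             if _local(el.tag) == 'tracking-mode' and el.text]
    if modes != ['COOKIE']:
        findings.append(f'tracking-mode is {modes or "unset"}; expected exactly [COOKIE]')

    cookie_config = next((el for el in session_config if _local(el.tag) == 'cookie-config'), None)
    flags = {}
    if cookie_config is not None:
        for el in cookie_config:
            flags[_local(el.tag)] = (el.text or '').strip().lower()
    if flags.get('http-only') != 'true':
        findings.append('<http-only> not true: session cookie readable by injected script')
    if flags.get('secure') != 'true':
        findings.append('<secure> not true: session cookie may be sent over plain HTTP')
    return findings


# The URL-rewriting form a container emits when URL session tracking is in effect.
JSESSIONID_IN_URL = re.compile(r';jsessionid=([0-9A-Za-z]+)', re.IGNORECASE)

# Constructed access-log lines with a made-up session value.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2019:09:01:02 +0000] "GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 302 0',
    '10.0.0.5 - - [15/Mar/2019:09:01:03 +0000] "GET /idp/profile/SAML2/Redirect/SSO;jsessionid=ABC123DEF456 HTTP/1.1" 200 4311',
    '10.0.0.6 - - [15/Mar/2019:09:02:10 +0000] "POST /idp/profile/SAML2/POST/SSO HTTP/1.1" 200 5120',
]


def find_url_session_leaks(lines):
    """Return (line_number, session_id) pairs where a JSESSIONID travelled in the URL."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JSESSIONID_IN_URL.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


if __name__ == '__main__':
    for name, doc in (('weak', WEAK_WEB_XML), ('partial', PARTIAL_WEB_XML),
                      ('hardened', HARDENED_WEB_XML)):
        print(name, audit_web_xml(doc) or 'OK')
    print('URL-carried session ids:', find_url_session_leaks(SAMPLE_LOG))
```

The log scan is the quick operational check: if cookie-only tracking is really in force, `;jsessionid=` should never appear in request paths, so any hit points at either a misconfigured deployment or a container not honouring the tracking mode.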