...

However, it is possible for newer releases to introduce changes that deprecate older configuration options or formats, and you are encouraged to review this page for any changes required to "modernize" your configuration after an upgrade to make production support simpler, and future upgrades smoother. Some new features may also depend on making these changes.

Shibboleth 2.4.3 Configuration Changes

The following represent new default settings and other significant configuration changes made since the 2.4.2 release.

Elimination of Xerces-J and Xalan Dependencies

IMPACT: high

This release addresses a denial of service issue present in the Xerces parser that has been a required component of the software for most of its history. The 2.4.3 distribution no longer includes any special XML libraries and eliminates the requirement to endorse those jars to override the Java-supplied JAXP implementation. In conjunction with this, the internal.xml configuration file has changed to install a parser SecurityManager compatible only with the standard Oracle-supplied JAXP layer, reflecting the fact that there is no portable way to install a SecurityManager into the JAXP parser implementation and the Oracle JDK/JRE is the only officially supported option.

The first line of defense against the denial of service issue is to prevent large POST bodies from being accepted, as outlined in the advisory text. This should be done immediately and can be done independently of any other fix.

A secondary task for older installations is to unendorse the Xerces and Xalan libraries from your container, remove the libraries (optionally), and lastly, modify the internal.xml file as described in the advisory. The latter change is not optional, and will guarantee that the Oracle-supplied parser is used. The IdP will fail to load if this change is not done, and conversely, the IdP will also fail to load if the file is changed but the endorsement is not undone.

Lastly, if you choose to use an unsupported Java implementation, you will need to change the file to either remove the SecurityManager property from the ParserPool bean, or change the class to the correct value for that unsupported JAXP parser.
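The shape of the ParserPool change described above, as an added illustration rather than the text of the shipped internal.xml or of the advisory: the parser SecurityManager is installed through the bean's builderAttributes map under the standard Xerces property URI, and the 2.4.3 change is simply which SecurityManager class that entry names. The property URI and both class names are the real Xerces-J and JDK-internal identifiers; the bean id, class and the other property values are assumed from the 2.x configuration layout and should be checked against your own file.

```xml
<!-- Added example of the ParserPool bean in internal.xml (layout assumed from IdP 2.x). -->
<bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.StaticBasicParserPool"
      init-method="initialize">
    <property name="maxPoolSize" value="100" />
    <property name="coalescing" value="true" />
    <property name="ignoreComments" value="true" />
    <property name="ignoreElementContentWhitespace" value="true" />
    <property name="namespaceAware" value="true" />
    <property name="builderAttributes">
        <map>
            <!-- Xerces property that carries the parser's resource limits. -->
            <entry key="http://apache.org/xml/properties/security-manager">
                <!-- Pre-2.4.3: only valid while Xerces-J is endorsed in the container.
                     <bean class="org.apache.xerces.util.SecurityManager" /> -->
                <!-- 2.4.3: the SecurityManager of the JAXP parser bundled with the
                     Oracle JDK/JRE; requires that the Xerces/Xalan endorsement is removed. -->
                <bean class="com.sun.org.apache.xerces.internal.util.SecurityManager" />
            </entry>
        </map>
    </property>
</bean>
```

The two class names are not interchangeable: each parser implementation accepts only its own SecurityManager type, which is why the IdP fails to start when the file names one parser's class while the container still supplies the other. On an unsupported JAXP implementation, the entry is either removed from the map or pointed at that implementation's equivalent class, as the text above describes.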

Shibboleth 2.4.1 Configuration Changes

The following represent new default settings and other significant configuration changes made since the 2.4.0 release.

...