Shibboleth Developer's Meeting, 2019-03-15
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-04-05. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for access info.
AGENDA
- Duration (or Instant/DateTime) parsing - JAXP vs. java.time
Attendees:
Brent
OSJ-265 - Unless we (really) bend our rules, tentative plan would be to do a new minor release of java-support 7.5.0, and a patch release of java-opensaml (and possibly java-identity-provider). Concerns?
...
- Work on IDP-1191.
- Since servlet spec 3.0 (session tracking config is a bit more standardised since 3.0), setting session tracking mode to COOKIE (and only that) in web.xml should not expose jsessionid unless there is a bug. This is already being set by the IdP.
- Not sure of the impact of a stolen JSESSIONID; shib_idp_session is more a form of ambient authority. Although it is used by webflow for conversation state and shib session manager internals (needs more looking into).
- Looked at the potential to steal cookies with injected JavaScript - unlikely - although httpOnly bypasses have existed in the past. Also injected script could steal any anti-CSRF token if used - but cannot see how JavaScript could be injected into the views (dynamic stuff is being escaped).
- Will look at anti-CSRF token and/or the impact of session surfing, as not sure how useful that is.
- Will write something small up unless somebody tells me I am wasting time.
...
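For reference on the servlet-spec point raised above: the web.xml fragment below is an added illustration (not taken from the meeting notes or from the Shibboleth IdP's own distributed configuration) of the Servlet 3.0 session-config elements that restrict session tracking to cookies only, so the container never falls back to URL rewriting and the jsessionid never appears in links or logs. The http-only and secure flags on the cookie are included as the companion hardening settings; the exact values a deployment uses are an assumption here.

```xml
<!-- Servlet 3.0+ web.xml fragment (illustrative, not the IdP's shipped web.xml) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <session-config>
    <!-- Fail closed: session id is carried only in a cookie, never rewritten
         into URLs (no ;jsessionid=... in links, Referer headers or access logs). -->
    <tracking-mode>COOKIE</tracking-mode>

    <cookie-config>
      <!-- Not readable by script, so injected JavaScript cannot read it directly. -->
      <http-only>true</http-only>
      <!-- Only sent over TLS, so it cannot be observed on a cleartext hop. -->
      <secure>true</secure>
    </cookie-config>
  </session-config>

</web-app>
```

Note that tracking-mode only governs the container's JSESSIONID; application-level cookies such as shib_idp_session are set by the IdP itself, so their httpOnly and secure attributes are controlled in the IdP's own configuration rather than here.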