Versions Compared

Old Version 3

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
$ git clone https://git.shibboleth.net/git/java-idp-jetty-base
$ cd java-idp-jetty-base
$ git checkout 12
$ cp -r jetty-impl/src/main/resources/net/shibboleth/idp/module/jetty/jetty-base /my/desired/location/

...

Code Block
languagetext
# Any other required Jetty modules...
 
# Allows setting Java system properties (-Dname=value)
# and JVM flags (-X, -XX) in this file
# NOTE: spawns child Java process
--exec

# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
#-Didp.home=/path/to/shibboleth-idp

# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
# for handling larger (> 25M) metadata files but you will need to test on
# your particular metadata configuration. If MDQ metadata on demand is used,
# requirements may be much lower.
-Xmx1500m

# Prevent blocking for entropy.
-Djava.security.egd=file:/dev/urandom

# Set Java tmp location
-Djava.io.tmpdir=tmp

# May be needed in certain cases depending on content of TLS certificate.
#jetty.ssl.sniHostCheck=false

Configure HTTP/HTTPS Connectors

...

One challenge remains that if you want to use standard ports on Linux, you would need to pick one of these options to avoid running as root:

  1. Use the setuid extension module to support listening on the privileged ports as a non-root user. This extension is now JNA-based and is seems to be undocumented at this point, and has not yet been triedbut works fine.

  2. Use a port forwarding approach (load balancer, iptables rules, etc).

  3. Adjust the range of ports considered privileged if supported by your Linux kernel.

  4. Use POSIX capabilities to allow use of priviledged ports by an unpriviledged process, e.g. when using systemd by setting AmbientCapabilities=CAP_NET_BIND_SERVICE 

...

Code Block
languagexml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
<Configure class="org.eclipse.jetty.ee9.webapp.WebAppContext">
  <Set name="war">/opt/shibboleth-idp/war/idp.war</Set>
  <Set name="contextPath">/idp</Set>
  <Set name="extractWAR">false</Set>
  <Set name="copyWebDir">false</Set>
  <Set name="copyWebInf">true</Set>
</Configure>

...

Jetty has had vulnerabilities related to directory indexing (sigh) so we suggest disabling that feature at this point. There are a few different ways this can be done, but one method that's fairly self-contained within the IdP footprint is to modify web.xml (i.e. copy the original version from idp.home/dist/webapp/WEB-INF/web.xml to idp.home/edit-webapp/WEB-INF/web.xml) and then rebuild the war file.

web.xml addition

...

Code Block
languagexml
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.ee9.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>

...