Versions Compared

Old Version 4

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

These pages are examples and do not reflect any normative requirements or assumptions on the part of the IdP software and may be a mix of suggestions from both the project team and deployers. You should take any of this advice with a grain of local salt and consider general security/deployment considerations appropriate to the use of web software in your local environment.

The official information about containers and versions we support is solely maintained on the SystemRequirements page. If you wish to operate without complete responsibility for your Java servlet container, you may consider the Windows package we provide that installs a version of Jetty with very limited configurability.

...

Code Block
$ git clone https://git.shibboleth.net/git/java-idp-jetty-base
$ cd java-idp-jetty-base
$ git checkout 12
$ cp -r jetty-impl/src/main/resources/net/shibboleth/idp/module/jetty/jetty-base /my/desired/location/

...

Code Block
languagetext
# Any other required Jetty modules...
 
# Allows setting Java system properties (-Dname=value)
# and JVM flags (-X, -XX) in this file
# NOTE: spawns child Java process
--exec

# Uncomment if IdP is installed somewhere other than /opt/shibboleth-idp
#-Didp.home=/path/to/shibboleth-idp

# Maximum amount of memory that Jetty may use, at least 1.5G is recommended
# for handling larger (> 25M) metadata files but you will need to test on
# your particular metadata configuration. If MDQ metadata on demand is used,
# requirements may be much lower.
-Xmx1500m

# Prevent blocking for entropy.
-Djava.security.egd=file:/dev/urandom

# Set Java tmp location
-Djava.io.tmpdir=tmp

# May be needed in certain cases depending on content of TLS certificate.
#jetty.ssl.sniHostCheck=false

Configure HTTP/HTTPS Connectors

...

One challenge remains that if you want to use standard ports on Linux, you would need to pick one of these options to avoid running as root:

  1. Use the setuid extension module to support listening on the privileged ports as a non-root user. This extension is now JNA-based and is seems to be undocumented at this point, and has not yet been triedbut works fine.

  2. Use a port forwarding approach (load balancer, iptables rules, etc).

  3. Adjust the range of ports considered privileged if supported by your Linux kernel.

  4. Use POSIX capabilities to allow use of priviledged ports by an unpriviledged process, e.g. when using systemd by setting AmbientCapabilities=CAP_NET_BIND_SERVICE 

...

Jetty has had vulnerabilities related to directory indexing (sigh) so we suggest disabling that feature at this point. There are a few different ways this can be done, but one method that's fairly self-contained within the IdP footprint is to modify web.xml (i.e. copy the original version from idp.home/dist/webapp/WEB-INF/web.xml to idp.home/edit-webapp/WEB-INF/web.xml) and then rebuild the war file.

web.xml addition

...

Code Block
languagexml
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.ee9.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>dirAllowed</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>

...