Shibboleth Developer's Meeting, 2019-03-15
Call Administrivia
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-04-05. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the Zoom system at GU, see ZoomGU for see ZoomGU for access info.
AGENDA
- Duration (or Instant/DateTime) parsing - JAXP vs. java.time
Attendees:
Brent
Jira Legacy server Shibboleth JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 180d847f-bce4-36b2-9964-771bff586829 key OSJ-265 - Unless we (really) bind our rules, tentative plan would be to do a new minor release of java-support 7.5.0, and a patch release of java-opensaml (and possibly java-identity-provider). Concerns?
Daniel
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key OSJ-269 - Fighting with standing up MySQL for testing
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key IDP-1357 - Testing system properties
- Guiding some development for ldaptive 2.0
Henri
- Finishing OIDC flow-tests, polishing, ...
- Aiming at releasing the first official OIDC plugin version before end of March
Ian
- Maven version now enforced:
Jira Legacy server Shibboleth JIRA serverId 180d847f-bce4-36b2-9964-771bff586829 key JPAR-118 - Replaces older
prerequisites
element, so enforcing version 3.3.1 - 3.3.1 was 2015-03-18, so five years ago.
- I'd like to enforce something newer in the interests of consistent builds.
- Maven versions: https://maven.apache.org/docs/history.html
- Replaces older
Marvin
Phil
- Work on IDP-1191.
- Since servlet spec 3.0 (session tracking config is a bit more standardised since 3.0), setting session tracking mode to COOKIE (and only that) in web.xml, should not expose jsessionid unless bug. This is already being set by the IdP.
- Not sure the impact of stolen JSESSIONID, ship_idp_session is more a form of ambient authority. Although is used by webflow for conversation state and shib session manager internals (needs more looking into)
- Looked at the potential to steal cookies with injected JavaScript - unlikely - although httpOnly bypasses have existed in the past. Also injected script could steal any anti-csrf token if used - but can not see how JavaScript could be injected into the views (dynamic stuff is being escaped).
- Will look at anti-csrf token - and or the impact of session surfing, as not sure how useful that is.
- Will write something small up unless somebody tells me I am wasting time.
Rod
- Out for much of last week.
- Working through deprecations in custom schemas
...