Shibboleth Developer's Meeting, 2019-03-15

Call Administrivia

09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-04-05. Any reason to deviate from this?

60 to 90 minute call window.


Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.


AGENDA

  1. Duration (or Instant/DateTime) parsing - JAXP vs. java.time

Attendees:


Brent

  • Jira: OSJ-265

    • Unless we (really) bend our rules, tentative plan would be to do a new minor release of java-support 7.5.0, and a patch release of java-opensaml (and possibly java-identity-provider). Concerns?

...

  • Maven version now enforced: JPAR-118
    • Replaces older prerequisites element, so enforcing version 3.3.1
    • 3.3.1 was 2015-03-18, so five years ago.
    • I'd like to enforce something newer in the interests of consistent builds.
    • Maven versions: https://maven.apache.org/docs/history.html 
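
The enforcement described above, shown as an added example rather than the Shibboleth parent POM itself. It puts the deprecated `<prerequisites>` element (which Maven 3 only honours for `maven-plugin` packaging, so it does not actually stop a build on an old Maven) beside the `maven-enforcer-plugin` rule that replaces it; the plugin version is an assumption, the floor of 3.3.1 is the one named in the notes.

```xml
<!-- Added example, not the project's own pom.xml -->

<!-- Old approach: informational only for non-plugin projects under Maven 3,
     so builds on an older Maven still proceed. -->
<prerequisites>
  <maven>3.3.1</maven>
</prerequisites>

<!-- Replacement: the enforcer plugin fails the build before anything is
     compiled if the running Maven is below the required version. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.0.0-M2</version>   <!-- assumed; use the current release -->
      <executions>
        <execution>
          <id>enforce-maven-version</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <requireMavenVersion>
                <!-- Maven version range: 3.3.1 or newer, no upper bound -->
                <version>[3.3.1,)</version>
              </requireMavenVersion>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

To check the rule bites, run `mvn validate` with an older Maven on the path: the `enforce` goal runs in the `validate` phase and the build stops with the rule's message before any dependency resolution or compilation happens, which is the point if the goal is consistent builds across developers and CI.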


Marvin


Phil

  • Work on IDP-1191.
    • Since servlet spec 3.0 (session tracking config is a bit more standardised since 3.0), setting session tracking mode to COOKIE (and only that) in web.xml should not expose jsessionid unless there is a bug. This is already being set by the IdP.
    • Not sure of the impact of a stolen JSESSIONID; shib_idp_session is more a form of ambient authority. Although it is used by webflow for conversation state and shib session manager internals (needs more looking into).
    • Looked at the potential to steal cookies with injected JavaScript - unlikely - although httpOnly bypasses have existed in the past. Also injected script could steal any anti-csrf token if used - but cannot see how JavaScript could be injected into the views (dynamic stuff is being escaped).
    • Will look at anti-csrf token - and/or the impact of session surfing, as not sure how useful that is.
    • Will write something small up unless somebody tells me I am wasting time.
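
The web.xml setting discussed above, as an added example (not the IdP's shipped web.xml). It shows the weak configuration that also permits URL session tracking beside the cookie-only one, with the `<cookie-config>` attributes that limit how far a session id can travel; the session timeout value is an assumption.

```xml
<!-- Added example, not the IdP's own web.xml: servlet 3.0+ session-config -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         version="3.1">

  <!-- Weak: allowing URL tracking lets the container append ;jsessionid=...
       to rewritten URLs, so the id can leak via Referer headers, access logs
       and copied links. Left commented out for comparison. -->
  <!--
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    <tracking-mode>URL</tracking-mode>
  </session-config>
  -->

  <!-- Hardened: cookie-only tracking, plus cookie attributes that limit exposure.
       Element order (timeout, cookie-config, tracking-mode) is fixed by the schema. -->
  <session-config>
    <session-timeout>30</session-timeout>   <!-- minutes; assumed value -->
    <cookie-config>
      <http-only>true</http-only>   <!-- not readable from script, bypasses aside -->
      <secure>true</secure>         <!-- only sent over TLS -->
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

A quick check that the setting took effect: fetch a few pages and redirects from the deployed container and confirm that no response body or Location header contains `;jsessionid=`; if one does, either URL tracking is still enabled somewhere (a container-level default, or a `<tracking-mode>URL</tracking-mode>` in an overlay) or it is the kind of container bug the note allows for.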


Rod

  • Out for much of last week.
  • Working through deprecations in custom schemas

...