...
MDA-52: A new stage ElementsStrippingStage has been added to allow stripping a number of different elements (all from the same namespace) from a DOM document. The stage may be operated in a blacklisting or whitelisting mode, with blacklisting the default. Like ElementStrippingStage, an elementNamespace property determines the namespace in question, and all elements in other namespaces are ignored.

MDA-56: A new stage EntityAttributeAddingStage has been added to add entity attributes to the metadata for SAML entities. This is configured using the attributeName, attributeNameFormat and attributeValue properties, with attributeName and attributeNameFormat defaulting to the values required to add an entity category attribute. The stage is based on a new Container framework which attempts to generate reasonably well formatted XML for nested container elements, and handles the insertion of the required parent containers (Extensions, EntityAttributes, Attribute) when they are not already present.

MDA-116: The ScriptletStage has a new variableName property controlling the name of the variable in the script context to which the item list is assigned. This defaults to "items" as before, but may be overridden for languages or scripts that require a different value. For example, setting variableName to "$items" allows use of the stage with Ruby.

MDA-138: A new SAMLStringElementCheckingStage can be used to check the general rule in SAML that elements with string values must have at least one non-whitespace character.

MDA-160: The EntityAttributesFilteringStage has been extended with a new recordingRemovals property, defaulting to false. If recordingRemovals is set to true, each removed entity attribute is recorded as a WarningStatus in the item's item metadata, indicating the name and value of the entity attribute removed. This can then be processed by subsequent stages, such as a StatusMetadataLoggingStage.

MDA-173: A new DiscoFeedCollectionSerializer can be used in conjunction with the existing SerializationStage to generate a JSON discovery feed compatible with the Shibboleth Embedded Discovery Service (EDS), as an alternative to the Shibboleth SP's ability to generate such a feed at its /DiscoFeed endpoint. A configuration example is available. The following properties may be set; all are false by default:
- prettyPrinting creates more human-readable output using white space; this is the Shibboleth SP's default, but is disabled by default for the DiscoFeedCollectionSerializer.
- includingLegacyDisplayNames is equivalent to the SP's legacyOrgNames attribute.
- includingEntityAttributes is equivalent to the SP's tagsInFeed attribute.

MDA-177: An entity attribute matcher AssuranceCertificationMatcher has been added to allow simpler matching of entity attributes containing assurance certifications, such as that used by the SIRTFI framework.

MDA-178: A standard bean definition resource has been added to simplify access to each bean class in the aggregator-pipeline artifact. In XML configuration, this can be accessed by <import resource="classpath:net/shibboleth/metadata/beans.xml"/>. One abstract bean is defined for each available bean class, named after the class's simple name prefixed by "mda.". After including this resource, for example, class="net.shibboleth.metadata.dom.XMLSignatureValidationStage" can be replaced by parent="mda.XMLSignatureValidationStage"; this definition will also include the init-method and destroy-method properties for the bean when appropriate. This resource also implements MDA-277 to provide migration assistance from old releases of the MDA.

MDA-179: The simple command-line interface now includes a --version option to request the printing of the framework version number.

MDA-184: A new utility class RegexFileFilter has been added to support one of the common use cases of the DOMFilesystemSourceStage, where only certain files should be processed from a directory, based on their names.

MDA-187: A new IPHintValidationStage has been added to allow validation of <mdui:IPHint> elements in SAML metadata. The checkingNetworks property (default true) requires that the value represents a network and not a host, thus faulting values such as "127.0.0.1/24".

MDA-193: To make using the Validator framework more straightforward, the new ValidatorSequence class abstracts the concept of a sequence of Validators which can be maintained and applied as a group. Existing classes requiring this behaviour have been refactored to take advantage of ValidatorSequence.

MDA-199: A new X509ROCAValidator component allows RSA public keys in X.509 certificates to be checked for vulnerability to ROCA (the Return of Coppersmith's Attack, also known as CVE-2017-15361).

MDA-200: The BaseValidator abstract class has been extended to add an addErrorMessage method and a message property, which acts as a format string for ErrorStatus item metadata generated through addErrorMessage.

MDA-201: New AcceptAllValidator and RejectAllValidator components have been added. Both always return Action.DONE so that they can be used to terminate a sequence of validators. AcceptAllValidator has no other functionality; RejectAllValidator uses its message property to format an appropriate ErrorStatus for the Item on which validation is being performed.

MDA-202: Four new validator components (AcceptStringValueValidator, RejectStringValueValidator, AcceptStringRegexValidator and RejectStringRegexValidator) have been added to match String values. All four return Action.DONE if the match occurs and will therefore terminate a sequence of validators; Action.CONTINUE is returned otherwise. The Reject forms also add a formatted ErrorStatus on matching.

MDA-214: A new X509DSADetector component allows DSA keys in metadata to be rejected, or merely warned about.

MDA-229: A new StringElementValidationStage component allows the validation of the string contents of designated DOM elements. Use setElementNames (set the elementNames property) to specify a collection of element names to validate. A second method (setElementName, or set the elementName property) provides a shortcut for the common single-element case.

MDA-231: A new StringAttributeValidationStage component allows the validation of the string contents of designated DOM attributes. Its API mirrors that of StringElementValidationStage with the addition of a setAttributeNames method (an attributeNames property) to specify a collection of attributes to validate on the selected elements. setAttributeName (an attributeName property) provides a shortcut for the common single-attribute case.

MDA-233: The Validator interface has been extended with a second validate method with an additional String valueContext parameter. This provides a way for a caller to provide context about the validation so that error messages can be more helpful: for example, a failed validation of a particular component in a URL can refer to the entire URL as well as the rejected component value. Both validate methods are provided with default bodies, so that existing Validator implementations work without change: new implementations must implement at least one of the methods, but this can be either one. Within the aggregator framework, this functionality has been retrofitted to many existing classes so that the valueContext is propagated through a validator hierarchy, and the new Validator<URL> classes make use of the value in reporting (see MDA-299 below).

MDA-234: A new ItemOrderingStage allows the collection of entities to be re-ordered according to a supplied ItemOrderingStrategy<T> (the default strategy does not change the ordering).

MDA-282: CompositeStage and SimplePipeline now support a boolean loggingProgress property which, if enabled, causes instances to log progress through the configured stages at the INFO level. Execution of each stage is surrounded by an indication of the number of items being processed as well as the elapsed time for processing, and a final composite elapsed time is logged at the end.
This feature is enabled for all instances of CompositeStage and SimplePipeline regardless of their loggingProgress property if the system property net.shibboleth.metadata.loggingAllProgress is set to true. This is intended to allow an initial overall view of processing time before digging into specific instances of CompositeStage later.

MDA-287: A new ScopeValidationStage component has been added to allow the checking of <shibmd:Scope> elements in SAML metadata. The stage accepts two lists of Validator<String>, one for scopes where regex="false" or absent, and another for scopes where regex="true". Additional validator components AsLiteralTailStringValidator, AsDomainNameStringValidator, RejectDomainNameNotUnderPublicSuffixValidator and RejectDomainNamePublicSuffixValidator have also been added to allow the construction of the kind of complex validator policy required in this area. An example of the kind of policy detail achievable with this mechanism (which has been used for some years in the InCommon federation and the UK federation) can be found in this test case.

MDA-288: A new DuplicateEntityInAggregateCheckingStage allows checking of SAML metadata aggregates to ensure that they do not include entities with duplicate entityID values.

MDA-289: A new FixedStringIdentifierGenerationStrategy has been added for use when it is not necessary to use different ID attribute values for different documents.

MDA-299: A new AsURLStringValidator allows validating string values (such as DOM attributes using StringAttributeValidationStage) as URLs. Additional validators may then be applied to the resulting URL: HTTPSOnlyURLValidator, EmptyPortURLValidator and MissingHostURLValidator are provided for common use cases.

MDA-301: The BaseAsValidator class now includes detail from an IllegalArgumentException resulting from a failed conversion in the resulting error message. The extended addErrorMessage method used to implement this is also available for use by other BaseValidator subclasses.
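The following Spring XML wires together several of the features above (the MDA-178 bean resource, the MDA-56, MDA-173, MDA-187 and MDA-282 properties) as an added example; it is not part of the original release notes or of the MDA distribution. The entity category URI is a constructed placeholder, and the stages list property on SimplePipeline is assumed rather than taken from this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- MDA-178: pull in the abstract "mda.*" parent definitions so that
         stages can be declared by simple name rather than full class name. -->
    <import resource="classpath:net/shibboleth/metadata/beans.xml"/>

    <!-- MDA-56: tag every entity with an entity category attribute.
         attributeName and attributeNameFormat keep their entity-category
         defaults; the category URI below is a constructed placeholder. -->
    <bean id="addEntityCategory" parent="mda.EntityAttributeAddingStage"
          p:id="addEntityCategory"
          p:attributeValue="http://example.org/category/EXAMPLE-CATEGORY"/>

    <!-- MDA-187: fault <mdui:IPHint> values that name a host rather than a
         network, e.g. "127.0.0.1/24". checkingNetworks is already true by
         default; it is spelled out here for clarity. -->
    <bean id="checkIPHints" parent="mda.IPHintValidationStage"
          p:id="checkIPHints"
          p:checkingNetworks="true"/>

    <!-- MDA-173: JSON discovery feed for the Shibboleth EDS, with the
         SP-equivalent options (legacyOrgNames, tagsInFeed) switched on.
         In a full configuration this bean is handed to a SerializationStage. -->
    <bean id="discoFeedSerializer" parent="mda.DiscoFeedCollectionSerializer"
          p:prettyPrinting="true"
          p:includingLegacyDisplayNames="true"
          p:includingEntityAttributes="true"/>

    <!-- MDA-282: log item counts and elapsed time around each stage at INFO.
         "stages" is assumed to be the SimplePipeline list property.
         Setting -Dnet.shibboleth.metadata.loggingAllProgress=true on the JVM
         would enable this for every pipeline regardless of the property. -->
    <bean id="pipeline" parent="mda.SimplePipeline"
          p:id="pipeline"
          p:loggingProgress="true">
        <property name="stages">
            <list>
                <ref bean="addEntityCategory"/>
                <ref bean="checkIPHints"/>
            </list>
        </property>
    </bean>

</beans>
```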
...