/
2019-11-15

2019-11-15

Jul 29, 2021

Shibboleth Developer's Meeting, 2019-11-15

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 6 dec (3 week delay). Any reason to deviate from this?

60 to 90 minute call window.

 

Call Details

This week's call will use the Zoom system at GU, see ZoomGU for access info.

 

AGENDA

  • Ldaptive - V1 vs V2

  • Sanity check:  Spring wiring for data connectors is still a "thing" in V4? (

    IDP-1179 - Getting issue details... STATUS

  • IDP-1457 - Getting issue details... STATUS

    • But also note this link

      • "This function is all deprecated and should have been removed in V4, however the change was not warned sufficiently. This will be removed in V5"

    • ... and the open question about what to do when people worry about the Nashorn warning.

  • Remaining steps to close CVE-2019-3465?

Attendees:

 

Brent

  • Proxied SAML authentication - Eclipse upgrade, got IdP + Jetty 9.4 java-idp-testbed working.  Now starting on the fun stuff.

 

Daniel

 

Henri

 

Ian

 

Marvin

 

Phil

  • Refactored more of the CSRF Listener than I said I would (git@git.shibboleth.net:philsmart/java-identity-provider branch feature/anti-csrf-flowlistener) .

    • Add an includes list alongside the excludes list.  

    • Cleaned up default predicates and config.

    • Added full set of unit tests. 

    • Updated the implementation details Anti-CSRF FlowExecutionListener Implementation

    • Think the implementation is done...until somebody decides it needs more work etc.

  • If included in the IdP, I think the approach would be:

    • Import the implementation

    • Add the config - as by default it is disabled.

    • **Maybe update the important views to include the velocity logic to add the token (or not if no token present).  Hence a clean install will be ready to enable.

    • Document how to enabled it and what needs adding to views if you upgraded etc. (taken from the implementation doc above)

 

Rod

  • Installer

  • Documentation

  • Guava and other general code cleanup

 

Scott

  • Documentation

  • IDP-1494 - Getting issue details... STATUS

    • Decryption working

    • AuthnRequest options mostly done

    • Starting on some unit tests

Tom

  • V4 prep 

    • JIRA

      • most assigned issues are resolvable

    • Testing

      •  Versions

        • When do we freeze ? 

          • Jetty 9.4.?

          • Java ...

          • Dependencies

    • Consent attribute value hash issue

      • How to follow a "dead-end" in git / svn history ?

        • backup of svn ?

    • What else should be on my todo list ?

Other