Shibboleth Developer's Meeting, 2022-11-18

Call Administrivia

09:00 Central US / 10:00 Eastern US / 15:00 UK / 17:00 FI

Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2022-12-02. Any reason to deviate from this?

60 to 90 minute call window.

Call Details

This week's call will use the OSU Zoom system, per message sent to dev list ('Shibboleth Developer call' - MARC)

AGENDA

1. Plan for migration off HttpServletXXX proxies (largely mapped out, just summing up cause, solution)

   1. I believe the Supplier hook was added post-4.2? We may want to switch to a custom non-null interface…

2. JSSH-5: ServiceableComponent should implement AutoCloseClosed

   1. See net.shibboleth.idp.attribute.filter.impl.AttributeFilterImplTest for test weirdness around this

   2. Rod is reworking this change

3. (PS) Pin release plugin versions?

   1. Phil will look at pinning the initial cases.

4. (RDW) Whither SAML1NameIdentifierAttributeDefinition and SAML2NameIDAttributeDefinition?

   1. Still TBD, would like to know what the use cases are at this point. Willing to change warning message if we need to.

Attendees:

Brent

• Absent, updated via Slack that HttpClient 5.2 refactor is moving along

Daniel

Henri

• Absent today

• Relying party bean-wiring problem described in a mail

  • Fixed, see JSE-51: Wildcard classpath imports don't work in our import logicClosed

Ian

John

Marvin

Phil

• DuoOIDC plugin improvements and testing

  • DuoOIDC plugin 1.3.0 release

• Back to RP next week

  • Hopefully a new release before TechEx.

    • Improve code

    • Add key set document endpoint (hopefully before TechEx)

Rod

• SSPCPP-961: Shibboleth SP - Windows - possible Privilege EscalationClosed

• IDP-1793: Use Suppliers for HttpRequest/ResponseClosed I need to document the new beans (but things are still moving in this space)

• IDP-2037: Computed, Pairwise and StoredId DataConnectors to not implement all the common attributesClosed, IDP-2036: Mapped Attribute Definition does not implements all the common AttributesClosed

• Somebody from Red Hat Product Security claims they didn't put any hibernate jars into Maven Central. Doesn’t that make you feel comfortable.

Scott

• Walking the libraries with the Null analyzer enabled, finding a few bugs here and there

  • We probably want to take the V5 opportunity to revisit our method contracts and reduce use of nulls, especially around collections

  • Using asserts to some extent, per Slack to convince analyzer, these are on in the tests automatically

• https://git.shibboleth.net/view/?p=java-identity-provider.git;a=commit;h=0687ed7d180fb4e697351135a96a331c721208ba

  • Removed what seemed to be an unused method, but @Rod Widdowson may want to review

Tom

• testbed

Other