@@ -1794,6173 +1794,746 @@ <display-name>Shibboleth Identity <Provider</errordisplay-page>name> - <session-config> + <session-timeout>15</session-timeout> <cookie-config> <!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting - same named beans in previous <http-only>true</http-only> files. --> + <!-- + The context parameters below <secure>true</secure> |
4.0.1→4.1.0
@@ -8,7 +8,7 @@ same named beans in previous files. --> <context-param> control V5+ auto-registration support. + Those desiring complete control over all of these steps can disable them + but this is not generally recommended, apart from toggling the optional + servlets that may not be needed. + --> + + <!-- Registers Spring support. --> <context-param> - <param-name>contextConfigLocation</param-name> - <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> + <param-value>classpath*:/META-INF/netname>net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</.registerSpringConfig</param-name> + <param-value>true</param-value> </context-param> - + + <!-- <contextAuto-param> 
@@ -126,7 +126,7 @@ registers Java filter chain required by IdP. --> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <context-param> - <init-param> <param-name>contextClass</param-name> - <param-name>contextConfigLocation<value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-name>value> - + <param-value>${name>net.shibboleth.idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml<registerFilterChain</param-name> + <param-value>true</param-value> + </context-param> - + + <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value><!-- Auto-registers IdP dispatcher servlet. --> </init<context-param> - <init-param> <param-name>contextInitializerClasses</param-name> - <param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value> + <param-name>contextClass<name>net.shibboleth.idp.registerIdPServlet</param-name> @@ -209,7 +209,7 @@ <param-value>true</param-value> <http-method-omission>OPTIONS</http-method-omission> </context-param> - - <!-- Spring listener used to load up the configuration <http-method-omission>POST</http-method-omission> > - <listener> - </web-resource-collection><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> - </listener> <authn-constraint/> + - <!-- Filters and filter mappings <auth--constraint/> - </security-constraint> - <!-- AllowTry anyand HTTPforce methodsI18N, toprobably thewon't APIhelp flowsmuch. --> |
4.0.0→4.0.1
@@ -186,17 +186,30 @@ - <filter> - <tracking<filter-mode>COOKIE<name>CharacterEncodingFilter</trackingfilter-mode>name> - </session-config> -<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> - <!<init-param> - Block commonly flagged methods by using an empty auth-constraint. <param-name>encoding</param->name> +- <!-- Allow intended methods by using an absent auth<param-constraint. --> value>UTF-8</param-value> - <security-constraint> </init-param> - <web<init-resourceparam> -collection> <web-resource-name>Non-API Content</web-resource-name> <param-name>forceEncoding</param-name> - <url<param-pattern>/*</url-pattern>value>true</param-value> - <http-method>PUT</http-method></init-param> - </filter> - <!-- Automates SameSite handling until Java API catches up. <http-method>PATCH</http-method>> - <filter> - <http<filter-method>DELETE<name>SameSiteCookieFilter</httpfilter-method>name> - <http-method>TRACE</http-method> +<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <http-method>GET</http-method> +<init-param> - <http<param-method>HEAD<name>targetBeanName</httpparam-method>name> +- <http<param-method>OPTIONS<value>shibboleth.SameSiteCookieFilter</httpparam-method>value> +- </init-param> - <http-method>POST</http-method> </filter> - <!-- Lets us lump repeated </web-resource-collection> - <auth-constraint/> +Set-Cookie headers into one, something containers rarely support. --> - <filter> - <!-- no auth-constraint tag here --> + <filter-name>CookieBufferingFilter</filter-name> - <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class> - </security-constraint> + +filter> - <!-- DisallowAllows control otherof methodsresponse byheaders usingfrom anwithin emptySpring auth-constraintbeans. 
--> +- <security<filter> -constraint> + <web<filter-resourcename>DynamicResponseHeaderFilter</filter-collection>name> +- <web-resource-name>Non-API Content</web-resource-name> +<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <url-pattern>/*</url-pattern> +<init-param> - <http<param-method-omission>GET<name>targetBeanName</httpparam-methodname> -omission> + <http-method-omission>HEAD</http-method-omission> +<param-value>shibboleth.ResponseHeaderFilter</param-value> - <http-method-omission>OPTIONS</http-method-omission> +</init-param> - </filter> - <http-method-omission>POST</http-method-omission> + </web-resource-collection> +<!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. --> - <filter> - <authn-constraint/> </security-constraint> <filter-name>RequestResponseContextFilter</filter-name> - <!-- Allow any HTTP methods to the API flows. --> |
3.4.8→4.0.0
@@ -8,7 +8,7 @@ same named beans in previous files <filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class> - </filter> - <!-- Manages logging MDC. --> - <context<filter> -param> <param<filter-name>contextConfigLocation<name>SLF4JMDCServletFilter</paramfilter-name> - <param-value>classpath*:/META-INF/net<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class> - </filter> + <!-- Registers optional servlets used for RemoteUser and X509 login flows. --> + <context-param> + <param-name>net.shibboleth.idp.registerRemoteUserServlet</param-name> + <param-value>true</param-value> + </context-param> + <context-param> + <param-name>net.shibboleth.idp.registerX509Servlet</param-name> + <param-value>true</param-value> + </context-param> - <filter-mapping> - <filter-name>SameSiteCookieFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>CookieBufferingFilter</filter-name> - <url-pattern>/profile/admin/*</url-pattern> - <url-pattern>/profile/Logout</url-pattern> - <url-pattern>/profile/Shibboleth/SSO</url-pattern> - <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern> - <url-pattern>/profile/SAML2/POST/SLO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern> - <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern> - <url-pattern>/profile/cas/login</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>DynamicResponseHeaderFilter</filter-name> - <url-pattern>/profile/admin/*</url-pattern> - <url-pattern>/profile/Shibboleth/SSO</url-pattern> - <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - 
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern> - <url-pattern>/profile/cas/login</url-pattern> - <url-pattern>/Authn/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>CharacterEncodingFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>RequestResponseContextFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>SLF4JMDCServletFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - - <!-- Servlets and servlet mappings --> - <servlet> - <servlet-name>idp</servlet-name> - <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> - <init-param> - <param-name>contextConfigLocation</param-name> - <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value> - </init-param> - <init-param> - <param-name>contextClass</param-name> - <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> - </init-param> - <load-on-startup>1</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>idp</servlet-name> - <url-pattern>/status</url-pattern> - <url-pattern>/profile/*</url-pattern> - </servlet-mapping> - - <!-- Servlet protected by container used for RemoteUser authentication --> - <servlet> - <servlet-name>RemoteUserAuthHandler</servlet-name> - <servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class> - <load-on-startup>2</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>RemoteUserAuthHandler</servlet-name> - <url-pattern>/Authn/RemoteUser</url-pattern> - 
</servlet-mapping> - - <!-- Servlet protected by container used for X.509 authentication --> - <servlet> - <servlet-name>X509AuthHandler</servlet-name> - <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class> - <load-on-startup>3</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>X509AuthHandler</servlet-name> - <url-pattern>/Authn/X509</url-pattern> - </servlet-mapping> - - <!-- Send request for the EntityID to the SAML metadata echoing JSP. --> - <servlet> - <servlet-name>shibboleth_jsp</servlet-name> - <jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file> - </servlet> - <servlet-mapping> - <servlet-name>shibboleth_jsp</servlet-name> - <url-pattern>/shibboleth</url-pattern> - </servlet-mapping> + <!-- Registers /shibboleth to return metadata file. --> + <context-param> + <param-name>net.shibboleth.idp.registerMetadataServlet</param-name> + <param-value>true</param-value> + </context-param> <!-- Send servlet errors through the IdP's MVC error handling. --> <error-page> @@ -181,11 +54,9 @@ <session-config> <session-timeout>15</session-timeout> <cookie-config> - <!-- Uncomment to add __Host- protection. --> - <!-- + <!-- Comment name and path to revert __Host- protection. --> <name>__Host-JSESSIONID</name> <path>/</path> - --> <secure>true</secure> <http-only>true</http-only> </cookie-config> |
4.2.1→4.3.1
変更なし
4.1.7→4.2.1
@@ -181,8 +181,13 @@
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
- <http-only>true</http-only>
+ <!-- Uncomment to add __Host- protection. -->
+ <!--
+ <name>__Host-JSESSIONID</name>
+ <path>/</path>
+ -->
<secure>true</secure>
+ <http-only>true</http-only>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config> |
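Review bot: The commented-out `__Host-JSESSIONID` block added at the new `<name>`/`<path>` lines is opt-in but says nothing about what enabling it requires, so a deployer who uncomments it behind a path-prefixed reverse proxy, or a load balancer whose affinity rule matches on the literal name `JSESSIONID`, can end up with a cookie browsers silently drop or with broken session stickiness. Browsers honor the `__Host-` prefix only when the cookie is Secure, has `Path=/` and carries no Domain attribute; the `<secure>true</secure>` and `<path>/</path>` lines in this hunk satisfy the first two, and Domain is absent as long as nothing else in the container configuration adds one. I would add `<!-- __Host- is honored only with Secure, Path=/ and no Domain attribute; also update any proxy/LB affinity rule that matches on the JSESSIONID name. -->` above the commented block. Whether every supported servlet container applies `<name>` to its session cookie cannot be confirmed from this hunk.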
4.1.2→4.1.7
変更なし
4.1.0→4.1.2
@@ -179,6 +179,7 @@
</error-page>
<session-config>
+ <session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure> |
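Review bot: The new `<session-timeout>15</session-timeout>` line carries no unit or rationale; under the servlet spec the value is minutes of idle time and a value of 0 or less means the container session never expires, so an undocumented edit here can silently disable expiry. I would add `<!-- Idle timeout of the container session, in minutes; keep positive (0 or negative disables expiry). -->` above it. This presumably governs only the container's `JSESSIONID` session and not the IdP's own SSO session lifetime, which is configured elsewhere and is not visible in this hunk. The enclosing `<session-config>` closes outside the hunk.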
4.0.1→4.1.0
@@ -8,7 +8,7 @@
same named beans in previous files. -->
<context-param>
<param-name>contextConfigLocation</param-name>
- <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+ <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
</context-param>
<context-param>
@@ -126,7 +126,7 @@
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
- <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
+ <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
</init-param>
<init-param>
<param-name>contextClass</param-name>
@@ -209,7 +209,7 @@
<http-method-omission>OPTIONS</http-method-omission>
<http-method-omission>POST</http-method-omission>
</web-resource-collection>
- <authn-constraint/>
+ <auth-constraint/>
</security-constraint>
<!-- Allow any HTTP methods to the API flows. --> |
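Review bot: The `<authn-constraint/>` to `<auth-constraint/>` correction at the last changed line is a security fix rather than a typo cleanup and deserves a comment so it is not regressed: `authn-constraint` is not a `web-app` schema element, so on the 4.0.1 file a validating container rejected the descriptor, while a lenient one parsed the "disallow other methods" block as a constraint with no auth-constraint at all, which the servlet spec treats as permit, the opposite of the intent. I would add `<!-- Empty auth-constraint = deny. The element name must be auth-constraint; an unrecognised element here turns this into an allow rule on lenient containers. -->` directly above it. After upgrading, verify with a `TRACE` or `PUT` against a `/idp/profile/...` path that the container now answers 403. How each supported container actually handled the misspelled element cannot be confirmed from this page.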
4.0.0→4.0.1
@@ -186,17 +186,30 @@
<tracking-mode>COOKIE</tracking-mode>
</session-config>
- <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+ <!-- Allow intended methods by using an absent auth-constraint. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Non-API Content</web-resource-name>
<url-pattern>/*</url-pattern>
- <http-method>PUT</http-method>
- <http-method>PATCH</http-method>
- <http-method>DELETE</http-method>
- <http-method>TRACE</http-method>
+ <http-method>GET</http-method>
+ <http-method>HEAD</http-method>
+ <http-method>OPTIONS</http-method>
+ <http-method>POST</http-method>
</web-resource-collection>
- <auth-constraint/>
+ <!-- no auth-constraint tag here -->
+ </security-constraint>
+
+ <!-- Disallow other methods by using an empty auth-constraint. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Non-API Content</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ <http-method-omission>GET</http-method-omission>
+ <http-method-omission>HEAD</http-method-omission>
+ <http-method-omission>OPTIONS</http-method-omission>
+ <http-method-omission>POST</http-method-omission>
+ </web-resource-collection>
+ <authn-constraint/>
</security-constraint>
<!-- Allow any HTTP methods to the API flows. --> |
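Review bot: `<authn-constraint/>` at the end of the new "Disallow other methods" constraint is not a valid `web-app` element (the schema element is `auth-constraint`), so the deny rule this hunk introduces is either rejected at deployment by a validating container or, on a lenient one, read as a constraint with no auth-constraint, which per the servlet spec grants access to PUT/PATCH/DELETE/TRACE instead of denying them. The line should read `<auth-constraint/>`, which is what the later 4.0.1→4.1.0 change ships. The first constraint's GET/HEAD/OPTIONS/POST allow-list with an absent auth-constraint, paired with `http-method-omission` in the second block, is the right Servlet 3.x pattern once the element name is fixed. Both constraints reuse the `web-resource-name` "Non-API Content"; a distinct name such as `Non-API Content (other methods)` would make container logs unambiguous about which rule fired.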
3.4.8→4.0.0
@@ -8,7 +8,7 @@
same named beans in previous files. -->
<context-param>
<param-name>contextConfigLocation</param-name>
- <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+ <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
</context-param>
<context-param>
@@ -27,6 +27,7 @@
</listener>
<!-- Filters and filter mappings -->
+
<!-- Try and force I18N, probably won't help much. -->
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
@@ -40,6 +41,15 @@
<param-value>true</param-value>
</init-param>
</filter>
+ <!-- Automates SameSite handling until Java API catches up. -->
+ <filter>
+ <filter-name>SameSiteCookieFilter</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ <init-param>
+ <param-name>targetBeanName</param-name>
+ <param-value>shibboleth.SameSiteCookieFilter</param-value>
+ </init-param>
+ </filter>
<!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
<filter>
<filter-name>CookieBufferingFilter</filter-name>
@@ -64,6 +74,11 @@
<filter-name>SLF4JMDCServletFilter</filter-name>
<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
</filter>
+
+ <filter-mapping>
+ <filter-name>SameSiteCookieFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter-mapping>
<filter-name>CookieBufferingFilter</filter-name>
<url-pattern>/profile/admin/*</url-pattern> |
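Review bot: The new `SameSiteCookieFilter` mapping is inserted ahead of every existing `/*` mapping without a comment saying that its position matters; `filter-mapping` order in web.xml is chain order, and a filter that rewrites `Set-Cookie` headers presumably has to be outermost so that its response wrapper sees cookies added by `CookieBufferingFilter`, the other filters and the servlet. I would add `<!-- Keep first: wraps the response so Set-Cookie headers added by later filters and servlets get SameSite applied. -->` above the mapping. The actual SameSite policy is decided by the `shibboleth.SameSiteCookieFilter` bean named in the filter definition earlier in this diff, not by this file, so the "Automates SameSite handling" comment should also point deployers at that bean's configuration; what the default policy is cannot be determined from this page.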
3.4.0→3.4.8
@@ -73,9 +73,11 @@
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
<url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
<url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
<filter-mapping>
@@ -86,6 +88,7 @@
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
<url-pattern>/profile/cas/login</url-pattern>
<url-pattern>/Authn/*</url-pattern>
</filter-mapping>
@@ -176,7 +179,6 @@
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>DELETE</http-method>
- <http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/> |
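Review bot: Dropping `OPTIONS` from the blocked-method list changes the exposed surface (OPTIONS is now answered for `/*`, which is what CORS preflight and method discovery use), yet the surrounding comment still reads "Block commonly flagged methods" with no reason for the exception. I would add `<!-- OPTIONS intentionally not blocked: <reason> -->` above the list; the reason cannot be recovered from this hunk, presumably a client or container needed preflight/OPTIONS to succeed. Also verify that the container's OPTIONS response does not advertise PUT, PATCH, DELETE or TRACE in its `Allow` header, since those remain denied by the empty `<auth-constraint/>` and an accurate header avoids noise in scanners' findings.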
3.3.0→3.4.0
@@ -45,6 +45,15 @@
<filter-name>CookieBufferingFilter</filter-name>
<filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
</filter>
+ <!-- Allows control of response headers from within Spring beans. -->
+ <filter>
+ <filter-name>DynamicResponseHeaderFilter</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ <init-param>
+ <param-name>targetBeanName</param-name>
+ <param-value>shibboleth.ResponseHeaderFilter</param-value>
+ </init-param>
+ </filter>
<!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
<filter>
<filter-name>RequestResponseContextFilter</filter-name>
@@ -57,6 +66,7 @@
</filter>
<filter-mapping>
<filter-name>CookieBufferingFilter</filter-name>
+ <url-pattern>/profile/admin/*</url-pattern>
<url-pattern>/profile/Logout</url-pattern>
<url-pattern>/profile/Shibboleth/SSO</url-pattern>
<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
@@ -69,6 +79,17 @@
<url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
<filter-mapping>
+ <filter-name>DynamicResponseHeaderFilter</filter-name>
+ <url-pattern>/profile/admin/*</url-pattern>
+ <url-pattern>/profile/Shibboleth/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/cas/login</url-pattern>
+ <url-pattern>/Authn/*</url-pattern>
+ </filter-mapping>
+ <filter-mapping>
<filter-name>CharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
@@ -139,6 +160,14 @@
<location>/profile/RaiseError</location>
</error-page>
+ <session-config>
+ <cookie-config>
+ <http-only>true</http-only>
+ <secure>true</secure>
+ </cookie-config>
+ <tracking-mode>COOKIE</tracking-mode>
+ </session-config>
+
<!-- Block commonly flagged methods by using an empty auth-constraint. -->
<security-constraint>
<web-resource-collection> |
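Review bot: The new `<session-config>` marks the container session cookie HttpOnly and Secure and forces `COOKIE` tracking, but carries no comment stating the security intent, so a deployer troubleshooting a plain-HTTP test instance (where a Secure cookie is never returned by the browser) may simply delete the block. I would add `<!-- Container session cookie: HttpOnly, Secure (sent over TLS only) and cookie-only tracking so the session id is never rewritten into URLs. -->` above `<cookie-config>`. `<tracking-mode>COOKIE</tracking-mode>` is what prevents `;jsessionid=` URL rewriting and the resulting leakage through Referer headers and access logs, which is worth naming explicitly. The `security-constraint` that follows continues outside the hunk.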
3.2.1→3.3.0
@@ -8,7 +8,7 @@
same named beans in previous files. -->
<context-param>
<param-name>contextConfigLocation</param-name>
- <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
+ <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
</context-param>
<context-param>
@@ -52,7 +52,7 @@
</filter>
<!-- Manages logging MDC. -->
<filter>
- <filter-name>SL4JMDCServletFilter</filter-name>
+ <filter-name>SLF4JMDCServletFilter</filter-name>
<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
</filter>
<filter-mapping>
@@ -77,14 +77,10 @@
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
- <filter-name>SL4JMDCServletFilter</filter-name>
+ <filter-name>SLF4JMDCServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- <!-- HTTP headers to every response in order to prevent response caching -->
- <!-- <filter> <filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class>
- </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -->
-
<!-- Servlets and servlet mappings -->
<servlet>
<servlet-name>idp</servlet-name>
@@ -136,6 +132,35 @@
<servlet-name>shibboleth_jsp</servlet-name>
<url-pattern>/shibboleth</url-pattern>
</servlet-mapping>
+
+ <!-- Send servlet errors through the IdP's MVC error handling. -->
+ <error-page>
+ <exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
+ <location>/profile/RaiseError</location>
+ </error-page>
+
+ <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Non-API Content</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ <http-method>PUT</http-method>
+ <http-method>PATCH</http-method>
+ <http-method>DELETE</http-method>
+ <http-method>OPTIONS</http-method>
+ <http-method>TRACE</http-method>
+ </web-resource-collection>
+ <auth-constraint/>
+ </security-constraint>
+
+ <!-- Allow any HTTP methods to the API flows. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Administrative APIs</web-resource-name>
+ <url-pattern>/profile/admin/*</url-pattern>
+ </web-resource-collection>
+ <!-- no auth-constraint tag here -->
+ </security-constraint>
<!--
Uncomment to use container managed authentication. The new servlet spec (3.1)
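Review bot: The new "Administrative APIs" constraint for `/profile/admin/*` with no auth-constraint means none of the methods denied under `/*` (PUT, PATCH, DELETE, OPTIONS, TRACE) are denied on admin paths, because the container applies the constraints of the best-matching url-pattern and `/profile/admin/*` beats `/*`; the comment "Allow any HTTP methods to the API flows" says what the rule does but not that authorization for those endpoints then rests entirely on the IdP's own admin flow access control, which is not visible here. I would expand it to `<!-- Allow any HTTP methods to the API flows. This overrides the /* method block, so authorization for /profile/admin/* must come from the IdP's admin flow access-control configuration. -->`. TRACE in particular becomes reachable on `/profile/admin/*` if the container implements it; confirm TRACE is disabled at the container level or add a constraint denying it on that pattern. The `error-page` mapping added above routes `ExternalAuthenticationException` to `/profile/RaiseError`, which is fine as long as that flow does not echo exception text to the client; that cannot be verified from this page.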
@@ -150,7 +175,6 @@
<web-resource-name>user authentication</web-resource-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
<url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
- <http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint> |
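Review bot: Removing `GET` from the container-authentication example narrows that constraint to POST only, and because a `web-resource-collection` that lists methods protects only the listed methods, a deployer who uncomments it gets `/Authn/RemoteUser` and the ECP endpoint unprotected by the container for GET and every other method. Whether the RemoteUser handler is ever reached with GET cannot be determined from this page; if it is, GET must stay in the list, or the constraint should use `http-method-omission` so everything except what is intentionally open stays protected. Either way the change needs a comment stating why GET was dropped, e.g. `<!-- POST only: GET is deliberately excluded because ... -->`. The enclosing commented-out block and its `<auth-constraint>` continue outside the hunk.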
3.1.2→3.2.1
@@ -8,12 +8,12 @@ same named beans in previous files. --> <context-param> <param-name>contextConfigLocation</param-name> - <param-value>${idp.home}/system/conf/global-system.xml</param-value> + <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value> </context-param> <context-param> <param-name>contextClass</param-name> - <param-value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value> + <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> </context-param> <context-param> @@ -45,24 +45,6 @@ <filter-name>CookieBufferingFilter</filter-name> <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class> </filter> - <!-- Automates the unpack and pack of the cookie-based storage model. --> - <filter> - <filter-name>ClientSessionStorageServiceFilter</filter-name> - <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <init-param> - <param-name>targetBeanName</param-name> - <param-value>shibboleth.ClientSessionStorageService</param-value> - </init-param> - </filter> - <!-- Automates the unpack and pack of the cookie-based storage model. --> - <filter> - <filter-name>ClientPersistentStorageServiceFilter</filter-name> - <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <init-param> - <param-name>targetBeanName</param-name> - <param-value>shibboleth.ClientPersistentStorageService</param-value> - </init-param> - </filter> <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. --> <filter> <filter-name>RequestResponseContextFilter</filter-name> 
@@ -87,28 +69,6 @@ <url-pattern>/profile/cas/login</url-pattern> </filter-mapping> <filter-mapping> - <filter-name>ClientSessionStorageServiceFilter</filter-name> - <url-pattern>/profile/Logout</url-pattern> - <url-pattern>/profile/Shibboleth/SSO</url-pattern> - <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern> - <url-pattern>/profile/SAML2/POST/SLO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern> - <url-pattern>/profile/cas/login</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>ClientPersistentStorageServiceFilter</filter-name> - <url-pattern>/profile/Shibboleth/SSO</url-pattern> - <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/cas/login</url-pattern> - </filter-mapping> - <filter-mapping> <filter-name>CharacterEncodingFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> @@ -131,11 +91,11 @@ <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> /preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> + <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> </context-param> <context-param> @@ -27,6 +27,7 @@ </listener> <!-- Filters and filter mappings --> + <!-- Try and force I18N, probably won't help much. --> <filter> <filter-name>CharacterEncodingFilter</filter-name> 
@@ -40,6 +41,15 @@ <param-value>true</param-value> </init-param> </filter> + <!-- Automates SameSite handling until Java API catches up. --> + <filter> + <filter-name>SameSiteCookieFilter</filter-name> + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> + <init-param> + <param-name>contextConfigLocation</param-name> - <param-name>targetBeanName<value>${idp.home}/system/conf/mvc-beans.xml ${idp.home}/system/conf/webflow-config.xml</param-name>value> + <param-value>shibboleth.SameSiteCookieFilter</param-value> + </init-param> + </filter> <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. --> <filter>value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value> </init-param> <filter-name>CookieBufferingFilter</filter-name> @@ -64,6 +74,11 @@ <init-param> <filter<param-name>SLF4JMDCServletFilter<name>contextClass</filterparam-name> - <filter-class>net <param-value>net.shibboleth.ext.idpspring.logcontext.SLF4JMDCServletFilter<DeferPlaceholderFileSystemXmlWebApplicationContext</filter-class> </filter> + param-value> + <filter-mapping> + <filter-name>SameSiteCookieFilter</filter-name> +<param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> <url-pattern>/*</urlinit-pattern>param> + </filter-mapping> <filter-mapping> <filter-name>CookieBufferingFilter</filter-name> <load-on-startup>1</load-on-startup> <url-pattern>/profile/admin/*</url-pattern>servlet> |