4.3.1→5.0.0
@@ -1794,6173 +1794,746 @@ <display-name>Shibboleth Identity <Provider</errordisplay-page>name> - <session-config> + <session-timeout>15</session-timeout> <cookie-config> <!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting - same named beans in previous <http-only>true</http-only> files. --> + <!-- + The context <secure>true</secure> |
4.0.1→4.1.0
@@ -8,7 +8,7 @@ parameters below control V5+ auto-registration support. + Those desiring complete control over sameall namedof beansthese insteps previouscan files. --> disable them + but <context-param> this is not generally recommended, apart from toggling <param-name>contextConfigLocation</param-name> -the optional + servlets that may not be needed. + --> + + <!-- Registers Spring support. --> <context-param> - <param-name>contextConfigLocation</param-name> - <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> + <param-value>classpath*:/META-INF/netname>net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</.registerSpringConfig</param-name> + <param-value>true</param-value> </context-param> - + + <context-param> @@ -126,7 +126,7 @@ <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><!-- Auto-registers Java filter chain required by IdP. --> <init<context-param> - <param-name>contextConfigLocation<name>contextClass</param-name> - <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml<value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> + <param-name>net.shibboleth.idp.registerFilterChain</param-name> + <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</ <param-value>true</param-value> </initcontext-param> - + + <init-param><!-- Auto-registers IdP dispatcher servlet. --> <context-param> - <param-name>contextClass<name>contextInitializerClasses</param-name> 
@@ -209,7 +209,7 @@ <param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value> + <http-method-omission>OPTIONS</http-method-omission> <param-name>net.shibboleth.idp.registerIdPServlet</param-name> + <http-method-omission>POST</http-method-omission><param-value>true</param-value> </context-param> - - </web-resource-collection> !-- Spring listener used to load up the configuration <authn--constraint/> +- <listener> - <auth-constraint/> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> - </security-constraint>listener> - <!-- AllowFilters anyand HTTPfilter methods to the API flows. --> |
4.0.0→4.0.1
@@ -186,17 +186,30 @@ <tracking-mode>COOKIE</tracking-mode> </session-config> - <!-- Block commonly flagged methods by using an empty auth-constraint. --> + <!-- Allow intended methods by using an absent auth-constraint. --> <security-constraint> mappings --> - - <!-- Try and force I18N, probably won't help much. --> - <filter> - <filter-name>CharacterEncodingFilter</filter-name> - <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class> - <init-param> - <web-resource-collection> <param-name>encoding</param-name> - <web<param-resource-name>Non-API Content</web-resource-name> value>UTF-8</param-value> - </init-param> - <url-pattern>/*</url-pattern><init-param> - <http<param-method>PUT<name>forceEncoding</httpparam-method>name> - <http<param-method>PATCH<value>true</httpparam-method>value> - </init-param> - <http-method>DELETE</http-method></filter> - <!-- Automates SameSite handling until Java API catches <http-method>TRACE</http-method> +up. --> - <filter> - <http<filter-method>GET<name>SameSiteCookieFilter</httpfilter-method>name> +- <http-method>HEAD</http-method> +<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <init-param> - <http-method>OPTIONS</http-method> + <param-name>targetBeanName</param-name> - <http<param-method>POST<value>shibboleth.SameSiteCookieFilter</httpparam-method>value> - </webinit-resource-collection>param> - </filter> - <auth-constraint/> + <!-- no auth-constraint tag here<!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. --> +- </security-constraint> + +<filter> - <!-- Disallow other methods by using an empty auth-constraint. 
--> + <security-constraint> + <web-resource-collection> + <web-resource-name>Non-API Content</web-resource-name> + <filter-name>CookieBufferingFilter</filter-name> - <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class> - </filter> - <!-- Allows control of response headers from within Spring beans. --> - <filter> - <url<filter-pattern>/*</url-pattern> +name>DynamicResponseHeaderFilter</filter-name> - <http-method-omission>GET</http-method-omission> +<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <http-method-omission>HEAD</http-method-omission> +<init-param> - <http<param-method-omission>OPTIONS<name>targetBeanName</httpparam-methodname> -omission> + <http-method-omission>POST</http-method-omission> +<param-value>shibboleth.ResponseHeaderFilter</param-value> - </webinit-resource-collection> + <authn-constraint/> param> - </security-constraint> filter> - <!-- AllowAutomates anyTLS-based HTTPpropagation methodsof toHttpServletRequest/Response theinto API flowsbeans. --> |
3.4.8→4.0.0
@@ -8,7 +8,7 @@ - <filter> - same named beans in previous files. --> <filter-name>RequestResponseContextFilter</filter-name> - <filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class> - </filter> - <context-param> <!-- Manages logging MDC. --> - <filter> - <param<filter-name>contextConfigLocation<name>SLF4JMDCServletFilter</paramfilter-name> - <param-value>classpath*:/META-INF/net<filter-class>net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>.log.SLF4JMDCServletFilter</filter-class> - </filter> + <!-- Registers optional servlets used for RemoteUser and X509 login flows. --> + <context-param> + <param-value>classpath*:/META-INF/netname>net.shibboleth.idp.registerRemoteUserServlet</param-name> + <param-value>true</param-value> + </context-param> + <context-param> + <param-name>net.shibboleth.idp.registerX509Servlet</param-name> + <param-value>true</param-value> + </context-param> - <filter-mapping> - <filter-name>SameSiteCookieFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>CookieBufferingFilter</filter-name> - <url-pattern>/profile/admin/*</url-pattern> - <url-pattern>/profile/Logout</url-pattern> - <url-pattern>/profile/Shibboleth/SSO</url-pattern> - <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern> - <url-pattern>/profile/SAML2/POST/SLO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern> - <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern> - <url-pattern>/profile/cas/login</url-pattern> - 
</filter-mapping> - <filter-mapping> - <filter-name>DynamicResponseHeaderFilter</filter-name> - <url-pattern>/profile/admin/*</url-pattern> - <url-pattern>/profile/Shibboleth/SSO</url-pattern> - <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern> - <url-pattern>/profile/cas/login</url-pattern> - <url-pattern>/Authn/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>CharacterEncodingFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>RequestResponseContextFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>SLF4JMDCServletFilter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - - <!-- Servlets and servlet mappings --> - <servlet> - <servlet-name>idp</servlet-name> - <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> - <init-param> - <param-name>contextConfigLocation</param-name> - <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value> - </init-param> - <init-param> - <param-name>contextClass</param-name> - <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> - </init-param> - <load-on-startup>1</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>idp</servlet-name> - <url-pattern>/status</url-pattern> - <url-pattern>/profile/*</url-pattern> - </servlet-mapping> - - <!-- Servlet protected by container used for RemoteUser authentication --> - <servlet> - <servlet-name>RemoteUserAuthHandler</servlet-name> - 
<servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class> - <load-on-startup>2</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>RemoteUserAuthHandler</servlet-name> - <url-pattern>/Authn/RemoteUser</url-pattern> - </servlet-mapping> - - <!-- Servlet protected by container used for X.509 authentication --> - <servlet> - <servlet-name>X509AuthHandler</servlet-name> - <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class> - <load-on-startup>3</load-on-startup> - </servlet> - <servlet-mapping> - <servlet-name>X509AuthHandler</servlet-name> - <url-pattern>/Authn/X509</url-pattern> - </servlet-mapping> - - <!-- Send request for the EntityID to the SAML metadata echoing JSP. --> - <servlet> - <servlet-name>shibboleth_jsp</servlet-name> - <jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file> - </servlet> - <servlet-mapping> - <servlet-name>shibboleth_jsp</servlet-name> - <url-pattern>/shibboleth</url-pattern> - </servlet-mapping> + <!-- Registers /shibboleth to return metadata file. --> + <context-param> + <param-name>net.shibboleth.idp.registerMetadataServlet</param-name> + <param-value>true</param-value> + </context-param> <!-- Send servlet errors through the IdP's MVC error handling. --> <error-page> @@ -181,11 +54,9 @@ <session-config> <session-timeout>15</session-timeout> <cookie-config> - <!-- Uncomment to add __Host- protection. --> - <!-- + <!-- Comment name and path to revert __Host- protection. --> <name>__Host-JSESSIONID</name> <path>/</path> - --> <secure>true</secure> <http-only>true</http-only> </cookie-config> |
4.2.1→4.3.1
変更なし
4.1.7→4.2.1
@@ -181,8 +181,13 @@
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
- <http-only>true</http-only>
+ <!-- Uncomment to add __Host- protection. -->
+ <!--
+ <name>__Host-JSESSIONID</name>
+ <path>/</path>
+ -->
<secure>true</secure>
+ <http-only>true</http-only>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config> |
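Review bot: The commented-out `__Host-` block at the top of `<cookie-config>` does not say what the prefix requires or what else changes when it is enabled. Browsers accept a `__Host-` cookie only when it is Secure, has Path=/ and carries no Domain attribute, so the comment should state that `<secure>true</secure>` must stay and that no `<domain>` may be added, e.g. `<!-- Uncomment to add __Host- protection; needs secure=true, path "/", and no <domain>. -->`. Renaming the cookie also affects anything that keys on `JSESSIONID`, such as load-balancer stickiness rules, which deserves a second sentence in the same comment. As shipped the session cookie stays unprefixed, presumably as a compatibility default, so deployments that want the protection have to opt in.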
4.1.2→4.1.7
変更なし
4.1.0→4.1.2
@@ -179,6 +179,7 @@
</error-page>
<session-config>
+ <session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure> |
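Review bot: The new `<session-timeout>15</session-timeout>` has no comment, and both its unit and its scope are easy to misread. The servlet descriptor expresses this value in minutes and it applies to the container's HTTP session; whether and how it interacts with the IdP's own session lifetime is not visible here and should be confirmed before it is relied on as an SSO timeout. A one-line comment such as `<!-- Container (servlet) session idle timeout, in minutes. -->` would make that explicit. The `<session-config>` element closes outside the hunk.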
4.0.1→4.1.0
@@ -8,7 +8,7 @@
same named beans in previous files. -->
<context-param>
<param-name>contextConfigLocation</param-name>
- <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+ <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
</context-param>
<context-param>
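Review bot: The `classpath*:` entries that bracket the system file in `contextConfigLocation` deserve a comment about trust, here and in the dispatcher servlet's `contextConfigLocation` in the next hunk. The wildcard means every jar on the webapp classpath that ships a `META-INF/net.shibboleth.idp/postconfig.xml` is loaded after `global-system.xml`, and the comment above this parameter says later files overwrite same-named beans. Suggest adding `<!-- Any jar on the classpath may contribute pre/postconfig.xml and override system beans; treat WEB-INF/lib as trusted configuration. -->`. The explanatory comment and the `<context-param>` that follows both extend outside the hunk.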
@@ -126,7 +126,7 @@
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
- <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
+ <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
</init-param>
<init-param>
<param-name>contextClass</param-name>
@@ -209,7 +209,7 @@
<http-method-omission>OPTIONS</http-method-omission>
<http-method-omission>POST</http-method-omission>
</web-resource-collection>
- <authn-constraint/>
+ <auth-constraint/>
</security-constraint>
<!-- Allow any HTTP methods to the API flows. --> |
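Review bot: Nothing next to the corrected `<auth-constraint/>` explains that the deny rule depends on this exact element name, so the same slip can recur or survive in locally overridden copies of web.xml. An unrecognised `<authn-constraint/>` is, depending on whether the container validates the descriptor, either rejected or ignored, and an ignored element leaves a constraint with no auth-constraint, which permits the methods it was meant to block. Suggest a comment such as `<!-- Must be an empty auth-constraint: empty = deny all, absent = allow. -->` directly above it, and a release note telling deployers who maintain their own web.xml to check for the misspelling. The `<security-constraint>` opens outside the hunk.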
4.0.0→4.0.1
@@ -186,17 +186,30 @@
<tracking-mode>COOKIE</tracking-mode>
</session-config>
- <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+ <!-- Allow intended methods by using an absent auth-constraint. -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Non-API Content</web-resource-name>
<url-pattern>/*</url-pattern>
- <http-method>PUT</http-method>
- <http-method>PATCH</http-method>
- <http-method>DELETE</http-method>
- <http-method>TRACE</http-method>
+ <http-method>GET</http-method>
+ <http-method>HEAD</http-method>
+ <http-method>OPTIONS</http-method>
+ <http-method>POST</http-method>
</web-resource-collection>
- <auth-constraint/>
+ <!-- no auth-constraint tag here -->
+ </security-constraint>
+
+ <!-- Disallow other methods by using an empty auth-constraint. -->
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Non-API Content</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ <http-method-omission>GET</http-method-omission>
+ <http-method-omission>HEAD</http-method-omission>
+ <http-method-omission>OPTIONS</http-method-omission>
+ <http-method-omission>POST</http-method-omission>
+ </web-resource-collection>
+ <authn-constraint/>
</security-constraint>
<!-- Allow any HTTP methods to the API flows. --> |
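Review bot: The second `<security-constraint>` closes with `<authn-constraint/>`, which is not a web.xml element; the comment above it and the removed line both use `auth-constraint`. As written the deny rule for methods other than GET, HEAD, OPTIONS and POST has no auth-constraint at all, so unless the container rejects the descriptor outright those methods are likely left unrestricted on `/*`, which is weaker than the PUT/PATCH/DELETE/TRACE block this hunk removes. Change the line to `<auth-constraint/>`. Both constraints also reuse the `<web-resource-name>` `Non-API Content`; distinct names would make the allow rule and the deny rule easier to tell apart.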
3.4.8→4.0.0
@@ -8,7 +8,7 @@
same named beans in previous files. -->
<context-param>
<param-name>contextConfigLocation</param-name>
- <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+ <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
</context-param>
<context-param>
@@ -27,6 +27,7 @@
</listener>
<!-- Filters and filter mappings -->
+
<!-- Try and force I18N, probably won't help much. -->
<filter>
<filter-name>CharacterEncodingFilter</filter-name>
@@ -40,6 +41,15 @@
<param-value>true</param-value>
</init-param>
</filter>
+ <!-- Automates SameSite handling until Java API catches up. -->
+ <filter>
+ <filter-name>SameSiteCookieFilter</filter-name>
+ <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+ <init-param>
+ <param-name>targetBeanName</param-name>
+ <param-value>shibboleth.SameSiteCookieFilter</param-value>
+ </init-param>
+ </filter>
<!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
<filter>
<filter-name>CookieBufferingFilter</filter-name>
@@ -64,6 +74,11 @@
<filter-name>SLF4JMDCServletFilter</filter-name>
<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
</filter>
+
+ <filter-mapping>
+ <filter-name>SameSiteCookieFilter</filter-name>
+ <url-pattern>/*</url-pattern>
+ </filter-mapping>
<filter-mapping>
<filter-name>CookieBufferingFilter</filter-name>
<url-pattern>/profile/admin/*</url-pattern> |
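Review bot: The new `SameSiteCookieFilter` mapping is placed ahead of every other `<filter-mapping>`, but nothing says that the position matters. Filters matched by URL pattern run in descriptor order, so being first presumably lets this filter see cookies set by the later filters and by the servlets; moving it below `CookieBufferingFilter` could leave some cookies without a SameSite attribute. If that is the intent, suggest `<!-- Keep first: must wrap the response before any later filter or servlet adds Set-Cookie headers. -->` above the mapping. The SameSite values themselves come from the `shibboleth.SameSiteCookieFilter` bean named in the earlier hunk and are not visible here, so the effective policy should be documented where that bean is defined.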
3.4.0→3.4.8
@@ -73,9 +73,11 @@
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
<url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
<url-pattern>/profile/cas/login</url-pattern>
</filter-mapping>
<filter-mapping>
@@ -86,6 +88,7 @@
<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+ <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
<url-pattern>/profile/cas/login</url-pattern>
<url-pattern>/Authn/*</url-pattern>
</filter-mapping>
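Review bot: The mapping patched in this second hunk (judging by `/Authn/*`, the response-header filter's) still lists no SLO endpoint and no `/profile/Logout`, while the cookie-buffering mapping in the first hunk gains `Artifact/SLO` next to `Artifact/SSO`. If the header filter's bean emits framing or transport-security headers, logout responses go out without them; that may be deliberate, but it is not stated. Suggest either adding the SLO and Logout patterns or a comment such as `<!-- SLO/Logout endpoints intentionally excluded from response headers. -->`. Hand-enumerated per-binding patterns are what allowed the Artifact endpoints to be missed in the first place, so a note listing which mappings must be kept in step would help. Both `<filter-mapping>` elements open outside their hunks.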
@@ -176,7 +179,6 @@
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>DELETE</http-method>
- <http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/> |
3.3.0→3.4.0
@@ -45,6 +45,15 @@ <filter-name>CookieBufferingFilter</filter-name> <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class> </filter> + <!-- Allows control of response headers from within Spring beans. --> + <filter> + <filter-name>DynamicResponseHeaderFilter</filter-name> + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> + <init-param> + <param-name>targetBeanName</param-name> + <param-value>shibboleth.ResponseHeaderFilter</param-value> + </init-param> + </filter> <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. --> <filter> <filter-name>RequestResponseContextFilter</filter-name> @@ -57,6 +66,7 @@ </filter> <filter-mapping> <filter-name>CookieBufferingFilter</filter-name> + <url-pattern>/profile/admin/*</url-pattern> <url-pattern>/profile/Logout</url-pattern> <url-pattern>/profile/Shibboleth/SSO</url-pattern> <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> @@ -69,6 +79,17 @@ <url-pattern>/profile/cas/login</url-pattern> </filter-mapping> <filter-mapping> + <filter-name>DynamicResponseHeaderFilter</filter-name> + <url-pattern>/profile/admin/*</url-pattern> + <url-pattern>/profile/Shibboleth/SSO</url-pattern> + <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> + <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> + <url-pattern>/profile/SAML2/POST/SSO</url-pattern>/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> </context-param> <context-param> @@ -27,6 +27,7 @@ </listener> <!-- Filters and filter mappings --> + <!-- Try and force I18N, probably won't help much. --> <filter> <filter-name>CharacterEncodingFilter</filter-name> 
@@ -40,6 +41,15 @@ <param-value>true</param-value> </init-param> </filter> + <!-- Automates SameSite handling until Java API catches up. --> + <filter> + <filter-name>SameSiteCookieFilter</filter-name><url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> + <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><url-pattern>/profile/cas/login</url-pattern> + <init-param><url-pattern>/Authn/*</url-pattern> + <param-name>targetBeanName</param-name></filter-mapping> + <filter-mapping> <param<filter-value>shibboleth.SameSiteCookieFilter<name>CharacterEncodingFilter</paramfilter-value>name> + <url-pattern>/*</initurl-param>pattern> + </filter>filter-mapping> @@ -139,6 +160,14 @@ <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. --> <location>/profile/RaiseError</location> </error-page> + <filter><session-config> + <filter-name>CookieBufferingFilter</filter-name> @@ -64,6 +74,11 @@ <cookie-config> + <filter<http-name>SLF4JMDCServletFilter<only>true</filterhttp-name>only> + <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class> <<secure>true</filter>secure> + + <filter</cookie-mapping>config> + <filter<tracking-name>SameSiteCookieFilter<mode>COOKIE</filtertracking-name>mode> + <url-pattern>/*</urlsession-pattern>config> + </filter-mapping> <filter-mapping> !-- Block commonly flagged methods by using an empty auth-constraint. --> <filter-name>CookieBufferingFilter</filter-name><security-constraint> <url-pattern>/profile/admin/*</url-pattern><web-resource-collection> |
3.2.1→3.3.0
@@ -738,97 +738,11 @@ <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> <url-pattern>/profile/SAML2/POST/SSO</url-pattern> 7 @@ same named beans in <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> +previous files. --> <context-param> <url<param-pattern>/profile/SAML2/Artifact/SSO</url-pattern> name>contextConfigLocation</param-name> - <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern> <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value> + <url-pattern>/profile/SAML2/POST/SLO</url-pattern> <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern> + <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern> <url-pattern>/profile/cas/login</url-pattern><param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value> </context-param> <context-param> @@ -52,7 +52,7 @@ </filter-mapping>filter> <filter-mapping> @@ -86,6 +88,7 @@ <!-- Manages logging MDC. --> <filter> - <url<filter-pattern>/profile/SAML2/Redirect/SSO</url-pattern> name>SL4JMDCServletFilter</filter-name> + <url<filter-pattern>/profile/SAML2/POST/SSO</url-pattern>name>SLF4JMDCServletFilter</filter-name> <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> +<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class> </filter> <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern> <filter-mapping> @@ -77,14 +77,10 @@ <url-pattern>/profile/cas/login</*</url-pattern> <url-pattern>/Authn/*</urlfilter-pattern>mapping> </filter<filter-mapping> 
@@ -176,7 +179,6 @@ <filter-name>SL4JMDCServletFilter</filter-name> + <http<filter-method>PUT<name>SLF4JMDCServletFilter</httpfilter-method>name> <url-pattern>/*</url-pattern> <http-method>PATCH<</httpfilter-method> <http-method>DELETE</http-method>mapping> - <!-- HTTP headers to every response in order to prevent response caching --> - <!-- <filter> <http-method>OPTIONS</http-method> <filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class> - </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <http-method>TRACE</http-method> --> - <!-- Servlets and servlet mappings </web-resource-collection> > <auth-constraint/> |
3.3.0→3.4.0
@@ -45,6 +45,15 @@<servlet> <filter<servlet-name>CookieBufferingFilter<name>idp</filterservlet-name> @@ <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>-136,6 +132,35 @@ </filter> + <!-- Allows control of response headers from within Spring beans. --> + <filter><servlet-name>shibboleth_jsp</servlet-name> <url-pattern>/shibboleth</url-pattern> </servlet-mapping> + + <filter<!-name>DynamicResponseHeaderFilter</filter-name> + Send servlet errors through <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> + <init-param>the IdP's MVC error handling. --> + <error-page> + <param-name>targetBeanName</param-name><exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type> + <location>/profile/RaiseError</location> + <param-value>shibboleth.ResponseHeaderFilter</param-value></error-page> + + <!-- Block commonly </init-param> + </filter> flagged methods by using an empty auth-constraint. --> + <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. --> <security-constraint> + <web-resource-collection> + <filter> <filter-name>RequestResponseContextFilter</filter<web-resource-name>Non-API Content</web-resource-name> @@ -57,6 +66,7 @@ + <url-pattern>/*</filter>url-pattern> + <filter-mapping> <filter<http-name>CookieBufferingFilter<method>PUT</filterhttp-name>method> + <url-pattern>/profile/admin/*</url-pattern> <http-method>PATCH</http-method> + <url<http-pattern>/profile/Logout</url-pattern> method>DELETE</http-method> + <url<http-pattern>/profile/Shibboleth/SSO</url-pattern> method>OPTIONS</http-method> + <url <http-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> 
@@ -69,6 +79,17 @@ method>TRACE</http-method> + </web-resource-collection> + <url-pattern>/profile/cas/login</url-pattern> <auth-constraint/> + </filtersecurity-mapping>constraint> + + <filter-mapping> + <filter-name>DynamicResponseHeaderFilter</filter-name><!-- Allow any HTTP methods to the API flows. --> + <url-pattern>/profile/admin/*</url-pattern><security-constraint> + <url-pattern>/profile/Shibboleth/SSO</url-pattern> +<web-resource-collection> + <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> + <web-resource-name>Administrative APIs</web-resource-name> + <url-pattern>/profile/SAML2/Redirect/SSO<admin/*</url-pattern> + <url-pattern>/profile/SAML2/POST/SSO</url-pattern></web-resource-collection> + <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern><!-- no auth-constraint tag here --> + </security-constraint> <url-pattern>/profile/cas/login</url-pattern> + <url-pattern>/Authn/*</url-pattern> + </filter-mapping> + <filter-mapping> <!-- Uncomment to use container managed authentication. The new servlet spec (3.1) @@ -150,7 +175,6 @@ <filter-name>CharacterEncodingFilter</filter<web-resource-name>user authentication</web-resource-name> <url-pattern>/*<Authn/RemoteUser</url-pattern> </filter-mapping> @@ -139,6 +160,14 @@ <location><url-pattern>/profile/SAML2/SOAP/RaiseError<ECP</location> url-pattern> - <<http-method>GET</errorhttp-page>method> + <session-config> + <cookie-config> +<http-method>POST</http-method> </web-resource-collection> <http-only>true</http-only> + <auth-constraint> |
3.1.2→3.2.1
@@ -8,12 +8,12 @@ <secure>true</secure> + same named beans in previous files. </cookie--config>> + <tracking-mode>COOKIE</tracking-mode> +<context-param> </session-config> + <!-<param-name>contextConfigLocation</param-name> - Block commonly flagged methods by using an empty auth-constraint. --> <security-constraint> <param-value>${idp.home}/system/conf/global-system.xml</param-value> + <web-resource-collection> |
3.2.1→3.3.0
@@ -8,7 +8,7 @@<param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value> same named beans in previous files. --></context-param> <context-param> <param-name>contextConfigLocation<name>contextClass</param-name> - <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value> +value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value> + <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> </context-param> <context-param> @@ -45,24 +45,6 @@ <param<filter-value>classpath*:name>CookieBufferingFilter</META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>filter-name> <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class> </context-param> <context-param> @@ -52,7 +52,7 @@ filter> - <!-- Automates the unpack and pack of the cookie-based storage model. --> - <filter> - </filter> <filter-name>ClientSessionStorageServiceFilter</filter-name> - <!-- Manages logging MDC. --> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> - <init-param> - <filter> - <filter<param-name>SL4JMDCServletFilter<name>targetBeanName</filterparam-name> +- <filter<param-name>SLF4JMDCServletFilter<value>shibboleth.ClientSessionStorageService</filterparam-name>value> - <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class> </init-param> - </filter> - <filter-mapping> 
@@ -77,14 +77,10 @@ <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping><!-- Automates the unpack and pack of the cookie-based storage model. --> - <filter> - <filter-name>SL4JMDCServletFilter<name>ClientPersistentStorageServiceFilter</filter-name> +- <filter-name>SLF4JMDCServletFilter<class>org.springframework.web.filter.DelegatingFilterProxy</filter-name>class> - <url-pattern>/*</url-pattern> </filter-mapping> -<init-param> - <!-- HTTP headers to every response in order to prevent response caching --> - <param-name>targetBeanName</param-name> - <!-- <filter> <filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class> <param-value>shibboleth.ClientPersistentStorageService</param-value> - </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> --> - init-param> - </filter> <!-- ServletsAutomates andTLS-based servletpropagation mappings --> of HttpServletRequest/Response into beans. --> <servlet><filter> <servlet<filter-name>idp<name>RequestResponseContextFilter</servletfilter-name> 
@@ -13687,628 +13269,356 @@ <servlet-name>shibboleth_jsp</servlet-name><url-pattern>/profile/cas/login</url-pattern> <url-pattern>/shibboleth</url-pattern></filter-mapping> </servlet<filter-mapping> +- + <!-<filter-name>ClientSessionStorageServiceFilter</filter-name> - Send servlet errors through the IdP's MVC error handling. --> + <url-pattern>/profile/Logout</url-pattern> - <error-page> +<url-pattern>/profile/Shibboleth/SSO</url-pattern> - <exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type> +<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <location><url-pattern>/profile/SAML2/Redirect/RaiseError<SSO</location>url-pattern> +- </error-page> + + <!-- Block commonly flagged methods by using an empty auth-constraint. --> + <security-constraint> +<url-pattern>/profile/SAML2/POST/SSO</url-pattern> - <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern> - <web-resource-collection> +<url-pattern>/profile/SAML2/POST/SLO</url-pattern> - <web-resource-name>Non-API Content</web-resource-name> + <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern> - <url-pattern>/*<profile/cas/login</url-pattern> + - </filter-mapping> - <filter-mapping> - <http<filter-method>PUT<name>ClientPersistentStorageServiceFilter</httpfilter-method>name> +- <http-method>PATCH</http-method> +<url-pattern>/profile/Shibboleth/SSO</url-pattern> - <http-method>DELETE</http-method> + <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern> - <http-method>OPTIONS</http-method> +<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern> - <http-method>TRACE</http-method> +<url-pattern>/profile/SAML2/POST/SSO</url-pattern> - </web-resource-collection> +<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern> - <auth-constraint/> + </security-constraint> + + <!-- Allow any HTTP methods to the API flows. 
--> +<url-pattern>/profile/cas/login</url-pattern> - </filter-mapping> - <security<filter-constraint>mapping> + <web<filter-resourcename>CharacterEncodingFilter</filter-collection>name> + <url-pattern>/*</url-pattern> <web-resource-name>Administrative APIs<</webfilter-resource-name>mapping> +@@ -131,11 +91,11 @@ <url-pattern>/profile/admin/*</url-pattern> +<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> </web-resource-collection> +<init-param> <!-- no auth-constraint tag here <param-name>contextConfigLocation</param-> +name> - </security-constraint> <!-- Uncomment to use container managed authentication. The new servlet spec (3.1) @@ -150,7 +175,6 @@<param-value>${idp.home}/system/conf/mvc-beans.xml ${idp.home}/system/conf/webflow-config.xml</param-value> + <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value> <web-resource-name>user authentication</web-resource-name> </init-param> <url-pattern>/Authn/RemoteUser</url-pattern> <init-param> <url<param-pattern>/profile/SAML2/SOAP/ECP</url-pattern>name>contextClass</param-name> - <http-method>GET</http-method> <param-value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value> + <http-method>POST</http-method> <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value> </webinit-resource-collection>param> <auth-constraint><load-on-startup>1</load-on-startup> </servlet> |