
4.

...

3.

...

1→5.

...

0.

...

0

@@ -1794,6173 +1794,746 @@
  
     <display-name>Shibboleth Identity <Provider</errordisplay-page>name>
 
-     <session-config>
+        <session-timeout>15</session-timeout>
         <cookie-config>
<!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting 
-        same named beans in previous <http-only>true</http-only>
files. -->
+      <!--
+    The context  <secure>true</secure>

4.0.1→4.1.0

@@ -8,7 +8,7 @@
parameters below control V5+ auto-registration support.
+    Those desiring complete control over sameall namedof beansthese insteps previouscan files. -->
disable them
+    but <context-param>
this is not generally recommended, apart from toggling  <param-name>contextConfigLocation</param-name>
-the optional
+    servlets that may not be needed.
+    -->
+
+    <!-- Registers Spring support. -->
     <context-param>
-        <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-value>classpath*:/META-INF/netname>net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</.registerSpringConfig</param-name>
+        <param-value>true</param-value>
     </context-param>
-     
+
+     <context-param>
@@ -126,7 +126,7 @@
         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class><!-- Auto-registers Java filter chain required by IdP. -->
         <init<context-param>
    -         <param-name>contextConfigLocation<name>contextClass</param-name>
-            <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml<value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
+        <param-name>net.shibboleth.idp.registerFilterChain</param-name>
+    <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</    <param-value>true</param-value>
         </initcontext-param>
-    
+
+     <init-param><!-- Auto-registers IdP dispatcher servlet. -->
     <context-param>
-        <param-name>contextClass<name>contextInitializerClasses</param-name>
@@ -209,7 +209,7 @@
      <param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value>
+        <http-method-omission>OPTIONS</http-method-omission>
<param-name>net.shibboleth.idp.registerIdPServlet</param-name>
+             <http-method-omission>POST</http-method-omission><param-value>true</param-value>
     </context-param>
-
-    </web-resource-collection>
!-- Spring listener used to load up the configuration <authn--constraint/>
+-    <listener>
-        <auth-constraint/>
 <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
-    </security-constraint>listener>
     
-     <!-- AllowFilters anyand HTTPfilter methods to the API flows. -->

4.0.0→4.0.1

@@ -186,17 +186,30 @@
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>
 
-    <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+    <!-- Allow intended methods by using an absent auth-constraint. -->
     <security-constraint>
mappings -->
-    
-    <!-- Try and force I18N, probably won't help much. -->
-    <filter>
-        <filter-name>CharacterEncodingFilter</filter-name>
-        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
-        <init-param>
-              <web-resource-collection>
<param-name>encoding</param-name>
-             <web<param-resource-name>Non-API Content</web-resource-name>
value>UTF-8</param-value>
-        </init-param>
-        <url-pattern>/*</url-pattern><init-param>
-            <http<param-method>PUT<name>forceEncoding</httpparam-method>name>
-            <http<param-method>PATCH<value>true</httpparam-method>value>
-        </init-param>
-    <http-method>DELETE</http-method></filter>
-    <!-- Automates SameSite handling until Java API catches <http-method>TRACE</http-method>
+up. -->
-    <filter>
-        <http<filter-method>GET<name>SameSiteCookieFilter</httpfilter-method>name>
+-            <http-method>HEAD</http-method>
+<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-    <http-method>OPTIONS</http-method>
+        <param-name>targetBeanName</param-name>
-            <http<param-method>POST<value>shibboleth.SameSiteCookieFilter</httpparam-method>value>
 -        </webinit-resource-collection>param>
-    </filter>
-    <auth-constraint/>
+        <!-- no auth-constraint tag here<!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
+-    </security-constraint>
+
+<filter>
-    <!-- Disallow other methods by using an empty auth-constraint. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Non-API Content</web-resource-name>
+    <filter-name>CookieBufferingFilter</filter-name>
-        <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
-    </filter>
-    <!-- Allows control of response headers from within Spring beans. -->
-    <filter>
-         <url<filter-pattern>/*</url-pattern>
+name>DynamicResponseHeaderFilter</filter-name>
-            <http-method-omission>GET</http-method-omission>
+<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-            <http-method-omission>HEAD</http-method-omission>
+<init-param>
-            <http<param-method-omission>OPTIONS<name>targetBeanName</httpparam-methodname>
-omission>
+            <http-method-omission>POST</http-method-omission>
+<param-value>shibboleth.ResponseHeaderFilter</param-value>
-        </webinit-resource-collection>
+        <authn-constraint/>
param>
-     </security-constraint>
 
filter>
-     <!-- AllowAutomates anyTLS-based HTTPpropagation methodsof toHttpServletRequest/Response theinto API flowsbeans. -->

3.4.8→4.0.0

@@ -8,7 +8,7 @@

-    <filter>
-         same named beans in previous files. -->
<filter-name>RequestResponseContextFilter</filter-name>
-        <filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class>
-    </filter>
-     <context-param>
 <!-- Manages logging MDC. -->
-    <filter>
-        <param<filter-name>contextConfigLocation<name>SLF4JMDCServletFilter</paramfilter-name>
-        <param-value>classpath*:/META-INF/net<filter-class>net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>.log.SLF4JMDCServletFilter</filter-class>
-    </filter>
+    <!-- Registers optional servlets used for RemoteUser and X509 login flows. -->
+    <context-param>
+        <param-value>classpath*:/META-INF/netname>net.shibboleth.idp.registerRemoteUserServlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>net.shibboleth.idp.registerX509Servlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
     
-    <filter-mapping>
-        <filter-name>SameSiteCookieFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>CookieBufferingFilter</filter-name>
-        <url-pattern>/profile/admin/*</url-pattern>
-        <url-pattern>/profile/Logout</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>DynamicResponseHeaderFilter</filter-name>
-        <url-pattern>/profile/admin/*</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-        <url-pattern>/Authn/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>CharacterEncodingFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>RequestResponseContextFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>SLF4JMDCServletFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-
-    <!-- Servlets and servlet mappings -->    
-    <servlet>
-        <servlet-name>idp</servlet-name>
-        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
-        <init-param>
-            <param-name>contextConfigLocation</param-name>
-            <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
-        </init-param>
-        <init-param>
-            <param-name>contextClass</param-name>
-            <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
-        </init-param>
-        <load-on-startup>1</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>idp</servlet-name>
-        <url-pattern>/status</url-pattern>
-        <url-pattern>/profile/*</url-pattern>
-    </servlet-mapping>
-
-    <!-- Servlet protected by container used for RemoteUser authentication -->
-    <servlet>
-        <servlet-name>RemoteUserAuthHandler</servlet-name>
-        <servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
-        <load-on-startup>2</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>RemoteUserAuthHandler</servlet-name>
-        <url-pattern>/Authn/RemoteUser</url-pattern>
-    </servlet-mapping>
-
-    <!-- Servlet protected by container used for X.509 authentication -->
-    <servlet>
-        <servlet-name>X509AuthHandler</servlet-name>
-        <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
-        <load-on-startup>3</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>X509AuthHandler</servlet-name>
-        <url-pattern>/Authn/X509</url-pattern>
-    </servlet-mapping>
-
-    <!-- Send request for the EntityID to the SAML metadata echoing JSP. -->
-    <servlet>
-        <servlet-name>shibboleth_jsp</servlet-name>
-        <jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>shibboleth_jsp</servlet-name>
-        <url-pattern>/shibboleth</url-pattern>
-    </servlet-mapping>
+    <!-- Registers /shibboleth to return metadata file. -->
+    <context-param>
+        <param-name>net.shibboleth.idp.registerMetadataServlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
     
     <!-- Send servlet errors through the IdP's MVC error handling. -->
     <error-page>
@@ -181,11 +54,9 @@
     <session-config>
         <session-timeout>15</session-timeout>
         <cookie-config>
-            <!-- Uncomment to add __Host- protection. -->
-            <!--
+            <!-- Comment name and path to revert __Host- protection. -->
             <name>__Host-JSESSIONID</name>
             <path>/</path>
-            -->
             <secure>true</secure>
             <http-only>true</http-only>
         </cookie-config>
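Review bot: The new comment on `<cookie-config>` says how to revert but not what the now-active `<name>__Host-JSESSIONID</name>` depends on: browsers accept a `__Host-` cookie only when it is Secure, has Path `/`, and carries no Domain attribute. An operator who sets `<secure>` to false for a non-TLS test deployment, or adds a `<domain>`, would get a session cookie that browsers discard, with no error on the server side. I would spell that out, e.g. `<!-- __Host- prefix needs secure=true, path "/", and no domain; comment out name and path to revert. -->`, and mention that the renamed cookie affects anything keyed on the name JSESSIONID, such as load-balancer stickiness rules. The same terse wording appears in the commented-out form introduced under 4.1.7→4.2.1, and the `<session-config>` element closes outside this hunk.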


4.2.1→4.3.1

変更なし


4.1.7→4.2.1

@@ -181,8 +181,13 @@
     <session-config>
         <session-timeout>15</session-timeout>
         <cookie-config>
-            <http-only>true</http-only>
+            <!-- Uncomment to add __Host- protection. -->
+            <!--
+            <name>__Host-JSESSIONID</name>
+            <path>/</path>
+            -->
             <secure>true</secure>
+            <http-only>true</http-only>
         </cookie-config>
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>


4.1.2→4.1.7

変更なし


4.1.0→4.1.2

@@ -179,6 +179,7 @@
     </error-page>
 
     <session-config>
+        <session-timeout>15</session-timeout>
         <cookie-config>
             <http-only>true</http-only>
             <secure>true</secure>
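Review bot: The added `<session-timeout>15</session-timeout>` carries no comment, and the unit is not obvious to someone reading the descriptor. The value is in minutes and governs the container's HTTP session, which is presumably distinct from the IdP's own SSO session lifetime configured elsewhere. A one-line comment above it, such as `<!-- Container session idle timeout, in minutes. -->`, would keep the two from being confused. The `<session-config>` element continues past the end of the hunk.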


4.0.1→4.1.0

@@ -8,7 +8,7 @@
         same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -126,7 +126,7 @@
         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
         <init-param>
             <param-name>contextConfigLocation</param-name>
-            <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
+            <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
         </init-param>
         <init-param>
             <param-name>contextClass</param-name>
@@ -209,7 +209,7 @@
             <http-method-omission>OPTIONS</http-method-omission>
             <http-method-omission>POST</http-method-omission>
         </web-resource-collection>
-        <authn-constraint/>
+        <auth-constraint/>
     </security-constraint>
 
     <!-- Allow any HTTP methods to the API flows. -->


4.0.0→4.0.1

@@ -186,17 +186,30 @@
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>
 
-    <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+    <!-- Allow intended methods by using an absent auth-constraint. -->
     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Non-API Content</web-resource-name>
             <url-pattern>/*</url-pattern>
-            <http-method>PUT</http-method>
-            <http-method>PATCH</http-method>
-            <http-method>DELETE</http-method>
-            <http-method>TRACE</http-method>
+            <http-method>GET</http-method>
+            <http-method>HEAD</http-method>
+            <http-method>OPTIONS</http-method>
+            <http-method>POST</http-method>
         </web-resource-collection>
-        <auth-constraint/>
+        <!-- no auth-constraint tag here -->
+    </security-constraint>
+
+    <!-- Disallow other methods by using an empty auth-constraint. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Non-API Content</web-resource-name>
+            <url-pattern>/*</url-pattern>
+            <http-method-omission>GET</http-method-omission>
+            <http-method-omission>HEAD</http-method-omission>
+            <http-method-omission>OPTIONS</http-method-omission>
+            <http-method-omission>POST</http-method-omission>
+        </web-resource-collection>
+        <authn-constraint/>
     </security-constraint>
 
     <!-- Allow any HTTP methods to the API flows. -->
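Review bot: The deny rule added at the end of this hunk closes with `<authn-constraint/>`, which is not an element of the servlet deployment descriptor; the empty constraint that blocks the omitted methods is spelled `<auth-constraint/>`. Depending on whether the container validates web.xml, the descriptor is either rejected at deploy time or the unknown element is ignored. In the second case the rule carries no auth-constraint at all, so methods other than GET, HEAD, OPTIONS and POST would presumably not be refused. The line should read `<auth-constraint/>`, which is how the 4.0.1→4.1.0 diff on this page later spells it. The comment above the rule could also state the mechanism, e.g. `<!-- Disallow other methods: an empty auth-constraint denies all callers. -->`.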


3.4.8→4.0.0

@@ -8,7 +8,7 @@
         same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -27,6 +27,7 @@
     </listener>
     
     <!-- Filters and filter mappings -->
+    
     <!-- Try and force I18N, probably won't help much. -->
     <filter>
         <filter-name>CharacterEncodingFilter</filter-name>
@@ -40,6 +41,15 @@
             <param-value>true</param-value>
         </init-param>
     </filter>
+    <!-- Automates SameSite handling until Java API catches up. -->
+    <filter>
+        <filter-name>SameSiteCookieFilter</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+        <init-param>
+            <param-name>targetBeanName</param-name>
+            <param-value>shibboleth.SameSiteCookieFilter</param-value>
+        </init-param>
+    </filter>
     <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
     <filter>
         <filter-name>CookieBufferingFilter</filter-name>
@@ -64,6 +74,11 @@
         <filter-name>SLF4JMDCServletFilter</filter-name>
         <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
     </filter>
+    
+    <filter-mapping>
+        <filter-name>SameSiteCookieFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
     <filter-mapping>
         <filter-name>CookieBufferingFilter</filter-name>
         <url-pattern>/profile/admin/*</url-pattern>


3.4.0→3.4.8

@@ -73,9 +73,11 @@
         <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
         <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
         <url-pattern>/profile/cas/login</url-pattern>
     </filter-mapping>
     <filter-mapping>
@@ -86,6 +88,7 @@
         <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
         <url-pattern>/profile/cas/login</url-pattern>
         <url-pattern>/Authn/*</url-pattern>
     </filter-mapping>
@@ -176,7 +179,6 @@
             <http-method>PUT</http-method>
             <http-method>PATCH</http-method>
             <http-method>DELETE</http-method>
-            <http-method>OPTIONS</http-method>
             <http-method>TRACE</http-method>
         </web-resource-collection>
         <auth-constraint/>


3.3.0→3.4.0

@@ -45,6 +45,15 @@
         <filter-name>CookieBufferingFilter</filter-name>
         <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
     </filter>
+    <!-- Allows control of response headers from within Spring beans. -->
+    <filter>
+        <filter-name>DynamicResponseHeaderFilter</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+        <init-param>
+            <param-name>targetBeanName</param-name>
+            <param-value>shibboleth.ResponseHeaderFilter</param-value>
+        </init-param>
+    </filter>
     <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
     <filter>
         <filter-name>RequestResponseContextFilter</filter-name>
@@ -57,6 +66,7 @@
     </filter>
     <filter-mapping>
         <filter-name>CookieBufferingFilter</filter-name>
+        <url-pattern>/profile/admin/*</url-pattern>
         <url-pattern>/profile/Logout</url-pattern>
         <url-pattern>/profile/Shibboleth/SSO</url-pattern>
         <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
@@ -69,6 +79,17 @@
         <url-pattern>/profile/cas/login</url-pattern>
     </filter-mapping>
     <filter-mapping>
+        <filter-name>DynamicResponseHeaderFilter</filter-name>
+        <url-pattern>/profile/admin/*</url-pattern>
+        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -27,6 +27,7 @@
     </listener>
     
     <!-- Filters and filter mappings -->
+    
     <!-- Try and force I18N, probably won't help much. -->
     <filter>
         <filter-name>CharacterEncodingFilter</filter-name>
@@ -40,6 +41,15 @@
             <param-value>true</param-value>
         </init-param>
     </filter>
+    <!-- Automates SameSite handling until Java API catches up. -->
+    <filter>
+        <filter-name>SameSiteCookieFilter</filter-name><url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><url-pattern>/profile/cas/login</url-pattern>
+        <init-param><url-pattern>/Authn/*</url-pattern>
+            <param-name>targetBeanName</param-name></filter-mapping>
+    <filter-mapping>
         <param<filter-value>shibboleth.SameSiteCookieFilter<name>CharacterEncodingFilter</paramfilter-value>name>
+         <url-pattern>/*</initurl-param>pattern>
+     </filter>filter-mapping>
@@ -139,6 +160,14 @@
  <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
  <location>/profile/RaiseError</location>
     </error-page>
 
+    <filter><session-config>
+         <filter-name>CookieBufferingFilter</filter-name>
@@ -64,6 +74,11 @@
<cookie-config>
+            <filter<http-name>SLF4JMDCServletFilter<only>true</filterhttp-name>only>
+         <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
     <<secure>true</filter>secure>
+    
+    <filter</cookie-mapping>config>
+        <filter<tracking-name>SameSiteCookieFilter<mode>COOKIE</filtertracking-name>mode>
+        <url-pattern>/*</urlsession-pattern>config>
+
     </filter-mapping>
     <filter-mapping>
  !-- Block commonly flagged methods by using an empty auth-constraint. -->
       <filter-name>CookieBufferingFilter</filter-name><security-constraint>
         <url-pattern>/profile/admin/*</url-pattern><web-resource-collection>


3.

...

2.

...

1→3.

...

3.

...

0

@@ -738,97 +738,11 @@
         <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
7 @@
         same named beans in <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+previous files. -->
     <context-param>
         <url<param-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
name>contextConfigLocation</param-name>
-         <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
<param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
+         <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
         <url-pattern>/profile/cas/login</url-pattern><param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -52,7 +52,7 @@
     </filter-mapping>filter>
     <filter-mapping>
@@ -86,6 +88,7 @@
 <!-- Manages logging MDC. -->
     <filter>
-        <url<filter-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
name>SL4JMDCServletFilter</filter-name>
+         <url<filter-pattern>/profile/SAML2/POST/SSO</url-pattern>name>SLF4JMDCServletFilter</filter-name>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+<filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
     </filter>
   <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>  <filter-mapping>
@@ -77,14 +77,10 @@
         <url-pattern>/profile/cas/login</*</url-pattern>
         <url-pattern>/Authn/*</urlfilter-pattern>mapping>
     </filter<filter-mapping>
@@ -176,7 +179,6 @@
      <filter-name>SL4JMDCServletFilter</filter-name>
+        <http<filter-method>PUT<name>SLF4JMDCServletFilter</httpfilter-method>name>
         <url-pattern>/*</url-pattern>
     <http-method>PATCH<</httpfilter-method>
             <http-method>DELETE</http-method>mapping>
 
-    <!-- HTTP headers to every response in order to prevent response caching -->
-    <!-- <filter>       <http-method>OPTIONS</http-method>
<filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class> 
-        </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <http-method>TRACE</http-method>
-->
-
     <!-- Servlets and servlet mappings </web-resource-collection>
>    
     <auth-constraint/>

3.3.0→3.4.0

@@ -45,6 +45,15 @@<servlet>
         <filter<servlet-name>CookieBufferingFilter<name>idp</filterservlet-name>
@@         <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>-136,6 +132,35 @@
     </filter>
+    <!-- Allows control of response headers from within Spring beans. -->
+    <filter><servlet-name>shibboleth_jsp</servlet-name>
         <url-pattern>/shibboleth</url-pattern>
     </servlet-mapping>
+    
+    <filter<!-name>DynamicResponseHeaderFilter</filter-name>
+ Send servlet errors through    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+        <init-param>the IdP's MVC error handling. -->
+    <error-page>
+        <param-name>targetBeanName</param-name><exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
+        <location>/profile/RaiseError</location>
+    <param-value>shibboleth.ResponseHeaderFilter</param-value></error-page>
+
+    <!-- Block commonly  </init-param>
+    </filter>
flagged methods by using an empty auth-constraint. -->
+     <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
<security-constraint>
+        <web-resource-collection>
+     <filter>
         <filter-name>RequestResponseContextFilter</filter<web-resource-name>Non-API Content</web-resource-name>
@@ -57,6 +66,7 @@
+            <url-pattern>/*</filter>url-pattern>
+     <filter-mapping>
         <filter<http-name>CookieBufferingFilter<method>PUT</filterhttp-name>method>
+        <url-pattern>/profile/admin/*</url-pattern>
    <http-method>PATCH</http-method>
+            <url<http-pattern>/profile/Logout</url-pattern>
method>DELETE</http-method>
+            <url<http-pattern>/profile/Shibboleth/SSO</url-pattern>
method>OPTIONS</http-method>
+          <url  <http-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
@@ -69,6 +79,17 @@
method>TRACE</http-method>
+        </web-resource-collection>
+         <url-pattern>/profile/cas/login</url-pattern>
 <auth-constraint/>
+    </filtersecurity-mapping>constraint>
+
+     <filter-mapping>
+        <filter-name>DynamicResponseHeaderFilter</filter-name><!-- Allow any HTTP methods to the API flows. -->
+        <url-pattern>/profile/admin/*</url-pattern><security-constraint>
+        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
+<web-resource-collection>
+          <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
+  <web-resource-name>Administrative APIs</web-resource-name>
+            <url-pattern>/profile/SAML2/Redirect/SSO<admin/*</url-pattern>
+        <url-pattern>/profile/SAML2/POST/SSO</url-pattern></web-resource-collection>
+        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern><!-- no auth-constraint tag here -->
+    </security-constraint>
 
     <url-pattern>/profile/cas/login</url-pattern>
+        <url-pattern>/Authn/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
<!--
     Uncomment to use container managed authentication. The new servlet spec (3.1)
@@ -150,7 +175,6 @@
             <filter-name>CharacterEncodingFilter</filter<web-resource-name>user authentication</web-resource-name>
             <url-pattern>/*<Authn/RemoteUser</url-pattern>
     </filter-mapping>
@@ -139,6 +160,14 @@
         <location><url-pattern>/profile/SAML2/SOAP/RaiseError<ECP</location>
url-pattern>
-            <<http-method>GET</errorhttp-page>method>
 
+    <session-config>
+        <cookie-config>
+<http-method>POST</http-method> 
         </web-resource-collection>
    <http-only>true</http-only>
+          <auth-constraint>


3.1.2→3.2.1

@@ -8,12 +8,12 @@
       <secure>true</secure>
+  same named beans in previous files. </cookie--config>>
+        <tracking-mode>COOKIE</tracking-mode>
+<context-param>
    </session-config>
+
     <!-<param-name>contextConfigLocation</param-name>
- Block commonly flagged methods by using an empty auth-constraint. -->
     <security-constraint>
<param-value>${idp.home}/system/conf/global-system.xml</param-value>
+         <web-resource-collection>

3.2.1→3.3.0

@@ -8,7 +8,7 @@<param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
         same named beans in previous files. --></context-param>
     
     <context-param>
         <param-name>contextConfigLocation<name>contextClass</param-name>
-        <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
+value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value>
+        <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
     </context-param>
     
     <context-param>
@@ -45,24 +45,6 @@
         <param<filter-value>classpath*:name>CookieBufferingFilter</META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>filter-name>
         <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
     </context-param>
     
     <context-param>
@@ -52,7 +52,7 @@
filter>
-    <!-- Automates the unpack and pack of the cookie-based storage model. -->
-    <filter>
-        </filter>
<filter-name>ClientSessionStorageServiceFilter</filter-name>
-     <!-- Manages logging MDC. -->
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-     <filter>
-        <filter<param-name>SL4JMDCServletFilter<name>targetBeanName</filterparam-name>
+-            <filter<param-name>SLF4JMDCServletFilter<value>shibboleth.ClientSessionStorageService</filterparam-name>value>
-         <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
</init-param>
-     </filter>
-     <filter-mapping>
@@ -77,14 +77,10 @@
         <url-pattern>/*</url-pattern>
     </filter-mapping>
     <filter-mapping><!-- Automates the unpack and pack of the cookie-based storage model. -->
-    <filter>
-        <filter-name>SL4JMDCServletFilter<name>ClientPersistentStorageServiceFilter</filter-name>
+-        <filter-name>SLF4JMDCServletFilter<class>org.springframework.web.filter.DelegatingFilterProxy</filter-name>class>
-         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
-<init-param>
-     <!-- HTTP headers to every response in order to prevent response caching -->
- <param-name>targetBeanName</param-name>
-         <!-- <filter> <filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class>  <param-value>shibboleth.ClientPersistentStorageService</param-value>
-        </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -->
-
init-param>
-    </filter>
     <!-- ServletsAutomates andTLS-based servletpropagation mappings -->    of HttpServletRequest/Response into beans. -->
     <servlet><filter>
         <servlet<filter-name>idp<name>RequestResponseContextFilter</servletfilter-name>
@@ -13687,628 +13269,356 @@
         <servlet-name>shibboleth_jsp</servlet-name><url-pattern>/profile/cas/login</url-pattern>
         <url-pattern>/shibboleth</url-pattern></filter-mapping>
     </servlet<filter-mapping>
+-    
+    <!-<filter-name>ClientSessionStorageServiceFilter</filter-name>
- Send  servlet errors through the IdP's MVC error handling. -->
+ <url-pattern>/profile/Logout</url-pattern>
-        <error-page>
+<url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
+<url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <location><url-pattern>/profile/SAML2/Redirect/RaiseError<SSO</location>url-pattern>
+-    </error-page>
+
+    <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+    <security-constraint>
+<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
-        <web-resource-collection>
+<url-pattern>/profile/SAML2/POST/SLO</url-pattern>
-            <web-resource-name>Non-API Content</web-resource-name>
+  <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
-          <url-pattern>/*<profile/cas/login</url-pattern>
+
-    </filter-mapping>
-    <filter-mapping>
-        <http<filter-method>PUT<name>ClientPersistentStorageServiceFilter</httpfilter-method>name>
+-            <http-method>PATCH</http-method>
+<url-pattern>/profile/Shibboleth/SSO</url-pattern>
-            <http-method>DELETE</http-method>
+   <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-         <http-method>OPTIONS</http-method>
+<url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-            <http-method>TRACE</http-method>
+<url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        </web-resource-collection>
+<url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <auth-constraint/>
+    </security-constraint>
+
+    <!-- Allow any HTTP methods to the API flows. -->
+<url-pattern>/profile/cas/login</url-pattern>
-    </filter-mapping>
-    <security<filter-constraint>mapping>
+         <web<filter-resourcename>CharacterEncodingFilter</filter-collection>name>
+         <url-pattern>/*</url-pattern>
    <web-resource-name>Administrative APIs<</webfilter-resource-name>mapping>
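Review bot: The constraint under `<!-- Block commonly flagged methods by using an empty auth-constraint. -->` is a deny list naming only PUT, PATCH, DELETE, OPTIONS and TRACE, so any other method the container accepts on that pattern stays uncovered. An allow list is the more robust form: replace the five `<http-method>` entries with `<http-method-omission>GET</http-method-omission>` and `<http-method-omission>POST</http-method-omission>`, plus HEAD if the deployment needs it. The separate collection for the administrative API paths has no auth-constraint, so its comment should state that access there is decided by the IdP's own access control rather than by the container. Old and new text are interleaved in this rendering, so which side each line belongs to is inferred.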
+@@ -131,11 +91,11 @@
         <url-pattern>/profile/admin/*</url-pattern>
+<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
         </web-resource-collection>
+<init-param>
        <!-- no auth-constraint tag here <param-name>contextConfigLocation</param->
+name>
-       </security-constraint>
 
     <!--
     Uncomment to use container managed authentication. The new servlet spec (3.1)
@@ -150,7 +175,6 @@<param-value>${idp.home}/system/conf/mvc-beans.xml ${idp.home}/system/conf/webflow-config.xml</param-value>
+            <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
             <web-resource-name>user authentication</web-resource-name>
    </init-param>
         <url-pattern>/Authn/RemoteUser</url-pattern>  <init-param>
             <url<param-pattern>/profile/SAML2/SOAP/ECP</url-pattern>name>contextClass</param-name>
-            <http-method>GET</http-method>
<param-value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value>
+             <http-method>POST</http-method> <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
         </webinit-resource-collection>param>
         <auth-constraint><load-on-startup>1</load-on-startup>
     </servlet>