meatwiki メンテナンスのお知らせ

システムメンテナンスのため、7/20(土) 09:00-17:00 は、本Wikiをご利用いただけません。ご不便をおかけいたしますが、ご理解の程、よろしくお願いいたします。

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

目次

4.3.1→5.0.0

コード ブロック
languagediff
@@ -4,173 +4,46 @@
  
     <display-name>Shibboleth Identity Provider</display-name>
 
-    <!-- Spring application context files. Files are loaded in the order they appear with subsequent files overwriting 
-        same named beans in previous files. -->
+    <!--
+    The context parameters below control V5+ auto-registration support.
+    Those desiring complete control over all of these steps can disable them
+    but this is not generally recommended, apart from toggling the optional
+    servlets that may not be needed.
+    -->
+
+    <!-- Registers Spring support. -->
     <context-param>
-        <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-name>net.shibboleth.idp.registerSpringConfig</param-name>
+        <param-value>true</param-value>
     </context-param>
-    
+
+    <!-- Auto-registers Java filter chain required by IdP. -->
     <context-param>
-        <param-name>contextClass</param-name>
-        <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
+        <param-name>net.shibboleth.idp.registerFilterChain</param-name>
+        <param-value>true</param-value>
     </context-param>
-    
+
+    <!-- Auto-registers IdP dispatcher servlet. -->
     <context-param>
-        <param-name>contextInitializerClasses</param-name>
-        <param-value>net.shibboleth.idp.spring.IdPPropertiesApplicationContextInitializer</param-value>
+        <param-name>net.shibboleth.idp.registerIdPServlet</param-name>
+        <param-value>true</param-value>
     </context-param>
-
-    <!-- Spring listener used to load up the configuration -->
-    <listener>
-        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
-    </listener>
     
-    <!-- Filters and filter mappings -->
-    
-    <!-- Try and force I18N, probably won't help much. -->
-    <filter>
-        <filter-name>CharacterEncodingFilter</filter-name>
-        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
-        <init-param>
-            <param-name>encoding</param-name>
-            <param-value>UTF-8</param-value>
-        </init-param>
-        <init-param>
-            <param-name>forceEncoding</param-name>
-            <param-value>true</param-value>
-        </init-param>
-    </filter>
-    <!-- Automates SameSite handling until Java API catches up. -->
-    <filter>
-        <filter-name>SameSiteCookieFilter</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-            <param-name>targetBeanName</param-name>
-            <param-value>shibboleth.SameSiteCookieFilter</param-value>
-        </init-param>
-    </filter>
-    <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
-    <filter>
-        <filter-name>CookieBufferingFilter</filter-name>
-        <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
-    </filter>
-    <!-- Allows control of response headers from within Spring beans. -->
-    <filter>
-        <filter-name>DynamicResponseHeaderFilter</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-            <param-name>targetBeanName</param-name>
-            <param-value>shibboleth.ResponseHeaderFilter</param-value>
-        </init-param>
-    </filter>
-    <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
-    <filter>
-        <filter-name>RequestResponseContextFilter</filter-name>
-        <filter-class>net.shibboleth.utilities.java.support.net.RequestResponseContextFilter</filter-class>
-    </filter>
-    <!-- Manages logging MDC. -->
-    <filter>
-        <filter-name>SLF4JMDCServletFilter</filter-name>
-        <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
-    </filter>
+    <!-- Registers optional servlets used for RemoteUser and X509 login flows. -->
+    <context-param>
+        <param-name>net.shibboleth.idp.registerRemoteUserServlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <context-param>
+        <param-name>net.shibboleth.idp.registerX509Servlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
     
-    <filter-mapping>
-        <filter-name>SameSiteCookieFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>CookieBufferingFilter</filter-name>
-        <url-pattern>/profile/admin/*</url-pattern>
-        <url-pattern>/profile/Logout</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>DynamicResponseHeaderFilter</filter-name>
-        <url-pattern>/profile/admin/*</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-        <url-pattern>/Authn/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>CharacterEncodingFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>RequestResponseContextFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>SLF4JMDCServletFilter</filter-name>
-        <url-pattern>/*</url-pattern>
-    </filter-mapping>
-
-    <!-- Servlets and servlet mappings -->    
-    <servlet>
-        <servlet-name>idp</servlet-name>
-        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
-        <init-param>
-            <param-name>contextConfigLocation</param-name>
-            <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
-        </init-param>
-        <init-param>
-            <param-name>contextClass</param-name>
-            <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
-        </init-param>
-        <load-on-startup>1</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>idp</servlet-name>
-        <url-pattern>/status</url-pattern>
-        <url-pattern>/profile/*</url-pattern>
-    </servlet-mapping>
-
-    <!-- Servlet protected by container used for RemoteUser authentication -->
-    <servlet>
-        <servlet-name>RemoteUserAuthHandler</servlet-name>
-        <servlet-class>net.shibboleth.idp.authn.impl.RemoteUserAuthServlet</servlet-class>
-        <load-on-startup>2</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>RemoteUserAuthHandler</servlet-name>
-        <url-pattern>/Authn/RemoteUser</url-pattern>
-    </servlet-mapping>
-
-    <!-- Servlet protected by container used for X.509 authentication -->
-    <servlet>
-        <servlet-name>X509AuthHandler</servlet-name>
-        <servlet-class>net.shibboleth.idp.authn.impl.X509AuthServlet</servlet-class>
-        <load-on-startup>3</load-on-startup>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>X509AuthHandler</servlet-name>
-        <url-pattern>/Authn/X509</url-pattern>
-    </servlet-mapping>
-
-    <!-- Send request for the EntityID to the SAML metadata echoing JSP. -->
-    <servlet>
-        <servlet-name>shibboleth_jsp</servlet-name>
-        <jsp-file>/WEB-INF/jsp/metadata.jsp</jsp-file>
-    </servlet>
-    <servlet-mapping>
-        <servlet-name>shibboleth_jsp</servlet-name>
-        <url-pattern>/shibboleth</url-pattern>
-    </servlet-mapping>
+    <!-- Registers /shibboleth to return metadata file. -->
+    <context-param>
+        <param-name>net.shibboleth.idp.registerMetadataServlet</param-name>
+        <param-value>true</param-value>
+    </context-param>
     
     <!-- Send servlet errors through the IdP's MVC error handling. -->
     <error-page>
@@ -181,11 +54,9 @@
     <session-config>
         <session-timeout>15</session-timeout>
         <cookie-config>
-            <!-- Uncomment to add __Host- protection. -->
-            <!--
+            <!-- Comment name and path to revert __Host- protection. -->
             <name>__Host-JSESSIONID</name>
             <path>/</path>
-            -->
             <secure>true</secure>
             <http-only>true</http-only>
         </cookie-config>


4.2.1→4.3.1

変更なし


4.1.7→4.2.1

コード ブロック
languagediff
@@ -181,8 +181,13 @@
     <session-config>
         <session-timeout>15</session-timeout>
         <cookie-config>
-            <http-only>true</http-only>
+            <!-- Uncomment to add __Host- protection. -->
+            <!--
+            <name>__Host-JSESSIONID</name>
+            <path>/</path>
+            -->
             <secure>true</secure>
+            <http-only>true</http-only>
         </cookie-config>
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>

...