Skip to end of metadata
Go to start of metadata

4.1.0→4.1.2

@@ -179,6 +179,7 @@
     </error-page>
 
     <session-config>
+        <session-timeout>15</session-timeout>
         <cookie-config>
             <http-only>true</http-only>
             <secure>true</secure>


4.0.1→4.1.0

@@ -8,7 +8,7 @@
         same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,classpath:/net/shibboleth/idp/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -126,7 +126,7 @@
         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
         <init-param>
             <param-name>contextConfigLocation</param-name>
-            <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
+            <param-value>classpath*:/META-INF/net/shibboleth/idp/mvc/preconfig.xml,classpath:/net/shibboleth/idp/conf/mvc-beans.xml,classpath:/net/shibboleth/idp/conf/webflow-config.xml,classpath*:/META-INF/net/shibboleth/idp/mvc/postconfig.xml</param-value>
         </init-param>
         <init-param>
             <param-name>contextClass</param-name>
@@ -209,7 +209,7 @@
             <http-method-omission>OPTIONS</http-method-omission>
             <http-method-omission>POST</http-method-omission>
         </web-resource-collection>
-        <authn-constraint/>
+        <auth-constraint/>
     </security-constraint>
 
     <!-- Allow any HTTP methods to the API flows. -->


4.0.0→4.0.1

@@ -186,17 +186,30 @@
         <tracking-mode>COOKIE</tracking-mode>
     </session-config>
 
-    <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+    <!-- Allow intended methods by using an absent auth-constraint. -->
     <security-constraint>
         <web-resource-collection>
             <web-resource-name>Non-API Content</web-resource-name>
             <url-pattern>/*</url-pattern>
-            <http-method>PUT</http-method>
-            <http-method>PATCH</http-method>
-            <http-method>DELETE</http-method>
-            <http-method>TRACE</http-method>
+            <http-method>GET</http-method>
+            <http-method>HEAD</http-method>
+            <http-method>OPTIONS</http-method>
+            <http-method>POST</http-method>
         </web-resource-collection>
-        <auth-constraint/>
+        <!-- no auth-constraint tag here -->
+    </security-constraint>
+
+    <!-- Disallow other methods by using an empty auth-constraint. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Non-API Content</web-resource-name>
+            <url-pattern>/*</url-pattern>
+            <http-method-omission>GET</http-method-omission>
+            <http-method-omission>HEAD</http-method-omission>
+            <http-method-omission>OPTIONS</http-method-omission>
+            <http-method-omission>POST</http-method-omission>
+        </web-resource-collection>
+        <authn-constraint/>
     </security-constraint>
 
     <!-- Allow any HTTP methods to the API flows. -->


3.4.8→4.0.0

@@ -8,7 +8,7 @@
         same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
-        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
+        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -27,6 +27,7 @@
     </listener>
     
     <!-- Filters and filter mappings -->
+    
     <!-- Try and force I18N, probably won't help much. -->
     <filter>
         <filter-name>CharacterEncodingFilter</filter-name>
@@ -40,6 +41,15 @@
             <param-value>true</param-value>
         </init-param>
     </filter>
+    <!-- Automates SameSite handling until Java API catches up. -->
+    <filter>
+        <filter-name>SameSiteCookieFilter</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+        <init-param>
+            <param-name>targetBeanName</param-name>
+            <param-value>shibboleth.SameSiteCookieFilter</param-value>
+        </init-param>
+    </filter>
     <!-- Lets us lump repeated Set-Cookie headers into one, something containers rarely support. -->
     <filter>
         <filter-name>CookieBufferingFilter</filter-name>
@@ -64,6 +74,11 @@
         <filter-name>SLF4JMDCServletFilter</filter-name>
         <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
     </filter>
+    
+    <filter-mapping>
+        <filter-name>SameSiteCookieFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
     <filter-mapping>
         <filter-name>CookieBufferingFilter</filter-name>
         <url-pattern>/profile/admin/*</url-pattern>


3.4.0→3.4.8

@@ -73,9 +73,11 @@
         <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
         <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SLO</url-pattern>
         <url-pattern>/profile/cas/login</url-pattern>
     </filter-mapping>
     <filter-mapping>
@@ -86,6 +88,7 @@
         <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
         <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Artifact/SSO</url-pattern>
         <url-pattern>/profile/cas/login</url-pattern>
         <url-pattern>/Authn/*</url-pattern>
     </filter-mapping>
@@ -176,7 +179,6 @@
             <http-method>PUT</http-method>
             <http-method>PATCH</http-method>
             <http-method>DELETE</http-method>
-            <http-method>OPTIONS</http-method>
             <http-method>TRACE</http-method>
         </web-resource-collection>
         <auth-constraint/>


3.3.0→3.4.0

@@ -45,6 +45,15 @@
         <filter-name>CookieBufferingFilter</filter-name>
         <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
     </filter>
+    <!-- Allows control of response headers from within Spring beans. -->
+    <filter>
+        <filter-name>DynamicResponseHeaderFilter</filter-name>
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+        <init-param>
+            <param-name>targetBeanName</param-name>
+            <param-value>shibboleth.ResponseHeaderFilter</param-value>
+        </init-param>
+    </filter>
     <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
     <filter>
         <filter-name>RequestResponseContextFilter</filter-name>
@@ -57,6 +66,7 @@
     </filter>
     <filter-mapping>
         <filter-name>CookieBufferingFilter</filter-name>
+        <url-pattern>/profile/admin/*</url-pattern>
         <url-pattern>/profile/Logout</url-pattern>
         <url-pattern>/profile/Shibboleth/SSO</url-pattern>
         <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
@@ -69,6 +79,17 @@
         <url-pattern>/profile/cas/login</url-pattern>
     </filter-mapping>
     <filter-mapping>
+        <filter-name>DynamicResponseHeaderFilter</filter-name>
+        <url-pattern>/profile/admin/*</url-pattern>
+        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
+        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
+        <url-pattern>/profile/cas/login</url-pattern>
+        <url-pattern>/Authn/*</url-pattern>
+    </filter-mapping>
+    <filter-mapping>
         <filter-name>CharacterEncodingFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
@@ -139,6 +160,14 @@
         <location>/profile/RaiseError</location>
     </error-page>
 
+    <session-config>
+        <cookie-config>
+            <http-only>true</http-only>
+            <secure>true</secure>
+        </cookie-config>
+        <tracking-mode>COOKIE</tracking-mode>
+    </session-config>
+
     <!-- Block commonly flagged methods by using an empty auth-constraint. -->
     <security-constraint>
         <web-resource-collection>


3.2.1→3.3.0

@@ -8,7 +8,7 @@
         same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
-        <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
+        <param-value>classpath*:/META-INF/net.shibboleth.idp/preconfig.xml,${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml,classpath*:/META-INF/net.shibboleth.idp/postconfig.xml</param-value>
     </context-param>
     
     <context-param>
@@ -52,7 +52,7 @@
     </filter>
     <!-- Manages logging MDC. -->
     <filter>
-        <filter-name>SL4JMDCServletFilter</filter-name>
+        <filter-name>SLF4JMDCServletFilter</filter-name>
         <filter-class>net.shibboleth.idp.log.SLF4JMDCServletFilter</filter-class>
     </filter>
     <filter-mapping>
@@ -77,14 +77,10 @@
         <url-pattern>/*</url-pattern>
     </filter-mapping>
     <filter-mapping>
-        <filter-name>SL4JMDCServletFilter</filter-name>
+        <filter-name>SLF4JMDCServletFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
 
-    <!-- HTTP headers to every response in order to prevent response caching -->
-    <!-- <filter> <filter-name>IdPNoCacheFilter</filter-name> <filter-class>edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter</filter-class> 
-        </filter> <filter-mapping> <filter-name>IdPNoCacheFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> -->
-
     <!-- Servlets and servlet mappings -->    
     <servlet>
         <servlet-name>idp</servlet-name>
@@ -136,6 +132,35 @@
         <servlet-name>shibboleth_jsp</servlet-name>
         <url-pattern>/shibboleth</url-pattern>
     </servlet-mapping>
+    
+    <!-- Send servlet errors through the IdP's MVC error handling. -->
+    <error-page>
+        <exception-type>net.shibboleth.idp.authn.ExternalAuthenticationException</exception-type>
+        <location>/profile/RaiseError</location>
+    </error-page>
+
+    <!-- Block commonly flagged methods by using an empty auth-constraint. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Non-API Content</web-resource-name>
+            <url-pattern>/*</url-pattern>
+            <http-method>PUT</http-method>
+            <http-method>PATCH</http-method>
+            <http-method>DELETE</http-method>
+            <http-method>OPTIONS</http-method>
+            <http-method>TRACE</http-method>
+        </web-resource-collection>
+        <auth-constraint/>
+    </security-constraint>
+
+    <!-- Allow any HTTP methods to the API flows. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Administrative APIs</web-resource-name>
+            <url-pattern>/profile/admin/*</url-pattern>
+        </web-resource-collection>
+        <!-- no auth-constraint tag here -->
+    </security-constraint>
 
     <!--
     Uncomment to use container managed authentication. The new servlet spec (3.1)
@@ -150,7 +175,6 @@
             <web-resource-name>user authentication</web-resource-name>
             <url-pattern>/Authn/RemoteUser</url-pattern>
             <url-pattern>/profile/SAML2/SOAP/ECP</url-pattern>
-            <http-method>GET</http-method>
             <http-method>POST</http-method> 
         </web-resource-collection>
         <auth-constraint>


3.1.2→3.2.1

@@ -8,12 +8,12 @@
         same named beans in previous files. -->
     <context-param>
         <param-name>contextConfigLocation</param-name>
-        <param-value>${idp.home}/system/conf/global-system.xml</param-value>
+        <param-value>${idp.home}/system/conf/global-system.xml,classpath*:/META-INF/net.shibboleth.idp/config.xml</param-value>
     </context-param>
     
     <context-param>
         <param-name>contextClass</param-name>
-        <param-value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value>
+        <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
     </context-param>
     
     <context-param>
@@ -45,24 +45,6 @@
         <filter-name>CookieBufferingFilter</filter-name>
         <filter-class>net.shibboleth.utilities.java.support.net.CookieBufferingFilter</filter-class>
     </filter>
-    <!-- Automates the unpack and pack of the cookie-based storage model. -->
-    <filter>
-        <filter-name>ClientSessionStorageServiceFilter</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-            <param-name>targetBeanName</param-name>
-            <param-value>shibboleth.ClientSessionStorageService</param-value>
-        </init-param>
-    </filter>
-    <!-- Automates the unpack and pack of the cookie-based storage model. -->
-    <filter>
-        <filter-name>ClientPersistentStorageServiceFilter</filter-name>
-        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        <init-param>
-            <param-name>targetBeanName</param-name>
-            <param-value>shibboleth.ClientPersistentStorageService</param-value>
-        </init-param>
-    </filter>
     <!-- Automates TLS-based propagation of HttpServletRequest/Response into beans. -->
     <filter>
         <filter-name>RequestResponseContextFilter</filter-name>
@@ -87,28 +69,6 @@
         <url-pattern>/profile/cas/login</url-pattern>
     </filter-mapping>
     <filter-mapping>
-        <filter-name>ClientSessionStorageServiceFilter</filter-name>
-        <url-pattern>/profile/Logout</url-pattern>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SLO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SLO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
-        <filter-name>ClientPersistentStorageServiceFilter</filter-name>
-        <url-pattern>/profile/Shibboleth/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Unsolicited/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/Redirect/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST/SSO</url-pattern>
-        <url-pattern>/profile/SAML2/POST-SimpleSign/SSO</url-pattern>
-        <url-pattern>/profile/cas/login</url-pattern>
-    </filter-mapping>
-    <filter-mapping>
         <filter-name>CharacterEncodingFilter</filter-name>
         <url-pattern>/*</url-pattern>
     </filter-mapping>
@@ -131,11 +91,11 @@
         <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
         <init-param>
             <param-name>contextConfigLocation</param-name>
-            <param-value>${idp.home}/system/conf/mvc-beans.xml ${idp.home}/system/conf/webflow-config.xml</param-value>
+            <param-value>${idp.home}/system/conf/mvc-beans.xml, ${idp.home}/system/conf/webflow-config.xml</param-value>
         </init-param>
         <init-param>
             <param-name>contextClass</param-name>
-            <param-value>net.shibboleth.ext.spring.context.DeferPlaceholderFileSystemXmlWebApplicationContext</param-value>
+            <param-value>net.shibboleth.ext.spring.context.DelimiterAwareApplicationContext</param-value>
         </init-param>
         <load-on-startup>1</load-on-startup>
     </servlet>
  • No labels