Back out changed related to resource backed metadata provider
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 6 Oct 2008 07:13:03 +0000 (07:13 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Mon, 6 Oct 2008 07:13:03 +0000 (07:13 +0000)
Update README to note known metadata provider memory leak issue

git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/branches/REL_2@2777 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

doc/README.txt
doc/RELEASE-NOTES.txt
src/installer/resources/conf-tmpl/relying-party.xml
src/main/java/edu/internet2/middleware/shibboleth/idp/config/profile/SAMLMetadataHandlerBeanDefinitionParser.java
src/main/java/edu/internet2/middleware/shibboleth/idp/profile/SAMLMetadataProfileHandler.java

index 365ea0b..ecd43e5 100644 (file)
@@ -19,6 +19,16 @@ Bug Tracker:
 https://bugs.internet2.edu/jira
 
 
+Known Issues
+====================
+There is an issue that is causing old metadata to be kept in memory (i.e. a memory leak).  This is being 
+looked in to, but while present, no site has yet reported this to be a cause of an error (i.e out of 
+memory exceptions).  Therefore, given the need to release a fix in order to address the security
+vulnerability found in 2.0.0 it was decided to make this release even with this known bug.  Sites can 
+mitigate this by using Entity Role White List metadata filter to ensure that at least the IdP isn't caching 
+information (IdP entity descriptors) that it doesn't need.  And, while less than optimal, this can be 
+addressed by periodic restarts of the IdP.
+
 
 Upgrading 
 ====================
index 191f2bc..2f8d189 100644 (file)
@@ -1,6 +1,5 @@
 Changes in Release 2.1.0
 =============================================
-
 [SIDP-20] - Cannot deploy on Windows. Spring and DOS device names?
 [SIDP-164] - Option to make session cookie secure
 [SIDP-165] - Support for SessionNotOnOrAfter
index f84dabe..565bacf 100644 (file)
         </MetadataProvider>
         
         <!-- Example metadata provider. -->
-        <!-- Reads metadata from a URL and store a backup copy on the file system.  Caches data for a max of 8 hours -->
+        <!-- Reads metadata from a URL and store a backup copy on the file system. -->
         <!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
-        <!-- ------------- -->
-        <!-- To use: fill in 'url' and 'file' properties on MetadataResource element -->
+        <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
         <!--
-        <MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" 
-                          maxCacheDuration="28800">
-               <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
-                               <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
-                                               trustEngineRef="shibboleth.MetadataTrustEngine"
-                                               requireSignedMetadata="true" />
+        <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata" 
+                          metadataURL="http://example.org/metadata.xml"
+                          backingFile="/tmp/idp-metadata.xml">
+            <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
+                <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
+                                trustEngineRef="shibboleth.MetadataTrustEngine"
+                                requireSignedMetadata="true" />
                    <MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
-                                       <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
-                               </MetadataFilter>
-                       </MetadataFilter>
-                       
-            <MetadataResource xsi:type="FileBackedHttpResource"
-                              url="http://example.org/my/metadata/file.xml"
-                              file="$IDP_HOME$/metadata/some-file.xml" />
+                    <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
+                </MetadataFilter>
+            </MetadataFilter>
         </MetadataProvider>
-               -->
+        -->
         
     </MetadataProvider>
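Review bot: The rewritten `To use:` comment still tells the administrator to fill in the properties "on MetadataResource element", but the new example has no such element any more — `metadataURL` and `backingFile` are attributes of the `MetadataProvider` element itself, so the comment should read `<!-- To use: fill in 'metadataURL' and 'backingFile' attributes on the MetadataProvider element -->`. The new example also points the cached copy at `backingFile="/tmp/idp-metadata.xml"`, a shared world-writable directory; for a shipped template a location under the IdP's own tree, as the removed example used (`$IDP_HOME$/metadata/...`), keeps the file away from other local users and from tmp cleanup. Since `requireSignedMetadata="true"` is kept, a tampered backing file would presumably be rejected at signature validation rather than trusted, but whether the provider can recover from a deleted backing file at startup is not visible in this hunk.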
 
index e8dc91d..7c0c451 100644 (file)
@@ -18,7 +18,9 @@ package edu.internet2.middleware.shibboleth.idp.config.profile;
 
 import javax.xml.namespace.QName;
 
+import org.opensaml.xml.util.DatatypeHelper;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.xml.ParserContext;
 import org.w3c.dom.Element;
 
 import edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser;
@@ -36,11 +38,16 @@ public class SAMLMetadataHandlerBeanDefinitionParser extends AbstractRequestURIM
     }
 
     /** {@inheritDoc} */
-    protected void doParse(Element config, BeanDefinitionBuilder builder) {
+    protected void doParse(Element config, ParserContext parserContext, BeanDefinitionBuilder builder) {
         super.doParse(config, builder);
 
         builder.addConstructorArgValue(config.getAttributeNS(null, "metadataFile"));
-        builder.addConstructorArgReference(config.getAttributeNS(null, "parserPoolRef"));
+
+        String parserPoolRef = DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null, "parserPoolRef"));
+        if (parserPoolRef == null) {
+            parserPoolRef = "shibboleth.ParserPool";
+        }
+        builder.addConstructorArgReference(parserPoolRef);
     }
 
     /** {@inheritDoc} */
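Review bot: The `metadataFile` attribute two lines above the new block is still passed through untrimmed and unchecked, while `parserPoolRef` now gets `DatatypeHelper.safeTrimOrNullString` and a default; a missing or blank attribute therefore reaches the handler constructor as an empty string and, as far as the next file section shows, presumably only fails when the metadata provider is initialized. For consistency and an earlier, clearer error, trim it the same way and reject it at parse time: `String metadataFile = DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null, "metadataFile"));` / `if (metadataFile == null) { throw new IllegalArgumentException("metadataFile attribute is required on the metadata handler"); }` / `builder.addConstructorArgValue(metadataFile);`. The literal `"shibboleth.ParserPool"` would read better as a `private static final String DEFAULT_PARSER_POOL_REF` constant, and since the method carries only `{@inheritDoc}`, the silent fallback deserves a sentence in the Javadoc, e.g. `Falls back to the "shibboleth.ParserPool" bean when no parserPoolRef attribute is given.`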
index b6001bb..070caff 100644 (file)
 
 package edu.internet2.middleware.shibboleth.idp.profile;
 
+import java.io.File;
 import java.io.OutputStreamWriter;
 
 import org.opensaml.Configuration;
-import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
-import org.opensaml.util.resource.FilesystemResource;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
 import org.opensaml.ws.transport.InTransport;
 import org.opensaml.ws.transport.OutTransport;
 import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
@@ -45,7 +45,7 @@ public class SAMLMetadataProfileHandler extends AbstractRequestURIMappedProfileH
     private final Logger log = LoggerFactory.getLogger(SAMLMetadataProfileHandler.class);
 
     /** Metadata provider. */
-    private ResourceBackedMetadataProvider metadataProvider;
+    private FilesystemMetadataProvider metadataProvider;
 
     /**
      * Constructor.
@@ -55,7 +55,7 @@ public class SAMLMetadataProfileHandler extends AbstractRequestURIMappedProfileH
      */
     public SAMLMetadataProfileHandler(String metadataFile, ParserPool pool) {
         try {
-            metadataProvider = new ResourceBackedMetadataProvider(new FilesystemResource(metadataFile));
+            metadataProvider = new FilesystemMetadataProvider(new File(metadataFile));
             metadataProvider.setParserPool(pool);
             metadataProvider.setMaintainExpiredMetadata(true);
             metadataProvider.initialize();