https://bugs.internet2.edu/jira
+Known Issues
+====================
+There is an issue that is causing old metadata to be kept in memory (i.e. a memory leak). This is being
+looked in to, but while present, no site has yet reported this to be a cause of an error (i.e out of
+memory exceptions). Therefore, given the need to release a fix in order to address the security
+vulnerability found in 2.0.0 it was decided to make this release even with this known bug. Sites can
+mitigate this by using Entity Role White List metadata filter to ensure that at least the IdP isn't caching
+information (IdP entity descriptors) that it doesn't need. And, while less than optimal, this can be
+addressed by periodic restarts of the IdP.
+
Upgrading
====================
Changes in Release 2.1.0
=============================================
-
[SIDP-20] - Cannot deploy on Windows. Spring and DOS device names?
[SIDP-164] - Option to make session cookie secure
[SIDP-165] - Support for SessionNotOnOrAfter
</MetadataProvider>
<!-- Example metadata provider. -->
- <!-- Reads metadata from a URL and store a backup copy on the file system. Caches data for a max of 8 hours -->
+ <!-- Reads metadata from a URL and store a backup copy on the file system. -->
<!-- Validates the signature of the metadata and filters out all by SP entities in order to save memory -->
- <!-- ------------- -->
- <!-- To use: fill in 'url' and 'file' properties on MetadataResource element -->
+ <!-- To use: fill in 'metadataURL' and 'backingFile' properties on MetadataResource element -->
<!--
- <MetadataProvider id="IdPMD" xsi:type="ResourceBackedMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
- maxCacheDuration="28800">
- <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
- <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
- trustEngineRef="shibboleth.MetadataTrustEngine"
- requireSignedMetadata="true" />
+ <MetadataProvider id="URLMD" xsi:type="FileBackedHTTPMetadataProvider" xmlns="urn:mace:shibboleth:2.0:metadata"
+ metadataURL="http://example.org/metadata.xml"
+ backingFile="/tmp/idp-metadata.xml">
+ <MetadataFilter xsi:type="ChainingFilter" xmlns="urn:mace:shibboleth:2.0:metadata">
+ <MetadataFilter xsi:type="SignatureValidation" xmlns="urn:mace:shibboleth:2.0:metadata"
+ trustEngineRef="shibboleth.MetadataTrustEngine"
+ requireSignedMetadata="true" />
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns="urn:mace:shibboleth:2.0:metadata">
- <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
- </MetadataFilter>
- </MetadataFilter>
-
- <MetadataResource xsi:type="FileBackedHttpResource"
- url="http://example.org/my/metadata/file.xml"
- file="$IDP_HOME$/metadata/some-file.xml" />
+ <RetainedRole>samlmd:SPSSODescriptor</RetainedRole>
+ </MetadataFilter>
+ </MetadataFilter>
</MetadataProvider>
- -->
+ -->
</MetadataProvider>
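Review bot: The new example on L37 places the backing copy at `/tmp/idp-metadata.xml`, a world-writable directory shared with every local account, whereas the old example kept it under `$IDP_HOME$/metadata/`; the IdP writes that file as its own user, so a file or symlink planted there by another local user could redirect or clobber that write, and the signature filter in the chain does not help with that because it only checks what is read back. Prefer `backingFile="$IDP_HOME$/metadata/idp-metadata.xml"` (or another directory writable only by the IdP user) and say so in the "To use:" comment on L27. The fetch over plain `http://` on L36 is acceptable only because `requireSignedMetadata="true"` on L41 is present; the comment on L24 should state that the SignatureValidation filter is what makes an unauthenticated transport safe, so a site that drops the filter knows it must switch to https. The same comment still reads "filters out all by SP entities"; `filters out all but SP entities` is presumably what is meant.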
import javax.xml.namespace.QName;
+import org.opensaml.xml.util.DatatypeHelper;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
+import org.springframework.beans.factory.xml.ParserContext;
import org.w3c.dom.Element;
import edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser;
}
/** {@inheritDoc} */
- protected void doParse(Element config, BeanDefinitionBuilder builder) {
+ protected void doParse(Element config, ParserContext parserContext, BeanDefinitionBuilder builder) {
super.doParse(config, builder);
builder.addConstructorArgValue(config.getAttributeNS(null, "metadataFile"));
- builder.addConstructorArgReference(config.getAttributeNS(null, "parserPoolRef"));
+
+ String parserPoolRef = DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null, "parserPoolRef"));
+ if (parserPoolRef == null) {
+ parserPoolRef = "shibboleth.ParserPool";
+ }
+ builder.addConstructorArgReference(parserPoolRef);
}
/** {@inheritDoc} */
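Review bot: The `metadataFile` attribute on L68 is still passed through untrimmed and unchecked, while `parserPoolRef` on L71 now goes through `DatatypeHelper.safeTrimOrNullString`, so an absent or blank attribute reaches the handler constructor as `""` and only fails later, when the file is opened; normalizing it the same way and failing at parse time would be consistent: `String metadataFile = DatatypeHelper.safeTrimOrNullString(config.getAttributeNS(null, "metadataFile"));` then `if (metadataFile == null) { throw new IllegalArgumentException("metadataFile attribute is required"); }` and `builder.addConstructorArgValue(metadataFile);`. The fallback bean name on L73 is an inline literal; a `private static final String DEFAULT_PARSER_POOL_REF = "shibboleth.ParserPool";` with a one-line comment saying it is the IdP's shared pool would document the choice. `super.doParse(config, builder)` on L67 still uses the two-argument form even though this override now receives `parserContext`; if the superclass also gained the three-argument overload, it should be passed through, otherwise a short comment noting why the context is dropped would help the next reader.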
package edu.internet2.middleware.shibboleth.idp.profile;
+import java.io.File;
import java.io.OutputStreamWriter;
import org.opensaml.Configuration;
-import org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider;
-import org.opensaml.util.resource.FilesystemResource;
+import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.ws.transport.InTransport;
import org.opensaml.ws.transport.OutTransport;
import org.opensaml.ws.transport.http.HttpServletRequestAdapter;
private final Logger log = LoggerFactory.getLogger(SAMLMetadataProfileHandler.class);
/** Metadata provider. */
- private ResourceBackedMetadataProvider metadataProvider;
+ private FilesystemMetadataProvider metadataProvider;
/**
* Constructor.
*/
public SAMLMetadataProfileHandler(String metadataFile, ParserPool pool) {
try {
- metadataProvider = new ResourceBackedMetadataProvider(new FilesystemResource(metadataFile));
+ metadataProvider = new FilesystemMetadataProvider(new File(metadataFile));
metadataProvider.setParserPool(pool);
metadataProvider.setMaintainExpiredMetadata(true);
metadataProvider.initialize();