Internet2 by hedongchenchen

Displaying 26 issues at 25/Mar/13 12:48 AM.
Project: Shibboleth IdP 2 - Java (all 26 issues)

Key       Issue Type   Status  Priority  Resolution  Assignee      Summary
SIDP-324  Improvement  Closed  Minor     Fixed       Chad La Joie  Add additional information to Status handler
SIDP-322  Bug          Closed  Minor     Fixed       Chad La Joie  Exception thrown when SP requests a particular authentication method that is not configured
SIDP-321  Bug          Closed  Major     Fixed       Chad La Joie  IdP metadata generator appears to be adding extraneous name spaces to the metadata
SIDP-318  Bug          Closed  Minor     Fixed       Chad La Joie  IdP erroneously logs many normal events as errors.
SIDP-310  Improvement  Closed  Minor     Fixed       Brent Putman  Change default relying-party.xml settings for SAML 2 profiles' encryptNameIds parameter from "conditional" to "never"
SIDP-306  Improvement  Closed  Minor     Fixed       Brent Putman  Remove ClientCertAuth rule from SAML 2 SSO SecurityPolicy in relying-party.xml
SIDP-296  Improvement  Closed  Minor     Fixed       Chad La Joie  Make LoginContext / IdP Session available through the public API
SIDP-295  Improvement  Closed  Minor     Fixed       Chad La Joie  If no cookies are supported/enabled in user agent (browser), display better error message
SIDP-294  Improvement  Closed  Minor     Fixed       Chad La Joie  Loglevel of AbstractSAML1ProfileHandler
SIDP-292  Bug          Closed  Trivial   Fixed       Chad La Joie  login.jsp: wrong use of the attribute rawspan within the tag <td>
SIDP-291  Improvement  Closed  Minor     Fixed       Chad La Joie  Update libs for 2.1.3 release
SIDP-285  Improvement  Closed  Minor     Fixed       Chad La Joie  Use $IDP_SCOPE$ to populate IdP scope in conf-tmpl\attribute-resolver.xml
SIDP-282  Improvement  Closed  Minor     Fixed       Chad La Joie  Make AuthenticationEngine part of the public API
SIDP-281  New Feature  Closed  Minor     Fixed       Chad La Joie  Customize login.jsp appearance based on relying party
SIDP-279  Bug          Closed  Major     Fixed       Chad La Joie  IdP should log NameID for auditing
SIDP-277  Bug          Closed  Minor     Fixed       Chad La Joie  Incorrect null check for request context in UsernamePasswordServlet
SIDP-276  Bug          Closed  Trivial   Fixed       Chad La Joie  Example RDB Connector, quote principal
SIDP-274  Bug          Closed  Trivial   Fixed       Chad La Joie  Log Exception in UP LoginHandler Servlet
SIDP-271  Bug          Closed  Minor     Fixed       Chad La Joie  AuthenticationEngine doesn't correctly handle passive return from login servlet
SIDP-266  Bug          Closed  Minor     Fixed       Chad La Joie  General errors trigger error-404.jsp instead of error.jsp
SIDP-265  Improvement  Closed  Minor     Fixed       Chad La Joie  Distinguish requested AuthMethod and default AuthMethod
SIDP-263  Improvement  Closed  Trivial   Fixed       Chad La Joie  Suggest adding defaultSigningCredentialRef to the AnonymousRelyingParty element in the default config
SIDP-258  Bug          Closed  Minor     Fixed       Chad La Joie  Authentication Engine does not check to ensure returned authentication mechanism from Login Handler is acceptable to the SP
SIDP-244  Improvement  Closed  Minor     Fixed       Chad La Joie  Error message on invalid ACS could be improved
SIDP-195  Bug          Closed  Major     Fixed       Chad La Joie  Exception with SAML1 Artifact Resolution serving simultaneous requests
SIDP-187  Bug          Closed  Minor     Fixed       Chad La Joie  SAML 2 AuthnContext classes used as 1.1 auth methods and 2.0 decl refs
Generated at Mon Mar 25 00:48:42 EDT 2013 using JIRA 5.1.2#773-sha1:b805b97c2eed2baa5997fa1c50acb25abc775300.

Key       Reporter           Created           Updated           Resolved          Affects Version/s           Fix Version/s  Component/s
SIDP-324  Chad La Joie       6/30/2009 12:29   7/2/2009 14:33    7/2/2009 14:33    2.0.0, 2.1.0, 2.1.1, 2.1.2  2.1.3          -
SIDP-322  Chad La Joie       6/25/2009 6:18    6/30/2009 7:09    6/30/2009 7:09    2.0.0, 2.1.0, 2.1.1, 2.1.2  2.1.3          Authentication
SIDP-321  Rod Widdowson      6/24/2009 6:21    8/19/2009 8:36    8/19/2009 8:36    2.1.2                       2.1.3          -
SIDP-318  Jim Fox            6/19/2009 12:27   6/30/2009 5:17    6/30/2009 5:17    -                           2.1.3          -
SIDP-310  Brent Putman       5/14/2009 16:39   5/14/2009 16:41   5/14/2009 16:41   2.1.2                       2.1.3          SAML 2
SIDP-306  Brent Putman       4/30/2009 18:33   4/30/2009 18:50   4/30/2009 18:50   2.1.2                       2.1.3          Authentication, SAML 2
SIDP-296  Halm Reusser       3/11/2009 8:13    7/3/2009 5:29     7/3/2009 5:29     2.1.2                       2.1.3          Authentication
SIDP-295  Halm Reusser       3/11/2009 8:07    7/16/2009 6:40    7/16/2009 6:40    2.1.2                       2.1.3          Authentication
SIDP-294  Halm Reusser       3/10/2009 11:33   7/1/2009 4:39     7/1/2009 4:39     2.1.2                       2.1.3          SAML 1
SIDP-292  Franck Borel       3/6/2009 5:18     7/1/2009 2:54     7/1/2009 2:54     2.1.2                       2.1.3          Authentication
SIDP-291  Chad La Joie       3/3/2009 1:45     3/3/2009 3:27     3/3/2009 3:27     -                           2.1.3          -
SIDP-285  Rod Widdowson      2/18/2009 6:50    3/3/2009 1:20     3/3/2009 1:20     2.1.2                       2.1.3          Build
SIDP-282  Chad La Joie       2/6/2009 2:42     2/11/2010 9:55    2/11/2010 9:55    -                           2.1.3          Authentication
SIDP-281  Nate Klingenstein  1/30/2009 0:28    7/2/2009 14:39    7/2/2009 14:39    2.0.0, 2.1.0, 2.1.1, 2.1.2  2.1.3          Authentication
SIDP-279  Kristof Bajnok     1/23/2009 11:09   9/20/2010 10:12   3/3/2009 3:36     2.1.2                       2.1.3          -
SIDP-277  Jon Stockdill      1/15/2009 10:25   3/3/2009 1:11     3/3/2009 1:11     2.1.2                       2.1.3          Authentication
SIDP-276  Halm Reusser       1/14/2009 3:19    3/2/2009 13:22    3/2/2009 13:22    2.1.2                       2.1.3          Attribute Resolution
SIDP-274  Halm Reusser       1/13/2009 8:01    1/13/2009 8:57    1/13/2009 8:57    2.1.2                       2.1.3          Authentication
SIDP-271  Jim Fox            12/29/2008 15:40  7/1/2009 5:25     7/1/2009 5:25     2.1.2                       2.1.3          Authentication
SIDP-266  Halm Reusser       12/16/2008 7:31   7/16/2009 6:41    7/16/2009 6:41    2.1.2                       2.1.3          -
SIDP-265  Halm Reusser       12/4/2008 3:06    7/1/2009 4:58     7/1/2009 4:58     2.1.1                       2.1.3          Authentication, SAML 2
SIDP-263  Scott Cantor       12/3/2008 14:17   3/3/2009 1:16     3/3/2009 1:16     2.0.0, 2.1.0, 2.1.1         2.1.3          -
SIDP-258  Chad La Joie       11/30/2008 13:39  7/3/2009 1:37     7/3/2009 1:37     2.0.0, 2.1.0                2.1.3          Authentication
SIDP-244  Scott Cantor       11/3/2008 16:27   7/1/2009 7:51     7/1/2009 7:51     2.1.0                       2.1.3          SAML 1, SAML 2
SIDP-195  André Cruz         5/29/2008 11:47   3/2/2009 13:29    3/2/2009 13:29    2.0.0                       2.1.3          SAML 1
SIDP-187  Scott Cantor       5/12/2008 19:41   10/18/2009 20:27  3/3/2009 3:47     2.0.0                       2.1.3          SAML 1, SAML 2

Votes Watchers Images Work Ratio Sub-Tasks   Linked Issues                   Description                     Security Level   Labels Flagged

SIDP-324  (Votes 0, Watchers 0)
    Add the following information to the status handler:
    OS info: jdk version, total CPUs, total memory used, max memory available, current time in UTC
    IdP version, start time, # of current sessions
    *entity info: entity ID, public key, configured profiles
    *session info: session ID, principals, active authentication method, services to which authenticated

    There would be two options:
    - Basic/Full view (full view includes the '*' items)
    - Relying party view which gives the entity info for the given relying party

    The Status handler would also become IP protected in a similar fashion to the SP's Session view page.

SIDP-322  (Votes 0, Watchers 0)
    If an SP requests a specific mechanism and the IdP is not configured for that mechanism an exception is thrown. This is caused by AuthenticationEngine line 319 not checking to see if there are methods remaining after filtering. Attached is a trace.

    ----

    8:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:352] - Configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@ef7d74, urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@1157f77}
    18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:353] - Requested authentication methods: org.opensaml.xml.util.LazyList@1bca486
    18:08:33.557 - DEBUG [edu.internet2.middleware.shibboleth.idp.

SIDP-321  (Votes 0, Watchers 0)
    *NOTE* I want to do some more analysis of this case and so I will assign it to myself. However I am OOF for the next 3 days and I need to capture it now.

    I have an IdP which comes from a QuickInstall. The installation process is pretty standard (the MSI grabs some properties and then falls into the ant script). However I am not 100% sure that the Quick installer isn't the core of the problems.

    The QI starts with a slightly different template for the self metadata but the first few lines look like this:

    <EntityDescriptor entityID="$IDP_ENTITY_ID$" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <IDPSSODescriptor

SIDP-318  (Votes 0, Watchers 0)
    The IdP inappropriately logs many events -- expired requests, unknown nameidentifiers, etc. -- as ERRORs. An ERROR ought to mean the IdP itself has failed in some way, not just that some user has failed to get what she wants. I'd like to monitor the process log for errors, and maybe alert someone, but I can't do that if I get an ERROR log every time someone hits the back button on an old page.

    In addition several of these put stack traces in the process log.

SIDP-310  (Votes 0, Watchers 0)
    This is redundant with the default config of conditionally encrypting the Assertion, which contains the NameID. The extra crypto operation is unnecessary overhead.

SIDP-306  (Votes 0, Watchers 0)
    For the standard cases, this security policy applies to a profile handler which is always a front-channel binding, therefore no SP client TLS cert will ever be present. This rule causes request failure when a user browser client cert is presented, for example when authN to the IdP with client cert is desired.

SIDP-296  (Votes 0, Watchers 0)
    You told me that my access method to the LoginContext in uApprove is not reliable on clustered setups...

SIDP-295  (Votes 0, Watchers 0)
    If the user agent (browser) does not send cookies, the following appears in the log file:

    ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:211] - No login context available, unable to return to authentication engine

    Improvement: Add information that no cookies are sent

    On the error.jsp the following is printed (/idp/Authn/UserPassword):

    Error Message: Invalid IdP URL (HTTP 404)

    Improvement: Your Browser has not enabled cookies, or similar

SIDP-294  (Votes 0, Watchers 0)
    When an SP queries the IdP for new attributes, using a handle which is unknown to the IdP, the following ERROR incl. stacktrace is logged:

    ERROR [edu.internet2.middleware.shibboleth.idp.profile.saml1.AbstractSAML1ProfileHandler:558] - Error resolving attributes for SAML request from relying party https://www.switch.ch/shibboleth
    edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No information associated with transient identifier: _70da14e771da5d275a1a8af6f2164c4f

    This happens a lot. In my opinion 'unusual' operations which are not disturbing the service (end user is not affected), messages of this kind should not be logged as ERROR. WARN would be appropriate. (Also for back-button issues...)

    Otherwise, monitoring idp-process.log makes no sense because of the many false positives.

SIDP-292  (Votes 0, Watchers 0)
    Wrong use of the attribute rawspan within the tag <td> at the last line of the block table:

    <td rawspan="2"><input type="submit" value="login" tabindex="3"/></td>

    should be changed to

    <td colspan="2"><input type="submit" value="login" tabindex="3"/></td>

SIDP-291  (Votes 0, Watchers 0)
    shib-common from 1.1.2 to 1.1.3

SIDP-285  (Votes 0, Watchers 0)
    I am playing with the installation for the Windoze thing. I just spotted that the metadata has $IDP_SCOPE$ which is updated, but the attribute resolver just has "example.org" hardwired.

    Is there any reason why we don't change the attribute resolver so that the selected scope goes in?

    I'm in the area and I can make the change if you want, but I know that there are major changes proposed for 2.2....

    R

SIDP-282  (Votes 0, Watchers 1)
    Currently the AuthenticationEngine is not part of the public API (https://spaces.internet2.edu/display/SHIB2/IdPAPI) but LoginHandlers are and they are required to call the currently static methods of the Engine. So, at least part of the Engine API needs to be public.

SIDP-281  (Votes 1, Watchers 2)
    Many sites would like to rebrand the login.jsp page according to the SP that has issued the AuthnRequest. In order to support that, it would be nice to provide an entityID variable to the JSP page that is persistent through a failed login attempt.

    Documentation would have to point out to deployers the increased probability of phishing that may result, and the entityID might need to be sanitized for XSS attacks.

SIDP-279  (Votes 0, Watchers 2)
    Without NameID logged, it's hard (or even impossible) to track back which user a certain SP session belonged to. Actually I haven't checked this with SAML1 NameIdentifiers.

    Feel free to reject it if there's some other way to do this. Shib-users: http://marc.info/?t=123271285500002&r=1&w=2

SIDP-277  (Votes 1, Watchers 1)
    In the following code, should (request == null) be (requestContext == null) ?

    requestContext + request.getServletPath() seems to be being set to: null/Authn/UserPassword

    I also think the requestContext = "/" should be replaced w/ "". See the patch below.

    I haven't used the trunk code, which has changed significantly, but it looks like it needs the same fix.

    --jon

    protected void redirectToLoginPage(HttpServletRequest request, HttpServletResponse response, List<Pair<String, String>> queryParams) {

        String requestContext = DatatypeHelper.safeTrimOrNullString(re

SIDP-276  (Votes 0, Watchers 0)
    <!-- Example Relational Database Connector -->
    <resolver:DataConnector id="mySIS" xsi:type="RelationalDatabase" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    ....
    <QueryTemplate>
    <![CDATA[
    SELECT * FROM student WHERE gzbtpid = $requestContext.principalName
    ]]>
    </QueryTemplate>

    --> SELECT * FROM student WHERE gzbtpid = '$requestContext.principalName'

SIDP-274  (Votes 0, Watchers 0)
    edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet
    protected boolean authenticateUser(HttpServletRequest request)
    ...
    } catch (Throwable e) {
        log.debug("User authentication for {} failed", new Object[] {username}, e);
    ...

    --> log.debug("User authentication for " + username + " failed", e);

SIDP-271  (Votes 0, Watchers 2)
    The completeAuthentication method of AuthenticationEngine does not correctly handle a case where a login servlet has processed a passive login request and declined to handle it - due to no established session. The combination of passive login request and no remote user should throw a PassiveAuthenticationException, not an AuthenticationException.

SIDP-266  (Votes 0, Watchers 0)
    If some general error occurs, the wrong error page (404) is displayed.
    Examples:
    - Back Button
    - No Login context/session found

SIDP-265  (Votes 0, Watchers 2)

SIDP-263  (Votes 0, Watchers 0)
    It's easy to forget to add the defaultSigningCredentialRef to the Anonymous element if you try to enable SSO by adding a profile handler, since the entityID is already set, so I'd suggest we just add it in the default config.

SIDP-258  (Votes 0, Watchers 2)
    The Authentication Engine chooses a Login Handler based on information from the SP, if it's provided. If the AuthN Engine can't meet the requirement an error is returned. However, Login Handlers can override their default authentication method and return a different one. The engine does not currently check, after the actual authentication method is determined, if that method is acceptable to the SP.

    For example, a LoginHandler does username/password and OTP authentication and it's registered under username/password. The SP requests username/password (and only username/password). The engine selects the appropriate handler but the user does something to trigger and use OTP. The LoginHandler returns the OTP authentication method.

    The correct behavior should be that the engine returns the same error message that would be returned if no LoginHandler was found to meet the SP's criteria.

SIDP-244  (Votes 0, Watchers 0)
    The old IdP reports an "invalid ACS" error when the request asks for an endpoint that isn't allowed for an SP (not in metadata). The new IdP bundles this into the larger set of "no peer endpoint" errors, which is somewhat more confusing.

SIDP-195  (Votes 0, Watchers 0)
    During the tests I'm encountering more exceptions. These ones occur when there are multiple simultaneous requests for SAML1 Artifact Resolution (I manage to trigger this with 10 users).

    16:58:20.870 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.IdPProfileHandlerManager:93] - shibboleth.HandlerManager: Located profile handler of the following type for the request path: edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution
    16:58:20.870 DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml1.ArtifactResolution:139] - Decoding message with decoder binding urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding
    16:58:20.871 ERROR [org.opensaml.ws.message.decoder.BaseMessageDecoder:165] - Encountered error parsing message into its DOM representation
    org.opensaml.xml.parse.XMLParserException: Invalid XML
    at org.opensaml.xml.parse.BasicParserPool

SIDP-187  (Votes 0, Watchers 0)
    Technically we shouldn't use the SAML 2 class strings as 1.1 auth methods. We definitely shouldn't use them as decl refs.

    Better choice for now might be to just hardcode them as class refs and not support decls.

    Longer term a more complex config may be needed.

Epic/Theme   Servlet Container   Java Version
             Apache Tomcat 5.5   Sun 1.5
             Apache Tomcat 6.0   Sun 1.6
             Apache Tomcat 6.0   Sun 1.6
             Apache Tomcat 5.5   Sun 1.5
             Apache Tomcat 6.0   Sun 1.6
             Apache Tomcat 5.5   Sun 1.5
             Apache Tomcat 5.5   Sun 1.6
             Apache Tomcat 5.5   Sun 1.6
             Apache Tomcat 6.0   Sun 1.6
             Apache Tomcat 5.5   Sun 1.6
             Apache Tomcat 5.5   Sun 1.5
             Apache Tomcat 5.5   Sun 1.5
             Apache Tomcat 5.5   Sun 1.5

								