Shibboleth Developer's Meeting, 2019-03-15
09:00 Central US / 10:00 Eastern US / 14:00 UK / 16:00 FI
Calls are normally the 1st and 3rd Fridays of each month. Next call would be Friday 2019-04-05. Any reason to deviate from this?
60 to 90 minute call window.
This week's call will use the ZoomGU for access info.system at GU, see
- Duration (or Instant/DateTime) parsing - JAXP vs. java.time
OSJ-265Getting issue details...
- Unless we (really) bind our rules, tentative plan would be to do a new minor release of java-support 7.5.0, and a patch release of java-opensaml (and possibly java-identity-provider). Concerns?
OSJ-269Getting issue details...
- Fighting with standing up MySQL for testing
IDP-1357Getting issue details...
- Testing system properties
- Guiding some development for ldaptive 2.0
- Finishing OIDC flow-tests, polishing, ...
- Aiming at releasing the first official OIDC plugin version before end of March
- Maven version now enforced:
JPAR-118Getting issue details...
- Replaces older
prerequisiteselement, so enforcing version 3.3.1
- 3.3.1 was 2015-03-18, so five years ago.
- I'd like to enforce something newer in the interests of consistent builds.
- Maven versions: https://maven.apache.org/docs/history.html
- Replaces older
- Work on IDP-1191.
- Since servlet spec 3.0 (session tracking config is a bit more standardised since 3.0), setting session tracking mode to COOKIE (and only that) in web.xml, should not expose jsessionid unless bug. This is already being set by the IdP.
- Not sure the impact of stolen JSESSIONID, ship_idp_session is more a form of ambient authority. Although is used by webflow for conversation state and shib session manager internals (needs more looking into)
- Will look at anti-csrf token - and or the impact of session surfing, as not sure how useful that is.
- Will write something small up unless somebody tells me I am wasting time.
- Out for much of last week.
- Working through deprecations in custom schemas
- LDAP test behavior works under Maven now, still get failures during "whole package" testing under Eclipse
JSPT-79Getting issue details...
- Most uses of @Duration now gone, some long APIs left to clean up
- Possible future work item: a standardized Spring context for tests to match runtime environment
- Next up is ProfileConfig API consistency/cleanup
- Wrangling Jenkins, Java. Still having trouble with Java 11 and Windows