  • MDA-166: The ItemSerializer and ItemCollectionSerializer interfaces now allow serializers to throw IOException when appropriate. The provided DOMItemSerializer will throw an IOException wrapping a TransformerException if the latter is thrown during XML serialization. Previously, this condition would only have resulted in logging at ERROR level.
  • MDA-167: The ItemIdTransformStage now transforms identifiers using a collection of Function objects rather than of the similar Converter provided by the Spring framework. This also affects the type of the MDQueryMD5ItemIdTransformer and MDQuerySHA1ItemIdTransformer classes. This change will not affect existing configurations if only those classes are in use. This matches the use of Function elsewhere in the API, and allows the use of Guava's Functions helper class.
  • MDA-169: The SAMLMetadataSupport.getDescriptorExtensions method has been renamed to getDescriptorExtension to reflect the fact that it returns a single result.
  • MDA-171: The SAMLMetadataSupport.getDescriptorExtension method's parameters must now be non-null; their annotations have been changed to @Nonnull to correspond with this. In previous releases, they were annotated as @Nullable and passing null would result in the method returning null.
  • MDA-175: The ItemOrderingStrategy interface defined by the EntitiesDescriptorAssemblerStage now allows the ordering strategy to throw a StageProcessingException if, for example, the items presented are invalid in some way and cannot be ordered. Such an exception will be propagated upwards to the caller of the stage's execute method.
  • MDA-179: The Version class's getMicroVersion method has been renamed to getPatchVersion to align with current (semantic versioning) terminology.
  • MDA-182: Several classes exposed as part of the API for building custom stages have been reworked to simplify implementation of other stages and to correspond to current naming conventions:
    • BaseStage has been renamed to AbstractStage
    • BaseIteratingStage has been renamed to AbstractFilteringStage
    • A new AbstractIteratingStage allows the simpler construction of stages which process each Item independently
  • MDA-188: The AbstractDOMTraversalStage framework has been generalised to allow the use of custom context objects specific to the particular traversal, rather than relying on sometimes tortured uses of the ClassToInstanceMultiMap to carry everything. This is a breaking change, but will only affect writers of stages derived from AbstractDOMTraversalStage:
    • Context objects must implement the DOMTraversalContext interface. This no longer includes the getStash method (returning a ClassToInstanceMultiMap) but does add a new end() method to be called at the end of the traversal.
    • A basic implementation, SimpleDOMTraversalContext, is provided without any data fields. This can be used in many cases where custom storage is not required in the context; for an example, see AbstractElementVisitingStage.
    • More complex cases can extend SimpleDOMTraversalContext to include additional fields and methods. For a very straightforward example, see CRDetectionStage. A more complex example, including use of the end() method from DOMTraversalContext, can be found in ElementsStrippingStage.
  • MDA-192: The ancestorEntity method has been removed from AbstractDOMTraversalStage; a protected errorPrefix method has replaced it in order to allow sub-classes to replicate this or similar behaviour. A new AbstractSAMLTraversalStage class has been added to incorporate the specific old behaviour.
  • MDA-198: In previous releases, the three X.509 validation components (X509RSAExponentValidator, X509RSAKeyLengthValidator and X509RSAOpenSSLBlacklistValidator) all set a default ID related to their names (e.g., RSAKeyLength). This default ID setting behaviour has been removed. This may have two effects on configurations which do not explicitly set the component ID:
    • If a configuration did not set the component ID, initializing the component will now fail with a ComponentInitializationException.
    • Configurations that implicitly set the component ID to a defaulted Spring component ID using IdentifiableBeanPostProcessor may give different results, as the Spring component ID may now appear in status objects replacing the previous default.
  • MDA-206: The PipelineDemultiplexerStage's waitingForPipelines property previously defaulted to false, which could result in unexpected behaviour if the stage was invoked a second time without arranging to synchronise execution with the called pipelines. As a result, most deployments set waitingForPipelines to true so that the called pipelines will all complete before control is passed on from the PipelineDemultiplexerStage; this behaviour is now the default.
  • JSE-28: This release bundles a new version of the Shibboleth spring-extensions project, which removes support for SVN-based resources.
  • MDA-191: The stages PullUpCacheDurationStage, PullUpValidUntilStage, SetCacheDurationStage, SetValidUntilStage and ValidateValidUntilStage now use the Instant and Duration classes (introduced in Java 8) in their APIs rather than using long values representing milliseconds as in previous releases.
    • This aligns the metadata aggregator with other Shibboleth projects based on the Java 11 platform. If you use the Java language to configure these stages, you will need to re-code appropriately; in most cases, this can be done quickly using Instant.ofEpochMilli() and Duration.ofMillis(), but we recommend adopting the modern java.time classes throughout.
    • The DurationToLongConverter is no longer included as part of the java-support dependency. If you were using it as part of an XML configuration to specify durations in ISO 8601 format (e.g., "PT15M") then you should replace references to DurationToLongConverter with references to the new StringToDurationConverter.
  • MDA-222: The contract for bean properties representing collections has changed:
    • Property setters for collection properties are now annotated as @Nonnull @NonnullElements @Unmodifiable.
      • Previously, some setters allowed a null value to act in place of an empty collection. This usage will now, in most cases, result in a NullPointerException.
      • Previously, some setters filtered null values out of provided collections. Again, this usage will now, in most cases, result in a NullPointerException.
      • Setters now guarantee not to modify the passed collection. This was previously true in practice in most cases, but is now guaranteed.
    • Most property getters for collection properties are also now annotated as @Nonnull @NonnullElements @Unmodifiable.
      • In exceptional cases, getters may be annotated as @NonnullAfterInit instead of @Nonnull. This is only done when an "empty collection" default is inappropriate for the property and would normally be accompanied by @NotEmpty on both the setter and the getter.


  • MDA-183: The compromised-1024.txt and compromised-2048.txt resources have been extended with keys shipped with some releases of the Jetty container.