Release date: TBA
For a complete list of issues addressed in this release, see https://issues.shibboleth.net/jira/issues/?filter=12070
This is a major pre-1.0 feature release.
aggregator-pipeline artifact, these resources have now been moved into a separate
aggregator-blacklists artifact. The resource names have not changed. This means that if your application does not use these resources, it may decrease in size by around 13MB. Applications making use of the blacklist resources may need to add a dependency on
MDA-181: A Maven BOM (Bill Of Materials) artifact has been made available. This makes it easier for projects using the Shibboleth MDA as a dependency to acquire a consistent set of managed dependencies without using the Shibboleth parent POM. You can include the MDA BOM in your Maven project like this:
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>net.shibboleth.metadata</groupId>
      <artifactId>aggregator-bom</artifactId>
      <version>0.10.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
aggregator-module JAR files, as well as a number of underlying library JARs have been given automatic module names as described in Java Modularity, for future use on the Java module path under Java 9 and later releases. Note that this version of the Shibboleth Metadata Aggregator has not been tested on, and is therefore not guaranteed to work on, the Java module path.
EntitiesStrippingStage has been added to allow stripping a number of different elements (all from the same namespace) from a DOM document. The stage may be operated in a blacklisting or whitelisting mode, with blacklisting the default. Like
elementNamespace property determines the namespace in question, and all elements in other namespaces are ignored.
EntityAttributeAddingStage has been added to add entity attributes to the metadata for SAML entities. This is configured using
attributeNameFormat defaulting to the values required to add an entity category attribute. The stage is based on a new
Container framework which attempts to generate reasonably well formatted XML for nested container elements, and handles the insertion of the required parent containers (
Attribute) when they are not already present.
EntityAttributesFilteringStage has been extended with a new
recordingRemovals property, defaulting to false. If
recordingRemovals is set to
true, each removed entity attribute is recorded as a
WarningStatus in the item's item metadata, indicating the name and value of the entity attribute removed. This can then be processed by subsequent stages, such as a
AssuranceCertificationMatcher has been added to allow simpler matching of entity attributes containing assurance certifications, such as that used by the SIRTFI framework.
<import resource="classpath:net/shibboleth/metadata/beans.xml"/>. One abstract bean is defined for each available bean class, named after the class's simple name prefixed by "
mda.". After including this resource, for example,
class="net.shibboleth.metadata.dom.XMLSignatureValidationStage" can be replaced by
parent="mda.XMLSignatureValidationStage"; this definition will also include the
destroy-method properties for the bean when appropriate.
--version option to request the printing of the framework version number.
RegexFileFilter has been added to support one of the common use cases of the
DOMFilesystemSourceStage, where only certain files should be processed from a directory, based on their names.
Validator framework more straightforward, the new
ValidatorSequence class abstracts the concept of a sequence of
Validators which can be maintained and applied as a group. Existing classes requiring this behaviour have been refactored to take advantage of
X509ROCAValidator component allows RSA public keys in X.509 certificates to be checked for vulnerability to ROCA (the Return of Coppersmith's Attack, also known as CVE-2017-15361).
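As an added illustration of what such a check does (this is not the MDA's own X509ROCAValidator code, which is Java), the following Python implements the fingerprint test published with the ROCA disclosure: an RSA modulus N produced by the affected Infineon library has N mod p inside the multiplicative subgroup generated by 65537 for every prime p up to 167, so a modulus that fails this for any of those 39 primes is not affected, while one that passes for all of them is flagged. The two moduli used below are constructed for the example: 65537 cubed matches the fingerprint by construction, and 3233 (the textbook toy modulus 53 x 61) first fails it at p = 17. In a real deployment the modulus would be read from the certificate's RSA public key.

```python
"""ROCA (CVE-2017-15361) fingerprint check for RSA moduli.

Added example, not the Shibboleth MDA's X509ROCAValidator. A small
false-positive rate is inherent in the published fingerprint; a positive
result means "generated by the affected library with high probability".
"""

GENERATOR = 65537      # the generator used by the affected key generator
FINGERPRINT_LIMIT = 167  # the published test covers the first 39 primes


def primes_up_to(limit):
    """Plain sieve of Eratosthenes; returns all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


FINGERPRINT_PRIMES = primes_up_to(FINGERPRINT_LIMIT)


def generator_subgroup(p):
    """All residues 65537^k mod p, i.e. the subgroup generated by 65537."""
    residues = set()
    x = 1
    while True:
        x = (x * GENERATOR) % p
        if x in residues:
            return residues
        residues.add(x)


# Precomputed once: prime -> set of residues a fingerprinted modulus may take.
SUBGROUPS = {p: generator_subgroup(p) for p in FINGERPRINT_PRIMES}


def first_failing_prime(modulus):
    """Smallest test prime at which the modulus escapes the subgroup, or None."""
    for p in FINGERPRINT_PRIMES:
        if modulus % p not in SUBGROUPS[p]:
            return p
    return None


def is_roca_fingerprinted(modulus):
    """True when N mod p lies in <65537> for every test prime (ROCA-suspect)."""
    return first_failing_prime(modulus) is None


if __name__ == "__main__":
    # Constructed inputs for the example, not real keys.
    suspect = GENERATOR ** 3   # trivially inside every subgroup
    benign = 3233              # 53 * 61, escapes the subgroup at p = 17
    for name, n in (("suspect", suspect), ("benign", benign)):
        print(name, "fingerprinted:", is_roca_fingerprinted(n),
              "first failing prime:", first_failing_prime(n))
```

The precomputed subgroup table makes each check 39 modular reductions and set lookups, so it is cheap enough to run over every RSA certificate in an aggregate on each pipeline run; the sensible response to a positive result is a validator error status on the item, not silent removal.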
BaseValidator abstract class has been extended to add an
addErrorMessage method and a
message property, which acts as a format string for
ErrorStatus item metadata generated through
RejectAllValidator components have been added. Both always return
Action.DONE so that they can be used to terminate a sequence of validators.
AcceptAllValidator has no other functionality;
message property to format an appropriate
Item on which validation is being performed.
RejectStringRegexValidator) have been added to match
String values. All four return
Action.DONE if the match occurs and will therefore terminate a sequence of validators;
Action.CONTINUE is returned otherwise. The
Reject forms also add a formatted
java-support package, which implements a new
FixedStringIdentifierGenerationStrategy for use when it is not necessary to use different
ID attribute values for different documents.
X509DSADetector component allows DSA keys in metadata to be rejected, or merely warned about.
ItemCollectionSerializer interfaces now allow serializers to throw
IOException when appropriate. The provided
DOMItemSerializer will throw an
TransformerException if the latter is thrown during XML serialization. Previously, this condition would only have resulted in logging at ERROR level.
ItemIdTransformStage now transforms identifiers using a collection of
Function objects rather than of the similar
Converter provided by the Spring framework. This also affects the type of the
MDQuerySHA1ItemIdTransformer classes. This change will not affect existing configurations if only those classes are in use. This matches the use of
Function elsewhere in the API, and allows the use of Guava's
SAMLMetadataSupport.getDescriptorExtensions method has been renamed to
getDescriptorExtension to reflect the fact that it returns a single result.
SAMLMetadataSupport.getDescriptorExtension method's parameters must now be non-null; their annotations have been changed to
@Nonnull to correspond with this. In previous releases, they were annotated as
null would result in the method returning
ItemOrderingStrategy interface defined by the
EntitiesDescriptorAssemblerStage now allows the ordering strategy to throw a
StageProcessingException if, for example, the items presented are invalid in some way and cannot be ordered. Such an exception will be propagated upwards to the caller of the stage's
getMicroVersion method has been renamed to
getPatchVersion to align with current (semantic versioning) terminology.
BaseStage has been renamed to
BaseIteratingStage has been renamed to
AbstractIteratingStage allows the simpler construction of stages which process each Item independently.
AbstractDOMTraversalStage framework has been generalised to allow the use of custom context objects specific to the particular traversal, rather than relying on sometimes tortured uses of the
ClassToInstanceMultiMap to carry everything. This is a breaking change, but will only affect writers of stages derived from
DOMTraversalContext interface. This no longer includes the
getStash method (returning a
ClassToInstanceMultiMap) but does add a new
end() method to be called at the end of the traversal.
SimpleDOMTraversalContext is provided without any data fields. This can be used in many cases where custom storage is not required in the context; for an example, see
SimpleDOMTraversalContext to include additional fields and methods. For a very straightforward example, see
CRDetectionStage. A more complex example, including use of the
DOMTraversalContext, can be found in
ancestorEntity method has been removed from
AbstractDOMTraversalStage; a protected
errorPrefix method has replaced it in order to allow sub-classes to replicate this or similar behaviour. A new
AbstractSAMLTraversalStage class has been added to incorporate the specific old behaviour.
X509RSAOpenSSLBlacklistValidator) all set a default ID related to their names (e.g.,
RSAKeyLength). This default ID-setting behaviour has been removed. This may have two effects on configurations which do not explicitly set the component ID:
IdentifiableBeanPostProcessor may give different results, as the Spring component ID may now appear in status objects replacing the previous default.
waitingForPipelines property previously defaulted to
false, which could result in unexpected behaviour if the stage was invoked a second time without arranging to synchronise execution with the called pipelines. As a result, most deployments set
true so that the called pipelines will all complete before control is passed on from the
PipelineDemultiplexerStage; this behaviour is now the default.
spring-extensions project, which removes support for SVN-based resources.
ValidateValidUntilStage now use the
Duration classes (introduced in Java 8) in their APIs rather than using
long values representing milliseconds as in previous releases.
Duration.ofMillis(), but we recommend adopting the modern
DurationToLongConverter is no longer included as part of the
java-support dependency. If you were using it as part of an XML configuration to specify durations in ISO 8601 format (e.g., "PT15M") then you should replace references to
DurationToLongConverter with references to the new
@Nonnull. This is only done when an "empty collection" default is inappropriate for the property and would normally be accompanied by
@NotEmpty on both the setter and the getter.
XMLDSIGSupport classes and therefore the API, as they are now part of the base Java API. For example,
XMLSignatureSigningStage.ALGO_ID_SIGNATURE_RSA_SHA256 is replaced by Java's
compromised-2048.txt resources have been extended with keys shipped with some releases of the Jetty container.
Version class is now functional, rather than throwing a
ClassCastException. It now behaves as intended, resulting in an
<X509SubjectName> element being added to the signature's
XMLSignatureSigningStage under Java 11 are now consistent with signatures generated under earlier versions of Java.
EntityFilterStage handled the case of whitelisting incorrectly when the collection of entity IDs to whitelist was empty. The stage now correctly removes all items from the collection, rather than removing none of them.
XMLSignatureSigningStage threw an IndexOutOfBoundsException if the
includeKeyValue property was set to
true without either setting the
certificates properties; the stage now just omits the
KeyValue from the signature as if
includeKeyValue had been set to
Release date: 19th October 2016
This release adds some minor new features:
MultiOutputSerializationStage which can be provided with a
OutputStrategy to allow each
Item in a collection to be serialized to a different location. This is intended for use cases such as per-entity metadata generation. A
FilesInDirectoryMultiOutputStrategy is provided for this use case; its properties include a destination directory within which individual files are created based on a prefix and suffix string, and a transformed version of each item's first
ItemId. Transformer classes
PathSegmentStringTransformer have been added to cover the most common current use cases. An example of the use of these new classes is available in this example.
PKCS11PrivateKeyFactoryBean to allow a PKCS#11 token (such as a smart card or HSM) to be used to sign documents. An example of its use can be found in this example. Note that this class is deprecated and will not appear in version 0.10.0. In that release, the same functionality will be available from the spring-extensions project, see JSE-20.
The following bug fix is included:
EntityAttributeFilteringStage mishandles multiple containers
EntityAttributeFilteringStage only processed the first
EntityAttributes container in an entity descriptor's
Extensions. Although the specification requires that at most one such container be present, this is not a schema constraint and cannot be relied on in security-sensitive applications.
EntityAttributeFilteringStage now processes all
EntityAttributes containers in an entity.
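To make the security point of this fix concrete, the following added Python example (not the MDA's EntityAttributeFilteringStage, which is Java) filters entity-category values from a constructed EntityDescriptor that carries two mdattr:EntityAttributes containers under one md:Extensions. The SAML metadata attribute profile allows at most one such container, but the schema does not enforce that, so a filter that only inspects the first container lets a self-asserted category in the second one survive. The sample metadata, the entity ID and the category value http://example.org/category/self-asserted are all constructed for the illustration; the first_container_only switch reproduces the pre-fix behaviour.

```python
"""Entity-attribute filtering must cover every EntityAttributes container.

Added illustration of the bug fix described in the release notes; this is
not Shibboleth MDA code. Only the standard library is used.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Constructed sample: the same self-asserted category appears in two
# EntityAttributes containers, which the profile forbids but the schema allows.
SAMPLE = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://example.org/category/self-asserted</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://example.org/category/self-asserted</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""


def entity_category_values(root):
    """All entity-category values still present anywhere in the descriptor."""
    return [
        value.text
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == ENTITY_CATEGORY
        for value in attr.findall("saml:AttributeValue", NS)
    ]


def filter_entity_categories(xml_text, allowed, first_container_only=False):
    """Drop entity-category values not in `allowed`; return the survivors.

    first_container_only=True reproduces the pre-fix behaviour: only the
    first EntityAttributes container is examined, so anything in a second
    container passes through untouched.
    """
    root = ET.fromstring(xml_text)
    extensions = root.find("md:Extensions", NS)
    if extensions is None:
        return []
    containers = extensions.findall("mdattr:EntityAttributes", NS)
    if first_container_only:
        containers = containers[:1]
    for container in containers:
        for attr in list(container.findall("saml:Attribute", NS)):
            if attr.get("Name") != ENTITY_CATEGORY:
                continue
            for value in list(attr.findall("saml:AttributeValue", NS)):
                if value.text not in allowed:
                    attr.remove(value)
            # An Attribute with no values left is removed outright.
            if attr.find("saml:AttributeValue", NS) is None:
                container.remove(attr)
    return entity_category_values(root)


if __name__ == "__main__":
    # Constructed allow-list: the registrar has approved nothing for this entity.
    approved = set()
    print("first container only:", filter_entity_categories(SAMPLE, approved, True))
    print("all containers:      ", filter_entity_categories(SAMPLE, approved))
```

The consumer of the aggregate only sees the surviving AttributeValue elements, so with the old behaviour the entity still ends up advertising a category the registrar never approved; enumerating every container (findall rather than find) is the whole fix.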