[jira] [Created] (SLING-10864) Update Sling CMS Quickstart Docs

2021-10-11 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10864:
-

 Summary: Update Sling CMS Quickstart Docs
 Key: SLING-10864
 URL: https://issues.apache.org/jira/browse/SLING-10864
 Project: Sling
  Issue Type: Task
  Components: App CMS
Affects Versions: App CMS 1.0.4
Reporter: Cris Rockwell
 Attachments: Screen Shot 2021-10-11 at 12.36.05 PM.png

In the cms quickstart docs,
 
[https://github.com/apache/sling-org-apache-sling-app-cms/blob/master/docs/quickstart.md]

it says to download the org.apache.sling.cms jar from 
 [https://search.maven.org/search?q=org.apache.sling.cms]

The jar does not appear at this location (see attached)

I would recommend updating the link to point at Github releases instead
https://github.com/apache/sling-org-apache-sling-app-cms/releases



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Created] (SLING-10857) Review and Update Maven Archetype Page

2021-10-07 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10857:
-

 Summary: Review and Update Maven Archetype Page
 Key: SLING-10857
 URL: https://issues.apache.org/jira/browse/SLING-10857
 Project: Sling
  Issue Type: Task
  Components: Documentation
Reporter: Cris Rockwell
Assignee: Cris Rockwell


The sling-site maven-archetypes page could be improved
https://sling.apache.org/documentation/development/maven-archetypes.html

[ ] Add missing sling-project-archetype 
[ ] Add link to each referenced archetype readme






[jira] [Commented] (SLING-9882) Add more information about the project in the README

2021-10-07 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17425551#comment-17425551
 ] 

Cris Rockwell commented on SLING-9882:
--

Ok got it. I see now sling-content-package-archetype does need some 
documentation. 
https://github.com/apache/sling-content-package-archetype

> Add more information about the project in the README
> 
>
> Key: SLING-9882
> URL: https://issues.apache.org/jira/browse/SLING-9882
> Project: Sling
>  Issue Type: Task
>  Components: Maven Plugins and Archetypes
>Reporter: Robert Munteanu
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: Content Package Archetype 1.0.2
>
>
> [~reusr1] points out that we could use some more documentation in 
> sling-content-package-archetype, see for example 
> https://github.com/apache/sling-project-archetype/blob/master/README.md .





[jira] [Assigned] (SLING-9882) Add more information about the project in the README

2021-10-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell reassigned SLING-9882:


Assignee: Cris Rockwell

> Add more information about the project in the README
> 
>
> Key: SLING-9882
> URL: https://issues.apache.org/jira/browse/SLING-9882
> Project: Sling
>  Issue Type: Task
>  Components: Maven Plugins and Archetypes
>Reporter: Robert Munteanu
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: Content Package Archetype 1.0.2
>
>
> [~reusr1] points out that we could use some more documentation in 
> sling-content-package-archetype, see for example 
> https://github.com/apache/sling-project-archetype/blob/master/README.md .





[jira] [Commented] (SLING-9882) Add more information about the project in the README

2021-10-06 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17425215#comment-17425215
 ] 

Cris Rockwell commented on SLING-9882:
--

I'm not sure what information is missing from the Sling Project Archetype 
README.md. I found the current state sufficiently informative. 

However, sling-project-archetype is missing from the list of maven-archetypes 
on the page below. 

https://sling.apache.org/documentation/development/maven-archetypes.html

Is this a good ticket to reference when making that change?


> Add more information about the project in the README
> 
>
> Key: SLING-9882
> URL: https://issues.apache.org/jira/browse/SLING-9882
> Project: Sling
>  Issue Type: Task
>  Components: Maven Plugins and Archetypes
>Reporter: Robert Munteanu
>Priority: Major
> Fix For: Content Package Archetype 1.0.2
>
>
> [~reusr1] points out that we could use some more documentation in 
> sling-content-package-archetype, see for example 
> https://github.com/apache/sling-project-archetype/blob/master/README.md .





[jira] [Resolved] (SLING-10843) Referrer Filter allowance for app://

2021-10-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell resolved SLING-10843.
---
Resolution: Fixed

PR3 was merged 

> Referrer Filter allowance for app://
> 
>
> Key: SLING-10843
> URL: https://issues.apache.org/jira/browse/SLING-10843
> Project: Sling
>  Issue Type: Improvement
>  Components: Sling Security
>Affects Versions: Security 1.1.20
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: Security 1.1.22
>
>
> Sling's ReferrerFilter has this code in the isValidRequest method.
> {code:java}
> // check for air referrer - which is always allowed
> if ( referrer.startsWith("app:/") ) {
>     return true;
> }
> {code}
> [Sling 
> ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
> There's no need to have app:// as a hard-coded allowance around the Referrer 
> Filter, because applications can configure allow.hosts.regexp to allow AIR 
> referrer if needed.
>  





[jira] [Updated] (SLING-10843) Referrer Filter allowance for app://

2021-10-04 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10843:
--
Fix Version/s: Security 1.1.22

> Referrer Filter allowance for app://
> 
>
> Key: SLING-10843
> URL: https://issues.apache.org/jira/browse/SLING-10843
> Project: Sling
>  Issue Type: Improvement
>  Components: Sling Security
>Affects Versions: Security 1.1.20
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: Security 1.1.22
>
>
> Sling's ReferrerFilter has this code in the isValidRequest method.
> {code:java}
> // check for air referrer - which is always allowed
> if ( referrer.startsWith("app:/") ) {
>     return true;
> }
> {code}
> [Sling 
> ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
> There's no need to have app:// as a hard-coded allowance around the Referrer 
> Filter, because applications can configure allow.hosts.regexp to allow AIR 
> referrer if needed.
>  





[jira] [Commented] (SLING-10843) Referrer Filter allowance for app://

2021-09-28 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17421439#comment-17421439
 ] 

Cris Rockwell commented on SLING-10843:
---

Maybe there was an issue configuring allowedUriReferrers configuration 
with an app URI. But I don't see the issue configuring 
allowedRegexReferrers with the pattern shown in the 
[test|https://github.com/apache/sling-org-apache-sling-security/pull/3/files]. 
It may also be nice to know if such an allowance for AIR/SWF is still needed 
given the state of those technologies.

> Referrer Filter allowance for app://
> 
>
> Key: SLING-10843
> URL: https://issues.apache.org/jira/browse/SLING-10843
> Project: Sling
>  Issue Type: Improvement
>  Components: Sling Security
>Affects Versions: Security 1.1.20
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>
> Sling's ReferrerFilter has this code in the isValidRequest method.
> {code:java}
> // check for air referrer - which is always allowed
> if ( referrer.startsWith("app:/") ) {
>     return true;
> }
> {code}
> [Sling 
> ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
> There's no need to have app:// as a hard-coded allowance around the Referrer 
> Filter, because applications can configure allow.hosts.regexp to allow AIR 
> referrer if needed.
>  





[jira] [Created] (SLING-10843) Referrer Filter allowance for app://

2021-09-28 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10843:
-

 Summary: Referrer Filter allowance for app://
 Key: SLING-10843
 URL: https://issues.apache.org/jira/browse/SLING-10843
 Project: Sling
  Issue Type: Improvement
  Components: Sling Security
Affects Versions: Security 1.1.20
Reporter: Cris Rockwell
Assignee: Cris Rockwell


Sling's ReferrerFilter has this code in the isValidRequest method.
{code:java}
// check for air referrer - which is always allowed
if ( referrer.startsWith("app:/") ) {
    return true;
}
{code}
[Sling 
ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]

There's no need to have app:// as a hard-coded allowance around the Referrer 
Filter, because applications can configure allow.hosts.regexp to allow AIR 
referrer if needed.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
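
The argument in SLING-10843 above, as an added example that is not part of the original message and is not the Sling ReferrerFilter source: a simplified model of a referrer check with and without the hard-coded `app:/` shortcut. The class and method names, the server name, the sample referrers and the regex are constructed for illustration, and the model assumes patterns are matched against the whole referrer and that an empty referrer is rejected.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.regex.Pattern;

// Simplified model of a referrer check for illustration; not the Sling ReferrerFilter source.
public class ReferrerAllowanceDemo {

    // Host part of the referrer URL, or null when it has none or cannot be parsed.
    static String hostOf(String referrer) {
        try {
            return new URI(referrer).getHost();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Configured checks only: explicit regex allow-list first, then host == server name.
    // Assumptions of this model: patterns match the whole referrer; an empty referrer is rejected.
    static boolean isValidConfiguredOnly(String referrer, String serverName, List<Pattern> allowed) {
        if (referrer == null || referrer.isEmpty()) {
            return false;
        }
        for (Pattern p : allowed) {
            if (p.matcher(referrer).matches()) {
                return true;
            }
        }
        String host = hostOf(referrer);
        return host != null && host.equalsIgnoreCase(serverName);
    }

    // The same checks preceded by the hard-coded shortcut quoted in the ticket.
    static boolean isValidWithAppShortcut(String referrer, String serverName, List<Pattern> allowed) {
        if (referrer != null && referrer.startsWith("app:/")) {
            return true; // accepted before any configuration is consulted
        }
        return isValidConfiguredOnly(referrer, serverName, allowed);
    }

    public static void main(String[] args) {
        String server = "cms.example.org"; // constructed server name
        List<Pattern> noConfig = List.of();
        // Constructed pattern: an operator who still needs one AIR client allows exactly that client.
        List<Pattern> airClient = List.of(Pattern.compile("app:/trusted-client/.*"));

        String[] referrers = { // constructed sample Referer values
            "https://cms.example.org/content/page.html",
            "https://other.example.net/form.html",
            "app:/trusted-client/index.html",
            "app:/unknown-client/index.html"
        };

        System.out.printf("%-45s %-10s %-12s %-12s%n",
                "referrer", "shortcut", "no-config", "regex-config");
        for (String r : referrers) {
            System.out.printf("%-45s %-10b %-12b %-12b%n", r,
                    isValidWithAppShortcut(r, server, noConfig),
                    isValidConfiguredOnly(r, server, noConfig),
                    isValidConfiguredOnly(r, server, airClient));
        }
    }
}
```

The "shortcut" column accepts every `app:/` referrer regardless of configuration, while the "regex-config" column accepts only the client the operator listed.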


[jira] [Comment Edited] (SLING-3469) Provide out of the box CSRF protection

2021-09-02 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17408867#comment-17408867
 ] 

Cris Rockwell edited comment on SLING-3469 at 9/2/21, 2:15 PM:
---

After reviewing a few posts about Adobe Integrated Runtime
 * [https://tracker.adobe.com/#/view/AIR-2945647]
 * [https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814]

I recommend removing the code above that allows SWF apps (and others) that 
bypass the ReferrerFilter using the app:// exception.


was (Author: cris):
After reviewing a few posts about Adobe Integrated Runtime * 
[https://tracker.adobe.com/#/view/AIR-2945647]
 * 
[https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814]

I recommend removing the code above that allows SWF apps (and others) that 
bypass the ReferrerFilter using the app:// exception.

> Provide out of the box CSRF protection
> --
>
> Key: SLING-3469
> URL: https://issues.apache.org/jira/browse/SLING-3469
> Project: Sling
>  Issue Type: Improvement
>Reporter: Raviteja Lokineni
>Priority: Critical
>
> One such vulnerability can be found on the default login form for 
> FormBasedAuthenticationHandler.
> Grails framework has implemented this protection using custom tag library and 
> filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html





[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection

2021-09-02 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17408867#comment-17408867
 ] 

Cris Rockwell commented on SLING-3469:
--

After reviewing a few posts about Adobe Integrated Runtime
 * [https://tracker.adobe.com/#/view/AIR-2945647]
 * [https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814]

I recommend removing the code above that allows SWF apps (and others) that 
bypass the ReferrerFilter using the app:// exception.

> Provide out of the box CSRF protection
> --
>
> Key: SLING-3469
> URL: https://issues.apache.org/jira/browse/SLING-3469
> Project: Sling
>  Issue Type: Improvement
>Reporter: Raviteja Lokineni
>Priority: Critical
>
> One such vulnerability can be found on the default login form for 
> FormBasedAuthenticationHandler.
> Grails framework has implemented this protection using custom tag library and 
> filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html





[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection

2021-08-31 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17407656#comment-17407656
 ] 

Cris Rockwell commented on SLING-3469:
--

I have a few questions about this...

* The OWASP CSRF Cheatsheet (linked below) mentions a process of checking the 
'Origin' header and comparing to the 'Referrer' header. Sling's Referrer Filter 
compares the host name (obtained by parsing the referrer header) to 
`request.getServerName()`. It seems equivalent, but is it? Any advantage either 
way?
* Does the JEE Reference CSRFValidationFilter (linked below) demonstrate any 
mitigation techniques that Sling should consider adopting?
* Sling's ReferrerFilter has this code in the isValidRequest method. It seems 
odd and my internet searches did not return an obvious answer about why this is 
done. Ideas?

{code:java}
// check for air referrer - which is always allowed
if ( referrer.startsWith("app:/") ) {
    return true;
}
{code}


[Sling 
ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
[Cross-Site Request Forgery Prevention Cheat 
Sheet|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#java-reference-example]
[JEE Reference 
CSRFValidationFilter|https://github.com/righettod/poc-csrf/blob/master/src/main/java/eu/righettod/poccsrf/filter/CSRFValidationFilter.java]
 


> Provide out of the box CSRF protection
> --
>
> Key: SLING-3469
> URL: https://issues.apache.org/jira/browse/SLING-3469
> Project: Sling
>  Issue Type: Improvement
>Reporter: Raviteja Lokineni
>Priority: Critical
>
> One such vulnerability can be found on the default login form for 
> FormBasedAuthenticationHandler.
> Grails framework has implemented this protection using custom tag library and 
> filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html





[jira] [Resolved] (SLING-10193) SAML Auth Handler Initial Release

2021-05-27 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell resolved SLING-10193.
---
Resolution: Done

> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: SAML2 Service Provider 0.2.4
>
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [done] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ok] Conduct security scanning and input fuzz testing
> [done] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [done] Move project from sling-whiteboard to separate github repository





[jira] [Resolved] (SLING-10315) Onboard new project for SonarCloud Analysis

2021-05-27 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell resolved SLING-10315.
---
Resolution: Done

> Onboard new project for SonarCloud Analysis
> ---
>
> Key: SLING-10315
> URL: https://issues.apache.org/jira/browse/SLING-10315
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Fabrice Bellingard
>Priority: Major
> Fix For: SAML2 Service Provider 0.2.4
>
>
> As per documentation for new Sling repositories, a Jira ticket is required 
> for on-boarding new projects for SonarCloud analysis
> The Jenkins Build is here
> https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-saml2/job/master/
> The Sling github repository is here
> https://github.com/apache/sling-org-apache-sling-auth-saml2
> Let me know if you need anything else from me.
> Thanks!





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-05-27 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Description: 
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ok] Conduct security scanning and input fuzz testing
[done] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[done] Move project from sling-whiteboard to separate github repository

  was:
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ok] Conduct security scanning and input fuzz testing
[done] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository


> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: SAML2 Service Provider 0.2.4
>
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [done] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ok] Conduct security scanning and input fuzz testing
> [done] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [done] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-05-27 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9397:
-
Description: 
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[X] Get confirmation the project builds and operates as expected
 [X] Ensure that the NOTICE file is the correct one
 [X] Testing setup ( documentation, local SAML provider, etc )
 [X] Clarify whether we can depend on artifacts not deployed on Maven Central
 [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
 * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
 [X] Decide whether to make signing and encryption optional. Currently it is 
required
 [X] Get feedback whether README instructions are too much, too little, 
unclear, etc

[X] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.
 [ok] Find and fix any bugs.

 

  was:
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[X] Get confirmation the project builds and operates as expected
 [X] Ensure that the NOTICE file is the correct one
 [X] Testing setup ( documentation, local SAML provider, etc )
 [X] Clarify whether we can depend on artifacts not deployed on Maven Central
 [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
 * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
 [X] Decide whether to make signing and encryption optional. Currently it is 
required
 [X] Get feedback whether README instructions are too much, too little, 
unclear, etc

[X] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.
 [ ] Find and fix any bugs.

 


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
> Fix For: SAML2 Service Provider 0.2.4
>
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
>  [X] Ensure that the NOTICE file is the correct one
>  [X] Testing setup ( documentation, local SAML provider, etc )
>  [X] Clarify whether we can depend on artifacts not deployed on Maven Central
>  [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
>  * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
>  [X] Decide whether to make signing and encryption optional. Currently it is 
> required
>  [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [X] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
>  [ok] Find and fix any bugs.
>  





[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-05-19 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9397:
-
Fix Version/s: SAML2 Service Provider 0.2.4

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
> Fix For: SAML2 Service Provider 0.2.4
>
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
>  [X] Ensure that the NOTICE file is the correct one
>  [X] Testing setup ( documentation, local SAML provider, etc )
>  [X] Clarify whether we can depend on artifacts not deployed on Maven Central
>  [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
>  * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
>  [X] Decide whether to make signing and encryption optional. Currently it is 
> required
>  [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [X] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
>  [ ] Find and fix any bugs.
>  





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-05-19 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Fix Version/s: SAML2 Service Provider 0.2.4

> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Fix For: SAML2 Service Provider 0.2.4
>
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [done] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ok] Conduct security scanning and input fuzz testing
> [done] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Commented] (SLING-10290) Every request renews sling.formauth token

2021-05-04 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17339308#comment-17339308
 ] 

Cris Rockwell commented on SLING-10290:
---

Thanks for the suggestion Eric. I created a new ticket as you suggest in 
SLING-10350 relating to the weak algorithm.

> Every request renews sling.formauth token
> -
>
> Key: SLING-10290
> URL: https://issues.apache.org/jira/browse/SLING-10290
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>Affects Versions: Form Based Authentication 1.0.20
>Reporter: Cris Rockwell
>Assignee: Eric Norman
>Priority: Critical
> Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using Apache Sling Form Based Authentication Handler
> Every request and subrequest sets a new value for `sling.formauth`
> Analyzing the code indicates that it is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes 
> according to the default value of form.auth.timeout
> Debugging shows that the method 
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
>  always returns null. AuthenticationInfo properties are 
> user.jcr.credentials, sling.authType and user.name.  But this is not a 
> property called sling.formauth 





[jira] [Created] (SLING-10350) Use a stronger algorithm in TokenStore

2021-05-04 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10350:
-

 Summary: Use a stronger algorithm in TokenStore  
 Key: SLING-10350
 URL: https://issues.apache.org/jira/browse/SLING-10350
 Project: Sling
  Issue Type: Improvement
  Components: Authentication
Affects Versions: Form Based Authentication 1.0.20
Reporter: Cris Rockwell


The TokenStore in Forms uses SHA-1

final Mac m = Mac.getInstance(HMAC_SHA1);

https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143

Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, 
DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 
are no longer considered secure, because it is possible to have collisions 
(little computational effort is enough to find two or more different inputs 
that produce the same hash).

The provisioning of weak security tokens for every request could be considered 
a security vulnerability. Also in a production environment with many active 
users, the risk of accidental collision is not impossible.

I don't recommend doing this before SLING-10290, because constant provisioning 
of the tokens is a performance drain, and will be more so with a stronger 
algorithm. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
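
What changing the algorithm name passed to `Mac.getInstance` means for tokens already issued, as an added example that is not part of the original message and is not Sling's TokenStore code: tokens signed under `HmacSHA1` stop verifying once the verifier expects `HmacSHA256`, so existing sessions have to re-authenticate. The `tag@payload` token layout, the payload values and all class and method names are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical token signer for illustration; not Sling's TokenStore.
public class TokenMacDemo {

    // Compute the MAC tag of the payload with the named JCA algorithm.
    static byte[] mac(String algorithm, byte[] key, String payload) throws GeneralSecurityException {
        Mac m = Mac.getInstance(algorithm);
        m.init(new SecretKeySpec(key, algorithm));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }

    // Constructed token layout: base64url(tag) + "@" + payload.
    static String issue(String algorithm, byte[] key, String payload) throws GeneralSecurityException {
        String tag = Base64.getUrlEncoder().withoutPadding().encodeToString(mac(algorithm, key, payload));
        return tag + "@" + payload;
    }

    // Recompute the tag over the presented payload and compare with MessageDigest.isEqual,
    // which does not stop at the first differing byte.
    static boolean verify(String algorithm, byte[] key, String token) throws GeneralSecurityException {
        int sep = token.indexOf('@'); // '@' is not in the base64url alphabet, so the first one ends the tag
        if (sep <= 0) {
            return false;
        }
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(token.substring(0, sep));
        } catch (IllegalArgumentException e) {
            return false; // tag is not valid base64url
        }
        byte[] expected = mac(algorithm, key, token.substring(sep + 1));
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        String payload = "1620150000000@alice"; // constructed: expiry in millis and a user id

        String sha1Token = issue("HmacSHA1", key, payload);
        String sha256Token = issue("HmacSHA256", key, payload);

        System.out.println("HmacSHA1 tag length (bytes):   " + mac("HmacSHA1", key, payload).length);
        System.out.println("HmacSHA256 tag length (bytes): " + mac("HmacSHA256", key, payload).length);

        // After the switch the verifier only accepts HmacSHA256 tags.
        System.out.println("new token verifies:            " + verify("HmacSHA256", key, sha256Token));
        System.out.println("old SHA-1 token verifies:      " + verify("HmacSHA256", key, sha1Token));

        // A payload changed after issuance no longer matches its tag.
        String tampered = sha256Token.replace("alice", "admin");
        System.out.println("tampered token verifies:       " + verify("HmacSHA256", key, tampered));
    }
}
```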


[jira] [Updated] (SLING-10290) Every request renews sling.formauth token

2021-04-20 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10290:
--
Priority: Critical  (was: Major)

> Every request renews sling.formauth token
> -
>
> Key: SLING-10290
> URL: https://issues.apache.org/jira/browse/SLING-10290
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>Affects Versions: Form Based Authentication 1.0.20
>Reporter: Cris Rockwell
>Priority: Critical
> Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using Apache Sling Form Based Authentication Handler
> Every request and subrequest sets a new value for `sling.formauth`
> Analyzing the code indicates that it is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes 
> according to the default value of form.auth.timeout
> Debugging shows that the method 
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
>  always returns null. AuthenticationInfo properties are 
> user.jcr.credentials, sling.authType and user.name.  But this is not a 
> property called sling.formauth 





[jira] [Commented] (SLING-10290) Every request renews sling.formauth token

2021-04-20 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17325824#comment-17325824
 ] 

Cris Rockwell commented on SLING-10290:
---

Suggest upgrading this ticket to Critical.

The TokenStore in Forms uses SHA-1

{{final Mac m = Mac.getInstance(HMAC_SHA1);}}

https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143

Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, 
DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 
are no longer considered secure, because it is possible to have collisions 
(little computational effort is enough to find two or more different inputs 
that produce the same hash).

The provisioning of weak security tokens for every request could be considered 
a security vulnerability. Also in a production environment with many active 
users, the risk of accidental collision is not impossible.

> Every request renews sling.formauth token
> -
>
> Key: SLING-10290
> URL: https://issues.apache.org/jira/browse/SLING-10290
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>Affects Versions: Form Based Authentication 1.0.20
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using Apache Sling Form Based Authentication Handler
> Every request and subrequest sets a new value for `sling.formauth`
> Analyzing the code indicates that it is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes 
> according to the default value of form.auth.timeout
> Debugging shows that the method 
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
>  always returns null. AuthenticationInfo properties are 
> user.jcr.credentials, sling.authType and user.name.  But this is not a 
> property called sling.formauth 





[jira] [Created] (SLING-10315) Onboard new project for SonarCloud Analysis

2021-04-16 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10315:
-

 Summary: Onboard new project for SonarCloud Analysis
 Key: SLING-10315
 URL: https://issues.apache.org/jira/browse/SLING-10315
 Project: Sling
  Issue Type: Task
  Components: Authentication
Reporter: Cris Rockwell
Assignee: Fabrice Bellingard
 Fix For: Auth SAML2 0.2.0


As per documentation for new Sling repositories, a Jira ticket is required for 
on-boarding new projects for SonarCloud analysis

The Jenkins Build is here
https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-saml2/job/master/

The Sling github repository is here
https://github.com/apache/sling-org-apache-sling-auth-saml2

Let me know if you need anything else from me.
Thanks!






[jira] [Updated] (SLING-10290) Every request renews sling.formauth token

2021-04-09 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10290:
--
Description: 
When using Apache Sling Form Based Authentication Handler
Every request and subrequest sets a new value for `sling.formauth`

Analyzing the code indicates that it is not the intended behavior,
and the cookie value of `sling.formauth` should be consistent for 30 minutes 
according to the default value of form.auth.timeout

Debugging shows that the method 
[getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
 always returns null. AuthenticationInfo properties are 
user.jcr.credentials, sling.authType and user.name.  But this is not a property 
called sling.formauth 




  was:
When using Apache Sling Form Based Authentication Handler
Every request and subrequest sets a new value for `sling.formauth`

Analyzing the code indicates that it is not the intended behavior,
and the cookie value of `sling.formauth` should be consistent for 30 minutes 
according to the default value of form.auth.timeout

Debugging shows that the method 
[getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
 always returns null. AuthenticationInfo properties are 
user.jcr.credentials, sling.authType and user.name. But not a property called 
sling.formauth (e.g. the default key name of attrCookieAuthData)





> Every request renews sling.formauth token
> -
>
> Key: SLING-10290
> URL: https://issues.apache.org/jira/browse/SLING-10290
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>Affects Versions: Form Based Authentication 1.0.20
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using Apache Sling Form Based Authentication Handler
> Every request and subrequest sets a new value for `sling.formauth`
> Analyzing the code indicates that it is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes 
> according to the default value of form.auth.timeout
> Debugging shows that the method 
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
>  always returns null. AuthenticationInfo properties are 
> user.jcr.credentials, sling.authType and user.name.  But this is not a 
> property called sling.formauth 





[jira] [Updated] (SLING-10290) Every request renews sling.formauth token

2021-04-09 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10290:
--
Description: 
When using Apache Sling Form Based Authentication Handler
Every request and subrequest sets a new value for `sling.formauth`

Analyzing the code indicates that it is not the intended behavior,
and the cookie value of `sling.formauth` should be consistent for 30 minutes 
according to the default value of form.auth.timeout

Debugging shows that the method 
[getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
 always returns null. AuthenticationInfo properties are 
user.jcr.credentials, sling.authType and user.name. But not a property called 
sling.formauth (e.g. the default key name of attrCookieAuthData)




  was:
When using Apache Sling Form Based Authentication Handler
Every request and subrequest sets a new value for `sling.formauth`

Analyzing the code indicates that it is not the intended behavior,
and the cookie value of `sling.formauth` should be consistent for 30 minutes 
according to the default value of form.auth.timeout

Debugging shows that the method 
[getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
 always returns null. AuthenticationInfo properties are 
user.jcr.credentials, sling.authType and user.name. But not a property called 
sling.formauth (e.g. the default key name of attrCookieAuthData)

 !image-2021-04-09-14-19-17-509.png! 



> Every request renews sling.formauth token
> -
>
> Key: SLING-10290
> URL: https://issues.apache.org/jira/browse/SLING-10290
> Project: Sling
>  Issue Type: Bug
>  Components: Authentication
>Affects Versions: Form Based Authentication 1.0.20
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: image-2021-04-09-14-19-17-509.png
>
>
> When using Apache Sling Form Based Authentication Handler
> Every request and subrequest sets a new value for `sling.formauth`
> Analyzing the code indicates that it is not the intended behavior,
> and the cookie value of `sling.formauth` should be consistent for 30 minutes 
> according to the default value of form.auth.timeout
> Debugging shows that the method 
> [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
>  always returns null. AuthenticationInfo properties are 
> user.jcr.credentials, sling.authType and user.name. But not a property called 
> sling.formauth (e.g. the default key name of attrCookieAuthData)





[jira] [Created] (SLING-10290) Every request renews sling.formauth token

2021-04-09 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10290:
-

 Summary: Every request renews sling.formauth token
 Key: SLING-10290
 URL: https://issues.apache.org/jira/browse/SLING-10290
 Project: Sling
  Issue Type: Bug
  Components: Authentication
Affects Versions: Form Based Authentication 1.0.20
Reporter: Cris Rockwell
 Attachments: image-2021-04-09-14-19-17-509.png

When using Apache Sling Form Based Authentication Handler
Every request and subrequest sets a new value for `sling.formauth`

Analyzing the code indicates that it is not the intended behavior,
and the cookie value of `sling.formauth` should be consistent for 30 minutes 
according to the default value of form.auth.timeout

Debugging shows that the method 
[getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519]
 always returns null. AuthenticationInfo properties are 
user.jcr.credentials, sling.authType and user.name. But not a property called 
sling.formauth (e.g. the default key name of attrCookieAuthData)

 !image-2021-04-09-14-19-17-509.png! 






[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-04-08 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Description: 
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ok] Conduct security scanning and input fuzz testing
[done] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository

  was:
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[done] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository


> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [done] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ok] Conduct security scanning and input fuzz testing
> [done] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-04-07 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Description: 
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[done] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository

  was:
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository


> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [done] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ ] Conduct security scanning and input fuzz testing
> [done] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-04-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Description: 
Tasks for initial release

[done] Test Coverage >80%
[done] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository

  was:
Tasks for initial release

[done] Test Coverage >80%
[ ] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository


> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [done] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ ] Conduct security scanning and input fuzz testing
> [ ] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-04-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Attachment: Screen Shot 2021-04-06 at 3.12.23 PM.png
Screen Shot 2021-04-06 at 3.11.55 PM.png
Screen Shot 2021-04-06 at 3.11.46 PM.png

> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [ ] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ ] Conduct security scanning and input fuzz testing
> [ ] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-04-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Description: 
Tasks for initial release

[done] Test Coverage >80%
[ ] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository

  was:
Tasks for initial release

[ ] Test Coverage >80%
[ ] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository


> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot 
> 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png
>
>
> Tasks for initial release
> [done] Test Coverage >80%
> [ ] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ ] Conduct security scanning and input fuzz testing
> [ ] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release

2021-03-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-10193:
--
Description: 
Tasks for initial release

[ ] Test Coverage >80%
[ ] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Improve mapping for attribute sync'ing. Currently it only takes the 
attribute Assertion. It saves the property (if exists in the assertion) as the 
friendlyName (if exists in the assertion) and makes no provision for relative 
path or control naming of the property. Instead utilize a mapping nomenclature 
`[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
[ ] Move project from sling-whiteboard to separate github repository

  was:
Continuation of SLING-9397

Tasks
[ ] Test Coverage >80%
[ ] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Move project from sling-whiteboard to separate github repository


> SAML Auth Handler Initial Release
> -
>
> Key: SLING-10193
> URL: https://issues.apache.org/jira/browse/SLING-10193
> Project: Sling
>  Issue Type: Task
>  Components: Authentication
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>
> Tasks for initial release
> [ ] Test Coverage >80%
> [ ] JAAS configuration programmatically added within activator start, and 
> removed JAAS config within stop method
> [ ] Conduct security scanning and input fuzz testing
> [ ] Improve mapping for attribute sync'ing. Currently it only takes the 
> attribute Assertion. It saves the property (if exists in the assertion) as 
> the friendlyName (if exists in the assertion) and makes no provision for 
> relative path or control naming of the property. Instead utilize a mapping 
> nomenclature 
> `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]`
> [ ] Move project from sling-whiteboard to separate github repository





[jira] [Resolved] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-03-06 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell resolved SLING-9397.
--
Resolution: Done

Initial submission to sling-whiteboard was done a while ago. There are a few 
follow-up tasks to track for initial release within SLING-10193

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
>  [X] Ensure that the NOTICE file is the correct one
>  [X] Testing setup ( documentation, local SAML provider, etc )
>  [X] Clarify whether we can depend on artifacts not deployed on Maven Central
>  [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
>  * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
>  [X] Decide whether to make signing and encryption optional. Currently it is 
> required
>  [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [X] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
>  [ ] Find and fix any bugs.
>  





[jira] [Created] (SLING-10193) SAML Auth Handler Initial Release

2021-03-06 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-10193:
-

 Summary: SAML Auth Handler Initial Release
 Key: SLING-10193
 URL: https://issues.apache.org/jira/browse/SLING-10193
 Project: Sling
  Issue Type: Task
  Components: Authentication
Reporter: Cris Rockwell
Assignee: Cris Rockwell


Continuation of SLING-9397

Tasks
[ ] Test Coverage >80%
[ ] JAAS configuration programmatically added within activator start, and 
removed JAAS config within stop method
[ ] Conduct security scanning and input fuzz testing
[ ] Move project from sling-whiteboard to separate github repository





[jira] [Updated] (SLING-9980) Junit Core ITs fail with jdk11

2021-02-23 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9980:
-
Component/s: JUnit Core

> Junit Core ITs fail with jdk11
> --
>
> Key: SLING-9980
> URL: https://issues.apache.org/jira/browse/SLING-9980
> Project: Sling
>  Issue Type: Improvement
>  Components: JUnit Core
>Reporter: Bertrand Delacretaz
>Assignee: Bertrand Delacretaz
>Priority: Minor
>
> The integration tests under {{src/it/annotations-it}} fail with jdk11 as 
> follows:
> {code}
> INFO] [INFO] Running org.apache.sling.junit.annotations.ReferenceIT
> [INFO] [main] INFO org.ops4j.pax.exam.spi.DefaultExamSystem - Pax Exam System 
> (Version: 4.13.4) created.
> ...
> [INFO] WARNING: An illegal reflective access operation has occurred
> [INFO] WARNING: Illegal reflective access by 
> org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
>  
> (file:/Users/bert/workspace/apache/sling/sling-org-apache-sling-junit-core/target/it-repo/org/apache/felix/org.apache.felix.framework/6.0.3/org.apache.felix.framework-6.0.3.jar)
>  to method java.net.URLClassLoader.addURL(java.net.URL)
> [INFO] WARNING: Please consider reporting this to the maintainers of 
> org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
> [INFO] WARNING: Use --illegal-access=warn to enable warnings of further 
> illegal reflective access operations
> ...
> [INFO] [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time 
> elapsed: 89.29 s <<< FAILURE! - in 
> org.apache.sling.junit.annotations.ReferenceIT
> [INFO] [ERROR] org.apache.sling.junit.annotations.ReferenceIT  Time elapsed: 
> 89.27 s  <<< ERROR!
> [INFO] org.ops4j.pax.exam.TestContainerException: 
> org.osgi.framework.BundleException: Could not create bundle object.
> [INFO]at 
> org.ops4j.pax.exam.forked.ForkedTestContainer.start(ForkedTestContainer.java:168)
> [INFO]at 
> org.ops4j.pax.exam.junit.PaxExamServer.before(PaxExamServer.java:87)
> [INFO]at 
> org.apache.sling.junit.annotations.it@1.0.0/org.apache.sling.junit.annotations.ReferenceIT$1.before(ReferenceIT.java:61)
> ...
> [INFO] Caused by: org.osgi.framework.BundleException: Could not create bundle 
> object.
> [INFO]at 
> org.apache.felix.framework.Felix.installBundle(Felix.java:3312)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120)
> [INFO]at 
> org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132)
> ...
> [INFO] Caused by: java.lang.UnsupportedOperationException: Unable to add 
> extension bundle.
> [INFO]at 
> org.apache.felix.framework.ExtensionManager.addExtensionBundle(ExtensionManager.java:430)
> [INFO]at 
> org.apache.felix.framework.Felix.installBundle(Felix.java:3279)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120)
> [INFO]at 
> org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132)
> {code}





[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-09 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9397:
-
Description: 
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[X] Get confirmation the project builds and operates as expected
 [X] Ensure that the NOTICE file is the correct one
 [X] Testing setup ( documentation, local SAML provider, etc )
 [X] Clarify whether we can depend on artifacts not deployed on Maven Central
 [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
 * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
 [X] Decide whether to make signing and encryption optional. Currently it is 
required
 [X] Get feedback whether README instructions are too much, too little, 
unclear, etc

[X] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.
 [ ] Find and fix any bugs.

 

  was:
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[X] Get confirmation the project builds and operates as expected
[X] Ensure that the NOTICE file is the correct one
[X] Testing setup ( documentation, local SAML provider, etc )
[X] Clarify whether we can depend on artifacts not deployed on Maven Central
[X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
* [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
[X] Decide whether to make signing and encryption optional. Currently it is 
required
[X] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.
[ ] Find and fix any bugs. 

 


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
>  [X] Ensure that the NOTICE file is the correct one
>  [X] Testing setup ( documentation, local SAML provider, etc )
>  [X] Clarify whether we can depend on artifacts not deployed on Maven Central
>  [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
>  * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
>  [X] Decide whether to make signing and encryption optional. Currently it is 
> required
>  [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [X] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
>  [ ] Find and fix any bugs.
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-08 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281415#comment-17281415
 ] 

Cris Rockwell commented on SLING-9397:
--

Nope. Prefer to keep it on the ticket. Thanks

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-08 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281261#comment-17281261
 ] 

Cris Rockwell commented on SLING-9397:
--

{quote}Who are you trying to protect the sensitive data from? As far as I can
tell Sling is mostly being run in a single-tenant manner and there is
no effort to make it multi-tenant.{quote}
{quote}If you're trying to make it safe from malicious code deployed in the
same JVM, I'd say that all bets are off already.{quote}
Yes. My concern is making it harder in case of RCE or malicious Java bundles. I 
get the idea that ‘all bets are off’ in those scenarios. Security training 
instructs us to think in terms of layers. In keeping with the principle of 
least privilege, if these data aren't needed by other services and those 
services aren't fully trusted, then I should consider access control more 
carefully. That's why I'm considering simplifying the project structure to 
eliminate the config service, placing all the components and services within 
the same package, and using package-private scope. 
 
 

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-05 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17279771#comment-17279771
 ] 

Cris Rockwell commented on SLING-9397:
--

One of the open items identified in the ticket description regards 
*SAML2ConfigService* and the implementation *SAML2ConfigServiceImpl*. This 
service provides SAML configurations to *AuthenticationHandlerSAML2* and 
*Saml2UserMgtServiceImpl*. 

Because SAML2ConfigService has keystore information, I find it uncomfortable 
making it generally available as an OSGi whiteboard service. I would like some 
feedback about the appropriate way to provide sensitive configurations only to 
the required services.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  





[jira] [Assigned] (SLING-9397) SAML2 Authentication Handler [initial submission]

2021-02-05 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell reassigned SLING-9397:


Assignee: Cris Rockwell

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  





[jira] [Resolved] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference

2020-12-09 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell resolved SLING-9915.
--
Fix Version/s: JUnit Core 1.1.2
   Resolution: Fixed

> Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
> 
>
> Key: SLING-9915
> URL: https://issues.apache.org/jira/browse/SLING-9915
> Project: Sling
>  Issue Type: Task
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.0
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Minor
>  Labels: test, tools
> Fix For: JUnit Core 1.1.2
>
>
> As per discussion thread
> https://www.mail-archive.com/dev@sling.apache.org/msg100097.html
> Revert this commit
> https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d
> Reviving annotations
> @TestReference
> @SlingAnnotationsTestRunner 
> Review docs and suggest updates 
> https://sling.apache.org/documentation/development/sling-testing-tools.html
> https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html





[jira] [Commented] (SLING-9980) Junit Core ITs fail with jdk11

2020-12-07 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17245362#comment-17245362
 ] 

Cris Rockwell commented on SLING-9980:
--

Thanks for creating this ticket.

One question about the reference to 
sling-org-apache-sling-servlets-annotations: does it build with Java 11? 
Locally, I get a build error and the CI might have the same trouble...

[https://ci-builds.apache.org/blue/organizations/jenkins/Sling%2Fmodules%2Fsling-org-apache-sling-servlets-annotations/detail/master/44/pipeline/32]
 

> Junit Core ITs fail with jdk11
> --
>
> Key: SLING-9980
> URL: https://issues.apache.org/jira/browse/SLING-9980
> Project: Sling
>  Issue Type: Improvement
>Reporter: Bertrand Delacretaz
>Assignee: Bertrand Delacretaz
>Priority: Minor
>
> The integration tests under {{src/it/annotations-it}} fail with jdk11 as 
> follows:
> {code}
> INFO] [INFO] Running org.apache.sling.junit.annotations.ReferenceIT
> [INFO] [main] INFO org.ops4j.pax.exam.spi.DefaultExamSystem - Pax Exam System 
> (Version: 4.13.4) created.
> ...
> [INFO] WARNING: An illegal reflective access operation has occurred
> [INFO] WARNING: Illegal reflective access by 
> org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
>  
> (file:/Users/bert/workspace/apache/sling/sling-org-apache-sling-junit-core/target/it-repo/org/apache/felix/org.apache.felix.framework/6.0.3/org.apache.felix.framework-6.0.3.jar)
>  to method java.net.URLClassLoader.addURL(java.net.URL)
> [INFO] WARNING: Please consider reporting this to the maintainers of 
> org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
> [INFO] WARNING: Use --illegal-access=warn to enable warnings of further 
> illegal reflective access operations
> ...
> [INFO] [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time 
> elapsed: 89.29 s <<< FAILURE! - in 
> org.apache.sling.junit.annotations.ReferenceIT
> [INFO] [ERROR] org.apache.sling.junit.annotations.ReferenceIT  Time elapsed: 
> 89.27 s  <<< ERROR!
> [INFO] org.ops4j.pax.exam.TestContainerException: 
> org.osgi.framework.BundleException: Could not create bundle object.
> [INFO]at 
> org.ops4j.pax.exam.forked.ForkedTestContainer.start(ForkedTestContainer.java:168)
> [INFO]at 
> org.ops4j.pax.exam.junit.PaxExamServer.before(PaxExamServer.java:87)
> [INFO]at 
> org.apache.sling.junit.annotations.it@1.0.0/org.apache.sling.junit.annotations.ReferenceIT$1.before(ReferenceIT.java:61)
> ...
> [INFO] Caused by: org.osgi.framework.BundleException: Could not create bundle 
> object.
> [INFO]at 
> org.apache.felix.framework.Felix.installBundle(Felix.java:3312)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120)
> [INFO]at 
> org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132)
> ...
> [INFO] Caused by: java.lang.UnsupportedOperationException: Unable to add 
> extension bundle.
> [INFO]at 
> org.apache.felix.framework.ExtensionManager.addExtensionBundle(ExtensionManager.java:430)
> [INFO]at 
> org.apache.felix.framework.Felix.installBundle(Felix.java:3279)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147)
> [INFO]at 
> org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120)
> [INFO]at 
> org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132)
> {code}





[jira] [Commented] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine

2020-12-04 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17244233#comment-17244233
 ] 

Cris Rockwell commented on SLING-9935:
--

If I understand the questions properly, no, JUnit bundles are not installed. 
Yes, JUnit 4 seems to work fine.

 

Image shows many JUnit 4 bundles

!Screen Shot 2020-12-04 at 1.49.06 PM.png|width=654,height=535!

 

Here it shows JUnit tests after executing

!Screen Shot 2020-12-04 at 1.49.45 PM.png|width=584,height=281!

  

> NoClassDefFoundError org/junit/platform/engine/TestEngine
> -
>
> Key: SLING-9935
> URL: https://issues.apache.org/jira/browse/SLING-9935
> Project: Sling
>  Issue Type: Bug
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.2
>Reporter: Cris Rockwell
>Assignee: Julian Sedding
>Priority: Minor
> Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png, Screen Shot 
> 2020-12-04 at 1.49.45 PM.png
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, 
> standard output shows many exceptions related to an optional import upon 
> startup. 
>  
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during 
> dispatch. (java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine)
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during 
> dispatch. (java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
>  at 
> org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) 
> at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at 
> org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
>  at 
> org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
>  at 
> org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
>  at 
> org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
>  at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at 
> org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at 
> org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at 
> org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>  at java.base/java.lang.Thread.run(Thread.java:834)
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during 
> dispatch. (java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
>  at 
> org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) 
> at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at 
> org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
>  at 
> org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
>  at 
> org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
>  at 
> org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
>  at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at 
> org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at 
> org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at 
> org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>  at java.base/java.lang.Thread.run(Thread.java:834)
> ERROR: Bundle org.apache.sling.junit.core [189] 

[jira] [Comment Edited] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine

2020-12-04 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17244233#comment-17244233
 ] 

Cris Rockwell edited comment on SLING-9935 at 12/4/20, 6:55 PM:


If I understand the questions properly, no, JUnit 5 bundles are not installed. 
Yes, JUnit 4 seems to work fine.

 

Image shows many JUnit 4 bundles

!Screen Shot 2020-12-04 at 1.49.06 PM.png|width=654,height=535!

 

Here it shows JUnit tests after executing

!Screen Shot 2020-12-04 at 1.49.45 PM.png|width=584,height=281!

  


was (Author: cris):
If I understand the questions properly, no, JUnit bundles are not installed. 
Yes, JUnit 4 seems to work fine.

 

Image shows many JUnit 4 bundles

!Screen Shot 2020-12-04 at 1.49.06 PM.png|width=654,height=535!

 

Here it shows JUnit tests after executing

!Screen Shot 2020-12-04 at 1.49.45 PM.png|width=584,height=281!

  

> NoClassDefFoundError org/junit/platform/engine/TestEngine
> -
>
> Key: SLING-9935
> URL: https://issues.apache.org/jira/browse/SLING-9935
> Project: Sling
>  Issue Type: Bug
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.2
>Reporter: Cris Rockwell
>Assignee: Julian Sedding
>Priority: Minor
> Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png, Screen Shot 
> 2020-12-04 at 1.49.45 PM.png
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, 
> standard output shows many exceptions related to an optional import upon 
> startup. 
>  
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during 
> dispatch. (java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine)
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during 
> dispatch. (java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
>  at 
> org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) 
> at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at 
> org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
>  at 
> org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
>  at 
> org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
>  at 
> org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
>  at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at 
> org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at 
> org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at 
> org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>  at java.base/java.lang.Thread.run(Thread.java:834)
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during 
> dispatch. (java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: 
> org/junit/platform/engine/TestEngine at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
>  at 
> org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
>  at 
> org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
>  at 
> org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) 
> at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at 
> org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
>  at 
> org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
>  at 
> org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
>  at 
> org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
>  at 

[jira] [Updated] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine

2020-12-04 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9935:
-
Attachment: Screen Shot 2020-12-04 at 1.49.45 PM.png

> NoClassDefFoundError org/junit/platform/engine/TestEngine
> -
>
> Key: SLING-9935
> URL: https://issues.apache.org/jira/browse/SLING-9935
> Project: Sling
>  Issue Type: Bug
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.2
>Reporter: Cris Rockwell
>Assignee: Julian Sedding
>Priority: Minor
> Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png, Screen Shot 
> 2020-12-04 at 1.49.45 PM.png
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, 
> standard output shows many exceptions related to an optional import upon 
> startup. 
>  
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)
> java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine
>   at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
>   at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
>   at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
>   at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
>   at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
>   at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256)
>   at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229)
>   at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
>   at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
>   at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
>   at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
>   at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817)
>   at org.apache.felix.framework.Felix.startBundle(Felix.java:2336)
>   at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
>   at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>   at java.base/java.lang.Thread.run(Thread.java:834)

[jira] [Updated] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine

2020-12-04 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9935:
-
Attachment: Screen Shot 2020-12-04 at 1.49.06 PM.png

> NoClassDefFoundError org/junit/platform/engine/TestEngine
> -
>
> Key: SLING-9935
> URL: https://issues.apache.org/jira/browse/SLING-9935
> Project: Sling
>  Issue Type: Bug
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.2
>Reporter: Cris Rockwell
>Assignee: Julian Sedding
>Priority: Minor
> Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, 
> standard output shows many exceptions related to an optional import upon 
> startup. 
>  
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)
> ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)
> java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine
>   at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
>   at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
>   at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
>   at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
>   at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
>   at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256)
>   at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229)
>   at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
>   at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
>   at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
>   at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
>   at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817)
>   at org.apache.felix.framework.Felix.startBundle(Felix.java:2336)
>   at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
>   at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>   at java.base/java.lang.Thread.run(Thread.java:834)

[jira] [Commented] (SLING-9695) Sling Starter datastore

2020-12-02 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17242551#comment-17242551
 ] 

Cris Rockwell commented on SLING-9695:
--

I closed the PR I created for this without merging. Starter is only an example, 
and the closed PR provides that.

[https://github.com/apache/sling-org-apache-sling-starter/pull/13]

> Sling Starter datastore
> ---
>
> Key: SLING-9695
> URL: https://issues.apache.org/jira/browse/SLING-9695
> Project: Sling
>  Issue Type: Improvement
>  Components: Starter
>Affects Versions: Starter 12
>Reporter: Cris Rockwell
>Priority: Minor
>  Labels: datastore, default
>  Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> Sling Starter jar should use a file datastore by default. In my experience, a 
> datastore provides a noticeable performance boost. It took too long to figure 
> out how to get Sling working with a file datastore. 
> https://jackrabbit.apache.org/oak/docs/osgi_config.html#config-sling
> https://stackoverflow.com/questions/62030664/aem-filedatastore-missing-parameter-options/62032775
> https://stackoverflow.com/questions/63569028/add-new-datastore-during-upgrade
> Proposed change
> [configurations runModes=oak_tar]
>   org.apache.jackrabbit.oak.segment.SegmentNodeStoreService
>     name="Default\ NodeStore"
>   org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore
>     minRecordLength=I"4096"
>     path="sling/repository/datastore"
>     cacheSizeInMB=I"128"
>   org.apache.jackrabbit.oak.segment.SegmentNodeStoreService
>     customBlobStore=B"true"





[jira] [Resolved] (SLING-9695) Sling Starter datastore

2020-12-02 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9695?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell resolved SLING-9695.
--
  Assignee: Cris Rockwell
Resolution: Abandoned

> Sling Starter datastore
> ---
>
> Key: SLING-9695
> URL: https://issues.apache.org/jira/browse/SLING-9695
> Project: Sling
>  Issue Type: Improvement
>  Components: Starter
>Affects Versions: Starter 12
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Minor
>  Labels: datastore, default
>  Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> Sling Starter jar should use a file datastore by default. In my experience, a 
> datastore provides a noticeable performance boost. It took too long to figure 
> out how to get Sling working with a file datastore. 
> https://jackrabbit.apache.org/oak/docs/osgi_config.html#config-sling
> https://stackoverflow.com/questions/62030664/aem-filedatastore-missing-parameter-options/62032775
> https://stackoverflow.com/questions/63569028/add-new-datastore-during-upgrade
> Proposed change
> [configurations runModes=oak_tar]
>   org.apache.jackrabbit.oak.segment.SegmentNodeStoreService
>     name="Default\ NodeStore"
>   org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore
>     minRecordLength=I"4096"
>     path="sling/repository/datastore"
>     cacheSizeInMB=I"128"
>   org.apache.jackrabbit.oak.segment.SegmentNodeStoreService
>     customBlobStore=B"true"





[jira] [Commented] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference

2020-11-30 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17240865#comment-17240865
 ] 

Cris Rockwell commented on SLING-9915:
--

Thanks [~bdelacretaz] for the tips. After reviewing the maven-failsafe-plugin 
instructions (1) debugging access to the test worked. Debugging the actual test 
Sling instance also worked with a separate debugger configured in 
{{pax.vm.options}} as suggested in the pom properties, and while running both 
debuggers. It may be useful to add a few comments in the project about these 
debugging procedures.


{code:java}

-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5015

{code}
 
 
 
Thank you for fixing the tests with your commit 
[https://github.com/apache/sling-org-apache-sling-junit-core/commit/4aa41bcb60c64eb0de795e54774e8f45c7e4f1aa]. 
I've reviewed the changes. Seems two fixes were needed:

 * Properly installing the org.apache.sling.junit.core bundle (and not embedding it)

{code:java}
mavenBundle().groupId("org.apache.sling").artifactId("org.apache.sling.junit.core").versionAsInProject(){code}
 * Properly satisfying the {{osgi.contract=JavaJSONP}} capability (not 
setting Provide-Capability in the annotation-it testing bundle) 

{code:java}
SlingOptions.versionResolver.setVersion("org.apache.sling", 
"org.apache.sling.commons.johnzon", "1.2.6");
{code}
 
 
(1) 
[https://maven.apache.org/surefire/maven-failsafe-plugin/examples/debugging.html]

> Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
> 
>
> Key: SLING-9915
> URL: https://issues.apache.org/jira/browse/SLING-9915
> Project: Sling
>  Issue Type: Task
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.0
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Minor
>  Labels: test, tools
>
> As per discussion thread
> https://www.mail-archive.com/dev@sling.apache.org/msg100097.html
> Revert this commit
> https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d
> Reviving annotations
> @TestReference
> @SlingAnnotationsTestRunner 
> Review docs and suggest updates 
> https://sling.apache.org/documentation/development/sling-testing-tools.html
> https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html





[jira] [Created] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine

2020-11-24 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9935:


 Summary: NoClassDefFoundError org/junit/platform/engine/TestEngine
 Key: SLING-9935
 URL: https://issues.apache.org/jira/browse/SLING-9935
 Project: Sling
  Issue Type: Bug
  Components: JUnit Core
Affects Versions: JUnit Core 1.1.2
Reporter: Cris Rockwell


When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, standard 
output shows many exceptions related to an optional import upon startup. 

 

ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)

ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)
java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine
  at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83)
  at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67)
  at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63)
  at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475)
  at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420)
  at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256)
  at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229)
  at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
  at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
  at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
  at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
  at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817)
  at org.apache.felix.framework.Felix.startBundle(Felix.java:2336)
  at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
  at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
  at java.base/java.lang.Thread.run(Thread.java:834)


[jira] [Commented] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference

2020-11-20 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17236530#comment-17236530
 ] 

Cris Rockwell commented on SLING-9915:
--

https://github.com/apache/sling-org-apache-sling-junit-core/pull/5

> Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
> 
>
> Key: SLING-9915
> URL: https://issues.apache.org/jira/browse/SLING-9915
> Project: Sling
>  Issue Type: Task
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.0
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Minor
>  Labels: test, tools
>
> As per discussion thread
> https://www.mail-archive.com/dev@sling.apache.org/msg100097.html
> Revert this commit
> https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d
> Reviving annotations
> @TestReference
> @SlingAnnotationsTestRunner 
> Review docs and suggest updates 
> https://sling.apache.org/documentation/development/sling-testing-tools.html
> https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html





[jira] [Assigned] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference

2020-11-17 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell reassigned SLING-9915:


Assignee: Cris Rockwell

> Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
> 
>
> Key: SLING-9915
> URL: https://issues.apache.org/jira/browse/SLING-9915
> Project: Sling
>  Issue Type: Task
>  Components: JUnit Core
>Affects Versions: JUnit Core 1.1.0
>Reporter: Cris Rockwell
>Assignee: Cris Rockwell
>Priority: Minor
>  Labels: test, tools
>
> As per discussion thread
> https://www.mail-archive.com/dev@sling.apache.org/msg100097.html
> Revert this commit
> https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d
> Reviving annotations
> @TestReference
> @SlingAnnotationsTestRunner 
> Review docs and suggest updates 
> https://sling.apache.org/documentation/development/sling-testing-tools.html
> https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html





[jira] [Created] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference

2020-11-16 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9915:


 Summary: Remove deprecated flags for SlingAnnotationsTestRunner 
and TestReference
 Key: SLING-9915
 URL: https://issues.apache.org/jira/browse/SLING-9915
 Project: Sling
  Issue Type: Task
  Components: JUnit Core
Affects Versions: JUnit Core 1.1.0
Reporter: Cris Rockwell


As per discussion thread
https://www.mail-archive.com/dev@sling.apache.org/msg100097.html

Revert this commit
https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d

Reviving annotations
@TestReference
@SlingAnnotationsTestRunner 

Review docs and suggest updates 
https://sling.apache.org/documentation/development/sling-testing-tools.html
https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html





[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-11-16 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118977#comment-17118977
 ] 

Cris Rockwell edited comment on SLING-9397 at 11/16/20, 5:11 PM:
-

Question about local testing using "docker or some sort of JUnit setup:"  I 
assume this means one step that installs and configures an external IDP 
(running locally), installs the related configurations for SAML2 module in 
Sling; perhaps a mvn profile, and runs integration JUnit tests. Let me know if 
I misunderstood.

It could take me a while for that. My knowledge and experience using docker is 
(shall we say) just now emerging. For example, I had Keycloak IDP running via 
docker and a week later it wouldn't start at all. Since I'm novice at docker 
and had this trouble, I had revised the instructions to download and install 
Keycloak the old fashioned way. 

Nevertheless, I can take another pass... 

[X] Change signing and encryption to optional. This will simplify localhost 
testing.
[X] One step process to launch a preconfigured localhost IDP external to Sling
[X] Maven profile to rollout OSGI SAML2 settings for localhost IDP above (moved 
to example package)

Any kind of direct help or advice would be most appreciated.  Otherwise, I'll 
chip away this localhost testing.


was (Author: cris_rockwell):
Question about local testing using "docker or some sort of JUnit setup:"  I 
assume this means one step that installs and configures an external IDP 
(running locally), installs the related configurations for SAML2 module in 
Sling; perhaps a mvn profile, and runs integration JUnit tests. Let me know if 
I misunderstood.

It could take me a while for that. My knowledge and experience using docker is 
(shall we say) just now emerging. For example, I had Keycloak IDP running via 
docker and a week later it wouldn't start at all. Since I'm novice at docker 
and had this trouble, I had revised the instructions to download and install 
Keycloak the old fashioned way. 

Nevertheless, I can take another pass... 

[ ] Change signing and encryption to optional. This will simplify localhost 
testing.
[ ] One step process to launch a preconfigured localhost IDP external to Sling
[ ] Maven profile to rollout OSGI SAML2 settings for localhost IDP above

Any kind of direct help or advice would be most appreciated.  Otherwise, I'll 
chip away this localhost testing.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  





[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-11-16 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9397:
-
Description: 
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention in. But I think its usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[X] Get confirmation the project builds and operates as expected
[X] Ensure that the NOTICE file is the correct one
[X] Testing setup ( documentation, local SAML provider, etc )
[X] Clarify whether we can depend on artifacts not deployed on Maven Central
[X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
* [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
[X] Decide whether to make signing and encryption optional. Currently it is 
required
[X] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.
[ ] Find and fix any bugs. 

 

  was:
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention in. But I think its usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[ ] Get confirmation the project builds and operates as expected

[X] Ensure that the NOTICE file is the correct one

[ ] Testing setup ( documentation, local SAML provider, etc )

[ ] Clarify whether we can depend on artifacts not deployed on Maven Central

[ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 

* [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.

[ ] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Decide whether to make signing and encryption optional. Currently it is 
required

[ ] Find and fix any bugs

 


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h 20m
>  Remaining Estimate: 166h 40m
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention in. But I think its usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [X] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [X] Testing setup ( documentation, local SAML provider, etc )
> [X] Clarify whether we can depend on artifacts not deployed on Maven Central
> [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [X] Decide whether to make signing and encryption optional. Currently it is 
> required
> [X] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Find and fix any bugs. 
>  





[jira] [Commented] (SLING-9648) SlingPropertiesPrinter fails to activate: No bundle context property 'sling.properties.url' provided

2020-10-16 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17215414#comment-17215414
 ] 

Cris Rockwell commented on SLING-9648:
--

It's been some time. Any sense when 1.4.2 will appear in Maven Central?

https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.settings

> SlingPropertiesPrinter fails to activate: No bundle context property 
> 'sling.properties.url' provided
> 
>
> Key: SLING-9648
> URL: https://issues.apache.org/jira/browse/SLING-9648
> Project: Sling
>  Issue Type: Bug
>Reporter: Robert Munteanu
>Assignee: Konrad Windszus
>Priority: Major
> Fix For: Settings 1.4.2
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> When starting up the Sling Starter I see the following error printed on the 
> console:
> {noformat}ERROR: bundle org.apache.sling.settings:1.4.0 
> (22)[org.apache.sling.settings.impl.SlingPropertiesPrinter(1)] :  Error 
> during instantiation of the implementation object
> java.lang.reflect.InvocationTargetException
>   at 
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native
>  Method)
>   at 
> java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>   at 
> java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>   at 
> java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
>   at 
> org.apache.felix.scr.impl.inject.internal.ComponentConstructorImpl.newInstance(ComponentConstructorImpl.java:312)
>   at 
> org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:279)
>   at 
> org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:115)
>   at 
> org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:984)
>   at 
> org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:957)
>   at 
> org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:902)
>   at 
> org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:348)
>   at 
> org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:248)
>   at 
> org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:350)
>   at org.apache.felix.framework.Felix.getService(Felix.java:3954)
>   at 
> org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:450)
>   at 
> org.apache.felix.inventory.impl.webconsole.WebConsoleAdapter.addingService(WebConsoleAdapter.java:152)
>   at 
> org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:943)
>   at 
> org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:871)
>   at 
> org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256)
>   at 
> org.osgi.util.tracker.AbstractTracked.trackInitial(AbstractTracked.java:183)
>   at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:321)
>   at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:264)
>   at 
> org.apache.felix.inventory.impl.webconsole.WebConsoleAdapter.(WebConsoleAdapter.java:68)
>   at org.apache.felix.inventory.impl.Activator.start(Activator.java:63)
>   at 
> org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:698)
>   at org.apache.felix.framework.Felix.activateBundle(Felix.java:2402)
>   at org.apache.felix.framework.Felix.startBundle(Felix.java:2308)
>   at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)
>   at 
> org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
>   at java.base/java.lang.Thread.run(Thread.java:834)
> Caused by: java.lang.IllegalStateException: No bundle context property 
> 'sling.properties.url' provided
>   at 
> org.apache.sling.settings.impl.SlingPropertiesPrinter.(SlingPropertiesPrinter.java:64)
>   ... 30 more
> {noformat}





[jira] [Commented] (SLING-9707) Variable ${sling.home} not replaced in configuration values

2020-09-04 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17190816#comment-17190816
 ] 

Cris Rockwell commented on SLING-9707:
--

Looks good now. Thanks all!

> Variable ${sling.home} not replaced in configuration values
> ---
>
> Key: SLING-9707
> URL: https://issues.apache.org/jira/browse/SLING-9707
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model, Starter
>Affects Versions: Starter 12
>Reporter: Cris Rockwell
>Assignee: Robert Munteanu
>Priority: Major
> Fix For: Starter 12
>
>
> When configuring a file datastore, the variable ${sling.home} would be useful 
> as showed in the following feature.json and in the Starter Pull Request 
> ([https://github.com/apache/sling-org-apache-sling-starter/pull/13])
> {
>   "bundles":[
>     {
>       "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}",
>       "start-order":"15"
>     }
>   ],
>   "configurations":{
>     "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": {
>       "name":"Default NodeStore",
>       "customBlobStore":true
>     },
>     "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": {
>       "minRecordLength":4096,
>       "path":"${sling.home}/repository/datastore",
>       "cacheSizeInMB":128
>     }
>   }
> }
> Running java -jar dependency/org.apache.sling.feature.launcher.jar -f 
> slingfeature-tmp/feature-oak_tar.json -p sling
> Results in a folder called ${sling.home}
> {{➜ $ ls target}}
>  {{${sling.home} maven-archiver 
> org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}}
>  {{classes maven-shared-archive-resources 
> org.apache.sling.starter-12-SNAPSHOT-sources.jar 
> sling-slingfeature-maven-plugin-fmtmp}}
>  {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar 
> slingfeature-tmp}}
>  {{generated-test-sources 
> org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}}
>  
>  





[jira] [Updated] (SLING-9707) Variable ${sling.home}

2020-08-28 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9707:
-
Description: 
When configuring a file datastore, the variable ${sling.home} would be useful 
as showed in the following feature.json and in the Starter Pull Request 
([https://github.com/apache/sling-org-apache-sling-starter/pull/13])

{
  "bundles":[
    {
      "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}",
      "start-order":"15"
    }
  ],
  "configurations":{
    "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": {
      "name":"Default NodeStore",
      "customBlobStore":true
    },
    "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": {
      "minRecordLength":4096,
      "path":"${sling.home}/repository/datastore",
      "cacheSizeInMB":128
    }
  }
}

Running java -jar dependency/org.apache.sling.feature.launcher.jar -f 
slingfeature-tmp/feature-oak_tar.json -p sling

Results in a folder called ${sling.home}

{{➜ $ ls target}}
 {{${sling.home} maven-archiver 
org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}}
 {{classes maven-shared-archive-resources 
org.apache.sling.starter-12-SNAPSHOT-sources.jar 
sling-slingfeature-maven-plugin-fmtmp}}
 {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar 
slingfeature-tmp}}
 {{generated-test-sources 
org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}}

 

 

  was:
When configuring a file datastore, the variable ${sling.home} would be useful 
as showing in the following feature.json and in the Starter Pull Request 
([https://github.com/apache/sling-org-apache-sling-starter/pull/13])

{
  "bundles":[
    {
      "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}",
      "start-order":"15"
    }
  ],
  "configurations":{
    "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": {
      "name":"Default NodeStore",
      "customBlobStore":true
    },
    "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": {
      "minRecordLength":4096,
      "path":"${sling.home}/repository/datastore",
      "cacheSizeInMB":128
    }
  }
}

Running java -jar dependency/org.apache.sling.feature.launcher.jar -f 
slingfeature-tmp/feature-oak_tar.json -p sling

Results in a folder called ${sling.home}

{{➜ $ ls target}}
{{${sling.home} maven-archiver 
org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}}
{{classes maven-shared-archive-resources 
org.apache.sling.starter-12-SNAPSHOT-sources.jar 
sling-slingfeature-maven-plugin-fmtmp}}
{{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar 
slingfeature-tmp}}
{{generated-test-sources org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far 
rat.txt test-classes}}

 

 


> Variable ${sling.home}
> --
>
> Key: SLING-9707
> URL: https://issues.apache.org/jira/browse/SLING-9707
> Project: Sling
>  Issue Type: Bug
>  Components: Feature Model, Starter
>Affects Versions: Starter 12
>Reporter: Cris Rockwell
>Priority: Major
>
> When configuring a file datastore, the variable ${sling.home} would be useful 
> as showed in the following feature.json and in the Starter Pull Request 
> ([https://github.com/apache/sling-org-apache-sling-starter/pull/13])
> {
>   "bundles":[
>     {
>       "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}",
>       "start-order":"15"
>     }
>   ],
>   "configurations":{
>     "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": {
>       "name":"Default NodeStore",
>       "customBlobStore":true
>     },
>     "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": {
>       "minRecordLength":4096,
>       "path":"${sling.home}/repository/datastore",
>       "cacheSizeInMB":128
>     }
>   }
> }
> Running java -jar dependency/org.apache.sling.feature.launcher.jar -f 
> slingfeature-tmp/feature-oak_tar.json -p sling
> Results in a folder called ${sling.home}
> {{➜ $ ls target}}
>  {{${sling.home} maven-archiver 
> org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}}
>  {{classes maven-shared-archive-resources 
> org.apache.sling.starter-12-SNAPSHOT-sources.jar 
> sling-slingfeature-maven-plugin-fmtmp}}
>  {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar 
> slingfeature-tmp}}
>  {{generated-test-sources 
> org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}}
>  
>  





[jira] [Created] (SLING-9707) Variable ${sling.home}

2020-08-28 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9707:


 Summary: Variable ${sling.home}
 Key: SLING-9707
 URL: https://issues.apache.org/jira/browse/SLING-9707
 Project: Sling
  Issue Type: Bug
  Components: Feature Model, Starter
Affects Versions: Starter 12
Reporter: Cris Rockwell


When configuring a file datastore, the variable ${sling.home} would be useful 
as showing in the following feature.json and in the Starter Pull Request 
([https://github.com/apache/sling-org-apache-sling-starter/pull/13])

{
  "bundles":[
    {
      "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}",
      "start-order":"15"
    }
  ],
  "configurations":{
    "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": {
      "name":"Default NodeStore",
      "customBlobStore":true
    },
    "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": {
      "minRecordLength":4096,
      "path":"${sling.home}/repository/datastore",
      "cacheSizeInMB":128
    }
  }
}

Running java -jar dependency/org.apache.sling.feature.launcher.jar -f 
slingfeature-tmp/feature-oak_tar.json -p sling

Results in a folder called ${sling.home}

{{➜ $ ls target}}
{{${sling.home} maven-archiver 
org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}}
{{classes maven-shared-archive-resources 
org.apache.sling.starter-12-SNAPSHOT-sources.jar 
sling-slingfeature-maven-plugin-fmtmp}}
{{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar 
slingfeature-tmp}}
{{generated-test-sources org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far 
rat.txt test-classes}}

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
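
Added example (not part of the Jira issue or of Sling's code): a standalone lint for the SLING-9707 failure mode, reporting `${...}` placeholders left in feature-model configuration values and the directory a literal value would resolve to. The `known` variable set, the working directory and all function names are assumptions; it does not reproduce the launcher's own substitution logic.

```python
import json
import posixpath
import re

# Feature model from the SLING-9707 report, re-indented and embedded so the
# check runs offline.
FEATURE_JSON = r"""
{
  "bundles": [
    {"id": "org.apache.jackrabbit:oak-segment-tar:${oak.version}",
     "start-order": "15"}
  ],
  "configurations": {
    "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": {
      "name": "Default NodeStore", "customBlobStore": true
    },
    "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": {
      "minRecordLength": 4096,
      "path": "${sling.home}/repository/datastore",
      "cacheSizeInMB": 128
    }
  }
}
"""

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def load_sample():
    """Parse the embedded feature model."""
    return json.loads(FEATURE_JSON)


def walk(node, path):
    """Yield (json_path, value) for every string leaf below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def unresolved_placeholders(feature, known):
    """Return sorted (json_path, variable, raw_value) for every placeholder in
    the "configurations" section whose variable is not in `known`.

    Only configuration values are checked, matching the scope of the issue;
    bundle ids such as ${oak.version} are left to the build.
    """
    findings = []
    configs = feature.get("configurations", {})
    for path, value in walk(configs, "configurations"):
        for variable in PLACEHOLDER.findall(value):
            if variable not in known:
                findings.append((path, variable, value))
    return sorted(findings)


def literal_location(value, cwd):
    """Directory a path value lands in if it is used verbatim (assumption:
    the consumer treats a non-absolute string as relative to cwd)."""
    return value if posixpath.isabs(value) else posixpath.join(cwd, value)


if __name__ == "__main__":
    # /work/target is a constructed working directory for illustration.
    for path, variable, value in unresolved_placeholders(load_sample(), set()):
        print(f"{path}: ${{{variable}}} not substituted")
        print(f"  literal use would write to {literal_location(value, '/work/target')}")
```

Run it against a feature file before launch and fail the build on any finding, so a datastore never ends up in a directory literally named `${sling.home}`.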


[jira] [Created] (SLING-9695) Sling Starter datastore

2020-08-25 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9695:


 Summary: Sling Starter datastore
 Key: SLING-9695
 URL: https://issues.apache.org/jira/browse/SLING-9695
 Project: Sling
  Issue Type: Improvement
  Components: Starter
Affects Versions: Starter 12
Reporter: Cris Rockwell


Sling Starter jar should use a file datastore by default. In my experience, a 
datastore provides a noticeable performance boost. It took too long to figure 
out how to get Sling working with a file datastore. 

https://jackrabbit.apache.org/oak/docs/osgi_config.html#config-sling
https://stackoverflow.com/questions/62030664/aem-filedatastore-missing-parameter-options/62032775
https://stackoverflow.com/questions/63569028/add-new-datastore-during-upgrade

Proposed change

[configurations runModes=oak_tar]
  org.apache.jackrabbit.oak.segment.SegmentNodeStoreService
    name="Default\ NodeStore"
  org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore
    minRecordLength=I"4096"
    path="sling/repository/datastore"
    cacheSizeInMB=I"128"
  org.apache.jackrabbit.oak.segment.SegmentNodeStoreService
    customBlobStore=B"true"







[jira] [Created] (SLING-9600) Sling Query won't install on Sling12 Launcher Instance

2020-07-23 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9600:


 Summary: Sling Query won't install on Sling12 Launcher Instance
 Key: SLING-9600
 URL: https://issues.apache.org/jira/browse/SLING-9600
 Project: Sling
  Issue Type: Bug
  Components: Sling Query
Affects Versions: Sling Query 4.0.2
Reporter: Cris Rockwell


Logs show this error commons-lang is missing...

{quote}23.07.2020 11:16:28.973 *INFO* [OsgiInstallerImpl] 
org.apache.sling.installer.core.impl.tasks.BundleStartTask Could not start 
bundle org.apache.sling.query [218]. Reason: {}. Will retry.
org.osgi.framework.BundleException: Unable to resolve org.apache.sling.query 
[218](R 218.0): missing requirement [org.apache.sling.query [218](R 218.0)] 
osgi.wiring.package; 
(&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))
 Unresolved requirements: [[org.apache.sling.query [218](R 218.0)] 
osgi.wiring.package; 
(&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))]
at 
org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4368)
at org.apache.felix.framework.Felix.startBundle(Felix.java:2281)
at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:998)
at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:984)
at 
org.apache.sling.installer.core.impl.tasks.BundleStartTask.execute(BundleStartTask.java:97)
 [org.apache.sling.installer.core:3.11.2]
at 
org.apache.sling.installer.core.impl.OsgiInstallerImpl.doExecuteTasks(OsgiInstallerImpl.java:918)
 [org.apache.sling.installer.core:3.11.2]
at 
org.apache.sling.installer.core.impl.OsgiInstallerImpl.executeTasks(OsgiInstallerImpl.java:755)
 [org.apache.sling.installer.core:3.11.2]
at 
org.apache.sling.installer.core.impl.OsgiInstallerImpl.run(OsgiInstallerImpl.java:304)
 [org.apache.sling.installer.core:3.11.2]
at java.base/java.lang.Thread.run(Thread.java:834)
23.07.2020 11:16:28.978 *INFO* [OsgiInstallerImpl] 
org.apache.sling.installer.core.impl.tasks.BundleStartTask Could not start 
bundle org.apache.sling.query [218]. Reason: {}. Will retry.
org.osgi.framework.BundleException: Unable to resolve org.apache.sling.query 
[218](R 218.0): missing requirement [org.apache.sling.query [218](R 218.0)] 
osgi.wiring.package; 
(&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))
 Unresolved requirements: [[org.apache.sling.query [218](R 218.0)] 
osgi.wiring.package; 
(&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))]
at 
org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4368)
at org.apache.felix.framework.Felix.startBundle(Felix.java:2281)
at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:998)
at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:984)
at 
org.apache.sling.installer.core.impl.tasks.BundleStartTask.execute(BundleStartTask.java:97)
 [org.apache.sling.installer.core:3.11.2]
at 
org.apache.sling.installer.core.impl.OsgiInstallerImpl.doExecuteTasks(OsgiInstallerImpl.java:918)
 [org.apache.sling.installer.core:3.11.2]
at 
org.apache.sling.installer.core.impl.OsgiInstallerImpl.executeTasks(OsgiInstallerImpl.java:755)
 [org.apache.sling.installer.core:3.11.2]
at 
org.apache.sling.installer.core.impl.OsgiInstallerImpl.run(OsgiInstallerImpl.java:304)
 [org.apache.sling.installer.core:3.11.2]
at java.base/java.lang.Thread.run(Thread.java:834){quote}


*After updating the pom dependency and various import statements, the bundle 
builds and installs. *
 

Removed







Added

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.9</version>
</dependency>


Based on the migration guide, most use cases should be fine just updating the 
import statements. I think that's the case for Sling Query as well.
http://commons.apache.org/proper/commons-lang/article3_0.html




--
This message was sent by Atlassian Jira
(v8.3.4#803005)
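
Added example (not from the issue, Sling or Felix): it parses the unresolved-requirement line quoted in SLING-9600 and evaluates its filter against candidate package exports, showing that the bundle needs `org.apache.commons.lang` in the range [2.5.0, 3.0.0) and that an `org.apache.commons.lang3` export cannot satisfy it. The log line is joined from the wrapped text above; the function names are assumptions, and the parser covers only `&`, `|`, `!`, `=`, `>=`, `<=` and numeric three-part versions, a simplification of OSGi filter syntax.

```python
import re

# Joined from the wrapped log text in the report.
LOG_LINE = (
    "org.osgi.framework.BundleException: Unable to resolve org.apache.sling.query "
    "[218](R 218.0): missing requirement [org.apache.sling.query [218](R 218.0)] "
    "osgi.wiring.package; "
    "(&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))"
)

REQUIREMENT = re.compile(
    r"missing requirement \[(\S+) \[\d+\]\([^)]*\)\] ([\w.]+); (\(.*)"
)


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos].

    Returns (node, next_pos). Nodes are ("&"|"|"|"!", [children]) or
    ("cmp", attribute, operator, value). Escaped parentheses in values are
    not handled.
    """
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|":
        operator, pos = text[pos], pos + 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        node = (operator, children)
    elif text[pos] == "!":
        child, pos = parse_filter(text, pos + 1)
        node = ("!", [child])
    else:
        end = text.index(")", pos)
        match = re.fullmatch(r"([^=<>~]+)(>=|<=|=)(.*)", text[pos:end])
        if not match:
            raise ValueError(f"unsupported comparison: {text[pos:end]!r}")
        node = ("cmp", match.group(1), match.group(2), match.group(3))
        pos = end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1


def version_tuple(version):
    """major.minor.micro as integers; missing parts are 0, qualifier ignored."""
    numbers = [int(part) for part in version.split(".")[:3]]
    return tuple(numbers + [0] * (3 - len(numbers)))


def matches(node, capability):
    """Evaluate a parsed filter against a capability's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, capability) for child in node[1])
    if kind == "|":
        return any(matches(child, capability) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], capability)
    _, attribute, operator, wanted = node
    if attribute not in capability:
        return False
    have = capability[attribute]
    if attribute == "version":
        have, wanted = version_tuple(have), version_tuple(wanted)
    if operator == "=":
        return have == wanted
    return have >= wanted if operator == ">=" else have <= wanted


def missing_requirement(log_line):
    """Extract the requiring bundle, namespace and parsed filter from a log line."""
    match = REQUIREMENT.search(log_line)
    if not match:
        raise ValueError("no 'missing requirement' entry in line")
    node, _ = parse_filter(match.group(3))
    return {"bundle": match.group(1), "namespace": match.group(2), "filter": node}


def satisfies(log_line, package, version):
    """Would an export of `package` at `version` resolve the logged requirement?"""
    requirement = missing_requirement(log_line)
    capability = {requirement["namespace"]: package, "version": version}
    return matches(requirement["filter"], capability)


if __name__ == "__main__":
    # commons-lang3 uses the org.apache.commons.lang3 package namespace.
    for package, version in [("org.apache.commons.lang", "2.6.0"),
                             ("org.apache.commons.lang", "3.0.0"),
                             ("org.apache.commons.lang3", "3.9.0")]:
        print(package, version, satisfies(LOG_LINE, package, version))
```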


[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143843#comment-17143843
 ] 

Cris Rockwell commented on SLING-9545:
--

Ah ok! I was missing the distribution.api bundle. Thank you very much.

> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png, Screen Shot 
> 2020-06-24 at 8.38.26 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143812#comment-17143812
 ] 

Cris Rockwell commented on SLING-9545:
--

When you docs 
https://cwiki.apache.org/confluence/display/SLING/Java+version+support has the 
statement, but the bundle only works with Java 8.

"Sling currently supports the following releases of Java
8, as it is a version that many are currently using as a baseline
11, as it is the most recent version for which Oracle provides Long-Term 
Support"




> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png, Screen Shot 
> 2020-06-24 at 8.38.26 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Comment Edited] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143803#comment-17143803
 ] 

Cris Rockwell edited comment on SLING-9545 at 6/24/20, 12:39 PM:
-

Do you think even it is not required (optional import)? Usually there is an 
osgi wiring error in the logs, which I could not find. I'll try your suggestion.
--
After resolving the optional dependency, org.apache.sling.distribution.core 
bundle still not Active.
 !Screen Shot 2020-06-24 at 8.38.26 AM.png! 


was (Author: cris_rockwell):
Do you think even it is not required (optional import)? Usually there is an 
osgi wiring error in the logs, which I could not find. I'll try your suggestion.

> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png, Screen Shot 
> 2020-06-24 at 8.38.26 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Reopened] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell reopened SLING-9545:
--

Unless you actually got this bundle Active, do not mark as resolved please.

> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Comment Edited] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143803#comment-17143803
 ] 

Cris Rockwell edited comment on SLING-9545 at 6/24/20, 12:32 PM:
-

Do you think even it is not required (optional import)? Usually there is an 
osgi wiring error in the logs, which I could not find. I'll try your suggestion.


was (Author: cris_rockwell):
Do you think even it is not required (optional import)? Usually there is an 
osgi wiring error in the logs, which I could not find. 

> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143803#comment-17143803
 ] 

Cris Rockwell commented on SLING-9545:
--

Do you think even it is not required (optional import)? Usually there is an 
osgi wiring error in the logs, which I could not find. 

> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143787#comment-17143787
 ] 

Cris Rockwell commented on SLING-9545:
--

No. I don't think so. I downloaded the bundle at 0.3.4 and 0.4.2 from maven 
central and tried uploading and installing to /system/console/bundles. The 
bundle state is Installed and not active. Maybe the Java 11 build issue is 
separate. I thought maybe it's related to the header  
Bundle-RequiredExecutionEnvironment: JavaSE-1.8

https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.distribution.core/0.3.4
https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.distribution.core/0.4.2

 !Screen Shot 2020-06-24 at 8.09.38 AM.png! 


> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Updated] (SLING-9545) Distribution Core bundle with Java 11

2020-06-24 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9545:
-
Attachment: Screen Shot 2020-06-24 at 8.09.38 AM.png

> Distribution Core bundle with Java 11
> -
>
> Key: SLING-9545
> URL: https://issues.apache.org/jira/browse/SLING-9545
> Project: Sling
>  Issue Type: Bug
>  Components: Content Distribution
>Affects Versions: Content Distribution Core 0.3.4, Content Distribution 
> Core 0.4.2
>Reporter: Cris Rockwell
>Priority: Major
> Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png
>
>
> Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle 
> does not activate on Sling12 using Java 11
> https://github.com/apache/sling-org-apache-sling-distribution-core
> {{mvn clean install}} results in the error below
> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
> (set-bundle-required-execution-environment) on project 
> org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
> to create javax script engine for javascript
> [ERROR] around Ant part 

[jira] [Created] (SLING-9545) Distribution Core bundle with Java 11

2020-06-23 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9545:


 Summary: Distribution Core bundle with Java 11
 Key: SLING-9545
 URL: https://issues.apache.org/jira/browse/SLING-9545
 Project: Sling
  Issue Type: Bug
  Components: Content Distribution
Affects Versions: Content Distribution Core 0.4.2, Content Distribution 
Core 0.3.4
Reporter: Cris Rockwell


Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle does 
not activate on Sling12 using Java 11

https://github.com/apache/sling-org-apache-sling-distribution-core

{{mvn clean install}} results in the error below

[ERROR] Failed to execute goal 
org.apache.maven.plugins:maven-antrun-plugin:1.8:run 
(set-bundle-required-execution-environment) on project 
org.apache.sling.distribution.core: An Ant BuildException has occured: Unable 
to create javax script engine for javascript
[ERROR] around Ant part 

[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-06-19 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140558#comment-17140558
 ] 

Cris Rockwell edited comment on SLING-9397 at 6/19/20, 1:43 PM:


[~rombert] I've started some updates on this bundle: Switch build source and 
target to Java 11, Updated OpenSAML to V4, and Clarified processes the README 
for local testing. I'm in the process of making SSL, encryption and signing 
optional.  Keycloak Server has an option to do partial realm imports and 
exports, which contain the realm "clients" and groups, but does not include 
users (I assume for security reasons).

Here is a draft of the new README
https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler

As you can see some things are configured manually. 
* JAAS OSGI
* SAML2 OSGI
* Service User
** Service User Mapping
** Service User Creation
** Service User ACL 

A Composum package could be used to package the Service User and Service User 
ACL's. I don't know how include include OSGI configs in a Composum. I may be 
wrong but the UI doesn't seem to allow it.



was (Author: cris_rockwell):
[~rombert] I've started some updates on this bundle: switched build source and 
target to Java 11, updated OpenSAML to V4, and clarified processes in the README 
for local testing. I'm in the process of making SSL, encryption and signing 
optional.  Keycloak Server has an option to do partial realm imports and 
exports, which contain the realm "clients" and groups, but do not include 
users (I assume for security reasons).

Here is a draft of the new README
https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler

As you can see some things are configured manually. 
* JAAS OSGI
* SAML2 OSGI
* Service User
** Service User Mapping
** Service User Creation
** Service User ACL 

A Composum package could be used to package the Service User and Service User 
ACLs. I don't know how to include OSGI configs in a Composum. I may be 
wrong but the UI doesn't seem to allow it.


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Testing setup ( documentation, local SAML provider, etc )
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-06-19 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140558#comment-17140558
 ] 

Cris Rockwell commented on SLING-9397:
--

[~rombert] I've started some updates on this bundle: switched build source and 
target to Java 11, updated OpenSAML to V4, and clarified processes in the README 
for local testing. I'm in the process of making SSL, encryption and signing 
optional.  Keycloak Server has an option to do partial realm imports and 
exports, which contain the realm "clients" and groups, but do not include 
users (I assume for security reasons).

Here is a draft of the new README
https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler

As you can see some things are configured manually. 
* JAAS OSGI
* SAML2 OSGI
* Service User
** Service User Mapping
** Service User Creation
** Service User ACL 

A Composum package could be used to package the Service User and Service User 
ACLs. I don't know how to include OSGI configs in a Composum. I may be 
wrong but the UI doesn't seem to allow it.


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Testing setup ( documentation, local SAML provider, etc )
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-28 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118977#comment-17118977
 ] 

Cris Rockwell commented on SLING-9397:
--

Question about local testing using "docker or some sort of JUnit setup:"  I 
assume this means one step that installs and configures an external IDP 
(running locally), installs the related configurations for SAML2 module in 
Sling; perhaps a mvn profile, and runs integration JUnit tests. Let me know if 
I misunderstood.

It could take me a while for that. My knowledge and experience using docker is 
(shall we say) just now emerging. For example, I had Keycloak IDP running via 
docker and a week later it wouldn't start at all. Since I'm a novice at docker 
and had this trouble, I had revised the instructions to download and install 
Keycloak the old-fashioned way. 

Nevertheless, I can take another pass... 

[ ] Change signing and encryption to optional. This will simplify localhost 
testing.
[ ] One step process to launch a preconfigured localhost IDP external to Sling
[ ] Maven profile to rollout OSGI SAML2 settings for localhost IDP above

Any kind of direct help or advice would be most appreciated.  Otherwise, I'll 
chip away at this localhost testing.

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Testing setup ( documentation, local SAML provider, etc )
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-14 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9397:
-
Description: 
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[ ] Get confirmation the project builds and operates as expected

[X] Ensure that the NOTICE file is the correct one

[ ] Clarify whether we can depend on artifacts not deployed on Maven Central

[ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 

* [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.

[ ] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Decide whether to make signing and encryption optional. Currently it is 
required

[ ] Find and fix any bugs

 

  was:
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

 

*TODO After Initial* 

[ ] Get confirmation the project builds and operates as expected

[ ] Ensure that the NOTICE file is the correct one 

[ ] Clarify whether we can depend on artifacts not deployed on Maven Central

[ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 

* [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.

[ ] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Decide whether to make signing and encryption optional. Currently it is 
required

[ ] Find and fix any bugs

 


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-14 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107330#comment-17107330
 ] 

Cris Rockwell commented on SLING-9397:
--

Looks good. I've pulled the latest, built and confirmed the NOTICE has the 
statement by using the command below and inspecting the file. I've marked that 
as done in the description above.

{{jar xf org.apache.sling.auth.saml2-0.1.0-SNAPSHOT.jar META-INF/NOTICE}}

Let me know what is next. 

Thanks!

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [X] Ensure that the NOTICE file is the correct one
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-11 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104475#comment-17104475
 ] 

Cris Rockwell commented on SLING-9397:
--

Sounds great. Thanks [~rombert]!

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Time Spent: 1h
>  Remaining Estimate: 167h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Created] (SLING-9436) Append reactor module Notice Statement

2020-05-08 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9436:


 Summary: Append reactor module Notice Statement 
 Key: SLING-9436
 URL: https://issues.apache.org/jira/browse/SLING-9436
 Project: Sling
  Issue Type: Improvement
  Components: Build and Source Control
Affects Versions: Jar Resource Bundle 1.0.2
Reporter: Cris Rockwell


As discussed in SLING-9397 ...

The NOTICE is built from a Velocity template. The template needs an update such 
that reactor modules can append a notice statement into this aggregated NOTICE
 * 
[https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Current version is 1.0.0, updating to 1.0.1. Once that occurs, line 209 from 
the sling-parent would also need to increment the version to 1.0.1
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

This would allow a notice statement from the project pom.xml properties to be 
appended into a combined NOTICE file

{{ }}{{}}
 

 





[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-07 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101911#comment-17101911
 ] 

Cris Rockwell edited comment on SLING-9397 at 5/7/20, 5:44 PM:
---

Regarding NOTICE, it's building from the Velocity template below. The template 
would need to be updated to place a module notice statement into this, and I 
made a PR to do that.
 * 
[https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 
1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent 
would also need to increment the version to 1.0.1
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

After which, modules can place a notice statement in the pom.xml properties

{{ }}{{}}
 

And then the NOTICE will be built using the updated template and also have 
whatever noticeStatement is needed by the module.

 

SAML2 Service Provider

    This module includes modified code from webprofile-ref-project-v3 [1], 
which has ASL2 as the license.
     [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3]

Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed
 by Day Software ([http://www.day.com/]).

This product includes software developed at
 The Apache Software Foundation ([http://www.apache.org/]).

 


was (Author: cris_rockwell):
Regarding NOTICE, it's building from the Velocity template below. The template 
would need to be updated to place a module notice statement into this, and I 
made a PR to do that.
 * 
[https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 
1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent 
would also need to increment the version to 1.0.1
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

After which, modules can place a notice statement in the pom.xml properties

{{}}{{ }}{{}}
{{ This module includes modified code from webprofile-ref-project-v3 [1], which 
has ASL2 as the license.}}
{{ [1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3}}
{{}}

 

And then the NOTICE will be built using the updated template and also have 
whatever noticeStatement is needed by the module.

 

SAML2 Service Provider

    This module includes modified code from webprofile-ref-project-v3 [1], 
which has ASL2 as the license.
    [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3]


Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed
by Day Software (http://www.day.com/).

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).

 

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] 

[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-07 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101911#comment-17101911
 ] 

Cris Rockwell commented on SLING-9397:
--

Regarding NOTICE, it's building from the Velocity template below. The template 
would need to be updated to place a module notice statement into this, and I 
made a PR to do that.
 * 
[https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm]
 * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1]

 

Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 
1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent 
would also need to increment the version to 1.0.1
 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml]

 

After which, modules can place a notice statement in the pom.xml properties

{{}}{{ }}{{}}
{{ This module includes modified code from webprofile-ref-project-v3 [1], which 
has ASL2 as the license.}}
{{ [1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3}}
{{}}

 

And then the NOTICE will be built using the updated template and also have 
whatever noticeStatement is needed by the module.

 

SAML2 Service Provider

    This module includes modified code from webprofile-ref-project-v3 [1], 
which has ASL2 as the license.
    [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3]


Copyright 2007-2020 The Apache Software Foundation

Apache Sling is based on source code originally developed
by Day Software (http://www.day.com/).

This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).

 

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Ensure that the NOTICE file is the correct one 
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-05-06 Thread Cris Rockwell (Jira)


[ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101051#comment-17101051
 ] 

Cris Rockwell commented on SLING-9397:
--

WRT the Web Profile SSO Profile specification, line 396 states...
??SAML Confirmation Method Identifiers: The SAML V2.0 "bearer" confirmation 
method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer, is used by this 
profile.??

 

And this is manifested in the saml2 response

{{}}

{{..}}

  https://localhost:2443/sp/consumer"/|https://localhost:2443/sp/consumer]>

 
Line 364 gives an example about how to use this data. The data above was taken 
from an example from my localhost tests on April 14th
 
The bearer of the assertion can confirm itself as the subject, provided the 
assertion is delivered in a message sent to 
"https://localhost:2443/sp/consumer" before 14:33 GMT on April 14th, 2020, in 
response to a request with ID "_498f728a71735ba28bbc19d634517c18".
When processing the SAML2 Response, this relying party code needs to validate 
these three conditions.
 

> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
>  
> *TODO After Initial* 
> [ ] Get confirmation the project builds and operates as expected
> [ ] Clarify whether we can depend on artifacts not deployed on Maven Central
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
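
The three conditions named in the 2020-05-06 comment above (recipient, expiry, request ID), as an added example that is not part of the original thread and not the Sling SAML2 bundle's code. It uses the JDK's DOM parser rather than OpenSAML; the class name, the sample XML and the seconds value of NotOnOrAfter are assumptions built from the values quoted in that comment.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example (hypothetical class): bearer SubjectConfirmation checks. */
public class BearerConfirmationCheck {

    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer";

    // Constructed sample: attribute values follow the comment in the thread;
    // the exact timestamp format and seconds are assumptions.
    static final String SAMPLE =
        "<saml2:Subject xmlns:saml2=\"" + SAML_NS + "\">"
      + "<saml2:SubjectConfirmation Method=\"" + BEARER + "\">"
      + "<saml2:SubjectConfirmationData"
      + " InResponseTo=\"_498f728a71735ba28bbc19d634517c18\""
      + " NotOnOrAfter=\"2020-04-14T14:33:00Z\""
      + " Recipient=\"https://localhost:2443/sp/consumer\"/>"
      + "</saml2:SubjectConfirmation></saml2:Subject>";

    /** Returns rejection reasons; an empty list means a bearer confirmation passed. */
    static List<String> validate(String subjectXml, String acsUrl,
                                 String sentRequestId, Instant now) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The response is untrusted input: refuse DTDs (XXE hardening).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(subjectXml.getBytes(StandardCharsets.UTF_8)));

        List<String> failures = new ArrayList<>();
        boolean sawBearer = false;
        NodeList confirmations = doc.getElementsByTagNameNS(SAML_NS, "SubjectConfirmation");
        for (int i = 0; i < confirmations.getLength(); i++) {
            Element sc = (Element) confirmations.item(i);
            if (!BEARER.equals(sc.getAttribute("Method"))) {
                continue; // only the bearer method is used by this profile
            }
            sawBearer = true;
            List<String> reasons = checkData(sc, acsUrl, sentRequestId, now);
            if (reasons.isEmpty()) {
                return reasons; // one fully valid bearer confirmation is sufficient
            }
            failures.addAll(reasons);
        }
        if (!sawBearer) {
            failures.add("no bearer SubjectConfirmation present");
        }
        return failures;
    }

    static List<String> checkData(Element sc, String acsUrl,
                                  String sentRequestId, Instant now) {
        List<String> reasons = new ArrayList<>();
        NodeList dataNodes = sc.getElementsByTagNameNS(SAML_NS, "SubjectConfirmationData");
        if (dataNodes.getLength() == 0) {
            reasons.add("SubjectConfirmationData missing");
            return reasons;
        }
        Element data = (Element) dataNodes.item(0);

        // 1. Recipient: must be this SP's assertion consumer URL. A missing
        //    attribute reads as "" and therefore fails closed.
        if (!acsUrl.equals(data.getAttribute("Recipient"))) {
            reasons.add("Recipient does not match the assertion consumer URL");
        }
        // 2. NotOnOrAfter: the current time must be strictly before it.
        //    SAML time values are UTC, so Instant.parse applies directly.
        try {
            if (!now.isBefore(Instant.parse(data.getAttribute("NotOnOrAfter")))) {
                reasons.add("confirmation window has closed (NotOnOrAfter)");
            }
        } catch (DateTimeParseException e) {
            reasons.add("NotOnOrAfter missing or unparseable");
        }
        // 3. InResponseTo: must equal the ID of the AuthnRequest this SP sent.
        if (!sentRequestId.equals(data.getAttribute("InResponseTo"))) {
            reasons.add("InResponseTo does not match the request that was sent");
        }
        return reasons;
    }

    public static void main(String[] args) throws Exception {
        String acs = "https://localhost:2443/sp/consumer";
        String reqId = "_498f728a71735ba28bbc19d634517c18";
        Instant inTime = Instant.parse("2020-04-14T14:30:00Z");
        System.out.println("valid:           " + validate(SAMPLE, acs, reqId, inTime));
        System.out.println("too late:        "
            + validate(SAMPLE, acs, reqId, Instant.parse("2020-04-14T14:33:00Z")));
        System.out.println("wrong recipient: "
            + validate(SAMPLE, "https://localhost:2443/other", reqId, inTime));
        System.out.println("unknown request: "
            + validate(SAMPLE, acs, "_some-other-request-id", inTime));
    }
}
```

These checks only mean something after the assertion's signature has been verified, since the attribute values of an unsigned assertion prove nothing.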


[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-04-29 Thread Cris Rockwell (Jira)


 [ 
https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cris Rockwell updated SLING-9397:
-
Description: 
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

*TODO Before Initial*

[X] Sync attributes released by the IDP

[X] Confirm license and attribution 

"As the code is ASL2 and does not require a notice or anything else, we don't 
need to mention it. But I think it's usually good style to do so and have a 
single sentence in our NOTICE that we include (modified) code from ... which 
has ASL2 as the license"

[ ] Get confirmation the project builds and operates as expected

 

*TODO After Initial* 

[ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 

* [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.

[ ] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Decide whether to make signing and encryption optional. Currently it is 
required

[ ] Find and fix any bugs

 

  was:
Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

TODO:

[X] Sync attributes released by the IDP

[ ] Confirm license and attribution 

[ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 

[https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.

[ ] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Get confirmation the project builds and operates as expected

[ ] Decide whether to make signing and encryption optional. Currently it is 
required

[ ] Find and fix any bugs

 


> SAML2 Authentication Handler [initial submission]
> -
>
> Key: SLING-9397
> URL: https://issues.apache.org/jira/browse/SLING-9397
> Project: Sling
>  Issue Type: New Feature
>  Components: Authentication
> Environment: localhost
>Reporter: Cris Rockwell
>Priority: Major
>  Labels: SAML, authentification, security, user_management
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Here is a pull request which adds an authentication handler for a SAML2 
> Service Provider via the embedded OpenSAML V3 dependencies
> [https://github.com/apache/sling-whiteboard/pull/51]
>  
> *TODO Before Initial*
> [X] Sync attributes released by the IDP
> [X] Confirm license and attribution 
> "As the code is ASL2 and does not require a notice or anything else, we don't 
> need to mention it. But I think it's usually good style to do so and have a 
> single sentence in our NOTICE that we include (modified) code from ... which 
> has ASL2 as the license"
> [ ] Get confirmation the project builds and operates as expected
>  
> *TODO After Initial* 
> [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 
> * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]
> [ ] Consider whether use of {{SAML2ConfigService}} and 
> {{SAML2ConfigServiceImpl}} is a good design or not.
> [ ] Get feedback whether README instructions are too much, too little, 
> unclear, etc
> [ ] Decide whether to make signing and encryption optional. Currently it is 
> required
> [ ] Find and fix any bugs
>  





[jira] [Created] (SLING-9397) SAML2 Authentication Handler [initial submission]

2020-04-24 Thread Cris Rockwell (Jira)
Cris Rockwell created SLING-9397:


 Summary: SAML2 Authentication Handler [initial submission]
 Key: SLING-9397
 URL: https://issues.apache.org/jira/browse/SLING-9397
 Project: Sling
  Issue Type: New Feature
  Components: Authentication
 Environment: localhost

Reporter: Cris Rockwell


Here is a pull request which adds an authentication handler for a SAML2 Service 
Provider via the embedded OpenSAML V3 dependencies

[https://github.com/apache/sling-whiteboard/pull/51]

 

TODO:

[X] Sync attributes released by the IDP

[ ] Confirm license and attribution 

[ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects 

[https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf]

[ ] Consider whether use of {{SAML2ConfigService}} and 
{{SAML2ConfigServiceImpl}} is a good design or not.

[ ] Get feedback whether README instructions are too much, too little, unclear, 
etc

[ ] Get confirmation the project builds and operates as expected

[ ] Decide whether to make signing and encryption optional. Currently it is 
required

[ ] Find and fix any bugs

 


