[jira] [Created] (SLING-10864) Update Sling CMS Quickstart Docs
Cris Rockwell created SLING-10864: - Summary: Update Sling CMS Quickstart Docs Key: SLING-10864 URL: https://issues.apache.org/jira/browse/SLING-10864 Project: Sling Issue Type: Task Components: App CMS Affects Versions: App CMS 1.0.4 Reporter: Cris Rockwell Attachments: Screen Shot 2021-10-11 at 12.36.05 PM.png In the cms quickstart docs, [https://github.com/apache/sling-org-apache-sling-app-cms/blob/master/docs/quickstart.md] it says to download the org.apache.sling.cms jar from [https://search.maven.org/search?q=org.apache.sling.cms] The jar does not appear at this location (see attached) I would recommend updating the link to point at Github releases instead https://github.com/apache/sling-org-apache-sling-app-cms/releases -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10857) Review and Update Maven Archetype Page
Cris Rockwell created SLING-10857: - Summary: Review and Update Maven Archetype Page Key: SLING-10857 URL: https://issues.apache.org/jira/browse/SLING-10857 Project: Sling Issue Type: Task Components: Documentation Reporter: Cris Rockwell Assignee: Cris Rockwell The sling-site maven-archetypes page could be improved https://sling.apache.org/documentation/development/maven-archetypes.html [ ] Add missing sling-project-archetype [ ] Add link to each referenced archetype readme -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9882) Add more information about the project in the README
[ https://issues.apache.org/jira/browse/SLING-9882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17425551#comment-17425551 ] Cris Rockwell commented on SLING-9882: -- Ok got it. I see now sling-content-package-archetype does need some documentation. https://github.com/apache/sling-content-package-archetype > Add more information about the project in the README > > > Key: SLING-9882 > URL: https://issues.apache.org/jira/browse/SLING-9882 > Project: Sling > Issue Type: Task > Components: Maven Plugins and Archetypes >Reporter: Robert Munteanu >Assignee: Cris Rockwell >Priority: Major > Fix For: Content Package Archetype 1.0.2 > > > [~reusr1] points out that we could use some more documentation in > sling-content-package-archetype, see for example > https://github.com/apache/sling-project-archetype/blob/master/README.md . -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (SLING-9882) Add more information about the project in the README
[ https://issues.apache.org/jira/browse/SLING-9882?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell reassigned SLING-9882: Assignee: Cris Rockwell > Add more information about the project in the README > > > Key: SLING-9882 > URL: https://issues.apache.org/jira/browse/SLING-9882 > Project: Sling > Issue Type: Task > Components: Maven Plugins and Archetypes >Reporter: Robert Munteanu >Assignee: Cris Rockwell >Priority: Major > Fix For: Content Package Archetype 1.0.2 > > > [~reusr1] points out that we could use some more documentation in > sling-content-package-archetype, see for example > https://github.com/apache/sling-project-archetype/blob/master/README.md . -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9882) Add more information about the project in the README
[ https://issues.apache.org/jira/browse/SLING-9882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17425215#comment-17425215 ] Cris Rockwell commented on SLING-9882: -- I'm not sure what information is missing from the Sling Project Archetype README.md. I found the current state sufficiently informative. However, sling-project-archetype is missing from the list of maven-archetypes on the page below. https://sling.apache.org/documentation/development/maven-archetypes.html Is this is a good ticket to reference when making that change? > Add more information about the project in the README > > > Key: SLING-9882 > URL: https://issues.apache.org/jira/browse/SLING-9882 > Project: Sling > Issue Type: Task > Components: Maven Plugins and Archetypes >Reporter: Robert Munteanu >Priority: Major > Fix For: Content Package Archetype 1.0.2 > > > [~reusr1] points out that we could use some more documentation in > sling-content-package-archetype, see for example > https://github.com/apache/sling-project-archetype/blob/master/README.md . -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (SLING-10843) Referrer Filter allowance for app://
[ https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell resolved SLING-10843. --- Resolution: Fixed PR3 was merged > Referrer Filter allowance for app:// > > > Key: SLING-10843 > URL: https://issues.apache.org/jira/browse/SLING-10843 > Project: Sling > Issue Type: Improvement > Components: Sling Security >Affects Versions: Security 1.1.20 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Fix For: Security 1.1.22 > > > Sling's ReferrerFilter has this code in the isValidRequest method. > // check for air referrer - which is always allowedif ( > referrer.startsWith("app:/") ) { return true; > } > [Sling > ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java] > There's no need to have app:// as a hard-coded allowance around the Referrer > Filter, because applications can configure allow.hosts.regexp to allow AIR > referrer if needed. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10843) Referrer Filter allowance for app://
[ https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10843: -- Fix Version/s: Security 1.1.22 > Referrer Filter allowance for app:// > > > Key: SLING-10843 > URL: https://issues.apache.org/jira/browse/SLING-10843 > Project: Sling > Issue Type: Improvement > Components: Sling Security >Affects Versions: Security 1.1.20 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Fix For: Security 1.1.22 > > > Sling's ReferrerFilter has this code in the isValidRequest method. > // check for air referrer - which is always allowedif ( > referrer.startsWith("app:/") ) { return true; > } > [Sling > ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java] > There's no need to have app:// as a hard-coded allowance around the Referrer > Filter, because applications can configure allow.hosts.regexp to allow AIR > referrer if needed. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-10843) Referrer Filter allowance for app://
[ https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17421439#comment-17421439 ] Cris Rockwell commented on SLING-10843: --- Maybe there was an issue configuring allowedUriReferrers configuration with an app URI. But I don't see the issue configuring allowedRegexReferrers with the pattern shown in the [test|https://github.com/apache/sling-org-apache-sling-security/pull/3/files]. It may also be nice to know if such an allowance for AIR/SWF is still needed given the state of those technologies. > Referrer Filter allowance for app:// > > > Key: SLING-10843 > URL: https://issues.apache.org/jira/browse/SLING-10843 > Project: Sling > Issue Type: Improvement > Components: Sling Security >Affects Versions: Security 1.1.20 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > > Sling's ReferrerFilter has this code in the isValidRequest method. > // check for air referrer - which is always allowedif ( > referrer.startsWith("app:/") ) { return true; > } > [Sling > ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java] > There's no need to have app:// as a hard-coded allowance around the Referrer > Filter, because applications can configure allow.hosts.regexp to allow AIR > referrer if needed. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10843) Referrer Filter allowance for app://
Cris Rockwell created SLING-10843: - Summary: Referrer Filter allowance for app:// Key: SLING-10843 URL: https://issues.apache.org/jira/browse/SLING-10843 Project: Sling Issue Type: Improvement Components: Sling Security Affects Versions: Security 1.1.20 Reporter: Cris Rockwell Assignee: Cris Rockwell Sling's ReferrerFilter has this code in the isValidRequest method. // check for air referrer - which is always allowedif ( referrer.startsWith("app:/") ) { return true; } [Sling ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java] There's no need to have app:// as a hard-coded allowance around the Referrer Filter, because applications can configure allow.hosts.regexp to allow AIR referrer if needed. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (SLING-3469) Provide out of the box CSRF protection
[ https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17408867#comment-17408867 ] Cris Rockwell edited comment on SLING-3469 at 9/2/21, 2:15 PM: --- After reviewing a few posts about Adobe Integrated Runtime * [https://tracker.adobe.com/#/view/AIR-2945647] * [https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814] I recommend removing the code above that allows SWF apps (and others) that bypass the ReferrerFilter using the app:// exception. was (Author: cris): After reviewing a few posts about Adobe Integrated Runtime * [https://tracker.adobe.com/#/view/AIR-2945647] * [https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814] I recommend removing the code above that allows SWF apps (and others) that bypass the ReferrerFilter using the app:// exception. > Provide out of the box CSRF protection > -- > > Key: SLING-3469 > URL: https://issues.apache.org/jira/browse/SLING-3469 > Project: Sling > Issue Type: Improvement >Reporter: Raviteja Lokineni >Priority: Critical > > One such vulnerability can found on the default login form for > FormBasedAuthenticationHandler. > Grails framework has implemented this protection using custom tag library and > filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection
[ https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17408867#comment-17408867 ] Cris Rockwell commented on SLING-3469: -- After reviewing a few posts about Adobe Integrated Runtime * [https://tracker.adobe.com/#/view/AIR-2945647] * [https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814] I recommend removing the code above that allows SWF apps (and others) that bypass the ReferrerFilter using the app:// exception. > Provide out of the box CSRF protection > -- > > Key: SLING-3469 > URL: https://issues.apache.org/jira/browse/SLING-3469 > Project: Sling > Issue Type: Improvement >Reporter: Raviteja Lokineni >Priority: Critical > > One such vulnerability can found on the default login form for > FormBasedAuthenticationHandler. > Grails framework has implemented this protection using custom tag library and > filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection
[ https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17407656#comment-17407656 ] Cris Rockwell commented on SLING-3469: -- I have a few questions about this... * The OWASP CSRF Cheatsheet (linked below) mentions a process of checking the 'Origin' header and comparing to the 'Referrer' header. Sling's Referrer Filter compares the host name (obtained by parsing the referrer header) to `request.getServerName()` It seems equivalent, but is it? any advantage either way? * Does the JEE Reference CSRFValidationFilter (linked below)demonstrate any mitigation techniques that Sling should consider adopting? * Sling's ReferrerFilter has this code in the isValidRequest method. It seems odd and my internet searches did not return an obvious answer about why this is done. Ideas? {code:java} // check for air referrer - which is always allowed if ( referrer.startsWith("app:/") ) { return true; } {code} [Sling ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java] [Cross-Site Request Forgery Prevention Cheat Sheet|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#java-reference-example] [JEE Reference CSRFValidationFilter|https://github.com/righettod/poc-csrf/blob/master/src/main/java/eu/righettod/poccsrf/filter/CSRFValidationFilter.java] > Provide out of the box CSRF protection > -- > > Key: SLING-3469 > URL: https://issues.apache.org/jira/browse/SLING-3469 > Project: Sling > Issue Type: Improvement >Reporter: Raviteja Lokineni >Priority: Critical > > One such vulnerability can found on the default login form for > FormBasedAuthenticationHandler. > Grails framework has implemented this protection using custom tag library and > filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell resolved SLING-10193. --- Resolution: Done > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Fix For: SAML2 Service Provider 0.2.4 > > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [done] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ok] Conduct security scanning and input fuzz testing > [done] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [done] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (SLING-10315) Onboard new project for SonarCloud Analysis
[ https://issues.apache.org/jira/browse/SLING-10315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell resolved SLING-10315. --- Resolution: Done > Onboard new project for SonarCloud Analysis > --- > > Key: SLING-10315 > URL: https://issues.apache.org/jira/browse/SLING-10315 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Fabrice Bellingard >Priority: Major > Fix For: SAML2 Service Provider 0.2.4 > > > As per documentation for new Sling repositories, a Jira ticket is required > for on-boarding new projects for SonarCloud analysis > The Jenkins Build is here > https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-saml2/job/master/ > The Sling github repository is here > https://github.com/apache/sling-org-apache-sling-auth-saml2 > Let me know if you need anything else from me. > Thanks! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Description: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ok] Conduct security scanning and input fuzz testing [done] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [done] Move project from sling-whiteboard to separate github repository was: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ok] Conduct security scanning and input fuzz testing [done] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Fix For: SAML2 Service Provider 0.2.4 > > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [done] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ok] Conduct security scanning and input fuzz testing > [done] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [done] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9397: - Description: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [X] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [X] Testing setup ( documentation, local SAML provider, etc ) [X] Clarify whether we can depend on artifacts not deployed on Maven Central [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [X] Decide whether to make signing and encryption optional. Currently it is required [X] Get feedback whether README instructions are too much, too little, unclear, etc [X] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ok] Find and fix any bugs. was: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [X] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [X] Testing setup ( documentation, local SAML provider, etc ) [X] Clarify whether we can depend on artifacts not deployed on Maven Central [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [X] Decide whether to make signing and encryption optional. Currently it is required [X] Get feedback whether README instructions are too much, too little, unclear, etc [X] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Find and fix any bugs. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Fix For: SAML2 Service Provider 0.2.4 > > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [X] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ok] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9397: - Fix Version/s: SAML2 Service Provider 0.2.4 > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Fix For: SAML2 Service Provider 0.2.4 > > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [X] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Fix Version/s: SAML2 Service Provider 0.2.4 > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Fix For: SAML2 Service Provider 0.2.4 > > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [done] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ok] Conduct security scanning and input fuzz testing > [done] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-10290) Every request renews sling.formauth token
[ https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17339308#comment-17339308 ] Cris Rockwell commented on SLING-10290: --- Thanks for the suggestion Eric. I created a new ticket as you suggest in SLING-10350 relating to the weak algorithm. > Every request renews sling.formauth token > - > > Key: SLING-10290 > URL: https://issues.apache.org/jira/browse/SLING-10290 > Project: Sling > Issue Type: Bug > Components: Authentication >Affects Versions: Form Based Authentication 1.0.20 >Reporter: Cris Rockwell >Assignee: Eric Norman >Priority: Critical > Attachments: image-2021-04-09-14-19-17-509.png > > > When using Apache Sling Form Based Authentication Handler > Every request and subrequest sets a new value for `sling.formauth` > Analyzing the code indicates that it not the intended behavior, > and the cookie value of `sling.formauth` should be consistent for 30 minutes > according to the default value of form.auth.timeout > Debugging shows that the method > [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] > always returns null AuthenticationInfo properties are > user.jcr.credentials, sling.authType and user.name. But this is not a > property called sling.formauth -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10350) Use a stronger algorithm in TokenStore
Cris Rockwell created SLING-10350: - Summary: Use a stronger algorithm in TokenStore Key: SLING-10350 URL: https://issues.apache.org/jira/browse/SLING-10350 Project: Sling Issue Type: Improvement Components: Authentication Affects Versions: Form Based Authentication 1.0.20 Reporter: Cris Rockwell The TokenStore in Forms uses SHA-1 final Mac m = Mac.getInstance(HMAC_SHA1); https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143 Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is possible to have collisions (little computational effort is enough to find two or more different inputs that produce the same hash). The provisioning of weak security tokens for every request could be considered a security vulnerability. Also in a production environment with many active users, the risk of accidental collision is not impossible. I don't recommend doing this before SLING-10290, because constant provisioning of the tokens is performance drain, and will be more so with a stronger algorithm. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10290) Every request renews sling.formauth token
[ https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10290: -- Priority: Critical (was: Major) > Every request renews sling.formauth token > - > > Key: SLING-10290 > URL: https://issues.apache.org/jira/browse/SLING-10290 > Project: Sling > Issue Type: Bug > Components: Authentication >Affects Versions: Form Based Authentication 1.0.20 >Reporter: Cris Rockwell >Priority: Critical > Attachments: image-2021-04-09-14-19-17-509.png > > > When using Apache Sling Form Based Authentication Handler > Every request and subrequest sets a new value for `sling.formauth` > Analyzing the code indicates that it not the intended behavior, > and the cookie value of `sling.formauth` should be consistent for 30 minutes > according to the default value of form.auth.timeout > Debugging shows that the method > [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] > always returns null AuthenticationInfo properties are > user.jcr.credentials, sling.authType and user.name. But this is not a > property called sling.formauth -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-10290) Every request renews sling.formauth token
[ https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17325824#comment-17325824 ] Cris Rockwell commented on SLING-10290: --- Suggest upgrade this ticket to Critical. The TokenStore in Forms uses SHA-1 {{final Mac m = Mac.getInstance(HMAC_SHA1);}} https://github.com/apache/sling-org-apache-sling-auth-form/blob/e7cfa7827c9ce39d5f686556bb2555c83c335c3f/src/main/java/org/apache/sling/auth/form/impl/TokenStore.java#L143 Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is possible to have collisions (little computational effort is enough to find two or more different inputs that produce the same hash). The provisioning of weak security tokens for every request could be considered a security vulnerability. Also in a production environment with many active users, the risk of accidental collision is not impossible. > Every request renews sling.formauth token > - > > Key: SLING-10290 > URL: https://issues.apache.org/jira/browse/SLING-10290 > Project: Sling > Issue Type: Bug > Components: Authentication >Affects Versions: Form Based Authentication 1.0.20 >Reporter: Cris Rockwell >Priority: Major > Attachments: image-2021-04-09-14-19-17-509.png > > > When using Apache Sling Form Based Authentication Handler > Every request and subrequest sets a new value for `sling.formauth` > Analyzing the code indicates that it not the intended behavior, > and the cookie value of `sling.formauth` should be consistent for 30 minutes > according to the default value of form.auth.timeout > Debugging shows that the method > [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] > always returns null AuthenticationInfo properties are > user.jcr.credentials, sling.authType and user.name. But this is not a > property called sling.formauth -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10315) Onboard new project for SonarCloud Analysis
Cris Rockwell created SLING-10315: - Summary: Onboard new project for SonarCloud Analysis Key: SLING-10315 URL: https://issues.apache.org/jira/browse/SLING-10315 Project: Sling Issue Type: Task Components: Authentication Reporter: Cris Rockwell Assignee: Fabrice Bellingard Fix For: Auth SAML2 0.2.0 As per documentation for new Sling repositories, a Jira ticket is required for on-boarding new projects for SonarCloud analysis The Jenkins Build is here https://ci-builds.apache.org/job/Sling/job/modules/job/sling-org-apache-sling-auth-saml2/job/master/ The Sling github repository is here https://github.com/apache/sling-org-apache-sling-auth-saml2 Let me know if you need anything else from me. Thanks! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10290) Every request renews sling.formauth token
[ https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10290: -- Description: When using Apache Sling Form Based Authentication Handler Every request and subrequest sets a new value for `sling.formauth` Analyzing the code indicates that it not the intended behavior, and the cookie value of `sling.formauth` should be consistent for 30 minutes according to the default value of form.auth.timeout Debugging shows that the method [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] always returns null AuthenticationInfo properties are user.jcr.credentials, sling.authType and user.name. But this is not a property called sling.formauth was: When using Apache Sling Form Based Authentication Handler Every request and subrequest sets a new value for `sling.formauth` Analyzing the code indicates that it not the intended behavior, and the cookie value of `sling.formauth` should be consistent for 30 minutes according to the default value of form.auth.timeout Debugging shows that the method [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] always returns null AuthenticationInfo properties are user.jcr.credentials, sling.authType and user.name. But not a property called sling.formauth (e.g. the default key name of attrCookieAuthData) > Every request renews sling.formauth token > - > > Key: SLING-10290 > URL: https://issues.apache.org/jira/browse/SLING-10290 > Project: Sling > Issue Type: Bug > Components: Authentication >Affects Versions: Form Based Authentication 1.0.20 >Reporter: Cris Rockwell >Priority: Major > Attachments: image-2021-04-09-14-19-17-509.png > > > When using Apache Sling Form Based Authentication Handler > Every request and subrequest sets a new value for `sling.formauth` > Analyzing the code indicates that it not the intended behavior, > and the cookie value of `sling.formauth` should be consistent for 30 minutes > according to the default value of form.auth.timeout > Debugging shows that the method > [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] > always returns null AuthenticationInfo properties are > user.jcr.credentials, sling.authType and user.name. But this is not a > property called sling.formauth -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10290) Every request renews sling.formauth token
[ https://issues.apache.org/jira/browse/SLING-10290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10290: -- Description: When using Apache Sling Form Based Authentication Handler Every request and subrequest sets a new value for `sling.formauth` Analyzing the code indicates that it not the intended behavior, and the cookie value of `sling.formauth` should be consistent for 30 minutes according to the default value of form.auth.timeout Debugging shows that the method [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] always returns null AuthenticationInfo properties are user.jcr.credentials, sling.authType and user.name. But not a property called sling.formauth (e.g. the default key name of attrCookieAuthData) was: When using Apache Sling Form Based Authentication Handler Every request and subrequest sets a new value for `sling.formauth` Analyzing the code indicates that it not the intended behavior, and the cookie value of `sling.formauth` should be consistent for 30 minutes according to the default value of form.auth.timeout Debugging shows that the method [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] always returns null AuthenticationInfo properties are user.jcr.credentials, sling.authType and user.name. But not a property called sling.formauth (e.g. the default key name of attrCookieAuthData) !image-2021-04-09-14-19-17-509.png! > Every request renews sling.formauth token > - > > Key: SLING-10290 > URL: https://issues.apache.org/jira/browse/SLING-10290 > Project: Sling > Issue Type: Bug > Components: Authentication >Affects Versions: Form Based Authentication 1.0.20 >Reporter: Cris Rockwell >Priority: Major > Attachments: image-2021-04-09-14-19-17-509.png > > > When using Apache Sling Form Based Authentication Handler > Every request and subrequest sets a new value for `sling.formauth` > Analyzing the code indicates that it not the intended behavior, > and the cookie value of `sling.formauth` should be consistent for 30 minutes > according to the default value of form.auth.timeout > Debugging shows that the method > [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] > always returns null AuthenticationInfo properties are > user.jcr.credentials, sling.authType and user.name. But not a property called > sling.formauth (e.g. the default key name of attrCookieAuthData) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10290) Every request renews sling.formauth token
Cris Rockwell created SLING-10290: - Summary: Every request renews sling.formauth token Key: SLING-10290 URL: https://issues.apache.org/jira/browse/SLING-10290 Project: Sling Issue Type: Bug Components: Authentication Affects Versions: Form Based Authentication 1.0.20 Reporter: Cris Rockwell Attachments: image-2021-04-09-14-19-17-509.png When using Apache Sling Form Based Authentication Handler Every request and subrequest sets a new value for `sling.formauth` Analyzing the code indicates that it not the intended behavior, and the cookie value of `sling.formauth` should be consistent for 30 minutes according to the default value of form.auth.timeout Debugging shows that the method [getCookieAuthData|https://github.com/apache/sling-org-apache-sling-auth-form/blob/master/src/main/java/org/apache/sling/auth/form/impl/FormAuthenticationHandler.java#L514-L519] always returns null AuthenticationInfo properties are user.jcr.credentials, sling.authType and user.name. But not a property called sling.formauth (e.g. the default key name of attrCookieAuthData) !image-2021-04-09-14-19-17-509.png! -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Description: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ok] Conduct security scanning and input fuzz testing [done] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository was: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [done] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [done] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ok] Conduct security scanning and input fuzz testing > [done] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Description: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [done] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository was: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [done] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ ] Conduct security scanning and input fuzz testing > [done] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Description: Tasks for initial release [done] Test Coverage >80% [done] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository was: Tasks for initial release [done] Test Coverage >80% [ ] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [done] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ ] Conduct security scanning and input fuzz testing > [ ] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Attachment: Screen Shot 2021-04-06 at 3.12.23 PM.png Screen Shot 2021-04-06 at 3.11.55 PM.png Screen Shot 2021-04-06 at 3.11.46 PM.png > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [ ] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ ] Conduct security scanning and input fuzz testing > [ ] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Description: Tasks for initial release [done] Test Coverage >80% [ ] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository was: Tasks for initial release [ ] Test Coverage >80% [ ] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2021-04-06 at 3.11.46 PM.png, Screen Shot > 2021-04-06 at 3.11.55 PM.png, Screen Shot 2021-04-06 at 3.12.23 PM.png > > > Tasks for initial release > [done] Test Coverage >80% > [ ] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ ] Conduct security scanning and input fuzz testing > [ ] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-10193) SAML Auth Handler Initial Release
[ https://issues.apache.org/jira/browse/SLING-10193?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-10193: -- Description: Tasks for initial release [ ] Test Coverage >80% [ ] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Improve mapping for attribute sync'ing. Currently it only takes the attribute Assertion. It saves the property (if exists in the assertion) as the friendlyName (if exists in the assertion) and makes no provision for relative path or control naming of the property. Instead utilize a mapping nomenclature `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` [ ] Move project from sling-whiteboard to separate github repository was: Continuation of SLING-9397 Tasks [ ] Test Coverage >80% [ ] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Move project from sling-whiteboard to separate github repository > SAML Auth Handler Initial Release > - > > Key: SLING-10193 > URL: https://issues.apache.org/jira/browse/SLING-10193 > Project: Sling > Issue Type: Task > Components: Authentication >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > > Tasks for initial release > [ ] Test Coverage >80% > [ ] JAAS configuration programmatically added within activator start, and > removed JAAS config within stop method > [ ] Conduct security scanning and input fuzz testing > [ ] Improve mapping for attribute sync'ing. Currently it only takes the > attribute Assertion. It saves the property (if exists in the assertion) as > the friendlyName (if exists in the assertion) and makes no provision for > relative path or control naming of the property. Instead utilize a mapping > nomenclature > `[attributeName:profile/anyName,urn:oid:1.2.840.113549.1.9.1:profile/email]` > [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell resolved SLING-9397. -- Resolution: Done Initial submission to sling-whiteboard was done a while ago. There are a few follow tasks to track for initial release within SLING-10193 > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [X] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-10193) SAML Auth Handler Initial Release
Cris Rockwell created SLING-10193: - Summary: SAML Auth Handler Initial Release Key: SLING-10193 URL: https://issues.apache.org/jira/browse/SLING-10193 Project: Sling Issue Type: Task Components: Authentication Reporter: Cris Rockwell Assignee: Cris Rockwell Continuation of SLING-9397 Tasks [ ] Test Coverage >80% [ ] JAAS configuration programmatically added within activator start, and removed JAAS config within stop method [ ] Conduct security scanning and input fuzz testing [ ] Move project from sling-whiteboard to separate github repository -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9980) Junit Core ITs fail with jdk11
[ https://issues.apache.org/jira/browse/SLING-9980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9980: - Component/s: JUnit Core > Junit Core ITs fail with jdk11 > -- > > Key: SLING-9980 > URL: https://issues.apache.org/jira/browse/SLING-9980 > Project: Sling > Issue Type: Improvement > Components: JUnit Core >Reporter: Bertrand Delacretaz >Assignee: Bertrand Delacretaz >Priority: Minor > > The integration tests under {{src/it/annotations-it}} fail with jdk11 as > follows: > {code} > INFO] [INFO] Running org.apache.sling.junit.annotations.ReferenceIT > [INFO] [main] INFO org.ops4j.pax.exam.spi.DefaultExamSystem - Pax Exam System > (Version: 4.13.4) created. > ... > [INFO] WARNING: An illegal reflective access operation has occurred > [INFO] WARNING: Illegal reflective access by > org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender > > (file:/Users/bert/workspace/apache/sling/sling-org-apache-sling-junit-core/target/it-repo/org/apache/felix/org.apache.felix.framework/6.0.3/org.apache.felix.framework-6.0.3.jar) > to method java.net.URLClassLoader.addURL(java.net.URL) > [INFO] WARNING: Please consider reporting this to the maintainers of > org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender > [INFO] WARNING: Use --illegal-access=warn to enable warnings of further > illegal reflective access operations > ... > [INFO] [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time > elapsed: 89.29 s <<< FAILURE! - in > org.apache.sling.junit.annotations.ReferenceIT > [INFO] [ERROR] org.apache.sling.junit.annotations.ReferenceIT Time elapsed: > 89.27 s <<< ERROR! > [INFO] org.ops4j.pax.exam.TestContainerException: > org.osgi.framework.BundleException: Could not create bundle object. > [INFO]at > org.ops4j.pax.exam.forked.ForkedTestContainer.start(ForkedTestContainer.java:168) > [INFO]at > org.ops4j.pax.exam.junit.PaxExamServer.before(PaxExamServer.java:87) > [INFO]at > org.apache.sling.junit.annotations.it@1.0.0/org.apache.sling.junit.annotations.ReferenceIT$1.before(ReferenceIT.java:61) > ... > [INFO] Caused by: org.osgi.framework.BundleException: Could not create bundle > object. > [INFO]at > org.apache.felix.framework.Felix.installBundle(Felix.java:3312) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120) > [INFO]at > org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132) > ... > [INFO] Caused by: java.lang.UnsupportedOperationException: Unable to add > extension bundle. > [INFO]at > org.apache.felix.framework.ExtensionManager.addExtensionBundle(ExtensionManager.java:430) > [INFO]at > org.apache.felix.framework.Felix.installBundle(Felix.java:3279) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120) > [INFO]at > org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132) > {code} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9397: - Description: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [X] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [X] Testing setup ( documentation, local SAML provider, etc ) [X] Clarify whether we can depend on artifacts not deployed on Maven Central [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [X] Decide whether to make signing and encryption optional. Currently it is required [X] Get feedback whether README instructions are too much, too little, unclear, etc [X] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Find and fix any bugs. was: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [X] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [X] Testing setup ( documentation, local SAML provider, etc ) [X] Clarify whether we can depend on artifacts not deployed on Maven Central [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [X] Decide whether to make signing and encryption optional. Currently it is required [X] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Find and fix any bugs. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [X] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281415#comment-17281415 ] Cris Rockwell commented on SLING-9397: -- Nope. Prefer to keep it on the ticket. Thanks > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17281261#comment-17281261 ] Cris Rockwell commented on SLING-9397: -- {quote}Who are you trying to protect the sensitive data from? As far as I can tell Sling is mostly being run in a single-tenant manner and there is no effort to make it multi-tenant.{quote} {quote}If you're trying to make it safe from malicious code deployed in the same JVM, I'd say that all bets are off already.{quote} Yes. My concern is making it harder in case of RCE or malicious Java bundles. I get the idea that ‘all bets are off’ in those scenarios. Security training instructs us to think in terms of layers. In keeping with the principle of least privilege; if these data aren't needed by other services and those services aren't fully trusted, then I should consider access control more carefully. That's why I'm considering simplifying the project structure to eliminate the config service and placing all the component and services within the same package, and using package private scope. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17279771#comment-17279771 ] Cris Rockwell commented on SLING-9397: -- One of the open items identified in the ticket description regards *SAML2ConfigService* and the implementation *SAML2ConfigServiceImpl*. This service provides SAML configurations to *AuthenticationHandlerSAML2* and *Saml2UserMgtServiceImpl*. Because SAML2ConfigService has keystore information, I find it uncomfortable making it generally available as an OSGI whiteboard service. I would like some feedback about the appropriate way to provide sensitive configurations only to the required services. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell reassigned SLING-9397: Assignee: Cris Rockwell > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
[ https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell resolved SLING-9915. -- Fix Version/s: JUnit Core 1.1.2 Resolution: Fixed > Remove deprecated flags for SlingAnnotationsTestRunner and TestReference > > > Key: SLING-9915 > URL: https://issues.apache.org/jira/browse/SLING-9915 > Project: Sling > Issue Type: Task > Components: JUnit Core >Affects Versions: JUnit Core 1.1.0 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Minor > Labels: test, tools > Fix For: JUnit Core 1.1.2 > > > As per discussion thread > https://www.mail-archive.com/dev@sling.apache.org/msg100097.html > Revert this commit > https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d > Reviving annotations > @TestReference > @SlingAnnotationsTestRunner > Review docs and suggest updates > https://sling.apache.org/documentation/development/sling-testing-tools.html > https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9980) Junit Core ITs fail with jdk11
[ https://issues.apache.org/jira/browse/SLING-9980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17245362#comment-17245362 ] Cris Rockwell commented on SLING-9980: -- Thanks for creating this ticket. One question about the reference to sling-org-apache-sling-servlets-annotations, does it build with Java 11? Locally, I get a build error and the CI might have the same trouble... [https://ci-builds.apache.org/blue/organizations/jenkins/Sling%2Fmodules%2Fsling-org-apache-sling-servlets-annotations/detail/master/44/pipeline/32] > Junit Core ITs fail with jdk11 > -- > > Key: SLING-9980 > URL: https://issues.apache.org/jira/browse/SLING-9980 > Project: Sling > Issue Type: Improvement >Reporter: Bertrand Delacretaz >Assignee: Bertrand Delacretaz >Priority: Minor > > The integration tests under {{src/it/annotations-it}} fail with jdk11 as > follows: > {code} > INFO] [INFO] Running org.apache.sling.junit.annotations.ReferenceIT > [INFO] [main] INFO org.ops4j.pax.exam.spi.DefaultExamSystem - Pax Exam System > (Version: 4.13.4) created. > ... > [INFO] WARNING: An illegal reflective access operation has occurred > [INFO] WARNING: Illegal reflective access by > org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender > > (file:/Users/bert/workspace/apache/sling/sling-org-apache-sling-junit-core/target/it-repo/org/apache/felix/org.apache.felix.framework/6.0.3/org.apache.felix.framework-6.0.3.jar) > to method java.net.URLClassLoader.addURL(java.net.URL) > [INFO] WARNING: Please consider reporting this to the maintainers of > org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender > [INFO] WARNING: Use --illegal-access=warn to enable warnings of further > illegal reflective access operations > ... > [INFO] [ERROR] Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time > elapsed: 89.29 s <<< FAILURE! - in > org.apache.sling.junit.annotations.ReferenceIT > [INFO] [ERROR] org.apache.sling.junit.annotations.ReferenceIT Time elapsed: > 89.27 s <<< ERROR! > [INFO] org.ops4j.pax.exam.TestContainerException: > org.osgi.framework.BundleException: Could not create bundle object. > [INFO]at > org.ops4j.pax.exam.forked.ForkedTestContainer.start(ForkedTestContainer.java:168) > [INFO]at > org.ops4j.pax.exam.junit.PaxExamServer.before(PaxExamServer.java:87) > [INFO]at > org.apache.sling.junit.annotations.it@1.0.0/org.apache.sling.junit.annotations.ReferenceIT$1.before(ReferenceIT.java:61) > ... > [INFO] Caused by: org.osgi.framework.BundleException: Could not create bundle > object. > [INFO]at > org.apache.felix.framework.Felix.installBundle(Felix.java:3312) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120) > [INFO]at > org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132) > ... > [INFO] Caused by: java.lang.UnsupportedOperationException: Unable to add > extension bundle. > [INFO]at > org.apache.felix.framework.ExtensionManager.addExtensionBundle(ExtensionManager.java:430) > [INFO]at > org.apache.felix.framework.Felix.installBundle(Felix.java:3279) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:147) > [INFO]at > org.apache.felix.framework.BundleContextImpl.installBundle(BundleContextImpl.java:120) > [INFO]at > org.ops4j.pax.swissbox.framework.RemoteFrameworkImpl.installBundle(RemoteFrameworkImpl.java:132) > {code} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine
[ https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17244233#comment-17244233 ] Cris Rockwell commented on SLING-9935: -- If I understand the questions properly, no JUnit bundles are not installed. Yes Junit 4 seems to work fine. Image shows many Junit 4 bundles !Screen Shot 2020-12-04 at 1.49.06 PM.png|width=654,height=535! Here it shows Junit Tests after executing !Screen Shot 2020-12-04 at 1.49.45 PM.png|width=584,height=281! > NoClassDefFoundError org/junit/platform/engine/TestEngine > - > > Key: SLING-9935 > URL: https://issues.apache.org/jira/browse/SLING-9935 > Project: Sling > Issue Type: Bug > Components: JUnit Core >Affects Versions: JUnit Core 1.1.2 >Reporter: Cris Rockwell >Assignee: Julian Sedding >Priority: Minor > Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png, Screen Shot > 2020-12-04 at 1.49.45 PM.png > > Time Spent: 0.5h > Remaining Estimate: 0h > > When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, > standard output shows many exceptions related to an optional import upon > startup. > > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189]
[jira] [Comment Edited] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine
[ https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17244233#comment-17244233 ] Cris Rockwell edited comment on SLING-9935 at 12/4/20, 6:55 PM: If I understand the questions properly, no JUnit 5 bundles are not installed. Yes Junit 4 seems to work fine. Image shows many Junit 4 bundles !Screen Shot 2020-12-04 at 1.49.06 PM.png|width=654,height=535! Here it shows Junit Tests after executing !Screen Shot 2020-12-04 at 1.49.45 PM.png|width=584,height=281! was (Author: cris): If I understand the questions properly, no JUnit bundles are not installed. Yes Junit 4 seems to work fine. Image shows many Junit 4 bundles !Screen Shot 2020-12-04 at 1.49.06 PM.png|width=654,height=535! Here it shows Junit Tests after executing !Screen Shot 2020-12-04 at 1.49.45 PM.png|width=584,height=281! > NoClassDefFoundError org/junit/platform/engine/TestEngine > - > > Key: SLING-9935 > URL: https://issues.apache.org/jira/browse/SLING-9935 > Project: Sling > Issue Type: Bug > Components: JUnit Core >Affects Versions: JUnit Core 1.1.2 >Reporter: Cris Rockwell >Assignee: Julian Sedding >Priority: Minor > Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png, Screen Shot > 2020-12-04 at 1.49.45 PM.png > > Time Spent: 0.5h > Remaining Estimate: 0h > > When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, > standard output shows many exceptions related to an optional import upon > startup. > > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at
[jira] [Updated] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine
[ https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9935: - Attachment: Screen Shot 2020-12-04 at 1.49.45 PM.png > NoClassDefFoundError org/junit/platform/engine/TestEngine > - > > Key: SLING-9935 > URL: https://issues.apache.org/jira/browse/SLING-9935 > Project: Sling > Issue Type: Bug > Components: JUnit Core >Affects Versions: JUnit Core 1.1.2 >Reporter: Cris Rockwell >Assignee: Julian Sedding >Priority: Minor > Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png, Screen Shot > 2020-12-04 at 1.49.45 PM.png > > Time Spent: 0.5h > Remaining Estimate: 0h > > When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, > standard output shows many exceptions related to an optional import upon > startup. > > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at >
[jira] [Updated] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine
[ https://issues.apache.org/jira/browse/SLING-9935?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9935: - Attachment: Screen Shot 2020-12-04 at 1.49.06 PM.png > NoClassDefFoundError org/junit/platform/engine/TestEngine > - > > Key: SLING-9935 > URL: https://issues.apache.org/jira/browse/SLING-9935 > Project: Sling > Issue Type: Bug > Components: JUnit Core >Affects Versions: JUnit Core 1.1.2 >Reporter: Cris Rockwell >Assignee: Julian Sedding >Priority: Minor > Attachments: Screen Shot 2020-12-04 at 1.49.06 PM.png > > Time Spent: 0.5h > Remaining Estimate: 0h > > When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, > standard output shows many exceptions related to an optional import upon > startup. > > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) > at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) > at > org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at > org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) > at > org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) > at > org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) > at > org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) > at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at > org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at > org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during > dispatch. (java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: > org/junit/platform/engine/TestEngine at > org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) > at >
[jira] [Commented] (SLING-9695) Sling Starter datastore
[ https://issues.apache.org/jira/browse/SLING-9695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17242551#comment-17242551 ] Cris Rockwell commented on SLING-9695: -- I closed the PR I created for this without merging. Starter is only an example, and the closed PR provides that. [https://github.com/apache/sling-org-apache-sling-starter/pull/13] > Sling Starter datastore > --- > > Key: SLING-9695 > URL: https://issues.apache.org/jira/browse/SLING-9695 > Project: Sling > Issue Type: Improvement > Components: Starter >Affects Versions: Starter 12 >Reporter: Cris Rockwell >Priority: Minor > Labels: datastore, default > Time Spent: 3h 10m > Remaining Estimate: 0h > > Sling Starter jar should use a file datastore by default. In my experience, a > datastore provides a noticeable performance boost. It took too long to figure > out how to get Sling working with a file datastore. > https://jackrabbit.apache.org/oak/docs/osgi_config.html#config-sling > https://stackoverflow.com/questions/62030664/aem-filedatastore-missing-parameter-options/62032775 > https://stackoverflow.com/questions/63569028/add-new-datastore-during-upgrade > Proposed change > [configurations runModes=oak_tar] > org.apache.jackrabbit.oak.segment.SegmentNodeStoreService > name="Default\ NodeStore" > org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore > minRecordLength=I"4096" > path="sling/repository/datastore" > cacheSizeInMB=I"128" > org.apache.jackrabbit.oak.segment.SegmentNodeStoreService > customBlobStore=B"true" -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (SLING-9695) Sling Starter datastore
[ https://issues.apache.org/jira/browse/SLING-9695?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell resolved SLING-9695. -- Assignee: Cris Rockwell Resolution: Abandoned > Sling Starter datastore > --- > > Key: SLING-9695 > URL: https://issues.apache.org/jira/browse/SLING-9695 > Project: Sling > Issue Type: Improvement > Components: Starter >Affects Versions: Starter 12 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Minor > Labels: datastore, default > Time Spent: 3h 10m > Remaining Estimate: 0h > > Sling Starter jar should use a file datastore by default. In my experience, a > datastore provides a noticeable performance boost. It took too long to figure > out how to get Sling working with a file datastore. > https://jackrabbit.apache.org/oak/docs/osgi_config.html#config-sling > https://stackoverflow.com/questions/62030664/aem-filedatastore-missing-parameter-options/62032775 > https://stackoverflow.com/questions/63569028/add-new-datastore-during-upgrade > Proposed change > [configurations runModes=oak_tar] > org.apache.jackrabbit.oak.segment.SegmentNodeStoreService > name="Default\ NodeStore" > org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore > minRecordLength=I"4096" > path="sling/repository/datastore" > cacheSizeInMB=I"128" > org.apache.jackrabbit.oak.segment.SegmentNodeStoreService > customBlobStore=B"true" -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
[ https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17240865#comment-17240865 ] Cris Rockwell commented on SLING-9915: -- Thanks [~bdelacretaz] for the tips. After reviewing the maven-failsafe-plugin instructions (1) debugging access to the test worked. Debugging the actual test Sling instance also worked with a separate debugger configured in {{pax.vm.options}} as suggested in the pom properties, and while running both debuggers. It may be useful to add a few comments in the project about these debugging procedures. {code:java} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5015 {code} Thank you for fixing the tests with your commit [https://github.com/apache/sling-org-apache-sling-junit-core/commit/4aa41bcb60c64eb0de795e54774e8f45c7e4f1aa |https://github.com/apache/sling-org-apache-sling-junit-core/commit/4aa41bcb60c64eb0de795e54774e8f45c7e4f1aa.]I've reviewed the changes. Seems two fixes were needed: * Properly installing the org.apache.sling.junit.core bundle (and not embedding it) {code:java} mavenBundle().groupId("org.apache.sling").artifactId("org.apache.sling.junit.core").versionAsInProject(){code} * Properly satisfying the {{osgi.contract=JavaJSONP}} the capability (not setting Provide-Capability in the annotation-it testing bundle) {code:java} SlingOptions.versionResolver.setVersion("org.apache.sling", "org.apache.sling.commons.johnzon", "1.2.6"); {code} (1) [https://maven.apache.org/surefire/maven-failsafe-plugin/examples/debugging.html] > Remove deprecated flags for SlingAnnotationsTestRunner and TestReference > > > Key: SLING-9915 > URL: https://issues.apache.org/jira/browse/SLING-9915 > Project: Sling > Issue Type: Task > Components: JUnit Core >Affects Versions: JUnit Core 1.1.0 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Minor > Labels: test, tools > > As per discussion thread > https://www.mail-archive.com/dev@sling.apache.org/msg100097.html > Revert this commit > https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d > Reviving annotations > @TestReference > @SlingAnnotationsTestRunner > Review docs and suggest updates > https://sling.apache.org/documentation/development/sling-testing-tools.html > https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9935) NoClassDefFoundError org/junit/platform/engine/TestEngine
Cris Rockwell created SLING-9935: Summary: NoClassDefFoundError org/junit/platform/engine/TestEngine Key: SLING-9935 URL: https://issues.apache.org/jira/browse/SLING-9935 Project: Sling Issue Type: Bug Components: JUnit Core Affects Versions: JUnit Core 1.1.2 Reporter: Cris Rockwell When starting Sling with org.apache.sling.junit.core v 1.1.1-SNAPSHOT, standard output shows many exceptions related to an optional import upon startup. ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine) ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) at java.base/java.lang.Thread.run(Thread.java:834) ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450) at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915) at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834) at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516) at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817) at org.apache.felix.framework.Felix.startBundle(Felix.java:2336) at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) at java.base/java.lang.Thread.run(Thread.java:834) ERROR: Bundle org.apache.sling.junit.core [189] EventDispatcher: Error during dispatch. (java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine)java.lang.NoClassDefFoundError: org/junit/platform/engine/TestEngine at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.getTestEnginesForBundle(TestEngineTracker.java:83) at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:67) at org.apache.sling.junit.impl.servlet.junit5.TestEngineTracker$Customizer.addingBundle(TestEngineTracker.java:63) at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:475) at org.osgi.util.tracker.BundleTracker$Tracked.customizerAdding(BundleTracker.java:420) at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:229) at
[jira] [Commented] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
[ https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17236530#comment-17236530 ] Cris Rockwell commented on SLING-9915: -- https://github.com/apache/sling-org-apache-sling-junit-core/pull/5 > Remove deprecated flags for SlingAnnotationsTestRunner and TestReference > > > Key: SLING-9915 > URL: https://issues.apache.org/jira/browse/SLING-9915 > Project: Sling > Issue Type: Task > Components: JUnit Core >Affects Versions: JUnit Core 1.1.0 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Minor > Labels: test, tools > > As per discussion thread > https://www.mail-archive.com/dev@sling.apache.org/msg100097.html > Revert this commit > https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d > Reviving annotations > @TestReference > @SlingAnnotationsTestRunner > Review docs and suggest updates > https://sling.apache.org/documentation/development/sling-testing-tools.html > https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
[ https://issues.apache.org/jira/browse/SLING-9915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell reassigned SLING-9915: Assignee: Cris Rockwell > Remove deprecated flags for SlingAnnotationsTestRunner and TestReference > > > Key: SLING-9915 > URL: https://issues.apache.org/jira/browse/SLING-9915 > Project: Sling > Issue Type: Task > Components: JUnit Core >Affects Versions: JUnit Core 1.1.0 >Reporter: Cris Rockwell >Assignee: Cris Rockwell >Priority: Minor > Labels: test, tools > > As per discussion thread > https://www.mail-archive.com/dev@sling.apache.org/msg100097.html > Revert this commit > https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d > Reviving annotations > @TestReference > @SlingAnnotationsTestRunner > Review docs and suggest updates > https://sling.apache.org/documentation/development/sling-testing-tools.html > https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9915) Remove deprecated flags for SlingAnnotationsTestRunner and TestReference
Cris Rockwell created SLING-9915: Summary: Remove deprecated flags for SlingAnnotationsTestRunner and TestReference Key: SLING-9915 URL: https://issues.apache.org/jira/browse/SLING-9915 Project: Sling Issue Type: Task Components: JUnit Core Affects Versions: JUnit Core 1.1.0 Reporter: Cris Rockwell As per discussion thread https://www.mail-archive.com/dev@sling.apache.org/msg100097.html Revert this commit https://github.com/apache/sling-org-apache-sling-junit-core/commit/c7f98b1172126f1e5f961ec9d17d12b239c34e0d Reviving annotations @TestReference @SlingAnnotationsTestRunner Review docs and suggest updates https://sling.apache.org/documentation/development/sling-testing-tools.html https://sling.apache.org/documentation/bundles/org-apache-sling-junit-bundles.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118977#comment-17118977 ] Cris Rockwell edited comment on SLING-9397 at 11/16/20, 5:11 PM: - Question about local testing using "docker or some sort of JUnit setup:" I assume this means one step that installs and configures an external IDP (running locally), installs the related configurations for SAML2 module in Sling; perhaps a mvn profile, and runs integration JUnit tests. Let me know if I misunderstood. It could take me a while for that. My knowledge and experience using docker is (shall we say) just now emerging. For example, I had Keycloak IDP running via docker and a week later it wouldn't start at all. Since I'm novice at docker and had this trouble, I had revised the instructions to download and install Keycloak the old fashioned way. Nevertheless, I can take another pass... [X] Change signing and encryption to optional. This will simplify localhost testing. [X] One step process to launch a preconfigured localhost IDP external to Sling [X] Maven profile to rollout OSGI SAML2 settings for localhost IDP above (moved to example package) Any kind of direct help or advice would be most appreciated. Otherwise, I'll chip away this localhost testing. was (Author: cris_rockwell): Question about local testing using "docker or some sort of JUnit setup:" I assume this means one step that installs and configures an external IDP (running locally), installs the related configurations for SAML2 module in Sling; perhaps a mvn profile, and runs integration JUnit tests. Let me know if I misunderstood. It could take me a while for that. My knowledge and experience using docker is (shall we say) just now emerging. For example, I had Keycloak IDP running via docker and a week later it wouldn't start at all. Since I'm novice at docker and had this trouble, I had revised the instructions to download and install Keycloak the old fashioned way. Nevertheless, I can take another pass... [ ] Change signing and encryption to optional. This will simplify localhost testing. [ ] One step process to launch a preconfigured localhost IDP external to Sling [ ] Maven profile to rollout OSGI SAML2 settings for localhost IDP above Any kind of direct help or advice would be most appreciated. Otherwise, I'll chip away this localhost testing. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9397: - Description: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [X] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [X] Testing setup ( documentation, local SAML provider, etc ) [X] Clarify whether we can depend on artifacts not deployed on Maven Central [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [X] Decide whether to make signing and encryption optional. Currently it is required [X] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Find and fix any bugs. was: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [ ] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [ ] Testing setup ( documentation, local SAML provider, etc ) [ ] Clarify whether we can depend on artifacts not deployed on Maven Central [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Decide whether to make signing and encryption optional. Currently it is required [ ] Find and fix any bugs > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h 20m > Remaining Estimate: 166h 40m > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [X] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [X] Testing setup ( documentation, local SAML provider, etc ) > [X] Clarify whether we can depend on artifacts not deployed on Maven Central > [X] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [X] Decide whether to make signing and encryption optional. Currently it is > required > [X] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Find and fix any bugs. > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9648) SlingPropertiesPrinter fails to activate: No bundle context property 'sling.properties.url' provided
[ https://issues.apache.org/jira/browse/SLING-9648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17215414#comment-17215414 ] Cris Rockwell commented on SLING-9648: -- It's been some time. Any sense when 1.4.2 will appear in Maven Central? https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.settings > SlingPropertiesPrinter fails to activate: No bundle context property > 'sling.properties.url' provided > > > Key: SLING-9648 > URL: https://issues.apache.org/jira/browse/SLING-9648 > Project: Sling > Issue Type: Bug >Reporter: Robert Munteanu >Assignee: Konrad Windszus >Priority: Major > Fix For: Settings 1.4.2 > > Time Spent: 0.5h > Remaining Estimate: 0h > > When starting up the Sling Starter I see the following error printed on the > console: > {noformat}ERROR: bundle org.apache.sling.settings:1.4.0 > (22)[org.apache.sling.settings.impl.SlingPropertiesPrinter(1)] : Error > during instantiation of the implementation object > java.lang.reflect.InvocationTargetException > at > java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native > Method) > at > java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at > java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at > java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490) > at > org.apache.felix.scr.impl.inject.internal.ComponentConstructorImpl.newInstance(ComponentConstructorImpl.java:312) > at > org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:279) > at > org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:115) > at > org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:984) > at > org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:957) > at > org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:902) > at > org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:348) > at > org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:248) > at > org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:350) > at org.apache.felix.framework.Felix.getService(Felix.java:3954) > at > org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:450) > at > org.apache.felix.inventory.impl.webconsole.WebConsoleAdapter.addingService(WebConsoleAdapter.java:152) > at > org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:943) > at > org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:871) > at > org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256) > at > org.osgi.util.tracker.AbstractTracked.trackInitial(AbstractTracked.java:183) > at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:321) > at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:264) > at > org.apache.felix.inventory.impl.webconsole.WebConsoleAdapter.(WebConsoleAdapter.java:68) > at org.apache.felix.inventory.impl.Activator.start(Activator.java:63) > at > org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:698) > at org.apache.felix.framework.Felix.activateBundle(Felix.java:2402) > at org.apache.felix.framework.Felix.startBundle(Felix.java:2308) > at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539) > at > org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308) > at java.base/java.lang.Thread.run(Thread.java:834) > Caused by: java.lang.IllegalStateException: No bundle context property > 'sling.properties.url' provided > at > org.apache.sling.settings.impl.SlingPropertiesPrinter.(SlingPropertiesPrinter.java:64) > ... 30 more > {noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9707) Variable ${sling.home} not replaced in configuration values
[ https://issues.apache.org/jira/browse/SLING-9707?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17190816#comment-17190816 ] Cris Rockwell commented on SLING-9707: -- Looks good now. Thanks all! > Variable ${sling.home} not replaced in configuration values > --- > > Key: SLING-9707 > URL: https://issues.apache.org/jira/browse/SLING-9707 > Project: Sling > Issue Type: Bug > Components: Feature Model, Starter >Affects Versions: Starter 12 >Reporter: Cris Rockwell >Assignee: Robert Munteanu >Priority: Major > Fix For: Starter 12 > > > When configuring a file datastore, the variable ${sling.home} would be useful > as showed in the following feature.json and in the Starter Pull Request > ([https://github.com/apache/sling-org-apache-sling-starter/pull/13]) > { > "bundles":[ > { > "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}", > "start-order":"15" > } > ], > "configurations":{ > "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": > { "name":"Default NodeStore", "customBlobStore":true } > , > "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": { > "minRecordLength":4096, > "path":"${sling.home}/repository/datastore", > "cacheSizeInMB":128 > } > } > } > Running java -jar dependency/org.apache.sling.feature.launcher.jar -f > slingfeature-tmp/feature-oak_tar.json -p sling > Results in a folder called ${sling.home} > {{➜ $ ls target}} > {{${sling.home} maven-archiver > org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}} > {{classes maven-shared-archive-resources > org.apache.sling.starter-12-SNAPSHOT-sources.jar > sling-slingfeature-maven-plugin-fmtmp}} > {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar > slingfeature-tmp}} > {{generated-test-sources > org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}} > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9707) Variable ${sling.home}
[ https://issues.apache.org/jira/browse/SLING-9707?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9707: - Description: When configuring a file datastore, the variable ${sling.home} would be useful as showed in the following feature.json and in the Starter Pull Request ([https://github.com/apache/sling-org-apache-sling-starter/pull/13]) { "bundles":[ { "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}", "start-order":"15" } ], "configurations":{ "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": { "name":"Default NodeStore", "customBlobStore":true } , "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": { "minRecordLength":4096, "path":"${sling.home}/repository/datastore", "cacheSizeInMB":128 } } } Running java -jar dependency/org.apache.sling.feature.launcher.jar -f slingfeature-tmp/feature-oak_tar.json -p sling Results in a folder called ${sling.home} {{➜ $ ls target}} {{${sling.home} maven-archiver org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}} {{classes maven-shared-archive-resources org.apache.sling.starter-12-SNAPSHOT-sources.jar sling-slingfeature-maven-plugin-fmtmp}} {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar slingfeature-tmp}} {{generated-test-sources org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}} was: When configuring a file datastore, the variable ${sling.home} would be useful as showing in the following feature.json and in the Starter Pull Request ([https://github.com/apache/sling-org-apache-sling-starter/pull/13]) { "bundles":[ { "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}", "start-order":"15" } ], "configurations":{ "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": { "name":"Default NodeStore", "customBlobStore":true } , "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": { "minRecordLength":4096, "path":"${sling.home}/repository/datastore", "cacheSizeInMB":128 } } } Running java -jar dependency/org.apache.sling.feature.launcher.jar -f slingfeature-tmp/feature-oak_tar.json -p sling Results in a folder called ${sling.home} {{➜ $ ls target}} {{${sling.home} maven-archiver org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}} {{classes maven-shared-archive-resources org.apache.sling.starter-12-SNAPSHOT-sources.jar sling-slingfeature-maven-plugin-fmtmp}} {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar slingfeature-tmp}} {{generated-test-sources org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}} > Variable ${sling.home} > -- > > Key: SLING-9707 > URL: https://issues.apache.org/jira/browse/SLING-9707 > Project: Sling > Issue Type: Bug > Components: Feature Model, Starter >Affects Versions: Starter 12 >Reporter: Cris Rockwell >Priority: Major > > When configuring a file datastore, the variable ${sling.home} would be useful > as showed in the following feature.json and in the Starter Pull Request > ([https://github.com/apache/sling-org-apache-sling-starter/pull/13]) > { > "bundles":[ > { > "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}", > "start-order":"15" > } > ], > "configurations":{ > "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": > { "name":"Default NodeStore", "customBlobStore":true } > , > "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": { > "minRecordLength":4096, > "path":"${sling.home}/repository/datastore", > "cacheSizeInMB":128 > } > } > } > Running java -jar dependency/org.apache.sling.feature.launcher.jar -f > slingfeature-tmp/feature-oak_tar.json -p sling > Results in a folder called ${sling.home} > {{➜ $ ls target}} > {{${sling.home} maven-archiver > org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}} > {{classes maven-shared-archive-resources > org.apache.sling.starter-12-SNAPSHOT-sources.jar > sling-slingfeature-maven-plugin-fmtmp}} > {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar > slingfeature-tmp}} > {{generated-test-sources > org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}} > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9707) Variable ${sling.home}
Cris Rockwell created SLING-9707: Summary: Variable ${sling.home} Key: SLING-9707 URL: https://issues.apache.org/jira/browse/SLING-9707 Project: Sling Issue Type: Bug Components: Feature Model, Starter Affects Versions: Starter 12 Reporter: Cris Rockwell When configuring a file datastore, the variable ${sling.home} would be useful as showing in the following feature.json and in the Starter Pull Request ([https://github.com/apache/sling-org-apache-sling-starter/pull/13]) { "bundles":[ { "id":"org.apache.jackrabbit:oak-segment-tar:${oak.version}", "start-order":"15" } ], "configurations":{ "org.apache.jackrabbit.oak.segment.SegmentNodeStoreService": { "name":"Default NodeStore", "customBlobStore":true } , "org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore": { "minRecordLength":4096, "path":"${sling.home}/repository/datastore", "cacheSizeInMB":128 } } } Running java -jar dependency/org.apache.sling.feature.launcher.jar -f slingfeature-tmp/feature-oak_tar.json -p sling Results in a folder called ${sling.home} {{➜ $ ls target}} {{${sling.home} maven-archiver org.apache.sling.starter-12-SNAPSHOT-oak_tar_far.far sling}} {{classes maven-shared-archive-resources org.apache.sling.starter-12-SNAPSHOT-sources.jar sling-slingfeature-maven-plugin-fmtmp}} {{dependency maven-status org.apache.sling.starter-12-SNAPSHOT.jar slingfeature-tmp}} {{generated-test-sources org.apache.sling.starter-12-SNAPSHOT-oak_mongo_far.far rat.txt test-classes}} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9695) Sling Starter datastore
Cris Rockwell created SLING-9695: Summary: Sling Starter datastore Key: SLING-9695 URL: https://issues.apache.org/jira/browse/SLING-9695 Project: Sling Issue Type: Improvement Components: Starter Affects Versions: Starter 12 Reporter: Cris Rockwell Sling Starter jar should use a file datastore by default. In my experience, a datastore provides a noticeable performance boost. It took too long to figure out how to get Sling working with a file datastore. https://jackrabbit.apache.org/oak/docs/osgi_config.html#config-sling https://stackoverflow.com/questions/62030664/aem-filedatastore-missing-parameter-options/62032775 https://stackoverflow.com/questions/63569028/add-new-datastore-during-upgrade Proposed change [configurations runModes=oak_tar] org.apache.jackrabbit.oak.segment.SegmentNodeStoreService name="Default\ NodeStore" org.apache.jackrabbit.oak.plugins.blob.datastore.FileDataStore minRecordLength=I"4096" path="sling/repository/datastore" cacheSizeInMB=I"128" org.apache.jackrabbit.oak.segment.SegmentNodeStoreService customBlobStore=B"true" -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9600) Sling Query won't install on Sling12 Launcher Instance
Cris Rockwell created SLING-9600: Summary: Sling Query won't install on Sling12 Launcher Instance Key: SLING-9600 URL: https://issues.apache.org/jira/browse/SLING-9600 Project: Sling Issue Type: Bug Components: Sling Query Affects Versions: Sling Query 4.0.2 Reporter: Cris Rockwell Logs show this error commons-lang is missing... {quote}23.07.2020 11:16:28.973 *INFO* [OsgiInstallerImpl] org.apache.sling.installer.core.impl.tasks.BundleStartTask Could not start bundle org.apache.sling.query [218]. Reason: {}. Will retry. org.osgi.framework.BundleException: Unable to resolve org.apache.sling.query [218](R 218.0): missing requirement [org.apache.sling.query [218](R 218.0)] osgi.wiring.package; (&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0))) Unresolved requirements: [[org.apache.sling.query [218](R 218.0)] osgi.wiring.package; (&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))] at org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4368) at org.apache.felix.framework.Felix.startBundle(Felix.java:2281) at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:998) at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:984) at org.apache.sling.installer.core.impl.tasks.BundleStartTask.execute(BundleStartTask.java:97) [org.apache.sling.installer.core:3.11.2] at org.apache.sling.installer.core.impl.OsgiInstallerImpl.doExecuteTasks(OsgiInstallerImpl.java:918) [org.apache.sling.installer.core:3.11.2] at org.apache.sling.installer.core.impl.OsgiInstallerImpl.executeTasks(OsgiInstallerImpl.java:755) [org.apache.sling.installer.core:3.11.2] at org.apache.sling.installer.core.impl.OsgiInstallerImpl.run(OsgiInstallerImpl.java:304) [org.apache.sling.installer.core:3.11.2] at java.base/java.lang.Thread.run(Thread.java:834) 23.07.2020 11:16:28.978 *INFO* [OsgiInstallerImpl] org.apache.sling.installer.core.impl.tasks.BundleStartTask Could not start bundle org.apache.sling.query [218]. Reason: {}. Will retry. org.osgi.framework.BundleException: Unable to resolve org.apache.sling.query [218](R 218.0): missing requirement [org.apache.sling.query [218](R 218.0)] osgi.wiring.package; (&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0))) Unresolved requirements: [[org.apache.sling.query [218](R 218.0)] osgi.wiring.package; (&(osgi.wiring.package=org.apache.commons.lang)(version>=2.5.0)(!(version>=3.0.0)))] at org.apache.felix.framework.Felix.resolveBundleRevision(Felix.java:4368) at org.apache.felix.framework.Felix.startBundle(Felix.java:2281) at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:998) at org.apache.felix.framework.BundleImpl.start(BundleImpl.java:984) at org.apache.sling.installer.core.impl.tasks.BundleStartTask.execute(BundleStartTask.java:97) [org.apache.sling.installer.core:3.11.2] at org.apache.sling.installer.core.impl.OsgiInstallerImpl.doExecuteTasks(OsgiInstallerImpl.java:918) [org.apache.sling.installer.core:3.11.2] at org.apache.sling.installer.core.impl.OsgiInstallerImpl.executeTasks(OsgiInstallerImpl.java:755) [org.apache.sling.installer.core:3.11.2] at org.apache.sling.installer.core.impl.OsgiInstallerImpl.run(OsgiInstallerImpl.java:304) [org.apache.sling.installer.core:3.11.2] at java.base/java.lang.Thread.run(Thread.java:834){quote} *After updating the pom dependency and various import statements, the bundle builds and installs. * Removed Added org.apache.commons commons-lang3 3.9 }} Based on the migration guide, most use cases should be fine just updating the import statements. I think that's the case for Sling Query as well. http://commons.apache.org/proper/commons-lang/article3_0.html -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143843#comment-17143843 ] Cris Rockwell commented on SLING-9545: -- Ah ok! I was missing the distribution.api bundle. Thank you very much. > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png, Screen Shot > 2020-06-24 at 8.38.26 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143812#comment-17143812 ] Cris Rockwell commented on SLING-9545: -- When you docs https://cwiki.apache.org/confluence/display/SLING/Java+version+support has the statement, but the bundle only works with Java 8. "Sling currently supports the following releases of Java 8, as it is a version that many are currently using as a basline 11, as it is the most recent version for which Oracle provides Long-Term Support" > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png, Screen Shot > 2020-06-24 at 8.38.26 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Comment Edited] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143803#comment-17143803 ] Cris Rockwell edited comment on SLING-9545 at 6/24/20, 12:39 PM: - Do you think even it is not required (optional import)? Usually there is an osgi wiring error in the logs, which I could not find. I'll try your suggestion. -- After resolving the optional dependency, org.apache.sling.distribution.core bundle still not Active. !Screen Shot 2020-06-24 at 8.38.26 AM.png! was (Author: cris_rockwell): Do you think even it is not required (optional import)? Usually there is an osgi wiring error in the logs, which I could not find. I'll try your suggestion. > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png, Screen Shot > 2020-06-24 at 8.38.26 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Reopened] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell reopened SLING-9545: -- Unless you actually got this bundle Active, do not mark as resolved please. > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Comment Edited] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143803#comment-17143803 ] Cris Rockwell edited comment on SLING-9545 at 6/24/20, 12:32 PM: - Do you think even it is not required (optional import)? Usually there is an osgi wiring error in the logs, which I could not find. I'll try your suggestion. was (Author: cris_rockwell): Do you think even it is not required (optional import)? Usually there is an osgi wiring error in the logs, which I could not find. > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143803#comment-17143803 ] Cris Rockwell commented on SLING-9545: -- Do you think even it is not required (optional import)? Usually there is an osgi wiring error in the logs, which I could not find. > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Commented] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17143787#comment-17143787 ] Cris Rockwell commented on SLING-9545: -- No. I don't think so. I downloaded the bundle at 0.3.4 and 0.4.2 from maven central and tried uploading and installing to /system/console/bundles. The bundle state is Installed and not active. Maybe the Java 11 build issue is separate. I thought maybe it's related to the header Bundle-RequiredExecutionEnvironment: JavaSE-1.8 https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.distribution.core/0.3.4 https://mvnrepository.com/artifact/org.apache.sling/org.apache.sling.distribution.core/0.4.2 !Screen Shot 2020-06-24 at 8.09.38 AM.png! > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Updated] (SLING-9545) Distribution Core bundle with Java 11
[ https://issues.apache.org/jira/browse/SLING-9545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9545: - Attachment: Screen Shot 2020-06-24 at 8.09.38 AM.png > Distribution Core bundle with Java 11 > - > > Key: SLING-9545 > URL: https://issues.apache.org/jira/browse/SLING-9545 > Project: Sling > Issue Type: Bug > Components: Content Distribution >Affects Versions: Content Distribution Core 0.3.4, Content Distribution > Core 0.4.2 >Reporter: Cris Rockwell >Priority: Major > Attachments: Screen Shot 2020-06-24 at 8.09.38 AM.png > > > Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle > does not activate on Sling12 using Java 11 > https://github.com/apache/sling-org-apache-sling-distribution-core > {{mvn clean install}} results in the error below > [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-antrun-plugin:1.8:run > (set-bundle-required-execution-environment) on project > org.apache.sling.distribution.core: An Ant BuildException has occured: Unable > to create javax script engine for javascript > [ERROR] around Ant part
[jira] [Created] (SLING-9545) Distribution Core bundle with Java 11
Cris Rockwell created SLING-9545: Summary: Distribution Core bundle with Java 11 Key: SLING-9545 URL: https://issues.apache.org/jira/browse/SLING-9545 Project: Sling Issue Type: Bug Components: Content Distribution Affects Versions: Content Distribution Core 0.4.2, Content Distribution Core 0.3.4 Reporter: Cris Rockwell Apache Sling Distribution Core (org.apache.sling.distribution.core) bundle does not activate on Sling12 using Java 11 https://github.com/apache/sling-org-apache-sling-distribution-core {{mvn clean install}} results in the error below [ERROR] Failed to execute goal org.apache.maven.plugins:maven-antrun-plugin:1.8:run (set-bundle-required-execution-environment) on project org.apache.sling.distribution.core: An Ant BuildException has occured: Unable to create javax script engine for javascript [ERROR] around Ant part
[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140558#comment-17140558 ] Cris Rockwell edited comment on SLING-9397 at 6/19/20, 1:43 PM: [~rombert] I've started some updates on this bundle: Switch build source and target to Java 11, Updated OpenSAML to V4, and Clarified processes the README for local testing. I'm in the process of making SSL, encryption and signing optional. Keycloak Server has an option to do partial realm imports and exports, which contain the realm "clients" and groups, but does not include users (I assume for security reasons). Here is a draft of the new README https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler As you can see some things are configured manually. * JAAS OSGI * SAML2 OSGI * Service User ** Service User Mapping ** Service User Creation ** Service User ACL A Composum package could be used to package the Service User and Service User ACL's. I don't know how include include OSGI configs in a Composum. I may be wrong but the UI doesn't seem to allow it. was (Author: cris_rockwell): [~rombert] I've started some updates on this bundle: Switch build source and target to Java 11, Updated OpenSAML to V4, and Clarified processes the README for local testing. I'm in the process of making SSL, encryption and signing optional. Keycloak Server has an option to do partial realm imports and exports, which contain the realm "clients" and groups, but does not include users (I assume for security reasons). Here is a draft of the new README https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler As you can see some things are configured manually. * JAAS OSGI * SAML2 OSGI * Service User ** Service User Mapping ** Service User Creation ** Service User ACL A Composum package could be used to package the Service User and Service User ACL's. I don't know how include include a OSGI configs in a Composum. I may be wrong but the UI doesn't seem to allow it. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h > Remaining Estimate: 167h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [ ] Testing setup ( documentation, local SAML provider, etc ) > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17140558#comment-17140558 ] Cris Rockwell commented on SLING-9397: -- [~rombert] I've started some updates on this bundle: Switch build source and target to Java 11, Updated OpenSAML to V4, and Clarified processes the README for local testing. I'm in the process of making SSL, encryption and signing optional. Keycloak Server has an option to do partial realm imports and exports, which contain the realm "clients" and groups, but does not include users (I assume for security reasons). Here is a draft of the new README https://github.com/cmrockwell/sling-whiteboard-saml/tree/saml2-auth-handler/Upgrade-Sling12-OpenSAMLV4-Java11/saml-handler As you can see some things are configured manually. * JAAS OSGI * SAML2 OSGI * Service User ** Service User Mapping ** Service User Creation ** Service User ACL A Composum package could be used to package the Service User and Service User ACL's. I don't know how include include a OSGI configs in a Composum. I may be wrong but the UI doesn't seem to allow it. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h > Remaining Estimate: 167h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [ ] Testing setup ( documentation, local SAML provider, etc ) > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17118977#comment-17118977 ] Cris Rockwell commented on SLING-9397: -- Question about local testing using "docker or some sort of JUnit setup:" I assume this means one step that installs and configures an external IDP (running locally), installs the related configurations for SAML2 module in Sling; perhaps a mvn profile, and runs integration JUnit tests. Let me know if I misunderstood. It could take me a while for that. My knowledge and experience using docker is (shall we say) just now emerging. For example, I had Keycloak IDP running via docker and a week later it wouldn't start at all. Since I'm novice at docker and had this trouble, I had revised the instructions to download and install Keycloak the old fashioned way. Nevertheless, I can take another pass... [ ] Change signing and encryption to optional. This will simplify localhost testing. [ ] One step process to launch a preconfigured localhost IDP external to Sling [ ] Maven profile to rollout OSGI SAML2 settings for localhost IDP above Any kind of direct help or advice would be most appreciated. Otherwise, I'll chip away this localhost testing. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h > Remaining Estimate: 167h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [ ] Testing setup ( documentation, local SAML provider, etc ) > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9397: - Description: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [ ] Get confirmation the project builds and operates as expected [X] Ensure that the NOTICE file is the correct one [ ] Clarify whether we can depend on artifacts not deployed on Maven Central [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Decide whether to make signing and encryption optional. Currently it is required [ ] Find and fix any bugs was: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" *TODO After Initial* [ ] Get confirmation the project builds and operates as expected [ ] Ensure that the NOTICE file is the correct one [ ] Clarify whether we can depend on artifacts not deployed on Maven Central [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Decide whether to make signing and encryption optional. Currently it is required [ ] Find and fix any bugs > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h > Remaining Estimate: 167h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17107330#comment-17107330 ] Cris Rockwell commented on SLING-9397: -- Looks good. I've pulled the latest, built and confirmed the NOTICE has the statement by using the command below and inspecting the file. I've marked that as done in the description above. {{jar xf org.apache.sling.auth.saml2-0.1.0-SNAPSHOT.jar META-INF/NOTICE}} Let me know what is next. Thanks! > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h > Remaining Estimate: 167h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [X] Ensure that the NOTICE file is the correct one > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17104475#comment-17104475 ] Cris Rockwell commented on SLING-9397: -- Sounds great. Thanks [~rombert]! > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Time Spent: 1h > Remaining Estimate: 167h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [ ] Ensure that the NOTICE file is the correct one > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9436) Append reactor module Notice Statement
Cris Rockwell created SLING-9436: Summary: Append reactor module Notice Statement Key: SLING-9436 URL: https://issues.apache.org/jira/browse/SLING-9436 Project: Sling Issue Type: Improvement Components: Build and Source Control Affects Versions: Jar Resource Bundle 1.0.2 Reporter: Cris Rockwell As discussed in SLING-9397 ... The NOTICE is built from a Velocity template. The template needs an update such that reactor module's can append a notice statement into this aggregated NOTICE * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm] * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1] Current version is 1.0.0, updating to 1.0.1. Once that occurs, line 209 from the sling-parent would also need to increment the version to 1.0.1 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml] This would allow notice statement from the project pom.xml properties to append into a combined NOTICE file {{ }}{{}} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101911#comment-17101911 ] Cris Rockwell edited comment on SLING-9397 at 5/7/20, 5:44 PM: --- Regarding NOTICE, it's building from the Velocity template below. The template would need to be updated to place a module notice statement into this, and I made a PR to do that. * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm] * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1] Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent would also need to increment the version to 1.0.1 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml] After which, modules can place a notice statement in the pom.xml properties {{ }}{{}} And then the NOTICE will be built using the updated template and also have whatever noticeStatement is needed by the module. SAML2 Service Provider This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license. [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3] Copyright 2007-2020 The Apache Software Foundation Apache Sling is based on source code originally developed by Day Software ([http://www.day.com/]). This product includes software developed at The Apache Software Foundation ([http://www.apache.org/]). was (Author: cris_rockwell): Regarding NOTICE, it's building from the Velocity template below. The template would need to be updated to place a module notice statement into this, and I made a PR to do that. * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm] * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1] Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent would also need to increment the version to 1.0.1 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml] After which, modules can place a notice statement in the pom.xml properties {{}}{{ }}{{}} {{ This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.}} {{ [1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3}} {{}} And then the NOTICE will be built using the updated template and also have whatever noticeStatement is needed by the module. SAML2 Service Provider This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license. [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3] Copyright 2007-2020 The Apache Software Foundation Apache Sling is based on source code originally developed by Day Software (http://www.day.com/). This product includes software developed at The Apache Software Foundation (http://www.apache.org/). > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Remaining Estimate: 168h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [ ] Ensure that the NOTICE file is the correct one > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ]
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101911#comment-17101911 ] Cris Rockwell commented on SLING-9397: -- Regarding NOTICE, it's building from the Velocity template below. The template would need to be updated to place a module notice statement into this, and I made a PR to do that. * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/blob/master/src/main/resources/META-INF/NOTICE.vm] * [https://github.com/apache/sling-apache-sling-jar-resource-bundle/pull/1] Changing the version of sling-apache-sling-jar-resource-bundle from 1.0.0 to 1.0.1-SNAPSHOT. If that actually happens, then line 209 from the sling-parent would also need to increment the version to 1.0.1 * [https://github.com/apache/sling-parent/blob/master/sling-parent/pom.xml] After which, modules can place a notice statement in the pom.xml properties {{}}{{ }}{{}} {{ This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license.}} {{ [1]: https://bitbucket.org/srasmusson/webprofile-ref-project-v3}} {{}} And then the NOTICE will be built using the updated template and also have whatever noticeStatement is needed by the module. SAML2 Service Provider This module includes modified code from webprofile-ref-project-v3 [1], which has ASL2 as the license. [1]: [https://bitbucket.org/srasmusson/webprofile-ref-project-v3] Copyright 2007-2020 The Apache Software Foundation Apache Sling is based on source code originally developed by Day Software (http://www.day.com/). This product includes software developed at The Apache Software Foundation (http://www.apache.org/). > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Remaining Estimate: 168h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [ ] Ensure that the NOTICE file is the correct one > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17101051#comment-17101051 ] Cris Rockwell commented on SLING-9397: -- WRT the Web Profile SSO Profile specification, line 396 states... ??SAML Confirmation Method Identifiers: The SAML V2.0 "bearer" confirmation method identifier, urn:oasis:names:tc:SAML:2.0:cm:bearer, is used by this profile.?? And this is manifested in the saml2 response {{}} {{..}} https://localhost:2443/sp/consumer"/|https://localhost:2443/sp/consumer]> Line 364 gives an example about how to use this data. The data above was taken from an example from my localhost tests on April 14th The bearer of the assertion can confirm itself as the subject, provided the assertion is delivered in a message sent to " [https://localhost:2443/sp/consumer]; before 14:33 GMT on April 14th , 2020, in response to a request with ID "_498f728a71735ba28bbc19d634517c18". When processing the SAML2 Response, this relying party code needs to validate these three conditions. > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Remaining Estimate: 168h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > > *TODO After Initial* > [ ] Get confirmation the project builds and operates as expected > [ ] Clarify whether we can depend on artifacts not deployed on Maven Central > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (SLING-9397) SAML2 Authentication Handler [initial submission]
[ https://issues.apache.org/jira/browse/SLING-9397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Cris Rockwell updated SLING-9397: - Description: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] *TODO Before Initial* [X] Sync attributes released by the IDP [X] Confirm license and attribution "As the code is ASL2 and does not require a notice or anything else, we don't need to mention in. But I think its usually good style to do so and have a single sentence in our NOTICE that we include (modified) code from ... which has ASL2 as the license" [ ] Get confirmation the project builds and operates as expected *TODO After Initial* [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Decide whether to make signing and encryption optional. Currently it is required [ ] Find and fix any bugs was: Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] TODO: [X] Sync attributes released by the IDP [ ] Confirm license and attribution [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Get confirmation the project builds and operates as expected [ ] Decide whether to make signing and encryption optional. Currently it is required [ ] Find and fix any bugs > SAML2 Authentication Handler [initial submission] > - > > Key: SLING-9397 > URL: https://issues.apache.org/jira/browse/SLING-9397 > Project: Sling > Issue Type: New Feature > Components: Authentication > Environment: localhost >Reporter: Cris Rockwell >Priority: Major > Labels: SAML, authentification, security, user_management > Original Estimate: 168h > Remaining Estimate: 168h > > Here is a pull request which adds an authentication handler for a SAML2 > Service Provider via the embedded OpenSAML V3 dependencies > [https://github.com/apache/sling-whiteboard/pull/51] > > *TODO Before Initial* > [X] Sync attributes released by the IDP > [X] Confirm license and attribution > "As the code is ASL2 and does not require a notice or anything else, we don't > need to mention in. But I think its usually good style to do so and have a > single sentence in our NOTICE that we include (modified) code from ... which > has ASL2 as the license" > [ ] Get confirmation the project builds and operates as expected > > *TODO After Initial* > [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects > * [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] > [ ] Consider whether use of {{SAML2ConfigService}} and > {{SAML2ConfigServiceImpl}} is a good design or not. > [ ] Get feedback whether README instructions are too much, too little, > unclear, etc > [ ] Decide whether to make signing and encryption optional. Currently it is > required > [ ] Find and fix any bugs > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (SLING-9397) SAML2 Authentication Handler [initial submission]
Cris Rockwell created SLING-9397: Summary: SAML2 Authentication Handler [initial submission] Key: SLING-9397 URL: https://issues.apache.org/jira/browse/SLING-9397 Project: Sling Issue Type: New Feature Components: Authentication Environment: localhost Reporter: Cris Rockwell Here is a pull request which adds an authentication handler for a SAML2 Service Provider via the embedded OpenSAML V3 dependencies [https://github.com/apache/sling-whiteboard/pull/51] TODO: [X] Sync attributes released by the IDP [ ] Confirm license and attribution [ ] Review Web Browser SSO Profile Specification 4.1 and confirm all aspects [https://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf] [ ] Consider whether use of {{SAML2ConfigService}} and {{SAML2ConfigServiceImpl}} is a good design or not. [ ] Get feedback whether README instructions are too much, too little, unclear, etc [ ] Get confirmation the project builds and operates as expected [ ] Decide whether to make signing and encryption optional. Currently it is required [ ] Find and fix any bugs -- This message was sent by Atlassian Jira (v8.3.4#803005)