Changes in Release 2.6.2 ============================================= [JOST-223] - Misspelled error constant in SAML 1 StatusCode interface [JOST-224] - Superfluous/wrong type constants in SAML 1 and SAML 2 interfaces [JOST-226] - Mispelled method name in SAMLMDCredentialContext, getEncryptionMethod vs getEncryptionMethods [JOST-238] - https:// URLs with HttpResource or FileBackedHttpResource are vulnerable to MitM attacks (missing hostname verification) Changes in Release 2.6.1 ============================================= [JOST-210] - AbstractSAMLObject should not override equals but not hashCode [JOST-213] - Scoping class has incorrect xsi:type [JOST-215] - Opensaml1 failed to pass veracode due Use of Wrong Operator in String Comparison (CWE ID 597) [JOST-218] - AbstractMetadataProvider is incorrectly performing an unnecessary validity check and erroneous TRACE message [JOST-219] - AbstractReloadingMetadataProvider refresh() is public, should be synchronized for concurrent access [JOST-220] - IdP stopping metadata retrieval Also, updating POM to implement: [JXT-106] - Update Apache Santuario (xmlsec) to 1.5.6 Changes in Release 2.6.0 ============================================= [JOST-135] - Opensaml prunes empty xml namespaces, that are required for correct encryption [JOST-162] - Globally enabling schema validation breaks the Signature metadata filter [JOST-169] - Update Velocity Dependency [JOST-183] - AbstractReloadingMetadataProvider code for maxRefreshDelay doesn't match documentation [JOST-184] - It would be nice if ESAPI.encodeForURL could be made to work [JOST-185] - Defaultbootstrap does not initialize the providers from the WS-Trust and WS-Policy schemas in openws [JOST-187] - Velocity initialization code uses an invalid key for the configuration properties set [JOST-188] - DefaultBootstrap is unnecessarily calling Velocity singleton initialization [JOST-190] - Backport some bugfixes from OpenSAML3 [JOST-191] - Merge back misc XACML fixes from OpenSAML3 [JOST-192] - org.opensaml.saml2.metadata.provider.SignatureValidationFilter => java.lang.UnsupportedOperationException [JOST-193] - Make the implementation of custom bootstrap code easier, without relying on private data from DefaultBootstrap [JOST-194] - org.opensaml.ESAPISecurityConfig should use singleton pattern like the default ESAPI reference class [JOST-195] - Use system property-based override for our custom ESAPI config rather than ESAPI locator class call [JOST-196] - On MetadataProviderCredentialResolver, expose the MetadataProvider used to construct the resolver [JOST-197] - XML providers for Async Logout extensions [JOST-198] - Configuration files for XMLObject providers often missing Type registrations [JOST-199] - SAML SOAP encoders should use the supplied outbound SOAP Envelope from the message context, if it exists [JOST-200] - Reduce memory usage of unit tests [JOST-201] - SAML1 and 2 base message encoders have incorrect selection logic in getEndpointURL() [JOST-203] - Head/body template injection for SAML binding templates [JOST-205] - MetadataProvider doesn't report error during refresh if the metadata file doesn't exist any more [JOST-206] - Setting failFastInitialization=false has no effect [JOST-207] - FilesystemMetadataProvider fetchMetadata() does not work correctly if file last modified time is older than getLastRefresh() in some cases [JOST-208] - FileBackedHTTPMetadataProvider constructor doesn't behave correctly vis-a-vis fail-fast setting if the backing file path has problems [JOST-209] - Add tests for fail-fast in HTTPMetadataProvider Changes in Release 2.5.3 ============================================= [JOST-176] - SubjectConfirmationUnmarshaller processChildElement misplaces KeyInfo [JOST-179] - FileBackedHTTPMetadataProvider does not properly release HTTP connections [JOST-180] - Update dependencies [JOST-181] - Bug in marshalling an XACML Policy AttributeDesignatorType [JOST-182] - Clean up maven assembly description Changes in Release 2.5.2 ============================================= [JOST-160] - Not all times in logging normalized to Zulu [JOST-163] - No way to stop AbstractReloadingMetadataProvider threads [JOST-164] - MetadataProvider minRefreshDelay cannot be set greater than 4 hours [JOST-165] - Update 3rd party runtime library dependencies [JOST-171] - org.opensaml.saml2.metadata.provider.AbstractReloadingMetadataProvider:246 missing param in logging statement [JOST-173] - Wrong Treatment of ResponseLocation and Location in Metadata [JOST-174] - ChainingMetadataProvider calls clear() on unmodifiable list Changes in Release 2.5.1 ============================================= - Addressed a signature wrapping attack Changes in Release 2.5.0 ============================================= [JOST-119] - change pom to create attached -sources jar [JOST-135] - Update Version class with getVersion() and getName() static methods [JOST-145] - can not create policy file with EnvironmentAttributeDesignator tag [JOST-147] - Add support for MDUI extensions into OpenSAML2 [JOST-149] - SubjectTypeImplBuilder typo causes invalid documents to be built [JOST-150] - Template input needs to be HTML encoded. [JOST-151] - Fix up some potential concurrency issues with metadata provders and filters [JOST-152] - Some pom changes for Opensaml2 [JOST-153] - Javadoc fixes [JOST-154] - FilesystemMetadataProviderTest failed [JOST-155] - MetadataCredentialResolverCachingTest.testSigning_UnspecToEncryption failed [JOST-156] - MetadataCredentialResolverCachingTest.testSigning_EncryptionToUnspec failed [JOST-157] - references to spaces.internet.edu may need changed to wiki.shibboleth.net [JOST-158] - Update POM for Shib.net Repo and attach generate Javadocs [JOST-159] - Support EntityAttributes metadata extension Changes in Release 2.4.1 ============================================= [JOST-134] - Static helper classes should not use static Loggers [JOST-137] - Option for BasicSAMLArtifactMapEntryFactory to explicitly serialize the SAML message in the newly created entry [JOST-139] - Update libs for 2.4.1 [JOST-140] - understoodHeaders fields not initialized in HTTPSOAP11Decoder no args constructor [JOST-142] - Replay rule passes "null" into replay check if requiredRule not set [JOST-143] - Metadata refresh occuring every 5 minutes [JOST-144] - ResourcedBacked metadata provider with local files reloads too often Changes in Release 2.4.0 ============================================= [JOST-36] - XACML marshallers and unmarshallers should extend abstract superclasses [JOST-63] - Investigate whether a fatal metadata filter error can be made to not cause a fatal error in the provider [JOST-88] - Create an AttributeConsumingServiceSelector, similar in API to the existing Basic- and AuthnRequest Endpoint selectors [JOST-100] - BaseMessageDecoder uses java.net.URL equals() for URI comparison [JOST-102] - don't download remote metadata if it hasn't changed [JOST-106] - Improved logging when configuration / metadata reloaded [JOST-107] - cached metadata should include XML comments [JOST-108] - Metadata provider should ignore SSL server cert (at least optionally) [JOST-109] - The IDP should verify that the fetched metadata is valid, even after filters, before overwriting the previous one [JOST-110] - Clean up Basic- artifact map and entry or add alternative implementations [JOST-111] - control metadata load with a scheduled job rather than on demand [JOST-112] - Overuse of InclusivePrefixes list when signing [JOST-116] - QueryDescriptorTypeImpl.getOrderedChildren() does not include children from superclass [JOST-118] - Configure Apache XML Security library to not emit line breaks by default [JOST-122] - Consent value mismatch [JOST-123] - Use of invalide metadata results in strange error from RequiredValidUntil filter [JOST-124] - Metadata providers could log a warning if the initial metadata they get is expired [JOST-125] - FileBackedHTTPMetadataProvider stops reloading metadata under certain conditions [JOST-126] - Declare all non-visibly used namespaces on a signed SignableSAMLObject [JOST-127] - Update 3rd party libraries for 2.4.0 release [JOST-128] - Defaulting of various metadata collections may be incorrect [JOST-129] - Malformed metadata causes an NPE (OrganizationName, OrganizationDisplayName and probably many others) [JOST-131] - Typo in SSODescriptor interface getDefaultArtificateResolutionService() Changes in Release 2.3.2 ============================================= [JOST-84] - FileBackedHTTPMetadataProvider takes inordinately long to time out [JOST-98] - AttributeConsumingServices in SPSSODescriptorSchemaValidator [JOST-101] - Expired message should be logged with WARN level instead of ERROR [JOST-103] - Wrong log level for "Credential cache cleared" [JOST-104] - Expired metadata element caused fatal IllegalArgumentException Changes in Release 2.3.1 ============================================= [JOST-99] - Form generation vulnerable to XSS injection Changes in Release 2.3.0 ============================================= [JOST-28] - BaseSAML1MessageDecoder and subclasses mistakenly take an ArtifactMap as a constructor arg [JOST-69] - BasicSAMLArtifactMap dereferences a pointer that might be null [JOST-76] - Relax requirement that HTTP requests be GETs when using Redirect and Artifact Binding [JOST-77] - Metadata refresh causes ConcurrentModificationException and idp failure [JOST-78] - Update libs for 2.2.4 release [JOST-79] - StatusDetail builder is missing from saml2-protocol-config.properties file [JOST-83] - Add object provider support for Condition for Delegation Restriction extension schema [JOST-85] - metadata missing entityId causes NullPointerException [JOST-86] - In absense of matching endpoint, IDP choose the first ACS in metadata. [JOST-87] - In org.opensaml.saml2.binding.encoding.BaseSAML2MessageEncoder OutboundMessage should be compared against StatusResponseType instead of Response [JOST-89] - Create XMLObject object provider for IdP Discovery Protocol endpoint * Add object provider support for SAML 2 ECP schema Changes in Release 2.2.3 ============================================= [JOST-70] - ActionType typo in xacml20-context-config.xml [JOST-71] - Wrong localname in StatusMessageTypeImplBuilder [JOST-72] - XACMLAuthzDecisionQuery : returncontext attribute not handled properly by marshaller * Add various XACML constants * Major memory usage improvements * Pick up latest version of libs Changes in Release 2.2.2 ============================================= [JOST-66] Cleanup ArtifactMap related classes [JOST-67] SAML 1 and 2 POST encoders rely on system encoding when providing the bytes for Base64 encoding * Update logging libraries to grab some bug fixes Changes in Release 2.2.1 ============================================= [JOST-64] - Multiple calls to ChainingMetadataProvider#getMetadata result in "EntitiesDescriptor is already the child of another XMLObject" exception Changes in Release 2.2.0 ============================================= [JOST-32] - MetadataSignatureFilter should verify signatures on RoleDescriptor and AffiliationDescriptor elements [JOST-35] - some XACML elements not correctly marshalled [JOST-37] - inline policies in XACML policy sets cannot be unmarshalled [JOST-38] - Marshalling problem for AttributeAssignmentType [JOST-39] - ReferencedPolicies not used correctly [JOST-40] - Misspelled method name in ReferencedPoliciesType [JOST-42] - Missing function for PolicySetType choice group [JOST-43] - Method setExpression() of class ExpressionType doesn't work [JOST-44] - Method getAttributeValues() of AttributeType should return List [JOST-45] - Missing StatusMessage and Description XACML object implementations [JOST-46] - Method getPolicies of PolicySetType returns null [JOST-48] - Add feature to require validUntil expiration on metadata [JOST-49] - cacheDuration and validUntil values in metadata are ignored [JOST-50] - Security policy rule which evaluates and enforces SAML 2 metadata SPSSODescriptor/@AuthnRequestsSigned [JOST-51] - Issue with multiple obligation handlers [JOST-53] - boolean values can not be nulled. Setters should take Boolean objects as in the SAML classes [JOST-54] - New addObligationhandlers method in ObligationService [JOST-62] - Add version information in library JAR manifest and provide command line tool to view it Changes in Release 2.1.0 ============================================= * Addition of contributed XACML code