WSS4J / WSS-305

Migrate to OpenSaml2 2.5.1 from 2.4.1

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.1, 1.6.2
    • Fix Version/s: 1.6.3
    • Component/s: None
    • Labels:
      None
    • Environment:

      Description

      We are implementing SAML solutions and I want to make sure we can do whatever our customers need.

      Migrate to OpenSaml2 2.5.1 from 2.4.1.

        Activity

        Gary Gregory added a comment -

        Nexus promotion is complete.

        Gary Gregory added a comment -

        FYI: The bundles are staged here:

        xmltooling: https://oss.sonatype.org/content/repositories/central_bundles-032
        openws: https://oss.sonatype.org/content/repositories/central_bundles-033
        opensaml: https://oss.sonatype.org/content/repositories/central_bundles-034

        Gary

        Gary Gregory added a comment -

        I got a successful WSS4J build and my repo only has "-1" opensaml artifacts. I'll have to submit the opensaml bundles now...

        Gary Gregory added a comment -

        Hi Colm,

        I missed that somehow, sorry. I'll try it out.

        Thank you,
        Gary

        Colm O hEigeartaigh added a comment -

        As a sanity test I suggested deleting your maven repo and doing a mvn clean install again, and checking that none of the Shibboleth jars get downloaded.

        Colm.

        Gary Gregory added a comment -

        Hi Colm and All:

        On 08/31/11, I was able to build and test the WSS4J build with the WSS4J POM set to opensaml2 2.5.1-1, xml-apis 1.4.01, and Xerces 2.10.0 with the bundles attached to https://issues.sonatype.org/browse/OSSRH-2113

        Can someone here please test these before I submit them? I want to avoid the fiasco of the first round of submissions.

        Thank you,
        Gary

        Gary Gregory added a comment -

        Colm:

        Do you have any thoughts WRT https://issues.sonatype.org/browse/OSSRH-2113?focusedCommentId=137353&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-137353 ?

        Thank you,
        Gary

        Gary Gregory added a comment -

        I've taken Juven's suggestion and posted new bundles with a "-1" version postfix to https://issues.sonatype.org/browse/OSSRH-2113

        Gary Gregory added a comment - - edited

        Hi Colm,

        WRT https://issues.sonatype.org/browse/OSSRH-2113?focusedCommentId=137222&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-137222

        Could you please opine on the severity of the issue here: https://issues.sonatype.org/browse/OSSRH-2113

        Thank you,
        Gary

        Gary Gregory added a comment -

        Ok, I've added fixed bundles to the ticket https://issues.sonatype.org/browse/OSSRH-2113

        Thanks for more catches.

        Gary

        Colm O hEigeartaigh added a comment -

        The same problem exists for xmltooling and openws btw.

        Colm.

        Gary Gregory added a comment -

        Hi Colm,

        Arg!

        I created https://issues.sonatype.org/browse/OSSRH-2113 and attached a fixed bundle to the ticket.

        Good (late) catch!

        Thank you,
        Gary

        Colm O hEigeartaigh added a comment -

        Hi Gary,

        The problem is in the Opensaml pom(s):

        http://repo1.maven.org/maven2/org/opensaml/opensaml/2.5.1/opensaml-2.5.1.pom

        <dependency>
          <groupId>${xerces.groupId}</groupId>
          <artifactId>xml-apis</artifactId>
          <version>1.4.01</version>
          <scope>runtime</scope>
        </dependency>

        Colm.

        Gary Gregory added a comment -

        Hi Colm,

        Are you sure you are talking about xml-apis?

        When I look at http://search.maven.org/remotecontent?filepath=xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.pom

        I see:

        <groupId>xml-apis</groupId><artifactId>xml-apis</artifactId>

        Gary

        Colm O hEigeartaigh added a comment -

        Hi Gary,

        Unfortunately there is a bug in the poms...xml-apis has the wrong groupId (xerces, should be xml-apis). It doesn't really matter for the moment as I can override it in the WSS4J pom. I'm not sure if there's a procedure for changing artifacts that have already been uploaded to maven central.

        Colm.

        Gary Gregory added a comment -

        There are now four new bundles in the Central Sync Sources:

        • xml-apis-1.4.01
        • xmltooling-1.3.2
        • openws-1.4.2
        • opensaml-2.5.1

        For example, OpenSaml 2.5.1 is here: https://oss.sonatype.org/index.html#view-repositories;central-sync~browsestorage~/org/opensaml/opensaml/2.5.1/opensaml-2.5.1.jar

        For the archeologists out there, please see: https://issues.sonatype.org/browse/OSSRH-2101

        Gary Gregory added a comment -

        Interesting development: https://issues.sonatype.org/browse/OSSRH-2101?focusedCommentId=137090&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-137090

        Gary Gregory added a comment -

        Created https://issues.sonatype.org/browse/OSSRH-2101

        Colm O hEigeartaigh added a comment -

        Try creating a JIRA here and asking them:

        https://issues.sonatype.org/browse/OSSRH

        Colm.

        Gary Gregory added a comment -

        All staging repos have dropped. Reason unknown

        – Posted from Bugbox for iPhone

        Gary Gregory added a comment - - edited

        xml-apis-1.4.01 uploaded to https://oss.sonatype.org/content/repositories/central_bundles-207
        xmltooling-1.3.2-bundle.jar uploaded to https://oss.sonatype.org/content/repositories/central_bundles-209
        openws-1.4.2-bundle.jar uploaded to https://oss.sonatype.org/content/repositories/central_bundles-210
        opensaml-2.5.1-bundle.jar uploaded to https://oss.sonatype.org/content/repositories/central_bundles-211

        Gary Gregory added a comment -

        Ah, I missed some stuff:

        -Invalid POM: /xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.pom: License information missing, Developer information missing

        Colm O hEigeartaigh added a comment -

        Looks good to me.

        Colm.

        Gary Gregory added a comment -

        Arg!

        One more time, please check https://people.apache.org/~ggregory/temp/xml-apis-1.4.01-bundle.jar

        Thank you!
        Gary

        Colm O hEigeartaigh added a comment -

        This part of the pom is wrong:

        <scm>
          <connection>scm:svn:http://svn.apache.org/repos/asf/xml/commons/tags/xml-commons-external-1_3_04/</connection>
          <url>http://svn.apache.org/viewvc/xml/commons/tags/xml-commons-external-1_3_04/</url>
        </scm>

        Colm.

        Gary Gregory added a comment -

        Hi Colm,

        Can you please check https://people.apache.org/~ggregory/temp/xml-apis-1.4.01-bundle.jar

        Thank you,
        Gary

        Colm O hEigeartaigh added a comment -

        Hi Gary,

        They look fine. One problem though is that the Xerces 2.10 version you've uploaded has a dependency on XML-APIs 1.4.01 (as do the Opensaml poms) that does not exist in Maven Central:

        http://repo1.maven.org/maven2/xml-apis/xml-apis/

        So this needs to be uploaded before the Opensaml bundles.

        Colm.

        Gary Gregory added a comment - - edited

        OK, I've set the xml-apis version to 1.4.01 for both opensaml and openws. Please see https://people.apache.org/~ggregory/temp/

        XMLTooling is up there now as well. Same kind of changes: groupId is now xerces. xml-apis is 1.4.01, same as Xerces.

        Colm O hEigeartaigh added a comment -

        Hi Gary,

        A couple of points...

        1) You're missing a bundle for XMLTooling 1.3.2
        2) xml-apis version is incorrect - it's set at 2.10.0 in the openws pom.

        Colm.

        Gary Gregory added a comment -

        Please try the bundles in:

        https://people.apache.org/~ggregory/temp/

        You should see:

        opensaml-2.5.1-bundle.jar <https://people.apache.org/%7Eggregory/temp/opensaml-2.5.1-bundle.jar> 17-Aug-2011 14:43 8.9M
        openws-1.4.2-bundle.jar <https://people.apache.org/%7Eggregory/temp/openws-1.4.2-bundle.jar> 17-Aug-2011 14:43 4.1M

        Gary

        On Wed, Aug 17, 2011 at 10:35 AM, Colm O hEigeartaigh (JIRA) <


        Thank you,
        Gary

        http://garygregory.wordpress.com/
        http://garygregory.com/
        http://people.apache.org/~ggregory/
        http://twitter.com/GaryGregory

        Colm O hEigeartaigh added a comment -

        Hi Gary,

        I'm not sure why they got dropped again. Could you upload the bundles somewhere where I could test them before trying again?

        Colm.

        Gary Gregory added a comment -

        Does anyone know what happened? What's next?

        Gary Gregory added a comment -

        Ah, something did not work for someone but no details:

        The Central Bundles-109 (u:garygregory, a:98.180.64.79) staging repository has been dropped.
        The Central Bundles-110 (u:garygregory, a:98.180.64.79) staging repository has been dropped.

        Gary Gregory added a comment - - edited

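        OK, here we go again:

        opensaml-2.5.1: https://oss.sonatype.org/content/repositories/central_bundles-109
        openws-1.4.2: https://oss.sonatype.org/content/repositories/central_bundles-110
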
        POM changes:

        • Removed repository section pointing to shibboleth.net
        • Removed distribution section pointing to shibboleth.net
        • Changed the Xerces groupId reference from org.apache.xerces to xerces to match what is in WSS4J's POM which also matches what is in Maven Central.
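
The POM review done by hand in this thread (repository sections pointing at shibboleth.net, and the xml-apis dependency resolving to the wrong groupId or version) can be automated before a bundle is staged. The following is an added example, not code from WSS4J or OpenSAML; the sample POM, the `AVAILABLE` coordinate set and the function names are constructed for illustration, and it inspects a single POM without parent or dependencyManagement resolution.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
CENTRAL_HOSTS = {"repo1.maven.org", "repo.maven.apache.org"}

# Constructed stand-in for "coordinates Maven Central already serves" (assumption).
AVAILABLE = {("xerces", "xercesImpl", "2.10.0"), ("xml-apis", "xml-apis", "1.4.01")}

# Constructed POM reproducing the problems raised in this thread; the
# repository URL is a made-up path on the host the thread mentions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.opensaml</groupId>
  <artifactId>opensaml</artifactId>
  <version>2.5.1</version>
  <properties>
    <xerces.groupId>xerces</xerces.groupId>
  </properties>
  <repositories>
    <repository>
      <id>shibboleth</id>
      <url>https://shibboleth.net/nexus/</url>
    </repository>
  </repositories>
  <dependencies>
    <dependency>
      <groupId>${xerces.groupId}</groupId>
      <artifactId>xml-apis</artifactId>
      <version>1.4.01</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>${xerces.groupId}</groupId>
      <artifactId>xercesImpl</artifactId>
      <version>2.10.0</version>
    </dependency>
  </dependencies>
</project>
"""


def _expand(text, props):
    """Substitute ${name} from the POM's own <properties>; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), text.strip())


def lint_pom(pom_xml, available=AVAILABLE):
    """Return a list of (kind, subject, suggestion) findings for one POM."""
    root = ET.fromstring(pom_xml)
    props = {el.tag.split("}", 1)[-1]: (el.text or "").strip()
             for el in root.findall("m:properties/*", NS)}
    findings = []
    # Repository and deployment sections that point away from Central.
    for path in ("m:repositories/m:repository",
                 "m:pluginRepositories/m:pluginRepository",
                 "m:distributionManagement/*"):
        for el in root.findall(path, NS):
            url = _expand(el.findtext("m:url", "", NS), props)
            host = urlparse(url).hostname
            if host and host not in CENTRAL_HOSTS:
                findings.append(("repository", url, None))
    # Dependencies whose resolved coordinates are not in the available set.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g, a, v = (_expand(dep.findtext("m:" + tag, "", NS), props)
                   for tag in ("groupId", "artifactId", "version"))
        if (g, a, v) not in available:
            # Suggest a coordinate with the same artifactId, if one exists.
            near = sorted(":".join(c) for c in available if c[1] == a)
            findings.append(("dependency", f"{g}:{a}:{v}", near[0] if near else None))
    return findings


if __name__ == "__main__":
    for finding in lint_pom(SAMPLE_POM):
        print(finding)
```
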
        Colm O hEigeartaigh added a comment -

        Hi Gary,

        Do you have a link where I can take a look at the bundles before they get uploaded to Maven Central? What changes did you make to the poms?

        Colm.

        Gary Gregory added a comment -

        FYI:

        ---------- Forwarded message ----------
        From: Nexus Repository Manager <nexus@oss.sonatype.org>
        Date: Tue, Aug 16, 2011 at 9:58 AM
        Subject: Nexus: Staging Completed.
        To: Gary Gregory <garydgregory@gmail.com>, central@sonatype.com

        Description:

        Close staging repository automatically for uploaded bundle.

        Details:

        The following artifacts have been staged to the Central Bundles-093 (u:garygregory, a:98.180.64.79) repository.

        openws-1.4.2.jar.asc
        openws-1.4.2.pom
        openws-1.4.2.pom.asc
        openws-1.4.2-javadoc.jar
        openws-1.4.2-javadoc.jar.asc
        openws-1.4.2.jar
        openws-1.4.2-sources.jar.asc
        openws-1.4.2-sources.jar
        archetype-catalog.xml

        Gary Gregory added a comment -

        FYI:

        ---------- Forwarded message ----------
        From: Nexus Repository Manager <nexus@oss.sonatype.org>
        Date: Tue, Aug 16, 2011 at 9:51 AM
        Subject: Nexus: Staging Completed.
        To: Gary Gregory <garydgregory@gmail.com>, central@sonatype.com

        Description:

        Close staging repository automatically for uploaded bundle.

        Details:

        The following artifacts have been staged to the Central Bundles-092 (u:garygregory, a:98.180.64.79) repository.

        opensaml-2.5.1.jar
        opensaml-2.5.1-sources.jar
        opensaml-2.5.1.pom
        opensaml-2.5.1.pom.asc
        opensaml-2.5.1-javadoc.jar
        opensaml-2.5.1-javadoc.jar.asc
        opensaml-2.5.1-sources.jar.asc
        opensaml-2.5.1.jar.asc
        archetype-catalog.xml

        Gary Gregory added a comment -

        FYI:

        From: Nexus Repository Manager <nexus@oss.sonatype.org>
        Date: Tue, Aug 16, 2011 at 3:08 AM
        Subject: Nexus: Promotion Completed.
        To: Gary Gregory <garydgregory@gmail.com>, central@sonatype.com
        
        
        Description:
        
        <groupId>xerces</groupId> <artifactId>xercesImpl</artifactId> <version>2.10.0</version>
        
        Details:
        
        The following artifacts have been promoted to the Central Sync Sources repository.
        
        archetype-catalog.xml
        xercesImpl-2.10.0.jar
        xercesImpl-2.10.0-javadoc.jar.asc
        xercesImpl-2.10.0.pom
        xercesImpl-2.10.0-sources.jar.asc
        xercesImpl-2.10.0-sources.jar
        xercesImpl-2.10.0-javadoc.jar
        xercesImpl-2.10.0.jar.asc
        xercesImpl-2.10.0.pom.asc
        
        Gary Gregory added a comment -

        FYI:

        from: Nexus Repository Manager nexus@oss.sonatype.org
        to: Gary Gregory <garydgregory@gmail.com>, central@sonatype.com
        date: Mon, Aug 15, 2011 at 6:32 PM
        subject: Nexus: Staging Completed.

        Description:
        
        Close staging repository automatically for uploaded bundle.
        
        Details:
        
        The following artifacts have been staged to the Central Bundles-049 (u:garygregory, a:98.180.64.79) repository.
        
        archetype-catalog.xml
        xercesImpl-2.10.0.jar
        xercesImpl-2.10.0-javadoc.jar.asc
        xercesImpl-2.10.0.pom
        xercesImpl-2.10.0-sources.jar.asc
        xercesImpl-2.10.0-sources.jar
        xercesImpl-2.10.0-javadoc.jar
        xercesImpl-2.10.0.jar.asc
        xercesImpl-2.10.0.pom.asc
        

        We'll see if it passes muster

        Gary Gregory added a comment -

        Ah, thank you for the clarifications.

        It looks like the upgrades are:

        • Xerces from 2.9.1 to 2.10.0
        • opensaml openws from 1.4.1 to 1.4.2.

        A new dependency on org.owasp.esapi esapi 2.0GA.

        Daniel Kulp added a comment -


        For the most part, yes. We won't take deps on anything not at central. It's generally a bad idea to do so.

        Gary Gregory added a comment - - edited

        And OpenSaml 2.5.1 is here too: https://shibboleth.net/nexus/index.html

        Does WSS4J require the POM and jars to be in Maven Central or can its build point to the Shibboleth repository?

        Colm O hEigeartaigh added a comment -

        Hi Gary,

        It's not that simple...the Opensaml poms contain dependencies on artifacts that aren't in Maven Central (notably Xerces 2.10). I created the relevant artifacts for 2.4.2 and uploaded them as per the URL you gave. I can look into doing likewise for 2.5.1 when I get a chance.

        Colm.

        Gary Gregory added a comment -

        Ah, I found this: https://docs.sonatype.org/display/Repository/Uploading+3rd-party+Artifacts+to+Maven+Central

        David Morris added a comment -

        FYI

        A recent security advisory on Shibboleth’s site regarding versions of OpenSAML prior to 2.5.1:

        http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

        Basically this indicates a detected XML Signature Wrapping vulnerability which exists in the version of OpenSAML we are using, which is 2.4.1 and their recommendation is to upgrade to the corrected version 2.5.1 from https://wiki.shibboleth.net/confluence/display/SHIB2/IdP2Upgrade.

        Daniel Kulp added a comment -

        Just a point of note that this would require someone to work on getting OpenSaml 2.5.1 into maven central.


          People

          • Assignee:
            Colm O hEigeartaigh
            Reporter:
            Gary Gregory