-
Notifications
You must be signed in to change notification settings - Fork 6
/
CHANGES
178 lines (130 loc) · 6.68 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
2.8.7
-- Moving --fetch-static-idp-file to orp so data only nodes can have it installed
2.3.0
-- https://github.com/ESGF/esg-orp/issues?milestone=1&state=closed
2.2.0
-- Switched YUI libraries to be served from Google CDN (ajax.googleapis.com) as Yahoo site does not allow for https
(preventing users from registering at ORP)
2.0.0
- Refactored to include end-point for authorization service.
2.0.1
- Removing 401 status code for all URLs except on login redirect.
- Upgraded security dependency.
2.1.0
- Upgrading security dependency to 2.0.3
2.1.1
- Copied over example XML configuration files from esgf-security module.
2.1.2
- Added CMIP5 Commercial group to esgf_ats_static.xml
2.1.3
- Removed CMIP5 endpoints in esgf_ats_static.xml otherwise they show up as multiple registration buttons.
2.1.4
- Upgraded dependency of esgf-security to avoid duplicate group registration URLs
- Inserted common entries in esgf_ats_static.xml
- Inserted example entries in esgf_policies_local.xml (commented out)
2.1.5
- Upgraded security dependency
2.1.6
- Inserted commented-out statement about role="default" for CMIP5 access.
2.1.7
-- Prevented registration for obsolete role="default" (in view only)
2.1.9
-- Sanitization of openid string at form submission.
======================== OLDER VERSIONS (in reverse order) ================================
1.2.12
Renamed a few classes
1.2.11
Updating security dependency again.
1.2.10
Updating security dependency.
1.2.9
Updated dependency on esgf-security.
1.2.8
Introduced the CompositePolicyService to support multiple collaborators for the AuthenticationFilter,
in order for exampe to combine matching regular expressions with parsing the ESGF policy files.
1.2.7
Fixed bug in registration module that prevented proper download of resource
1.2.6
Switching Openid4Java consumer to use general registry facility from esgf-security package.
Configuring the ORP with a dynamic and a static whitelist of trusted IdPs.
1.2.5
Inserting support for registering with groups that don't have automatic approval.
1.2.4
Merged BADC work on re-factoring OpenDAP support.
Moved all business logic out of SAMLAuthorizationFilterCollaborator into SAMLAuthorizationServiceClient.
1.2.3
Inserted generic Authorizer interface and SAML implementation, for use of framework outside of servlet filters.
1.2.2
Fixed bug that prevented authorization of .das, .dds requests from gateway.
Improved messaging on registration user interface in the case no access control groups are returned.
1.2.1
Changed application style to same look and feel as ESGF Identity provider.
1.2.0
Inserted support for group registration workflow
Inserted RegistrationFilter for redirection to registration relay page
1.1.4
Changed AuthenticationByIPFilter to read a dynamic list of LAS servers IP addresses.
Upgraded Spring dependency to 3.0.5
1.1.3 Changed name of trusted IdP white list file to esgf_idp.xml
1.1.2
Modified TDSPolicyService to allow securing of opendap aggregations. The URI of an aggregation request
("/obs4cmip5.NASA-JPL.AQUA.AIRS.mon.hus.1.aggregation.1.dods") is reduced to the dataset id of the THREDDS catalog
("obs4cmip5.NASA-JPL.AQUA.AIRS.mon.hus.1.aggregation.1") which is correctly restricted by the TDS
1.1.0
Inserted capability of reading white list of trusted Identity Providers from local file.
The location of the file is specified in the Spring XML configuration, currently encoded as /esg/config/idpWhiteList.xml.
Every time the file is updated, the white list will be reloaded the first time it needs to be used.
1.0.5
Modified Authorization Filter to query multiple endpoints, sequentially.
Added NOAA endpoints to white list.
Commenting out keystore location properties in esg-orp.properties
Updating dependency on esgf-security module.
1.0.4 Added PCMDI and ORNL ESGF nodes endpoints
1.0.3 Improved help text in login page to display redirect URL to user (http://esgf.org/bugzilla/show_bug.cgi?id=38)
1.0.1
Change numbering schema again to start with 1.0 :-)
moved properties from WEB-INF/esg/orp/orp/config/application.properties to
WEB-INF/classes/esg-orp.properties
If properties not present or configured, try to parse CATALINA_HOME/conf/server.xml
retrieving the data from the first connector which is declared as secured.
auth filter: get's ORP certificate by connecting per SSL to the ORP (thus validating the certificate)
auth filter: Certificate is cached and check for expiration before being used.
auth filter: SAML cookie is cached along with other information (cookie validity dates)
in the user session. Until the expiration date the cookie will be verbatim compared
with that from the user session. If it's the same one, no further authentication
takes place.
1.1.2.1
Changed numbering schema to start with datanode number.
Resolved warnings due to deprecated constructors in Spring Security package.
Renaming package from "esg.datanode.security" to "esg.orp".
Fixed HTTP parameter name ("openid_identifier") for automatic redirect from the ORP to the IdP, if present.
1.2.1
Migrated code to ESGF GIT repository, restructured to be compiled by Ivy
Updated dependencies on Spring and Tiles jars
Inserted AuthenticationByIPFilter to be used for LAS.
1.2.0
- Moved XML configuration files to ORP specific directory: esg/datanode/security/orp/config
- Moved application.properties to ORP specific directory: esg/datanode/security/orp/config
- Changed name of LOG output stream
- Introduced support for OpenID attribute exchange
1.1.9
Added BSD Open Source License license
Insert experimental filter X509PreAuthenticationFilter
- Detects client X509 certificate and sets authorization flag (bypass redirection to ORP)
- Only works for HTTPS requests
- Must be inserted before AuthenticationFilter
- DO NOT USE IN PRODUCTION
1.1.8
Enabled white listing of Identity Providers.
- Required manual configuration of OpenIDAuthenticationFilter in security context.
Moved retrieval and parsing of SAML authentication cookie from AuthorizationFilter to AuthenticationFilter.
- Makes authentication process more self-consistent (also lowers the chance of getting order of filters wrong)
- Requires the filter parameters "trustore" and "trustorePassword" to be set on the AuthenticationFilter instead of the AuthorizationFilter.
- If the SAML authentication cookie is found and succesfully parsed, the use openid identity is saved at request scope as the value of
the attribute named "esg.openid" - can be retrieved by any downstream component including the metrics filter.
1.1.0
Inclusion of new components for expanded flexibility:
- FilterAuthorizationFilter as an alternative to the TDSAuthorizer
- NoAuthorizationFilterCollaborator to bypass authorization
1.0.0
Initial distribution