GridShib for GT Change Log

gridshib-gt-0_6_0-rc (2008-04-07)
* fix distribution build script
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5824
* reorganize documentation
** introduce docbook-generated documentation
** rewrite the readme doc
** update the Quick Start
** add a new standalone change log
** update all copyright notices
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5854
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5747
* implement a blacklist of name IDs
** add new config parameter "blacklistNameIdentifiersFile"
** implement SAMLPrincipal and GS4GTSecurityContextLogger classes
** refactor GS4GTSecurityContext class
** refactor isPermitted method in SAMLBlacklistPDPImpl class
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5960
* fix attribute matching algorithm
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5971
* add username principals to GS4GT security context
** log mapped usernames in GS4GTSecurityContextLogger
** log usernames from gridmap short-circuiting
** implement UserNamePrincipal class
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5979
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5980

gridshib-gt-0_6_0-alpha (2008-01-31)
* add new documentation
** add readme.html and quick-start.html
* modify build files
** automate distribution process
** distribute ZIP as well as GZIP
** repair build of JAR files
** rationalize build.properties files
** require JDK 1.4 source builds
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5101
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5237
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5165
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5194
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5562
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5564
* remove configuration parameters
** remove AAIdentity config parameter (AUTHZ_IDENTITY_KEY)
** remove requireAuthzMap config parameter (AUTHZ_MAP_KEY)
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5565
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5566
* require absolute paths in configuration files
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5569
* fix incompatibility with GT 4.1.3
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5709
* fix return type of SecurityContextFactory method
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5817
* incorporate GS4GT into GT nightly build process

gridshib-gt-0_6_0-tp4 (2007-07-30)

gridshib-gt-0_6_0-tp3 (2007-06-25)
* fix username mapping algorithm
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5326
* upgrade proxy interceptors to GT 4.1.2
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5372
* fork EchoService source code for GT 4.1+
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5373

gridshib-gt-0_6_0-tp2 (2007-05-21)

gridshib-gt-0_6_0-tp1 (2007-05-14)
* fix bug in proxy PIP
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5177

gridshib-gt-0_5_2 (2007-04-04)
* Resolved GT4.0.4 compiling issue: added workaround discussed in bug 5117 (see comment #7).
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5117
* Enhanced build structure: changed base package names listed below:

   Distribution  Old Package Name       New Package Name
   binary        gridshib-gt            gridshib-gt-core
   source        attribute_service      gridshib-gt-service
   source        gridshib-gt-unittests  gridshib-gt-service-unittests

   See bug 5164 for details.
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5164
* Resolved SAMLAuthnPIP issue, trusted authentication authorities configuration was being lost: bug 5177.
* Resolved SAML tools 0.1.3 compatibility issue: bug 5181.
** http://bugzilla.globus.org/globus/show_bug.cgi?id=5181
* Fixed numerous bugs and typos in the documentation
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4962
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4937

gridshib-gt-0_5_1 (2007-02-15)
* Added the optional ability to include VOMS authorization decisions as part of the GridShib PDP's decision. This is particularly useful for GT4.0.x deployments that need to support both, since it provides an OR combination with SAML attribute based authorization (vs. an AND combination, which is all that GT4.0.x security chains provide). See the VOMS section.
* The SAML Authentication Assertion PIP now accepts GSI2 impersonation proxies (previously it accepted only GSI3 and GSI4).
* An exception produced in the SAML Authentication Assertion PIP (except for initialization exceptions) no longer halts the entire authentication/authorization process for that operation.
* Fix documentation bug
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4999

gridshib-gt-0_5_0 (2006-11-30)
* All of the functionality is now compatible with both GT4.0.x and the new GT4.1 development release. There were major changes in the GT4.1 authorization infrastructure, and the GridShib code has been restructured to work with both the new and old GT authorization APIs by using small wrappers specific to each. When installing from source, the correct wrapper is included by auto-sensing the Globus installation being used. When installing from binaries (GAR files), you must use the appropriate, version-specific GAR.
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4637
* Matched XML dependency jars with GT4.1 and gt-opensaml. When installing on top of GT4.1+, there is no longer a library overwrite of xalan.jar, xercesImpl.jar, and xml-apis.jar.
* Replaced the DN access control list with gridmap authorization (that will also map DNs to usernames for use by grid services such as GRAM).
  For 4.0.x, this behavior is activated with a new configuration "consultDefaultGridmap". For 4.1+, you can configure the authorization chain to try gridmap authorization before the gridshib PDP. In both cases, as with the previous DN access control functionality, a successful match will short-circuit the authorization processing, bypassing attribute based authorization.
* Resolved bug 4582: the SAML authentication assertion PIP now accepts only the bearer confirmation method.
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4582
* The SAML authentication assertion PIP requires the trusted authorities file to be an absolute path.
* All of the Java packages were migrated from org.globus.wsrf.impl.security.authorization to org.globus.gridshib.gt.authorization.
* Logging must now be configured with the "log4j.category.org.globus.gridshib" prefix. For example: "log4j.category.org.globus.gridshib=INFO" and "log4j.category.org.globus.gridshib=DEBUG".
* Logging statements were enhanced throughout the code (especially at the DEBUG level).
* Resolved bug 4681: the rfc2253dn utility program prints correct and more information.
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4681
* For developers: because of the shift to gridmap authorization for identity based authorization, the programmatic configuration of a dynamically instantiated PDP instance (e.g., to protect a particular WSRF resource instance with a particular policy) is now different. Instead of configuring the DN policy via the SHIB_PDP_POLICY_KEY object, use the DEFAULT_GRIDMAP key to pass a GridMap object.
* Fix documentation bugs
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4680
* Update copyright notices
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4179

gridshib-gt-0_4_1 (2006-06-19)
* Added the SAML authentication assertion PIP, which can be used with the SAML authentication assertion embedding tool for IdP (and principal name) discovery.
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4500
** http://bugzilla.globus.org/globus/show_bug.cgi?id=4423

gridshib-gt-0_4_0 (2006-03-11)
* Enabled query PIP to use metadata for its AA configuration, see "Using SAML2 metadata to configure GridShib for GT"
* Added metadata tool to translate metadata into trusted certificate files (PEM), see "Using SAML2 metadata to configure GridShib for GT"
* To enable metadata parsing, we have added the metadata parsing functionality found in Shibboleth 1.3c to OpenSAML 1.1 and are using the resulting combination in a library named globus-opensaml-1.1.jar. For more information, see its README file.
* New versions of xalan.jar, xercesImpl.jar, and xml-apis.jar are needed to support globus-opensaml-1.1.jar. Deploying gridshib-gt will update the current GT4.0.x jars. They are backwards compatible to the libraries distributed with GT4.0.x. See this paragraph for more information.
* Resolved bug 3820
** http://bugzilla.globus.org/globus/show_bug.cgi?id=3820
* Added new documentation section for the metadata enhancements and added documentation for the SAMLMapPIP that can map attributes to system accounts (see the Username mappings section).