Trouble with signature filter skipping
Guillaume Rousse
guillaume.rousse at renater.fr
Fri Sep 14 05:25:24 EDT 2018
On 10/09/2018 at 14:49, Tom Scavo wrote:
> On Mon, Sep 10, 2018 at 7:43 AM Guillaume Rousse
> <guillaume.rousse at renater.fr> wrote:
>>
>> However, I've been unable to produce the expected log message ("Skipping
>> SignatureMetadataFilter on load from backup") in the SP logs, despite
>> setting the required category in shibd.logger configuration file
>> (log4j.category.OpenSAML.MetadataFilter.Signature=DEBUG).
>
> You probably already know this but the backup file is only referenced
> at startup.
>
>> Basically, it
>> doesn't have any effect, at least with my settings. What am I doing wrong?
>
> I don't know, did you restart the SP?
Yes, I did, as my tests involved monitoring SP start time.
I finally found the answer in the documentation, after running the SP
through gdb: the backing file is just a backup, and not a cache, as I
naively supposed:

"If a url attribute is used, the downloaded resource is copied to this
location. If the software is started and the remote resource is
unavailable or invalid, the backing file is loaded instead"

The issue is made even worse by the fact that we often use the same metadata
multiple times, in multiple application-specific configuration overrides
:/ I guess we'll have to investigate dynamic metadata loading, as
suggested by Scott in another thread.
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr