Upgrading IPRangePredicate and predicate logic to idp 4.0.0

Redman, Chad chad_redman at unc.edu
Tue Mar 24 14:02:03 EDT 2020

Our idp 3.4.6 configuration had a condition on the shibboleth.SessionManager, which enforced consistent address checks for a range *outside of* a set of CIDR blocks. In 3.4.6, the configuration was

idp.session.consistentAddressCondition = custom.CheckAddressForNonLocalOnly

    <bean id="custom.CheckAddressForNonLocalOnly" parent="shibboleth.Conditions.NOT">
        <constructor-arg ref="custom.WhitelistIPCheck" />
    </bean>
    <bean id="custom.WhitelistIPCheck" class="org.opensaml.profile.logic.IPRangePredicate">
        <property name="ranges">
            <list>
                <bean class="net.shibboleth.utilities.java.support.net.IPRange" factory-method="parseCIDRBlock" c:cidrBlock="..." />
            </list>
        </property>
    </bean>

In idp 4.0.0, the consistentAddressCondition property in the shibboleth.SessionManager bean now uses a BiPredicate instead of a Predicate. For the IP check itself, it appears I need to change the class from org.opensaml.profile.logic.IPRangePredicate to net.shibboleth.idp.session.logic.IPRangeBiPredicate. However, trying to invert that result with a shibboleth.Conditions.NOT predicate no longer works, as there is no conversion between Predicate and BiPredicate.

Is there a better way of configuring this so that there is no Predicate/BiPredicate mismatch?

