Build 1.2.0 content

Version 1.2.0
+ Validation of the Citizen country code (SP provided) with the IDP country returned
+ Anti replay mechanism at S-PEPS and C-PEPS level
  (error message will be 200006 - The SAML Request Token is missing or invalid.)
+ Correction in the cookie check when using moa/mocca integration
+ Skew Time configuration for CPEPS
+ SAML not after and not before check
+ Extension on Validation of SAML and Stork schema
+ For mandatory unknown attributes, request should be rejected (Correction)
+ Extend the demo server PEPS configuration by creating keystores and certificates (saml signature)
  by stakeholder (SP/SPEPS/CPEPS/IDP), reflecting reality better (instead of one for all).
+ Security Improvements
    Web session management :
      Add secure flag for session cookies (only available in Servlet 3.0 : tomcat 7 - glassfish 3 - jBoss 7 - webLogic 12c)
      HttpOnly flag for session cookies (only available in Servlet 3.0 : tomcat 7 - glassfish 3 - jBoss 7 - webLogic 12c)
      Add HSTS (force keeping Strict-Transport-Security: max-age=60000; includeSubDomains) with a feature selector
    Framing protection :
      X-Frame-Options header for all the application
    XSS countermeasures
      1. Content Security Policy (CSP)
           Added X-Content-Security-Policy for backward compatibility
           Added X-WebKit-CSP for backward compatibility
           Added Content-Security-Policy
           Modification of the jsp to prevent inline scripting (disabled on the moa/mocca page due to iFrame integration)
           Added a fallback mechanism showing warning message if the CSP filter has been disabled
           Added a report handler logging all the CSP violations
      2. X-XSS-Protection header
           Added the header (use a feature selector declared in peps.xml)
      3. X-Content-Type-Options: nosniff
           Added the header (use a feature selector declared in peps.xml)
+ Code quality : possible nullpointers correction in AUCPEPS, STORKSamlEngine
+ Code quality/security : Standard pseudo-random number generators cannot withstand cryptographic attacks :
  replace with secureRandom.
+ Simplification of configuration :
    Removal of the double references of peps.xml & specific.properties in the classpath.
    All the configurations use spring injection on the same files (located outside of the application).
    Define some default values for possible missing configurations
+ Correction of an UTF-8 issue on encoding on moa/mocca

#######################
previous releases
#######################

Build 1.1.1 content

STORK-Peps-1.1.1.zip = Distribution version '111' of the reference PEPS
Doc\QuickStarted-STORK-Peps-Binaries.doc = Quick Install of preconfigured PEPS
Doc\PEPS 1.1.1 Installation Manual.docx = Detailed install Guide
STORK-Peps-Sources-1.1.1.zip = Source files of the reference PEPS including an example of implementation
    of a SP (service provider), Idp (Identity provider), AP (attributes provider) and an example of signModule.
    (maven projects)
STORK-Peps-Binaries-Glassfish-1.1.1.zip = Deployable war files of a preconfigured PEPS (Country CA) for a glassfish Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Jboss-1.1.1.zip = Deployable war files of a preconfigured PEPS (Country CB) for a jboss Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Tomcat-1.1.1.zip = Deployable war files of a preconfigured PEPS (Country CC) for a tomcat Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Wls-1.1.1.zip = Deployable war files of a preconfigured PEPS (Country CD) for a weblogic Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)

Version 1.1.1
+ Upgrade of struts version from 2.3.15.1 to 2.3.16.2 in order to respond to security vulnerabilities
  (CVE-2014-0094, CVE-2013-6348, CVE-2013-4316).
  Please refer to http://struts.apache.org/announce.html for further information.

=======

Build 1.1.0 content

STORK-Peps-1.1.0.zip = Distribution version '110' of the reference PEPS
Doc\QuickStarted-STORK-Peps-Binaries.doc = Quick Install of preconfigured PEPS
Doc\PEPS 1.1.0 Installation Manual.docx = Detailed install Guide
STORK-Peps-Sources-1.1.0.zip = Source files of the reference PEPS including an example of implementation
    of a SP (service provider), Idp (Identity provider), AP (attributes provider) and an example of signModule.
    (maven projects)
STORK-Peps-Binaries-Glassfish-1.1.0.zip = Deployable war files of a preconfigured PEPS (Country CA) for a glassfish Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Jboss-1.1.0.zip = Deployable war files of a preconfigured PEPS (Country CB) for a jboss Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Tomcat-1.1.0.zip = Deployable war files of a preconfigured PEPS (Country CC) for a tomcat Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Wls-1.1.0.zip = Deployable war files of a preconfigured PEPS (Country CD) for a weblogic Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)

Version 1.1.0
+ Direct integration with the Austrian MOA/MOCCA components without using a VIDP.
  Please note: this integration requires cookies to be allowed at server side.
+ Fix of an issue in the signedDoc (AP part), where some characters were not properly escaped.

=======

Build 1.0.3 content

STORK-Peps-1.0.3.zip = Distribution version '103' of the reference PEPS
Doc\QuickStarted-STORK-Peps-Binaries.doc = Quick Install of preconfigured PEPS
Doc\PEPS 1.0.3 Installation Manual.docx = Detailed install Guide
STORK-Peps-Sources-1.0.3.zip = Source files of the reference PEPS including an example of implementation
    of a SP (service provider), Idp (Identity provider), AP (attributes provider) and an example of signModule.
    (maven projects)
STORK-Peps-Binaries-Glassfish-1.0.3.zip = Deployable war files of a preconfigured PEPS (Country CA) for a glassfish Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Jboss-1.0.3.zip = Deployable war files of a preconfigured PEPS (Country CB) for a jboss Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Tomcat-1.0.3.zip = Deployable war files of a preconfigured PEPS (Country CC) for a tomcat Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)
STORK-Peps-Binaries-Wls-1.0.3.zip = Deployable war files of a preconfigured PEPS (Country CD) for a weblogic Server
    (including AP.war, IdP.war, PEPS.war, SignModule.war, SP.war)

Version 1.0.3
+ Modification of the build to support Tomcat 6, Glassfish 3, jBoss 6, Weblogic 10.3.6
+ Review the code to remove potential errors and to improve code quality
  (based on findbugs - pmd reports : nullPointers reference, bad error management, cyclomatic complexity, ...)
+ Fix of a security issue related to the struts 2 library
+ Fix of an issue in the signedDoc where some characters were not properly escaped
+ Fix unit test problems
+ Change the packaging (see above)
+ Add an example of preconfigured PEPS
+ Correction in the IDP to allow configuration without AP
+ Inclusion of the M2 repository used for the build

Module support status: (1=built and verified; 2=built only; 3=untested)
1: STORK-Commons
1: STORK-SAMLEngine
1: STORK-Specific
1: STORK-PEPS
1: STORK-SP
1: STORK-IdP-1.0
1: STORK-AP
2: STORK-VersionControl
2: STORK-UPDATER
3: STORK-signmodule
3: STORK-IdP
3: STORK-IdP (alternative)
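
Checking the 1.2.0 security improvements after an upgrade: the cookie flags and response headers listed under Version 1.2.0 are visible from outside, and several sit behind feature selectors, so a response can be audited for them. The script below is an added example and is not part of the STORK distribution; the function name, the sample cookie, path and policy strings, and the accepted X-Frame-Options values are assumptions, since the notes give header names but few values.

```python
# Added example: audit one HTTP response for the 1.2.0 hardening items.
# Header names come from the release notes; every sample value is constructed.
CSP_NAMES = ("content-security-policy", "x-content-security-policy", "x-webkit-csp")

def audit_headers(headers):
    """headers: list of (name, value) pairs. Returns a list of findings."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())
    # Session cookies must carry both Secure and HttpOnly.
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {parts[0].split('=', 1)[0]}: missing {flag}")
    # HSTS needs a positive max-age; the notes also list includeSubDomains.
    hsts = {}
    for d in by_name.get("strict-transport-security", [""])[0].split(";"):
        key, _, val = d.strip().partition("=")
        hsts[key.lower()] = val
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) <= 0:
        findings.append("hsts: missing or non-positive max-age")
    if "includesubdomains" not in hsts:
        findings.append("hsts: includeSubDomains not set")
    if by_name.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: missing or not DENY/SAMEORIGIN")
    if by_name.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("x-content-type-options: not nosniff")
    if "x-xss-protection" not in by_name:
        findings.append("x-xss-protection: missing")
    # All three CSP header names should be present (two are legacy aliases).
    findings += [f"{n}: missing" for n in CSP_NAMES if n not in by_name]
    # The standard policy must not re-allow inline script.
    csp = {}
    for d in by_name.get("content-security-policy", [""])[0].lower().split(";"):
        if d.split():
            csp[d.split()[0]] = d.split()[1:]
    if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("content-security-policy: inline script allowed")
    return findings

# Constructed sample: a response with some feature selectors left disabled.
WEAK = [
    ("Set-Cookie", "JSESSIONID=abc123; Path=/PEPS; HttpOnly"),
    ("Strict-Transport-Security", "max-age=60000"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
]
```

Calling audit_headers(WEAK) returns one finding per missing item; an empty list means every item from the 1.2.0 list was observed on that response.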