question to updates strategy


question to updates strategy

Roman CHRENKO

Hi.

I have some questions about the update strategy for WSO2 IS. (I know that WSO2 IS 5.4.0 is released now, but I can better explain my question using version 5.3.0.)

The basic installation package for WSO2 IS 5.3.0 (wso2is-5.3.0.zip) contained, in the folder "repository/components/dropins", the SAML Federation plugin (org.wso2.carbon.identity.application.authenticator.samlsso) version 5.1.5. There was a bug in the class DefaultSAML2SSOManager. The method buildLogoutRequest() incorrectly set (always!) nameId.setFormat(NameIDType.UNSPECIFIED), which was interpreted by some trusted IDPs as a wrong LogoutRequest. This bug was fixed in version 5.1.6: if some conditions are met, it sets: nameId.setFormat(NameIDType.ENTITY);

At the time when version 5.1.7 was available in Git, I tried to download updates for WSO2 IS with WUM. But the updated zip package contained only the unpatched version 5.1.5. The command "wum list" shows the basic and "updated" versions of WSO2 IS:

c:\Program Files\WUM\bin>wum list
Product                 Updated                         Filename
wso2is-5.3.0            16 Oct 17 13:36 CEST            wso2is-5.3.0.1497977325530.zip
wso2is-5.3.0            -                               wso2is-5.3.0.zip

Version 5.1.7 was released on Jun 27, 2017 (according to https://github.com/wso2-extensions/identity-outbound-auth-samlsso/releases).

- How can I instruct WUM to also include the latest patches for a specific component (for example the SAML Federation plugin: org.wso2.carbon.identity.application.authenticator.samlsso)? Or is it a bug in WUM that it doesn't download the latest patches for dropins?

- I know that I can download the source code of 5.1.6+ from Git and build the plugin ("OSGI bundle") with Maven. But can I copy the newly created JAR file into the dropins folder? Don't other OSGI components expect the specific version 5.1.5? I am afraid that it can lead to an inconsistent state of WSO2 IS. How do I get to a consistent state with version 5.1.6+?

 

Best regards,

Roman Chrenko

 


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: question to updates strategy

Kasun Gajasinghe
Hi Roman,

5.1.5 and 5.1.7 are two patch releases of the 5.1.x minor version. That means there shouldn't be any API changes or incompatibility between the two. Hence, you can replace the said dropins jar with the newer version.
OSGi accepts version ranges. Usually, it is set from one minor version to the next immediate one. For ex. [5.1.0, 5.2.0): a square bracket means inclusive, a round bracket means exclusive.

There's no flag in WUM to do what you suggested. Have to check why the dropins jars are not in WUM. 

On Tue, Jan 2, 2018 at 2:21 AM Roman CHRENKO <[hidden email]> wrote:

--
Kasun Gajasinghe
Associate Technical Lead, WSO2 Inc.
email: kasung AT spamfree wso2.com
linked-in: http://lk.linkedin.com/in/gajasinghe
blog: http://kasunbg.org
phone: +1 650-745-4499, 77 678 0813 
 

Kasun Gajasinghe
Software Engineer; WSO2 Inc.
http://kasunbg.org

Re: question to updates strategy

Roman CHRENKO

Hi, Kasun.

Thank you for your answer. But where can I find the OSGI version ranges which you mentioned in your previous post?

I parsed (by shell script) all JAR files in the WSO2 IS installation directory (994 files), found all "META-INF\DEPENDENCIES" files, and there was no reference to "org.wso2.carbon.identity.application.authenticator.samlsso".

Do I understand correctly that no other OSGI component depends on "org.wso2.carbon.identity.application.authenticator.samlsso"?

Sorry, but I am still confused (by other results which I found while parsing the DEPENDENCIES files).

For example, I found (in some DEPENDENCIES files) a reference to "org.wso2.carbon.identity.sso.saml" (which is a component from the package "identity-inbound-auth-saml-5.3.0").

/opt/wso/repository/components/plugins/org.wso2.carbon.identity.query.saml_5.3.0.jar contains reference to: org.wso2.carbon.identity.sso.saml:bundle:5.3.0

/opt/wso/repository/components/plugins/org.wso2.carbon.identity.tools.saml.validator_5.1.2.jar contains reference to: org.wso2.carbon.identity.sso.saml:bundle:5.1.3

Isn't it an inconsistency? How can saml.validator do its job correctly when there is (in the installation package) no org.wso2.carbon.identity.sso.saml_5.1.3.jar, only org.wso2.carbon.identity.sso.saml_5.3.0.jar?

Does it mean that it uses the latest version despite the specific version in its DEPENDENCIES file?

 

The same for /opt/wso/repository/components/dropins/org.wso2.carbon.identity.application.authenticator.samlsso-5.1.5.jar which depends on "org.wso2.carbon.identity.application.authentication.framework:bundle:5.5.0", but there is no 5.5.0 jar for "application.authentication.framework", only version 5.7.5 (org.wso2.carbon.identity.application.authentication.framework_5.7.5.jar).

 

Best regards,

Roman

 

 

 

From: Architecture [mailto:[hidden email]] On Behalf Of KasunG Gajasinghe
Sent: Tuesday, January 2, 2018 2:10 AM
To: [hidden email]
Subject: Re: [Architecture] question to updates strategy

 


Re: question to updates strategy

Kasun Gajasinghe


On Tue, Jan 2, 2018 at 9:35 PM, Roman CHRENKO <[hidden email]> wrote:

> Hi, Kasun.
>
> Thank you for your answer. But where can I find the OSGI version ranges which you mentioned in your previous post?
>
> I parsed (by shell script) all JAR files in the WSO2 IS installation directory (994 files), found all "META-INF\DEPENDENCIES" files, and there was no reference to "org.wso2.carbon.identity.application.authenticator.samlsso".
>
> Do I understand correctly that no other OSGI component depends on "org.wso2.carbon.identity.application.authenticator.samlsso"?
>
> Sorry, but I am still confused (by other results which I found while parsing the DEPENDENCIES files).
>
> For example, I found (in some DEPENDENCIES files) a reference to "org.wso2.carbon.identity.sso.saml" (which is a component from the package "identity-inbound-auth-saml-5.3.0").

I would say not to look at the DEPENDENCIES file to figure out OSGi problems. This is a file generated by the Maven build, and it has no relation to OSGi.

To know how the OSGi runtime works, start the product with -DosgiConsole. For example:

sh bin/wso2server.sh -DosgiConsole

Now, you can check the OSGi runtime through the command line.

------

In OSGi, the dependencies are specified via the Import-Package (and Require-Bundle, but this is not a common occurrence) directive.

Let me show you some sample commands that we use for debugging purposes.

--------

1. Add your bundle to dropins
2. Start the wso2 server with osgiConsole
3. Check whether your bundle got activated successfully via the osgi command-line console. 

osgi> ss org.wso2.carbon.identity.application.authenticator.samlsso
id State       Bundle
278 ACTIVE      org.wso2.carbon.identity.application.authenticator.samlsso_5.1.5

If you see that the state is active, then that means your bundle's dependencies are satisfied.

4. To know the status of rest of the bundles, simply type 'ss' (ss == 'short status').
This will display all the bundles and their activation status. Simply compare this output with/without your new bundle.

----------

For the curious side of you - if you need to find out the import package directive and other info, do the following.

1. Find out the Bundle ID of the bundle of interest. (ss = short status)
osgi> ss org.wso2.carbon.identity.application.authenticator.samlsso
id State       Bundle
278 ACTIVE      org.wso2.carbon.identity.application.authenticator.samlsso_5.1.5

2. Get Bundle information
osgi> bundle 278
org.wso2.carbon.identity.application.authenticator.samlsso_5.1.5 [278]
  Id=278, Status=ACTIVE      Data Root=/home/kasun/deployments/wso2is-5.3.0/repository/components/default/configuration/org.eclipse.osgi/bundles/278/data
  "Registered Services"
    {org.wso2.carbon.identity.application.authentication.framework.ApplicationAuthenticator}={service.id=173}
  Services in use:
    {org.wso2.carbon.user.core.service.RealmService, org.wso2.carbon.user.api.UserRealmService}={service.id=165}
  Exported packages
    org.wso2.carbon.identity.application.authenticator.samlsso; version="5.1.5"[exported]
    org.wso2.carbon.identity.application.authenticator.samlsso.exception; version="5.1.5"[exported]
    org.wso2.carbon.identity.application.authenticator.samlsso.manager; version="5.1.5"[exported]
    org.wso2.carbon.identity.application.authenticator.samlsso.model; version="5.1.5"[exported]
    org.wso2.carbon.identity.application.authenticator.samlsso.util; version="5.1.5"[exported]
  Imported packages
    javax.crypto; version="0.0.0"<org.eclipse.osgi_3.9.1.v20130814-1242 [0]>
    javax.servlet; version="2.6.0"<tomcat-servlet-api_7.0.73.wso2v1 [530]>
    javax.servlet.http; version="2.6.0"<tomcat-servlet-api_7.0.73.wso2v1 [530]>
    javax.xml.namespace; version="0.0.0"<org.eclipse.osgi_3.9.1.v20130814-1242 [0]>
    .....

3. Look at the Imported Packages section. I usually skip to org.wso2.carbon.* packages in the Imported Packages section. :) This is just more info. Here, you can know how exactly the bundle wiring has happened.

4. To find out the Import-Package version ranges, type the below command.
osgi> headers 278
Bundle headers:
 Bnd-LastModified = 1483521538532
 Import-Package = ....
 Export-Package = ....
 ....
 

I'd like to know how it goes!
 

> /opt/wso/repository/components/plugins/org.wso2.carbon.identity.query.saml_5.3.0.jar contains reference to: org.wso2.carbon.identity.sso.saml:bundle:5.3.0
>
> /opt/wso/repository/components/plugins/org.wso2.carbon.identity.tools.saml.validator_5.1.2.jar contains reference to: org.wso2.carbon.identity.sso.saml:bundle:5.1.3
>
> Isn't it an inconsistency? How can saml.validator do its job correctly when there is (in the installation package) no org.wso2.carbon.identity.sso.saml_5.1.3.jar, only org.wso2.carbon.identity.sso.saml_5.3.0.jar?

Since this is build-time information, this inconsistency in the DEPENDENCIES file does not really have an effect at runtime. What is actually important is the Import-Package version ranges. These are specified in the Maven pom.xml under the maven-bundle-plugin section at build time.

> Does it mean that it uses the latest version despite the specific version in its DEPENDENCIES file?
>
> The same for /opt/wso/repository/components/dropins/org.wso2.carbon.identity.application.authenticator.samlsso-5.1.5.jar which depends on "org.wso2.carbon.identity.application.authentication.framework:bundle:5.5.0", but there is no 5.5.0 jar for "application.authentication.framework", only version 5.7.5 (org.wso2.carbon.identity.application.authentication.framework_5.7.5.jar).
>
> Best regards,
>
> Roman

 

 

 

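Added example, not part of the original thread and not WSO2 code: an offline counterpart to the console steps above that reads the Import-Package header from each JAR's META-INF/MANIFEST.MF (instead of the Maven DEPENDENCIES file) and checks whether a replacement version such as 5.1.7 falls inside every range that imports the bundle's packages, using the interval notation from the first reply. The function names, the sample manifest and the consumer bundle are constructed for illustration; it assumes the bundle exports its packages at the bundle version, as the `bundle 278` output shows for 5.1.5.

```python
import io
import re
import zipfile

def main_headers(text):
    """Main-section headers of MANIFEST.MF text, with folded lines rejoined."""
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            headers[key] += line[1:]      # a leading space continues the previous line
        elif ": " in line:
            key, value = line.split(": ", 1)
            headers[key] = value
        elif not line:
            break                         # a blank line ends the main section
    return headers

def parse_version(text):
    """major.minor.micro as a tuple of ints; a qualifier, if any, is ignored."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def in_range(version, spec):
    """True if version satisfies an OSGi range such as '[5.1.0,5.2.0)' or a bare minimum."""
    v = parse_version(version)
    if spec[0] not in "[(":
        return parse_version(spec) <= v   # a bare version is a minimum with no upper bound
    low, high = (parse_version(p) for p in spec[1:-1].split(","))
    lo_ok = low <= v if spec[0] == "[" else low < v
    return lo_ok and (v <= high if spec[-1] == "]" else v < high)

def imports_of(jar):
    """{package: version range} from a bundle's Import-Package header (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        headers = main_headers(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    result = {}
    # Split clauses on commas that are not inside a quoted version range.
    for clause in re.findall(r'(?:[^,"]|"[^"]*")+', headers.get("Import-Package", "")):
        parts = [p.strip() for p in clause.split(";")]
        attrs = dict(p.split("=", 1) for p in parts if "=" in p and ":=" not in p)
        for pkg in (p for p in parts if "=" not in p):
            result[pkg] = attrs.get("version", "0.0.0").strip('"')
    return result

def check_replacement(jars, package_prefix, new_version):
    """(bundle, package, range, accepted) for each import of the replaced bundle's packages."""
    return [(name, pkg, rng, in_range(new_version, rng)) for name, jar in jars
            for pkg, rng in imports_of(jar).items() if pkg.startswith(package_prefix)]

def sample_jars():
    """Constructed input: one hypothetical consumer bundle, manifest folded like a real one."""
    manifest = ('Manifest-Version: 1.0\r\n'
                'Import-Package: javax.servlet;version="[2.6.0,3.0.0)",org.wso2.carbon.i\r\n'
                ' dentity.application.authenticator.samlsso.manager;version="[5.1.0,5.2.\r\n'
                ' 0)";resolution:=optional\r\n\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return [("example.consumer.jar", buf)]
```

On a real installation, pass (file name, path) pairs for the JARs under repository/components/plugins and repository/components/dropins; the `headers <id>` console output remains the authority on what the running framework actually resolved.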