FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Java

 
 
LinkBack Thread Tools
 
Old 07-26-2011, 04:09 PM
Csillag Tamas
 
Default packaging shibboleth identity provider

Hi,

Today there was a plan mentioned during the lecture give by DSAs at
Debconf11.

It was about improving the websites with some kind of SSO solution
and Shibboleth was mentioned explicitly.

I told them that I operate a Shibboleth identity provider at work (a
Hungarian University) and if needed I can help them. One of them (sorry
I do not remember the name) told me that currently the blocker is that
the identity provider (which is written in java) is not available in
Debian, only the service provider which is an apache module. They told
me to talk to java packagers about that. (If it becomes available
they will request a backport and we can move on.)

I talked to Sylvestre Ledru (I hope I get the name right) and he said
he does not know any specific problems with it and told me to just
mail the java list (so here I am .

I also cc the shibboleth packagers
(http://wiki.debian.org/Teams/DebianShibboleth)

In Hungary the NIIF (which operates the Hungarian research network)
made some enhancement to it http://software.niif.hu/ so if *this* gets
packaged our university can also benefit from it otherwise if the
official (http://shibboleth.internet2.edu/) it is good for a start.

Now we use it with tomcat6 and there is an apache2 instance proxying
incoming requests, but maybe Jetty is easier from a packager
objective, I do not know (Jetty looks more promising to me anyways).
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJetty7Prepare

Thanks for you reply.
(I will mail a pointer to the DSAs, when this appears in the archive.)

Regards,
cstamas
--
CSILLAG Tamas (cstamas) - http://digitus.itk.ppke.hu/~cstamas


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110726160941.GO24885@rivendell">http://lists.debian.org/20110726160941.GO24885@rivendell
 
Old 07-26-2011, 06:14 PM
Russ Allbery
 
Default packaging shibboleth identity provider

Csillag Tamas <cstamas@digitus.itk.ppke.hu> writes:

> I told them that I operate a Shibboleth identity provider at work (a
> Hungarian University) and if needed I can help them. One of them (sorry
> I do not remember the name) told me that currently the blocker is that
> the identity provider (which is written in java) is not available in
> Debian, only the service provider which is an apache module. They told
> me to talk to java packagers about that. (If it becomes available they
> will request a backport and we can move on.)

> I talked to Sylvestre Ledru (I hope I get the name right) and he said
> he does not know any specific problems with it and told me to just
> mail the java list (so here I am .

> I also cc the shibboleth packagers
> (http://wiki.debian.org/Teams/DebianShibboleth)

There are multiple problems with packaging the Shibboleth IdP. We have an
internal (out of date) package that we use at Stanford, but it's not close
to suitable for Debian.

The problems include:

* The Shibboleth IdP, like a lot of Java software, relies on lots of
supporting Java libraries. All of those libraries need to be separately
packaged for Debian for Debian-acceptable official packages of the IdP,
similar to how xml-security-c, opensaml2, and xmltooling were packaged
for the SP. However, this is more complex in the Java world, since Java
developers are used to just distributing byte code and often don't have
much experience working with packagers who expect to rebuild from
source.

* Source is not a common distribution format for the IdP, and the current
distribution isn't really designed to be packager-friendly (because so
far as I know no one has really worked on that before), so substantial
work needs to be done on figuring out how to build it from source and
put it into a form that works well with a Debian pacakge.

* Debian in general lacks a policy on how to handle packaged Java web
applications and their interactions with web application containers like
Tomcat and Jetty. I made a preliminary proposal about how that could
work, but haven't had time to pursue it further.

Full Debian-acceptable packages of the IdP will be a substantial amount of
work. My guess is something on the order of 100 hours of work with
someone with prior Debian Java packaging expertise, with possible
unforseen issues around licensing or difficulty building underlying Java
libraries from source that could require even more work.

--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 87vcuovrhw.fsf@windlord.stanford.edu">http://lists.debian.org/87vcuovrhw.fsf@windlord.stanford.edu
 
Old 07-26-2011, 10:07 PM
"Cantor, Scott E."
 
Default packaging shibboleth identity provider

On 7/26/11 12:09 PM, "Csillag Tamas" <cstamas@digitus.itk.ppke.hu> wrote:
>
>Now we use it with tomcat6 and there is an apache2 instance proxying
>incoming requests, but maybe Jetty is easier from a packager
>objective, I do not know (Jetty looks more promising to me anyways).
>https://wiki.shibboleth.net/confluence/display/SHIB2/IdPJetty7Prepare

Jetty is the only supported container for the IdP going forward, and v3
will be shipped with an embedded version of it. Just FYI.

-- Scott


--
To UNSUBSCRIBE, email to debian-java-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: CA54B28A.E3C1%cantor.2@osu.edu">http://lists.debian.org/CA54B28A.E3C1%cantor.2@osu.edu
 

Thread Tools




All times are GMT. The time now is 04:31 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org