
SSO Simulator Revisions

Go to SSO Simulator Downloads to download the simulator. Bugs can be reported via the simulator's bug tracker at https://tech.lds.org/jira/browse/WAMULAT. The simulator in that project is known as the Wamulator, which is short for the Web Access Management Simulator.

History

  • 8.0.5 (2016.02.22)
    • Fixed IAMAM-1387, wherein a policy opening up access to resources anonymously via the OPTIONS method, nested within a broader policy requiring authentication for all resources, caused all resources falling within the OPTIONS policy's URL set to be accessible anonymously, essentially overriding the more restrictive policy for HTTP methods that were not specified in the OPTIONS policy. This change was necessary to bring the wamulator in line with the WAM environment.
  • 8.0.4 (2016.04.13) skipped version number
  • 8.0.3 (2016.02.22)
    • Added a new configuration property, aggregation, to the LDAP User Source, allowing locally cached user attributes to be reloaded from LDAP with every authentication for that user, so that user attributes track changes in the backing LDAP source. Internally-accessible-only jira item: IAMAM-1320.


  • 8.0.2 (2015.09.30)
    • Increased key size to 2048 bits for SHA-256 generated certs.
    • Fixed NPE caused when an unauthenticated user requested a resource that required authentication and whose URL included a query parameter with no value, such as a in ...?a&b=c.
  • 8.0.1
    • No changes. Unfortunate mis-tagging issue. No jar ever released with this version label.
  • 8.0 (2014.06.17)
    • Upgraded to Jetty 9.1.5.
    • Upgraded to JDK 1.7 as required by Jetty 9.
    • Refactored all http console port paths to reside beneath /wamulator.
    • Replaced http console JSPs with the Freemarker templating system, simplifying the console codebase.
    • Fixed class cast exception when explicit Deny before Allow policy is evaluated.
    • Removed <rewrite-cookie> that supported cookie path rewriting and removed <rewrite-redirect> that supported rewriting the Location header of 302 redirects since neither feature is supported by the WAM environment.
    • Removed <sso-traffic>'s strip-empty-headers attribute since that feature is not supported by the WAM environment and the flaw in a third party server that needed it was fixed some years ago. Since this was an obscure and rarely used feature, its documentation was also removed.


  • 7.0.4 (2014.04.29)
    • Rolled in pull request 1 (requires VPN) allowing URL fragments to be passed through the sign-in process rather than being dropped.
    • Rolled in pull request 2 (requires VPN) eliminating an Apache JSP validation error in an Http Console file when the WAMulator is running in a stack project IDE environment.


  • 7.0.3 (2013.09.30)
    • Added cctx-unenforced configuration to config.xml, which allows you to configure an application server context that will act as if it is not protected by WAM.
    • Enhanced logging that lets the user know which tpath endpoint matched the requested URL.
    • Visual enhancements to make the list of users more readable on the sign-in page.
    • User filter on the sign-in page to make it easier to find the desired user when you have a large list of users configured.
    • Bug fix: matching of user attributes and LDAP filters is no longer case sensitive.
  • 7.0.2 (2013.06.27)
    • Bug fix: the cctx-file configuration in config.xml was only finding local files in the exact directory instead of searching subpaths as well.


  • 7.0.1 (2013.05.20)
    • Added ability to reference config files in a "file-alias" using system variables or "system-alias".


  • 7.0 (2012.02.04)
    • Added full support for using a Policy Exposee export.
    • Start of Breaking API changes to make it so that a large portion of the configuration is found in a file exported from Policy Exposee.
      • Removed <conditions> and its children - these are now configured in the Policy Exposee export.
      • Removed <headers> and its children - these are now configured in the Policy Exposee export.
      • Removed <unenforced> - this is determined by the policy in the Policy Exposee export.
      • Removed <allow> - this is determined by the policy in the Policy Exposee export.
      • Removed the cctx and tpath attributes from <cctx-mapping>.
      • Removed support for the Entitlements simulator.


  • 6.5 (2012.04.26)
    • fixed WAMULAT-9 allowing for a single <cctx-file> directive to serve up multiple content types from directories and sub-directories.
    • fixed WAMULAT-69 allowing users to be declared in one source with attribute overrides but obtain the bulk of information for those users from a following user source.
    • fixed WAMULAT-78 causing the user to be returned to the sign-in page if a user is not found when authenticating to CODA via the coda user source.
    • added a title attribute to the console-recording directive
    • added a purge-header directive for purging all such headers from a request including any injected by the wamulator.
    • ssl enhancements: adjusted the scheme attribute of the by-site directive, renamed the cctx-mapping directive's scheme attribute to cscheme, and added tscheme and tSslPort attributes.
    • added formAction attribute to sso-sign-in-url directive for overriding where the wamulator's sign-in page forms get posted.


  • 5.54 (2012.04.19)
    • fixed WAMULAT-77 which was causing unsolicited cookie rewrites and broke any set-cookie response header containing an Expires attribute.
  • 6.4 (2012.03.28)
    • fixed lack of cctx header being injected per cctx-mapping declaration
  • 6.3 (2012.03.26)
    • fixed WAMULAT-71 cn attribute automatic for all users
  • 6.2 (2012.03.20)
    • added disable-tls property to 6.x LDAP User Source allowing for non-TLS/SSL connections to test LDAP stores
    • fixed propagation of cookie across domains
  • 6.1 (2012.03.19)
    • fixed WAMULAT-70 injected headers scrubbed
    • fixed WAMULAT-52 utf usernames fix
    • fixed WAMULAT-39 allow unspecified actions now forbidden
    • turned off java sessions in JSPs
  • 5.53 (2011.12.09)
    • Added sign-in fields to selectUser.jsp for selenium test support so tests leveraging WAM sign-in field IDs work when testing apps fronted with the wamulator.
  • 5.52 (2011.11.08)
    • Fixed WAMULAT-62: does a better job preserving the request scheme when constructing redirect URLs.
  • 5.51 (2011.10.07)
    • Fixed WAMULAT-58 which fixes sessions NOT expiring.
    • Added support for policy-exposee tool's token authority rest endpoint /admin/oam-ta/cookie-name.
  • 5.50 (2011.09.17)
    • Fixed WAMULAT-56, which brings the WAMulator into conformance with RFC 2616, section 10.3.5. That section indicates that 304 Not Modified responses should not contain a body; therefore the WAMulator should not wait for further characters when no content-length response header was included and the server does not close the connection, even though a connection: close header was included in the request.
  • 5.49 (2011.09.11)
    • Fixed WAMULAT-54 by adding new <port-access> element. Connections from hosts other than that housing the WAMulator are now forbidden by default unless enabled via this new element.
  • 5.47 (2011.06.30)
    • Fixed WAMULAT-48 by encoding user header values according to RFC 2047 (as incorporated by HTTP 1.1's RFC 2616) and fixing the console's listUsers.jsp page to be served with utf-8 character encoding so multi-byte characters appear as they should.
    • Fixed WAMULAT-37 so coda retrieved headers now have the proper header names for all headers.
  • 5.46 (2011.06.09)
    • Fixed WAMULAT-35 allowing pipe chars in query string to pass through wamulator.
    • Fixed WAMULAT-36 allowing creation of the /logs directory to occur only when <console-recording>'s enable-debug-logging is true or logging for RequestHandler has been set to fine.
  • 5.45 (2011.05.13)
    • Fixed NPE when <Attribute> evaluated a user with no declared User <Att> elements.
    • Added TLS/SSL support both on incoming request via the new <proxy-tls> and on outbound, proxied requests to applications via the scheme attribute on the <cctx-mapping> directive.
    • Enhanced the SSO Traffic tab to show lock images in separate columns for incoming and outgoing requests if they are received over TLS. Lock images and faint bullet images are courtesy of www.famfamfam.com.
      (Screenshot: HTTPS traffic portrayed)
  • 5.44 (2011.04.25)
    • Fixed lack of the User <Att>'s data being injected into the declared User.
    • Removed erroneously checked in web.xml content causing exception at startup.
    • Fixed WAMULAT-32 allowing user pwd (their password) attribute to be optional.
  • 5.40 (2011.03.09)
    • Fixed bug WAMULAT-25 allowing body content of server http responses having no content-length response header to make it through the simulator and get passed back to the client rather than be dropped.
  • 5.39 (2011.02.15)
    • Added file watcher that detects when the config file is updated and restarts the simulator when an update is detected. It is no longer necessary to manually shut down the simulator and restart when the config file is updated.
    • Added more logging of the decisions the simulator makes as it compares incoming requests with the paths defined in the config file. This logging should help in the debugging of ctx paths and help developers to more quickly get the simulator working for their project. Along with the logging changes, a new logging.properties file, named: "ctx-request-processing-logging.properties" was added. When more logging of ctx path comparisons is desired, include this logging properties file as a command-line parameter like this: -Djava.util.logging.config.file=ctx-request-processing-logging.properties
    • Changed ctx path comparisons such that they are now done in a case-insensitive manner. This was done in response to a request from the .Net developers.
  • 5.37 (2010.11.16)
    • WAMULAT-20 Changed from log4j to using the JDK logger for logging. By default the JDK logger will log to the console. To customize this simply create a logging.properties file and supply it as a parameter to the emulator using -Djava.util.logging.config.file={location or properties file}. For details on creating a JDK logging.properties file read the JDK documentation or search google.
    • WAMULAT-3 Added support for an XSD. The XSD is optional but will provide better error messages and IDE validation/completion if used. Add the schema to your file by changing your root config element to something like:
<config allow-non-sso-traffic="false"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://code.lds.org/schema/wamulator"
	xsi:schemaLocation="http://code.lds.org/schema/wamulator http://code.lds.org/schema/wamulator/wamulator-5.0.xsd"/>
    • WAMULAT-11 Refactored how aliases are processed. Adding support for a "default" alias value. Take advantage of the new syntax by doing something like:
<?system-alias wam-proxy-port="wamProxyPort" default="8080"?>
<config proxy-port="{{wam-proxy-port}}"/>
  • 5.29 (2010.11.16)
    • added CDSSO via master domain. ex:
 <sso-cookie name="lds-policy" domain=".lds.org">  <!-- master domain -->
   <cdsso domain=".ldschurch.org"/>                <!--subsidiary domain -->
   <cdsso domain=".mormon.org"/>                   <!--subsidiary domain -->
 </sso-cookie>
    • made sessions specific to a domain and they propagate over to other domains automatically
    • added enforcement of one by-site host falling within the master domain
    • WAMULAT-10 cookies work with localhost domain
    • WAMULAT-17 log ports for rest service locations
    • WAMULAT-2 throw specific exceptions for start/stop problems
  • 5.28 (2010.10.25)
    • Modified command logging so console output shows when we are stopping and starting the simulator
  • 5.27 (2010.10.14)
    • refactored commands for better unit testing
    • tweaks enabling remote launching of simulator
  • 5.26 (2010.10.06)
    • changes for building "uber jar", no impact on simulator features.
    • added command line command support for:
      • start (running in traditional blocking fashion, this is the default if no command is specified)
      • stop (will stop the simulator running locally whether started in blocking or non-blocking fashion)
      • run (starts the simulator in an orphan process and exits)
  • 5.25 (2010.09.13)
    • fixed erroneous removal of last non asterisk character of allow/unenforced cpath leading to /bc/* consuming /bcs/*
    • added "*" support for action attribute of allow element
    • added X-Forwarded-host header
    • fixed session termination link in ui console
  • 5.24 (2010.08.31)
    • stripped signin/signout query params upon redirects to prevent problems with apps
    • added two-pass parsing of config so conditions don't have to be at top of file
    • changed console title so browser tabs holding console are more readily discernible
    • added host, shortened date, and added actual http resp msg in SSO Traffic tab
    • cleaned up command line output so ports more readily visible
    • added more error handling and more clarity to error messages
    • added case-insensitive sort of users in Users and Sessions tab
  • 5.23 (2010.08.20)
    • added <cctx-mapping>'s attributes of host-header and policy-service-url-gateway
    • removed launching of multiple evaluator garbage collecting threads and their conflicting log entries
    • simplified such log entries so that they take up less space
    • added logging of forward proxy (non reverse proxy sso) traffic if enabled by <config>'s allow-non-sso-traffic attribute
    • Enhanced traffic tab to distinguish between both traffic types and add popup labels clarifying all columns in that view.
  • 5.22 (2010.08.18)
    • Minor tweaks to console traffic tab fixing freaky rendering of URIs containing unescaped ampersand character followed by "l" as in "&lang=eng".
  • 5.21 (2010.08.17)
    • Minor tweaks to console traffic tab preventing wrapping of timestamp
    • removal of System.out.println's when adding user sso headers.
  • 5.20 (2010.08.13)
    • Added support for embedding condition custom syntax directly in configuration files. (See the <conditions> directive.)
    • Added support for adjusting the proxy's Socket timeouts. (See the <proxy-timeout> directive.)
    • Reworked entitlements so that evaluation now implements the OES hierarchical evaluation model and configuration now supports multiple directives for the same URN but with different actions allowing for specification of different conditions for different actions on a URN.
    • Made declaration of the <sso-sign-in-url> directive optional and added checks alerting simulator users when the sign-in page has different domain than that of the cookie preventing the browser from accepting the cookie set by the page.
    • Made declaration of the <config> directive's rest-version attribute optional. It now defaults to CD_OESv1.
  • 5.19 (2010.08.03)
    • Added ability to strip empty headers in proxy traffic including headers injected by the simulator itself. This was a stop gap solution to a flaw in 4.1-3 version of Mark Logic where its get-request-header() and get-request-header-names() methods fail to see any headers beyond the first empty header incurred in an http request. See the <sso-traffic> configuration element.
  • 5.18 (2010.08.02)
    • Removed isLink feature of entitlements since it was being implemented to conform to the OES solution and was found to be problematic and dysfunctional.
  • 5.17 (2010.07.27)
    • implemented change in SSO strategy where a single rest service is bound to a single policy-domain alleviating the need for rest service clients to know the policy-domain in which their policies are stored and simply delegate to the service indicated by the passed-in policy-service-url value. Now one rest service is started in the console per by-site declaration and available instances are listed in the rest traffic tab.
    • removed support for sso-entitlements element as child of /config and replaced with entitlements element as child of by-site. Its former policy-domain attribute is no longer supported and is replaced by the containing by-site element's host attribute value.
    • added auto-definition and injection of policy-service-url global header, prevented injection if configured, and logs message indicating header declaration should be removed
    • updated config file parser to prepend by-site's host as the policy-domain for entitlement urns so that urns are applicable for a single rest service instance.
    • updated rest service's /arePermitted endpoint to prepend policy-domain of rest service instance and log unsupported requests that have a policy-domain already prepended
    • began initial work on isLink feature which will be completed in a later release but has no impact on this release except for a minor innocuous appearance in the rest traffic logs
    • fixed NPE that occurs when custom syntax condition debugging is turned on
  • 5.16 (2010.07.08)
    • Replaced HasLdsAccountId custom condition syntax with HasLdsApplication, added user/ldsApplications to config, exposed user attributes in listUser.jsp, provided org.lds.sso.appwrap.ConvertToNoLdsAccountId tool for converting files.
  • 5.15 (2010.06.25)
    • Replaced greedy-unenforced attribute in the by-site element with policy and entitlement evaluation being declaration order dependent allowing for deeper nested items that should require authentication to be declared first while an unenforced declaration can follow leaving all higher sub-paths publicly available.
  • 5.14 (2010.06.22)
    • Really added backwards compatibility support for the older URL /rest/oes/1, not /oes/rest/1 as I had changed it to.
  • 5.13 (2010.06.21)
    • Added backwards compatibility support for older /oes/rest/1 URL location with hits logged to ses.log indicating use of a deprecated URL.
  • 5.12 (2010.06.14)
    • Changed rest endpoint URL to /oes/v1.0/rest/ to conform to the LDS URL standard. This requires updating to the CD-OESv1-1.9 version of clientlib.
  • 5.11 (2010.06.09)
    • Added greedy-unenforced attribute to by-site element in configuration allowing for unenforced URL declarations to not be greedy which they are by default. This allows for enforced URLs to reside beneath unenforced URLs hierarchically and still be enforced.
    • fixed individual id header to match the definition in the SSO Injected Headers page.
  • 5.10 (2010.06.04)
    • added highlighting to Users and Sessions tab for user headers that do not match those on SSO Injected Headers.
    • added unit tests for signin/signout query parameter functionality
    • added support for signin/signout query params being empty but having the equals sign
    • fixed incorrect definition of policy-individualid header
    • added definition for policy-preferredlanguage header
    • added support for implicit {{console-port}} alias in <sso-sign-in-url> element when auto-binding is used.
    • fixed incorrect case of rest methods being hit showing in Rest Traffic tab.
    • added I'm Alive non-jsp console page at /is-alive that shows the version and indicates the simulator is running.
  • 5.9 (2010.05.27)
    • Removed auto-folding of response headers which was breaking cookies for most browsers. (Folding was a side-effect of the changes made for v5.4.)
  • 5.8 (2010.05.27)
    • Added support for policy-signin and policy-signout headers and their values' use as empty-valued query parameters. See Developing SSO Protected Applications and SSO Injected Headers for more detail.
    • Added set-cookie-WAS and location-WAS response headers when redirect or cookie path rewrite has taken place showing the original unchanged value to clients for troubleshooting problems.
    • Fixed version showing in console as "in IDE" to show the version being run.
  • 5.7 (2010.05.26)
    • removed infinite redirect loop detection.
  • 5.6 (2010.05.13)
    • updated headers to match those of the WAM environment.
  • 5.5 (2010.05.12)
    • added CtxMatch conditional syntax for evaluating context parameters passed for entitlement questions of the OES REST interface.
  • 5.4 (2010.05.11)
    • added optional preserve-host attribute to cctx-mapping for rare occasions where the host header needs to be rewritten to the values of thost and tport prior to proxying to that back end application.
  • 5.3 (2010.05.10)
    • added query string to infinite redirect detect for rest service calls that only see query parameter changes
    • extended support for "auto" binding console and proxy on any available port to by-site's port attribute and cctx-mapping's tport attribute for better unit testing.
  • 5.2 (2010.05.08)
    • fixed x-forwarded-host clobbering host header
    • added support for condition aliases using file:file-path
    • fixed NPE when rest-version not specified
    • fixed NPE when condition specified for entitlement
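The two policy-matching defects described above in the 8.0.5 (IAMAM-1387) and 5.25 entries, modelled as an added example that is not Wamulator code: the cpath prefix comparison that let /bc/* consume /bcs/*, and the method-scoped anonymous OPTIONS policy that widened access for methods it never listed. The policy shapes, the "most specific cpath wins" rule and the /app/ policy set are constructed assumptions for illustration.

```python
"""Constructed model of two Wamulator policy-matching bugs (not project code):
the 5.25 cpath prefix bug and the 8.0.5 OPTIONS-policy bug."""
from dataclasses import dataclass
from typing import List, Optional

ALL = frozenset({"*"})  # assumed marker: policy covers every HTTP method


@dataclass(frozen=True)
class Policy:
    cpath: str           # "/bc/*" = prefix match; anything else is an exact match
    methods: frozenset   # HTTP methods the policy covers
    anonymous: bool      # True: no sign-in needed; False: authentication required


def url_matches(cpath: str, path: str) -> bool:
    """5.25 behaviour: the prefix keeps its final '/', so /bc/* stays /bc/."""
    if cpath.endswith("*"):
        return path.startswith(cpath[:-1])
    return path == cpath


def url_matches_pre_5_25(cpath: str, path: str) -> bool:
    """Pre-5.25 defect as the history describes it: the last non-asterisk
    character is dropped, so "/bc/*" compares as the prefix "/bc"."""
    if cpath.endswith("*"):
        return path.startswith(cpath[:-2])
    return path == cpath


def covers_method(policy: Policy, method: str) -> bool:
    return policy.methods == ALL or method in policy.methods


def most_specific(candidates: List[Policy]) -> Optional[Policy]:
    # Assumed rule: the longest (narrowest) cpath decides among matches.
    return max(candidates, key=lambda p: len(p.cpath), default=None)


def anonymous_allowed_pre_8_0_5(policies, path, method) -> bool:
    """Model of IAMAM-1387: the narrowest URL match decides, and its verdict
    is applied even to methods that policy never listed."""
    hit = most_specific([p for p in policies if url_matches(p.cpath, path)])
    return hit is not None and hit.anonymous


def anonymous_allowed(policies, path, method) -> bool:
    """8.0.5 semantics: a policy only participates for methods it covers, so
    an OPTIONS-only anonymous policy cannot open GET or POST. No match means
    the request is not anonymously allowed."""
    hit = most_specific([p for p in policies
                         if url_matches(p.cpath, path) and covers_method(p, method)])
    return hit is not None and hit.anonymous


# Constructed policy set: everything under /app/ requires sign-in, except
# OPTIONS (e.g. CORS preflight) under /app/api/, which is anonymous.
POLICIES = [
    Policy("/app/*", ALL, anonymous=False),
    Policy("/app/api/*", frozenset({"OPTIONS"}), anonymous=True),
]

if __name__ == "__main__":
    for method in ("OPTIONS", "GET"):
        print(method, "/app/api/data  pre-8.0.5:",
              anonymous_allowed_pre_8_0_5(POLICIES, "/app/api/data", method),
              " 8.0.5:", anonymous_allowed(POLICIES, "/app/api/data", method))
    print("/bc/* vs /bcs/page  pre-5.25:", url_matches_pre_5_25("/bc/*", "/bcs/page"),
          " 5.25:", url_matches("/bc/*", "/bcs/page"))
```

Running it shows GET /app/api/data going from anonymously reachable under the old evaluation to requiring sign-in under the 8.0.5 rule, while OPTIONS stays open in both.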

Started keeping revision history at start of May. Previous version information is not provided.

This page was last modified on 13 April 2016, at 15:55.
