WSO2 Governance Registry nightly builds? - wso2

Are there nightly builds of the WSO2 GREG somewhere? I'm behind a customer's proxy which has a weird configuration; building from source is getting very difficult. My specific need is to test the new WADL support, which doesn't look available in the 4.5.0 distribution. On the other hand, is there any alternative way to test the new WADL support without building the GREG from scratch?

If you need to evaluate a nightly build, the location given is correct. But WADL support has been removed from the WSO2 4.5.1 distribution at the moment, so this binary pack does not include it.

Related

Vulnerability fix for Apache Commons Text with wso2 carbon libraries

I am looking for suggestions on the recent vulnerability (https://blogs.apache.org/security/entry/cve-2022-42889), which is also coming from the WSO2 IS 5.11 binary downloaded from https://github.com/wso2/product-is/releases/tag/v5.11.0 and the Carbon libraries we are using in custom plugins, like:
<dependency>
    <groupId>org.wso2.carbon.identity.framework</groupId>
    <artifactId>org.wso2.carbon.identity.mgt</artifactId>
    <version>5.18.187</version>
</dependency>
<dependency>
    <groupId>org.wso2.carbon.identity.framework</groupId>
    <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
    <version>5.18.187</version>
</dependency>
<dependency>
    <groupId>org.wso2.carbon.identity.framework</groupId>
    <artifactId>org.wso2.carbon.identity.provisioning</artifactId>
    <version>5.18.187</version>
</dependency>
Are there any upgrades to these which are compatible with WSO2 IS v5.11?
From the WSO2 advisories, it is mentioned that the vulnerability has no impact on the products [1] since the preconditions are not met. The team promises to fix the vulnerable versions, and (paid) customers will be able to obtain the fix through their security update once it is available. Along with this effort, the public fix will be done for the current public branch and will be available if you build product-is from the repository. The timeline for the public fix is yet to be known.
And the suggested upgrade would be to 1.10.0 of the Apache Commons Text library for 5.11.0.
This library comes into the Identity Server 5.11 pack mainly through the Forget me tool. And in the latest release (wso2is-6.0.0), the Forget me tool has been externalized [2], so it can be used in the product on demand.
Refer:
[1] https://docs.wso2.com/display/Security/CVE-2022-42889
[2] https://is.docs.wso2.com/en/latest/deploy/remove-references-to-deleted-user-identities/#building-the-identity-anonymization-tool

Log4j vulnerability with org.wso2.carbon.identity.application.authentication.framework

I am getting a log4j-core -> 2.12.0 vulnerability with org.wso2.carbon.identity.application.authentication.framework.
As per the GitHub link https://github.com/wso2/product-is/blob/v5.11.0/pom.xml, the compatible version for WSO2 IS v5.11 is 5.18.187.
But as I checked on Maven as well, the specified version https://mvnrepository.com/artifact/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.application.authentication.framework/5.18.187
has log4j-core vulnerabilities in the compile dependency https://mvnrepository.com/artifact/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.testutil/5.18.187
Could you please suggest whether I should go with upgrading the version of org.wso2.carbon.identity.application.authentication.framework or should just add a direct dependency on log4j-core 2.17.2?
Upgrading the org.wso2.carbon.identity.application.authentication.framework would not be compatible with the other modules in the distribution and I recommend not doing so since it could lead to some breaking changes in the product features.
And upgrading the log4j-core dependency in the org.wso2.carbon.identity.application.authentication.framework to the 2.17.2 version alone would not work since there are other artifacts that were affected by the log4j vulnerability.
Since this vulnerability was identified, WSO2 has released an updated version of product-is, which you can download from their website.
The Version 5.11.0 - SERVICE PACK 01, which you can download from here, would have the updated product-is v5.11.0 with the fixes for the log4j vulnerability. It also includes bug fixes for the initial 5.11.0 release.
Hence, I recommend going with the already existing 5.11.0 - SERVICE PACK 01 instead of manually updating the affected artifacts.
Upgrading org.wso2.carbon.identity.application.authentication.framework might lead to breaking changes, and updating the log4j-core dependency will not resolve the issue since there can be other components which are also affected by this vulnerability.
WSO2 has already identified and fixed this. I would like to recommend you to download and use the latest Identity Server version (IS 6.0.0) from the official WSO2 website or from git releases. The WSO2 team has paid special attention to fixing most of the 3rd party vulnerabilities in this release and there are so many new features available.
Updated 1:
You can follow the temporary solution specified in this doc if you don't have a paid subscription or are unable to get the latest Identity Server product (NOTE that it is a temporary fix).
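An added example for the Commons Text and log4j-core threads above (not part of either thread and not WSO2's code): it walks an unpacked product directory, reads the Maven `pom.properties` metadata inside each jar and inside any jars embedded in it, and flags versions below the ones named in the threads (Commons Text 1.10.0 from the answer, log4j-core 2.17.2 from the question). Function names are hypothetical, and jars that carry no Maven metadata are not detected.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Floors named in the thread: Commons Text 1.10.0 and log4j-core 2.17.2.
MINIMUM = {("org.apache.commons", "commons-text"): (1, 10, 0),
           ("org.apache.logging.log4j", "log4j-core"): (2, 17, 2)}
POM_PROPS = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def parse_version(text):
    """'2.12.0' -> (2, 12, 0); vendor suffixes after the numbers are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(fileobj, label):
    """Yield (location, artifact, version, below_floor) for each tracked library."""
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            m = POM_PROPS.search(name)
            if m and m.groups() in MINIMUM:
                props = zf.read(name).decode("utf-8", "replace")
                found = re.search(r"^version=(.+)$", props, re.M)
                version = parse_version(found.group(1)) if found else None
                low = version is None or version < MINIMUM[m.groups()]
                yield label, m.group(2), version, low
            elif name.endswith(".jar"):  # bundles may embed other jars
                yield from scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}")

def scan_tree(root):
    """Scan every *.jar under root, e.g. an unpacked product home."""
    return [hit for jar in sorted(Path(root).rglob("*.jar"))
            for hit in scan_archive(jar, jar.relative_to(root).as_posix())]

def make_jar(entries):
    """Build jar bytes from {entry name: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample tree, not a real WSO2 pack
    props = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
    with tempfile.TemporaryDirectory() as tmp:
        inner = make_jar({props: b"version=1.6\n"})
        Path(tmp, "bundle.jar").write_bytes(make_jar({"lib/commons-text.jar": inner}))
        print(scan_tree(tmp))
```

Each result is a tuple of location, artifact, parsed version and a flag that is true when the version is below the floor or could not be parsed; the `!` in a location marks a jar embedded inside another.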

WSO2 BPS Tooling Link Could Not Be Found When Installing the BPS Tooling Plugin

I'm currently following the WSO2 documentation on installing the BPS tooling plugin and the link given for the BPS tooling is not working (Step 4).
https://docs.wso2.com/display/BPS360/Installing+the+BPS+Tooling+Plug-In
Any resolution or an alternative method to install the same is highly appreciated.
Thanks in advance.
You should not be referring to these documents. These are for the old BPS server, which was later merged with EI and now it's discontinued. BPMN and BPEL extensions are already there in Integration Studio, hence you don't have to install any additional plugins. You can simply create a new project with the relevant type and start building your workflows. Here are tutorials you can refer to.

Can using free version of SOAP-UI we build a framework to maintain testcases

I am looking for an Eclipse plug-in for SoapUI. But SmartBear has stopped supporting that plug-in. I am not able to download that plug-in in my Eclipse. Some sources say we need to use an old version of Eclipse like Indigo.
Moreover, Datasource is also not available in SoapUI free version.
Is there any way to create a framework in the SoapUI free version using Groovy scripts, so that I can maintain my test cases if anything changes in future?
We are currently focusing on Rest API.
I am confused. Any suggestions/tutorials/links/ways is highly appreciated.

Configuring WSO2 Identity Server as Key Manager with API Manager

I'm looking for some guidance about two specific WSO2 products, API Manager and Identity Server and for the best solution to solve the problem I'm going to explain below.
In my company, we are using ADFS 3.0 for Single Sign On support in our applications. However we are now building applications that will require OpenID Connect Specification (SPA's+Rest API's) and ADFS does not support this out of the box so we've decided to use WSO2 products for that purpose.
I already managed to install WSO2 Identity Server 5.0.0 SP1 and configured ADFS as a federated Identity Provider (the new applications will still have to authenticate users using ADFS). I also installed WSO2 API Manager 1.9.1 and configured it to use WSO2 Identity Server as the Key Manager (Configuration tutorial).
Now the problem:
Using WSO2 Identity Server 5.0.0 SP1 I couldn't get the Logout feature to work due to the issue reported here. It seems that this issue has been solved in version 5.1.0M4, so I tried to install version 5.1.0-alpha and managed to make the logout work with ADFS (I tested it by enabling SSO for the carbon administration). However, now I'm not able to install the Key Manager feature through the carbon repositories due to incompatibilities.
As a result, with the first combination (wso2is 5.0.0 SP1/wso2am 1.9.1) I had the logout issue with ADFS and with the second combination (wso2is 5.1.0-alpha/wso2am 1.9.1), I'm not able to install the Key Manager feature in Identity Server.
Is there any way to apply a patch to solve the logout issue in the first combination? Is there a way to install the key manager feature on WSO2IS 5.1.0-alpha? Or can someone point me to another solution to solve this issue?
The issue you pointed to above has its type marked as "Patch". Usually that means WSO2 has fixed this issue for an earlier version and provided a patch to its customers. The easiest thing would be, if you are already a customer of WSO2, to ask for the patch directly from their support.
If you are not a paid customer of WSO2, you are in a bit of trouble. As per this question, the source of the Service Pack is also not available to the public.
But luckily in your case, the component which needs this fix is not a core component, so you wouldn't be in trouble if you change the authenticator code a bit. But the warning is, it would lose any fixes done for org.wso2.carbon.identity.application.authenticator.samlsso_4.2.1.jar in the service pack.
Anyway, these are the steps you should follow.
1. Check out the source. The lazy path would be to check out the whole source from here. That is the easiest way, with which you will face fewer problems when you try to build the source, but the downside is that it would take a bit of time to check out. If you know how to build a specific component from the WSO2 source, you can directly check out the component that needs to be changed.
2. Try to build the component without making any change, just to make sure there are no issues up to this point.
3. Go to the class DefaultSAML2SSOManager and make the same change done in the PR.
4. Build the component again.
5. Create a folder named like "patch9000" inside the <IS_HOME>/repository/components/patches/ folder.
6. Copy the jar built in step 4 (org.wso2.carbon.identity.application.authenticator.samlsso-4.2.1.jar) from the target folder to the <IS_HOME>/repository/components/patches/patch9000 folder.
7. Restart the server. If you have done everything up to this point, the server startup would print a log like: org.wso2.carbon.server.extensions.PatchInstaller - Patch changes detected
8. Now retry your flow and it would work as expected.
If you are too lazy to do all of the above, you can wait until Identity Server Service Pack 2, which will have your fix.
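An added example, not code from the answer or from WSO2: before a rebuilt jar is copied into the patches folder described above, it is compared entry by entry with the jar shipped in the pack, so the differences can be checked against the single class that was meant to change. Function names are hypothetical; the jar paths, the log lines and <IS_HOME> are supplied by the caller.

```python
import hashlib, shutil, sys, zipfile
from pathlib import Path

def entry_digests(jar_path):
    """Map every file entry in a jar to the SHA-256 of its content."""
    with zipfile.ZipFile(jar_path) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}

def diff_jars(shipped, rebuilt):
    """Return (changed, added, removed) entry names, shipped jar versus rebuilt jar."""
    old, new = entry_digests(shipped), entry_digests(rebuilt)
    changed = sorted(n for n in old.keys() & new.keys() if old[n] != new[n])
    return changed, sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())

def stage_patch(is_home, rebuilt, patch_name="patch9000"):
    """Copy the rebuilt jar to <IS_HOME>/repository/components/patches/<patch_name>/."""
    target = Path(is_home, "repository", "components", "patches", patch_name)
    target.mkdir(parents=True, exist_ok=True)
    return Path(shutil.copy2(rebuilt, target))

def patch_detected(log_lines):
    """True if the startup log contains the PatchInstaller message quoted in the answer."""
    return any("PatchInstaller" in line and "Patch changes detected" in line
               for line in log_lines)

if __name__ == "__main__":
    # Usage (paths are the caller's): <shipped.jar> <rebuilt.jar> [<IS_HOME>]
    shipped, rebuilt, *rest = sys.argv[1:]
    changed, added, removed = diff_jars(shipped, rebuilt)
    print("changed:", changed, "\nadded:", added, "\nremoved:", removed)
    if rest:  # pass IS_HOME on a second run, once the diff has been reviewed
        print("staged at", stage_patch(rest[0], rebuilt))
```

A rebuild with a different JDK or build timestamp can change more entries than the edited class (the manifest usually differs); those are the entries to look at before restarting the server.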